2012-07-05  Michael Saboff  <msaboff@apple.com>

        JSString::tryHashConstLock() fails to get exclusive lock
        https://bugs.webkit.org/show_bug.cgi?id=90639

        Reviewed by Oliver Hunt.

        Added check that the string is already locked even before compare and swap.

        * heap/MarkStack.cpp:
        (JSC::JSString::tryHashConstLock):

2012-07-04  Filip Pizlo  <fpizlo@apple.com>

        Inline property storage should not be wasted when it is exhausted
        https://bugs.webkit.org/show_bug.cgi?id=90347

        Reviewed by Gavin Barraclough.

        Previously, if we switched an object from using inline storage to out-of-line
        storage, we would abandon the inline storage. This would have two main implications:
        (i) all accesses to the object, even for properties that were previously in inline
        storage, must now take an extra indirection; and (ii) we waste a non-trivial amount
        of space since we must allocate additional out-of-line storage to hold properties
        that would have fit in the inline storage. There's also the copying cost when
        switching to out-of-line storage - we must copy all inline properties into out-of-line
        storage.

        This patch changes the way that object property storage works so that we can use both
        inline and out-of-line storage concurrently. This is accomplished by introducing a
        new notion of property offset. This PropertyOffset is a 32-bit signed integer and it
        behaves as follows:

        offset == -1: invalid offset, indicating a property that does not exist.

        0 <= offset <= inlineStorageCapacity: offset into inline storage.

        inlineStorageCapacity < offset: offset into out-of-line storage.

        Because non-final objects don't have inline storage, the only valid PropertyOffsets
        for those objects' properties are -1 or > inlineStorageCapacity.

        This now means that the decision to use inline or out-of-line storage for an access is
        made based on the offset, rather than the structure. It also means that any access
        where the offset is a variable must have an extra branch, unless the type of the
        object is also known (if it's known to be a non-final object then we can just assert
        that the offset is >= inlineStorageCapacity).

        This looks like a big Kraken speed-up and a slight V8 speed-up.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::ldrWide8BitImmediate):
        (JSC::ARMv7Assembler::replaceWithLoad):
        (JSC::ARMv7Assembler::replaceWithAddressComputation):
        * assembler/AbstractMacroAssembler.h:
        (AbstractMacroAssembler):
        (ConvertibleLoadLabel):
        (JSC::AbstractMacroAssembler::ConvertibleLoadLabel::ConvertibleLoadLabel):
        (JSC::AbstractMacroAssembler::ConvertibleLoadLabel::isSet):
        (JSC::AbstractMacroAssembler::labelIgnoringWatchpoints):
        (JSC::AbstractMacroAssembler::replaceWithLoad):
        (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
        * assembler/CodeLocation.h:
        (JSC):
        (CodeLocationCommon):
        (CodeLocationConvertibleLoad):
        (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
        (JSC::CodeLocationCommon::convertibleLoadAtOffset):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * assembler/LinkBuffer.h:
        (LinkBuffer):
        (JSC::LinkBuffer::locationOf):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::convertibleLoadPtr):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::convertibleLoadPtr):
        (MacroAssemblerX86):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::convertibleLoadPtr):
        (MacroAssemblerX86_64):
        * assembler/RepatchBuffer.h:
        (RepatchBuffer):
        (JSC::RepatchBuffer::replaceWithLoad):
        (JSC::RepatchBuffer::replaceWithAddressComputation):
        (JSC::RepatchBuffer::setLoadInstructionIsActive):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::replaceWithLoad):
        (X86Assembler):
        (JSC::X86Assembler::replaceWithAddressComputation):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::offset):
        (GetByIdStatus):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::offset):
        (PutByIdStatus):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC):
        (JSC::computeForStructure):
        * bytecode/ResolveGlobalStatus.h:
        (JSC::ResolveGlobalStatus::ResolveGlobalStatus):
        (JSC::ResolveGlobalStatus::offset):
        (ResolveGlobalStatus):
        * bytecode/StructureSet.h:
        (StructureSet):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (PropertyAccessRecord):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchByIdSelfAccess):
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::tryBuildPutByIdList):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/MarkStack.cpp:
        (JSC::visitChildren):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::tryCacheGetByID):
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
        (JSC::JIT::compileGetByIdProto):
        (JSC::JIT::compileGetByIdSelfList):
        (JSC::JIT::compileGetByIdProtoList):
        (JSC::JIT::compileGetByIdChainList):
        (JSC::JIT::compileGetByIdChain):
        (JSC::JIT::compilePutByIdTransition):
        (JIT):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve_global):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve_global):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::compilePutDirectOffset):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::patchGetByIdSelf):
        (JSC::JIT::patchPutByIdReplace):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::compilePutDirectOffset):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::patchGetByIdSelf):
        (JSC::JIT::patchPutByIdReplace):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        (JSC::JIT::emit_op_get_by_pname):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/x86.rb:
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::functionNameOffset):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        (JSC):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::growOutOfLineStorage):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectLocation):
        (JSC::JSObject::hasInlineStorage):
        (JSC::JSObject::inlineStorageUnsafe):
        (JSC::JSObject::inlineStorage):
        (JSC::JSObject::outOfLineStorage):
        (JSC::JSObject::locationForOffset):
        (JSC::JSObject::offsetForLocation):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::putDirectOffset):
        (JSC::JSObject::putUndefinedAtDirectOffset):
        (JSC::JSObject::addressOfOutOfLineStorage):
        (JSC::JSObject::finishCreation):
        (JSC::JSNonFinalObject::JSNonFinalObject):
        (JSC::JSNonFinalObject::finishCreation):
        (JSFinalObject):
        (JSC::JSFinalObject::finishCreation):
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSObject::offsetOfOutOfLineStorage):
        (JSC::JSObject::setOutOfLineStorage):
        (JSC::JSObject::JSObject):
        (JSC):
        (JSC::JSCell::fastGetOwnProperty):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::offsetRelativeToPatchedStorage):
        (JSC::indexRelativeToBase):
        (JSC::offsetRelativeToBase):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSPropertyNameIterator):
        (JSC::JSPropertyNameIterator::getOffset):
        (JSC::JSPropertyNameIterator::finishCreation):
        * runtime/JSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChain):
        * runtime/Options.cpp:
        (JSC):
        (JSC::Options::initialize):
        * runtime/PropertyMapHashTable.h:
        (PropertyMapEntry):
        (JSC::PropertyMapEntry::PropertyMapEntry):
        (PropertyTable):
        (JSC::PropertyTable::PropertyTable):
        (JSC::PropertyTable::getDeletedOffset):
        (JSC::PropertyTable::addDeletedOffset):
        (JSC::PropertyTable::nextOffset):
        (JSC):
        (JSC::PropertyTable::sizeInMemory):
        * runtime/PropertyOffset.h: Added.
        (JSC):
        (JSC::checkOffset):
        (JSC::validateOffset):
        (JSC::isValidOffset):
        (JSC::isInlineOffset):
        (JSC::isOutOfLineOffset):
        (JSC::offsetInInlineStorage):
        (JSC::offsetInOutOfLineStorage):
        (JSC::offsetInRespectiveStorage):
        (JSC::numberOfOutOfLineSlotsForLastOffset):
        (JSC::numberOfSlotsForLastOffset):
        (JSC::nextPropertyOffsetFor):
        (JSC::firstPropertyOffsetFor):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::cachedOffset):
        (JSC::PropertySlot::setValue):
        (JSC::PropertySlot::setCacheableGetterSlot):
        (JSC::PropertySlot::clearOffset):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setExistingProperty):
        (JSC::PutPropertySlot::setNewProperty):
        (JSC::PutPropertySlot::cachedOffset):
        (PutPropertySlot):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::nextOutOfLineStorageCapacity):
        (JSC::Structure::growOutOfLineCapacity):
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::get):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::previousID):
        (JSC::Structure::outOfLineCapacity):
        (JSC::Structure::outOfLineSizeForKnownFinalObject):
        (JSC::Structure::outOfLineSizeForKnownNonFinalObject):
        (JSC::Structure::outOfLineSize):
        (JSC::Structure::hasInlineStorage):
        (JSC::Structure::inlineCapacity):
        (JSC::Structure::inlineSizeForKnownFinalObject):
        (JSC::Structure::inlineSize):
        (JSC::Structure::totalStorageSize):
        (JSC::Structure::totalStorageCapacity):
        (JSC::Structure::firstValidOffset):
        (JSC::Structure::lastValidOffset):
        (JSC::Structure::isValidOffset):
        (JSC::Structure::isEmpty):
        (JSC::Structure::transitionCount):
        (JSC::Structure::get):

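The PropertyOffset scheme described in the entry above, as an added C++ example that is not WebKit's code: a toy object whose inline and out-of-line storage are both in use at once, with the offset alone (not the structure) selecting the storage on every access. It assumes inlineStorageCapacity = 6 and takes the inline range as 0 <= offset < inlineStorageCapacity, the reading that is consistent with the non-final-object assert (offset >= inlineStorageCapacity) given in the entry; the helper names only echo the ones listed for PropertyOffset.h.

```cpp
// Added example modelling the PropertyOffset scheme; not WebKit's implementation.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

typedef int32_t PropertyOffset;

static const PropertyOffset invalidOffset = -1;
static const PropertyOffset inlineStorageCapacity = 6;              // assumed capacity
static const PropertyOffset firstOutOfLineOffset = inlineStorageCapacity;

inline bool isValidOffset(PropertyOffset offset) { return offset != invalidOffset; }
inline bool isInlineOffset(PropertyOffset offset) { return offset >= 0 && offset < inlineStorageCapacity; }
inline bool isOutOfLineOffset(PropertyOffset offset) { return offset >= firstOutOfLineOffset; }

// Index into the respective backing array; the caller must already know which side the offset is on.
inline size_t offsetInInlineStorage(PropertyOffset offset) {
    assert(isInlineOffset(offset));
    return static_cast<size_t>(offset);
}
inline size_t offsetInOutOfLineStorage(PropertyOffset offset) {
    assert(isOutOfLineOffset(offset));
    return static_cast<size_t>(offset - firstOutOfLineOffset);
}

// Final objects carry inline slots; non-final objects only ever use out-of-line storage,
// so their first property is allocated at firstOutOfLineOffset.
struct ModelObject {
    bool isFinal;
    int inlineStorage[inlineStorageCapacity];
    std::vector<int> outOfLineStorage;
    PropertyOffset nextOffset;                 // next offset handed out, in allocation order

    explicit ModelObject(bool isFinalObject)
        : isFinal(isFinalObject), inlineStorage(), nextOffset(isFinalObject ? 0 : firstOutOfLineOffset) {}
};

// The offset decides which storage is read; no structure lookup is involved. Returns nullptr
// for the invalid offset, for an out-of-line offset past the allocated storage, and for an
// inline offset on an object that has no inline slots (an ASSERT in a debug build).
int* locationForOffset(ModelObject& object, PropertyOffset offset) {
    if (!isValidOffset(offset))
        return nullptr;
    if (isInlineOffset(offset)) {
        if (!object.isFinal)
            return nullptr;
        return &object.inlineStorage[offsetInInlineStorage(offset)];
    }
    size_t index = offsetInOutOfLineStorage(offset);
    if (index >= object.outOfLineStorage.size())
        return nullptr;                        // bounds check before indexing the vector
    return &object.outOfLineStorage[index];
}

// Adds a property in allocation order: inline slots first (final objects only), then the
// out-of-line storage grows. Inline slots stay live once out-of-line storage exists; nothing is copied.
PropertyOffset addProperty(ModelObject& object, int value) {
    PropertyOffset offset = object.nextOffset++;
    if (isOutOfLineOffset(offset))
        object.outOfLineStorage.resize(offsetInOutOfLineStorage(offset) + 1);
    int* slot = locationForOffset(object, offset);
    assert(slot);
    *slot = value;
    return offset;
}

// Reads a property; returns fallback when the offset does not address a live slot.
int getDirect(ModelObject& object, PropertyOffset offset, int fallback = -1) {
    int* slot = locationForOffset(object, offset);
    return slot ? *slot : fallback;
}

// Out-of-line slots needed to hold properties up to lastOffset (modelled on
// numberOfOutOfLineSlotsForLastOffset in the entry's file list; shape assumed).
size_t outOfLineSlotsForLastOffset(PropertyOffset lastOffset) {
    if (!isOutOfLineOffset(lastOffset))
        return 0;
    return offsetInOutOfLineStorage(lastOffset) + 1;
}

int main() {
    ModelObject object(true);
    for (int i = 0; i < 8; ++i)
        addProperty(object, i * 10);           // offsets 0..5 inline, 6..7 out of line
    return getDirect(object, 6) == 60 && object.outOfLineStorage.size() == 2 ? 0 : 1;
}
```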
2012-07-05  Oliver Hunt  <oliver@apple.com>

        JSObjectCallAsFunction should thisConvert the provided thisObject
        https://bugs.webkit.org/show_bug.cgi?id=90628

        Reviewed by Gavin Barraclough.

        Perform this conversion on the provided this object.

        * API/JSObjectRef.cpp:
        (JSObjectCallAsFunction):

2012-07-05  Zoltan Herczeg  <zherczeg@webkit.org>

        [Qt] Unreviewed buildfix after r121886. Typo fix.

        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssemblerARM::load32WithUnalignedHalfWords):

2012-07-05  Zoltan Herczeg  <zherczeg@webkit.org>

        Port DFG JIT to traditional ARM
        https://bugs.webkit.org/show_bug.cgi?id=90198

        Reviewed by Filip Pizlo.

        This patch contains the macro assembler part of the
        DFG JIT support on ARM systems with fixed 32 bit instruction
        width. A large amount of old code was refactored, and the ARMv4
        or lower support is removed from the macro assembler.

        Sunspider is improved by 8%, and V8 is 92%.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::dataTransfer32):
        (JSC::ARMAssembler::baseIndexTransfer32):
        (JSC):
        (JSC::ARMAssembler::dataTransfer16):
        (JSC::ARMAssembler::baseIndexTransfer16):
        (JSC::ARMAssembler::dataTransferFloat):
        (JSC::ARMAssembler::baseIndexTransferFloat):
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::ARMAssembler):
        (JSC::ARMAssembler::emitInst):
        (JSC::ARMAssembler::vmov_f64_r):
        (ARMAssembler):
        (JSC::ARMAssembler::vabs_f64_r):
        (JSC::ARMAssembler::vneg_f64_r):
        (JSC::ARMAssembler::ldr_imm):
        (JSC::ARMAssembler::ldr_un_imm):
        (JSC::ARMAssembler::dtr_u):
        (JSC::ARMAssembler::dtr_ur):
        (JSC::ARMAssembler::dtr_d):
        (JSC::ARMAssembler::dtr_dr):
        (JSC::ARMAssembler::dtrh_u):
        (JSC::ARMAssembler::dtrh_ur):
        (JSC::ARMAssembler::dtrh_d):
        (JSC::ARMAssembler::dtrh_dr):
        (JSC::ARMAssembler::fdtr_u):
        (JSC::ARMAssembler::fdtr_d):
        (JSC::ARMAssembler::push_r):
        (JSC::ARMAssembler::pop_r):
        (JSC::ARMAssembler::poke_r):
        (JSC::ARMAssembler::peek_r):
        (JSC::ARMAssembler::vmov_vfp64_r):
        (JSC::ARMAssembler::vmov_arm64_r):
        (JSC::ARMAssembler::vmov_vfp32_r):
        (JSC::ARMAssembler::vmov_arm32_r):
        (JSC::ARMAssembler::vcvt_u32_f64_r):
        (JSC::ARMAssembler::vcvt_f64_f32_r):
        (JSC::ARMAssembler::vcvt_f32_f64_r):
        (JSC::ARMAssembler::clz_r):
        (JSC::ARMAssembler::bkpt):
        (JSC::ARMAssembler::bx):
        (JSC::ARMAssembler::blx):
        (JSC::ARMAssembler::labelIgnoringWatchpoints):
        (JSC::ARMAssembler::labelForWatchpoint):
        (JSC::ARMAssembler::label):
        (JSC::ARMAssembler::getLdrImmAddress):
        (JSC::ARMAssembler::replaceWithJump):
        (JSC::ARMAssembler::maxJumpReplacementSize):
        (JSC::ARMAssembler::getOp2Byte):
        (JSC::ARMAssembler::getOp2Half):
        (JSC::ARMAssembler::RM):
        (JSC::ARMAssembler::RS):
        (JSC::ARMAssembler::RD):
        (JSC::ARMAssembler::RN):
        * assembler/AssemblerBufferWithConstantPool.h:
        (JSC::AssemblerBufferWithConstantPool::ensureSpaceForAnyInstruction):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssemblerARM::load32WithUnalignedHalfWords):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add32):
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::and32):
        (JSC::MacroAssemblerARM::lshift32):
        (JSC::MacroAssemblerARM::mul32):
        (JSC::MacroAssemblerARM::neg32):
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::urshift32):
        (JSC::MacroAssemblerARM::xor32):
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::load8Signed):
        (JSC::MacroAssemblerARM::load16):
        (JSC::MacroAssemblerARM::load16Signed):
        (JSC::MacroAssemblerARM::load32):
        (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::store16):
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::move):
        (JSC::MacroAssemblerARM::jump):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::mull32):
        (JSC::MacroAssemblerARM::branchMul32):
        (JSC::MacroAssemblerARM::nearCall):
        (JSC::MacroAssemblerARM::compare32):
        (JSC::MacroAssemblerARM::test32):
        (JSC::MacroAssemblerARM::sub32):
        (JSC::MacroAssemblerARM::call):
        (JSC::MacroAssemblerARM::loadFloat):
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeFloat):
        (JSC::MacroAssemblerARM::storeDouble):
        (JSC::MacroAssemblerARM::moveDouble):
        (JSC::MacroAssemblerARM::addDouble):
        (JSC::MacroAssemblerARM::divDouble):
        (JSC::MacroAssemblerARM::subDouble):
        (JSC::MacroAssemblerARM::mulDouble):
        (JSC::MacroAssemblerARM::absDouble):
        (JSC::MacroAssemblerARM::negateDouble):
        (JSC::MacroAssemblerARM::convertInt32ToDouble):
        (JSC::MacroAssemblerARM::convertFloatToDouble):
        (JSC::MacroAssemblerARM::convertDoubleToFloat):
        (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32):
        (JSC::MacroAssemblerARM::truncateDoubleToInt32):
        (JSC::MacroAssemblerARM::truncateDoubleToUint32):
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM::branchDoubleNonZero):
        (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerARM::invert):
        (JSC::MacroAssemblerARM::replaceWithJump):
        (JSC::MacroAssemblerARM::maxJumpReplacementSize):
        (JSC::MacroAssemblerARM::call32):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::label):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::debugCall):
        (JSC::DFG::AssemblyHelpers::boxDouble):
        (JSC::DFG::AssemblyHelpers::unboxDouble):
        * dfg/DFGCCallHelpers.h:
        (CCallHelpers):
        (JSC::DFG::CCallHelpers::setupArguments):
        * dfg/DFGFPRInfo.h:
        (DFG):
        * dfg/DFGGPRInfo.h:
        (DFG):
        (GPRInfo):
        * dfg/DFGOperations.cpp:
        (JSC):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        * jit/JITStubs.cpp:
        (JSC):
        * jit/JITStubs.h:
        (JITStackFrame):
        * jit/JSInterfaceJIT.h:
        (JSInterfaceJIT):

2012-07-04  Anthony Scian  <ascian@rim.com>

        Web Inspector [JSC]: Implement ScriptCallStack::stackTrace
        https://bugs.webkit.org/show_bug.cgi?id=40118

        Reviewed by Yong Li.

        Added member functions to expose function name, urlString, and line #.
        Refactored toString to make use of these member functions to reduce
        duplicated code for future maintenance.

        Manually tested refactoring of toString by tracing thrown exceptions.

        * interpreter/Interpreter.h:
        (JSC::StackFrame::toString):
        (JSC::StackFrame::friendlySourceURL):
        (JSC::StackFrame::friendlyFunctionName):
        (JSC::StackFrame::friendlyLineNumber):

2012-07-04  Andy Wingo  <wingo@igalia.com>

        [GTK] Enable parallel GC
        https://bugs.webkit.org/show_bug.cgi?id=90568

        Reviewed by Martin Robinson.

        * runtime/Options.cpp: Include <algorithm.h> for std::min.

2012-07-04  John Mellor  <johnme@chromium.org>

        Text Autosizing: Add compile flag and runtime setting
        https://bugs.webkit.org/show_bug.cgi?id=87394

        This patch renames Font Boosting to Text Autosizing.

        Reviewed by Adam Barth.

        * Configurations/FeatureDefines.xcconfig:

2012-07-03  Michael Saboff  <msaboff@apple.com>

        Enh: Hash Const JSString in Backing Stores to Save Memory
        https://bugs.webkit.org/show_bug.cgi?id=86024

        Reviewed by Oliver Hunt.

        During garbage collection, each marking thread keeps a HashMap of
        strings. While visiting via MarkStack::copyAndAppend(), we check to
        see if the string we are visiting is already in the HashMap. If not
        we add it. If so, we change the reference to the current string we're
        visiting to the prior string.

        To reduce the performance impact of this change, two throttles have
        been added. 1) We only try hash consting if a significant number of new
        strings have been created since the last hash const. Currently this is
        set at 100 strings. 2) If a string is unique at the end of a marking
        it will not be checked during further GC phases. In some cases this
        won't catch all duplicates, but we are trying to catch the growth of
        duplicate strings.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::resetChildren):
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::MarkStackThreadSharedData::reset):
        (JSC::MarkStack::setup): Check to see if enough strings have been created
        to hash const.
        (JSC::MarkStack::reset): Added call to clear m_uniqueStrings.
        (JSC::JSString::tryHashConstLock): New method to lock JSString for
        hash consting.
        (JSC::JSString::releaseHashConstLock): New unlock method.
        (JSC::JSString::shouldTryHashConst): Set of checks to see if we should
        try to hash const the string.
        (JSC::MarkStack::internalAppend): New method that performs the hash consting.
        (JSC::SlotVisitor::copyAndAppend): Changed to call the new hash
        consting internalAppend().
        * heap/MarkStack.h:
        (MarkStackThreadSharedData):
        (MarkStack):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::haveEnoughNewStringsToHashConst):
        (JSC::JSGlobalData::resetNewStringsSinceLastHashConst):
        * runtime/JSString.h:
        (JSString): Changed from using bool flags to using an unsigned
        m_flags field. This works better with the weakCompareAndSwap in
        JSString::tryHashConstLock(). Changed the 8bitness setting and
        checking to use new accessors.
        (JSC::JSString::JSString):
        (JSC::JSString::finishCreation):
        (JSC::JSString::is8Bit): Updated for new m_flags.
        (JSC::JSString::setIs8Bit): New setter.
        New hash const flags accessors:
        (JSC::JSString::isHashConstSingleton):
        (JSC::JSString::clearHashConstSingleton):
        (JSC::JSString::setHashConstSingleton):
        (JSC::JSRopeString::finishCreation):
        (JSC::JSRopeString::append):

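The hash-consting pass described in the entry above, together with the tryHashConstLock pre-check from the 2012-07-05 entry at the top of this file, as an added C++ example that is not WebKit's code. The flag-word layout, the lock modelled with std::atomic in place of weakCompareAndSwap, the "at least 100 new strings" reading of the first throttle, and the sample strings are all assumptions of this example.

```cpp
// Added example modelling the hash-const lock and dedup pass; not WebKit's implementation.
#include <atomic>
#include <cstddef>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Toy JSString: one unsigned flag word (bit assignments assumed) plus the contents.
struct ModelString {
    enum Flag : unsigned {
        Is8Bit = 1u << 0,
        HashConstLock = 1u << 1,
        HashConstSingleton = 1u << 2,
    };
    std::atomic<unsigned> flags;
    std::string value;
    explicit ModelString(const std::string& v) : flags(Is8Bit), value(v) {}
};

// Take the exclusive hash-const lock. The plain load comes first: a string another
// marking thread already holds is rejected before any compare-and-swap is attempted,
// and the CAS then claims it only if the flag word was not changed in between.
bool tryHashConstLock(ModelString& s) {
    unsigned expected = s.flags.load(std::memory_order_relaxed);
    if (expected & ModelString::HashConstLock)
        return false;
    return s.flags.compare_exchange_strong(expected, expected | ModelString::HashConstLock,
                                           std::memory_order_acquire, std::memory_order_relaxed);
}

void releaseHashConstLock(ModelString& s) {
    s.flags.fetch_and(~static_cast<unsigned>(ModelString::HashConstLock), std::memory_order_release);
}

bool isHashConstSingleton(const ModelString& s) {
    return (s.flags.load(std::memory_order_relaxed) & ModelString::HashConstSingleton) != 0;
}

// Throttle 1: only run the pass once enough strings were created since the last one.
static const unsigned kNewStringsThreshold = 100;      // value from the entry; ">=" is assumed
bool haveEnoughNewStringsToHashConst(unsigned newStringsSinceLastHashConst) {
    return newStringsSinceLastHashConst >= kNewStringsThreshold;
}

// Per-thread table of strings seen during this marking; `duplicated` records whether a
// later copy of the same contents was redirected to this one.
struct UniqueEntry { ModelString* string; bool duplicated; };
typedef std::unordered_map<std::string, UniqueEntry> UniqueStringMap;

// One pass over the references a marking thread visits. Returns how many references
// were redirected to a previously seen string with equal contents.
size_t hashConstPass(std::vector<ModelString*>& refs, UniqueStringMap& uniqueStrings) {
    size_t redirected = 0;
    for (size_t i = 0; i < refs.size(); ++i) {
        ModelString* s = refs[i];
        if (isHashConstSingleton(*s))
            continue;                       // throttle 2: proven unique earlier, not rechecked
        if (!tryHashConstLock(*s))
            continue;                       // held by another thread: skip it this time
        UniqueStringMap::iterator it = uniqueStrings.find(s->value);
        if (it == uniqueStrings.end()) {
            UniqueEntry entry = { s, false };
            uniqueStrings.insert(std::make_pair(s->value, entry));
        } else if (it->second.string != s) {
            refs[i] = it->second.string;    // point this reference at the prior string
            it->second.duplicated = true;
            ++redirected;
        }
        releaseHashConstLock(*s);
    }
    return redirected;
}

// End of marking: strings that stayed unique are flagged as singletons so later GC
// phases skip them, then the table is cleared. Returns the number flagged.
size_t finishMarking(UniqueStringMap& uniqueStrings) {
    size_t singletons = 0;
    for (UniqueStringMap::iterator it = uniqueStrings.begin(); it != uniqueStrings.end(); ++it) {
        if (it->second.duplicated)
            continue;
        it->second.string->flags.fetch_or(ModelString::HashConstSingleton, std::memory_order_relaxed);
        ++singletons;
    }
    uniqueStrings.clear();
    return singletons;
}

int main() {
    ModelString a("foo"), b("foo"), c("bar");       // constructed sample strings
    std::vector<ModelString*> refs;
    refs.push_back(&a); refs.push_back(&b); refs.push_back(&c);
    UniqueStringMap uniqueStrings;
    size_t redirected = hashConstPass(refs, uniqueStrings);
    return redirected == 1 && refs[1] == &a ? 0 : 1;
}
```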
2012-07-03  Tony Chang  <tony@chromium.org>

        [chromium] Unreviewed, update .gitignore to handle VS2010 files.

        * JavaScriptCore.gyp/.gitignore:

2012-07-03  Mark Lam  <mark.lam@apple.com>

        Add ability to symbolically set and dump JSC VM options.
        See comments in runtime/Options.h for details on how the options work.
        https://bugs.webkit.org/show_bug.cgi?id=90420

        Reviewed by Filip Pizlo.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * assembler/LinkBuffer.h:
        (JSC):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        (JSC::CodeBlock::jitAfterWarmUp):
        (JSC::CodeBlock::jitSoon):
        (JSC::CodeBlock::reoptimizationRetryCounter):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
        (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        (JSC::CodeBlock::exitCountThresholdForReoptimization):
        (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
        * bytecode/ExecutionCounter.h:
        (JSC::ExecutionCounter::clippedThreshold):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGCommon.h:
        (JSC::DFG::shouldShowDisassembly):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        * heap/MarkStack.cpp:
        (JSC::MarkStackSegmentAllocator::allocate):
        (JSC::MarkStackSegmentAllocator::shrinkReserve):
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::SlotVisitor::donateKnownParallel):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        * heap/MarkStack.h:
        (JSC::MarkStack::mergeOpaqueRootsIfProfitable):
        (JSC::MarkStack::addOpaqueRoot):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::donate):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * jsc.cpp:
        (printUsageStatement):
        (parseArguments):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSGlobalData.cpp:
        (JSC::enableAssembler):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/Options.cpp:
        (JSC):
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::initialize):
        (JSC::Options::setOption):
        (JSC::Options::dumpAllOptions):
        (JSC::Options::dumpOption):
        * runtime/Options.h:
        (JSC):
        (Options):
        (EntryInfo):

2012-07-03  Jocelyn Turcotte  <jocelyn.turcotte@nokia.com>  and  Joel Dillon  <joel.dillon@codethink.co.uk>

        [Qt][Win] Fix broken QtWebKit5.lib linking
        https://bugs.webkit.org/show_bug.cgi?id=88321

        Reviewed by Kenneth Rohde Christiansen.

        The goal is to have different ports' build systems define STATICALLY_LINKED_WITH_WTF
        when building JavaScriptCore, if both are packaged in the same DLL, instead
        of relying on the code to handle this.
        The effects of BUILDING_* and STATICALLY_LINKED_WITH_* are currently the same
        except for a check in Source/JavaScriptCore/config.h.

        Keeping the old way for the WX port as requested by the port's contributors.
        For non-Windows ports there is no difference between IMPORT and EXPORT, so no
        change is needed.

        * API/JSBase.h:
        JS symbols shouldn't be included by WTF objects anymore. Remove the export when BUILDING_WTF.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        Make sure that JavaScriptCore uses import symbols of WTF for the Win port.
        * runtime/JSExportMacros.h:

2012-07-02  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit value recoveries should be computed lazily
        https://bugs.webkit.org/show_bug.cgi?id=82155

        Reviewed by Gavin Barraclough.

        This change aims to reduce one aspect of DFG compile times: the fact
        that we currently compute the value recoveries for each local and
        argument on every speculation check. We compile many speculation checks,
        so this can add up quick. The strategy that this change takes is to
        have the DFG save just enough information about how the compiler is
        choosing to represent state, that the DFG::OSRExitCompiler can reify
        the value recoveries lazily.

        This appears to be a 0.3% SunSpider speed-up and is neutral elsewhere.

        I also took the opportunity to fix the sampling regions profiler (it
        was missing an export macro) and to put in more sampling regions in
        the DFG (which are disabled so long as ENABLE(SAMPLING_REGIONS) is
        false).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC):
        (JSC::CodeBlock::shrinkDFGDataToFit):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::minifiedDFG):
        (JSC::CodeBlock::variableEventStream):
        (DFGData):
        * bytecode/Operands.h:
        (JSC::Operands::hasOperand):
        (Operands):
        (JSC::Operands::size):
        (JSC::Operands::at):
        (JSC::Operands::operator[]):
        (JSC::Operands::isArgument):
        (JSC::Operands::isVariable):
        (JSC::Operands::argumentForIndex):
        (JSC::Operands::variableForIndex):
        (JSC::Operands::operandForIndex):
        (JSC):
        (JSC::dumpOperands):
        * bytecode/SamplingTool.h:
        (SamplingRegion):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::performCFA):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::performCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::performFixup):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::GenerationInfo):
        (JSC::DFG::GenerationInfo::initConstant):
        (JSC::DFG::GenerationInfo::initInteger):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initCell):
        (JSC::DFG::GenerationInfo::initBoolean):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::initStorage):
        (GenerationInfo):
        (JSC::DFG::GenerationInfo::noticeOSRBirth):
        (JSC::DFG::GenerationInfo::use):
        (JSC::DFG::GenerationInfo::spill):
        (JSC::DFG::GenerationInfo::setSpilled):
        (JSC::DFG::GenerationInfo::fillJSValue):
        (JSC::DFG::GenerationInfo::fillCell):
        (JSC::DFG::GenerationInfo::fillInteger):
        (JSC::DFG::GenerationInfo::fillBoolean):
        (JSC::DFG::GenerationInfo::fillDouble):
        (JSC::DFG::GenerationInfo::fillStorage):
        (JSC::DFG::GenerationInfo::appendFill):
        (JSC::DFG::GenerationInfo::appendSpill):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGMinifiedGraph.h: Added.
        (DFG):
        (MinifiedGraph):
        (JSC::DFG::MinifiedGraph::MinifiedGraph):
        (JSC::DFG::MinifiedGraph::at):
        (JSC::DFG::MinifiedGraph::append):
        (JSC::DFG::MinifiedGraph::prepareAndShrink):
        (JSC::DFG::MinifiedGraph::setOriginalGraphSize):
        (JSC::DFG::MinifiedGraph::originalGraphSize):
        * dfg/DFGMinifiedNode.cpp: Added.
        (DFG):
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h: Added.
        (DFG):
        (JSC::DFG::belongsInMinifiedGraph):
        (MinifiedNode):
        (JSC::DFG::MinifiedNode::MinifiedNode):
        (JSC::DFG::MinifiedNode::index):
        (JSC::DFG::MinifiedNode::op):
        (JSC::DFG::MinifiedNode::hasChild1):
        (JSC::DFG::MinifiedNode::child1):
        (JSC::DFG::MinifiedNode::hasConstant):
        (JSC::DFG::MinifiedNode::hasConstantNumber):
        (JSC::DFG::MinifiedNode::constantNumber):
        (JSC::DFG::MinifiedNode::hasWeakConstant):
        (JSC::DFG::MinifiedNode::weakConstant):
        (JSC::DFG::MinifiedNode::getIndex):
        (JSC::DFG::MinifiedNode::compareByNodeIndex):
        (JSC::DFG::MinifiedNode::hasChild):
        * dfg/DFGNode.h:
        (Node):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler.h:
        (OSRExitCompiler):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::performPredictionPropagation):
        * dfg/DFGRedundantPhiEliminationPhase.cpp:
        (JSC::DFG::performRedundantPhiElimination):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (DFG):
        (JSC::DFG::SpeculativeJIT::fillStorage):
873 (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
874 (JSC::DFG::SpeculativeJIT::compileMovHint):
875 (JSC::DFG::SpeculativeJIT::compile):
876 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
877 * dfg/DFGSpeculativeJIT.h:
878 (DFG):
879 (JSC::DFG::SpeculativeJIT::use):
880 (SpeculativeJIT):
881 (JSC::DFG::SpeculativeJIT::spill):
882 (JSC::DFG::SpeculativeJIT::speculationCheck):
883 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
884 (JSC::DFG::SpeculativeJIT::recordSetLocal):
885 * dfg/DFGSpeculativeJIT32_64.cpp:
886 (JSC::DFG::SpeculativeJIT::fillInteger):
887 (JSC::DFG::SpeculativeJIT::fillDouble):
888 (JSC::DFG::SpeculativeJIT::fillJSValue):
889 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
890 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
891 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
892 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
893 (JSC::DFG::SpeculativeJIT::compile):
894 * dfg/DFGSpeculativeJIT64.cpp:
895 (JSC::DFG::SpeculativeJIT::fillInteger):
896 (JSC::DFG::SpeculativeJIT::fillDouble):
897 (JSC::DFG::SpeculativeJIT::fillJSValue):
898 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
899 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
900 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
901 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
902 (JSC::DFG::SpeculativeJIT::compile):
903 * dfg/DFGValueRecoveryOverride.h: Added.
904 (DFG):
905 (ValueRecoveryOverride):
906 (JSC::DFG::ValueRecoveryOverride::ValueRecoveryOverride):
907 * dfg/DFGValueSource.cpp: Added.
908 (DFG):
909 (JSC::DFG::ValueSource::dump):
910 * dfg/DFGValueSource.h: Added.
911 (DFG):
912 (JSC::DFG::dataFormatToValueSourceKind):
913 (JSC::DFG::valueSourceKindToDataFormat):
914 (JSC::DFG::isInRegisterFile):
915 (ValueSource):
916 (JSC::DFG::ValueSource::ValueSource):
917 (JSC::DFG::ValueSource::forPrediction):
918 (JSC::DFG::ValueSource::forDataFormat):
919 (JSC::DFG::ValueSource::isSet):
920 (JSC::DFG::ValueSource::kind):
921 (JSC::DFG::ValueSource::isInRegisterFile):
922 (JSC::DFG::ValueSource::dataFormat):
923 (JSC::DFG::ValueSource::valueRecovery):
924 (JSC::DFG::ValueSource::nodeIndex):
925 (JSC::DFG::ValueSource::nodeIndexFromKind):
926 (JSC::DFG::ValueSource::kindFromNodeIndex):
927 * dfg/DFGVariableEvent.cpp: Added.
928 (DFG):
929 (JSC::DFG::VariableEvent::dump):
930 (JSC::DFG::VariableEvent::dumpFillInfo):
931 (JSC::DFG::VariableEvent::dumpSpillInfo):
932 * dfg/DFGVariableEvent.h: Added.
933 (DFG):
934 (VariableEvent):
935 (JSC::DFG::VariableEvent::VariableEvent):
936 (JSC::DFG::VariableEvent::reset):
937 (JSC::DFG::VariableEvent::fillGPR):
938 (JSC::DFG::VariableEvent::fillPair):
939 (JSC::DFG::VariableEvent::fillFPR):
940 (JSC::DFG::VariableEvent::spill):
941 (JSC::DFG::VariableEvent::death):
942 (JSC::DFG::VariableEvent::setLocal):
943 (JSC::DFG::VariableEvent::movHint):
944 (JSC::DFG::VariableEvent::kind):
945 (JSC::DFG::VariableEvent::nodeIndex):
946 (JSC::DFG::VariableEvent::dataFormat):
947 (JSC::DFG::VariableEvent::gpr):
948 (JSC::DFG::VariableEvent::tagGPR):
949 (JSC::DFG::VariableEvent::payloadGPR):
950 (JSC::DFG::VariableEvent::fpr):
951 (JSC::DFG::VariableEvent::virtualRegister):
952 (JSC::DFG::VariableEvent::operand):
953 (JSC::DFG::VariableEvent::variableRepresentation):
954 * dfg/DFGVariableEventStream.cpp: Added.
955 (DFG):
956 (JSC::DFG::VariableEventStream::logEvent):
957 (MinifiedGenerationInfo):
958 (JSC::DFG::MinifiedGenerationInfo::MinifiedGenerationInfo):
959 (JSC::DFG::MinifiedGenerationInfo::update):
960 (JSC::DFG::VariableEventStream::reconstruct):
961 * dfg/DFGVariableEventStream.h: Added.
962 (DFG):
963 (VariableEventStream):
964 (JSC::DFG::VariableEventStream::appendAndLog):
965 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
966 (JSC::DFG::performVirtualRegisterAllocation):
967
2012-07-02 Filip Pizlo <fpizlo@apple.com>

DFG::ArgumentsSimplificationPhase should assert that the PhantomArguments nodes it creates are not shouldGenerate()
https://bugs.webkit.org/show_bug.cgi?id=90407

Reviewed by Mark Hahnenberg.

* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):

2012-07-02 Gavin Barraclough <barraclough@apple.com>

Array.prototype.pop should throw if property is not configurable
https://bugs.webkit.org/show_bug.cgi?id=75788

Rubber Stamped by Oliver Hunt.

No real bug here any more, but the error we throw sometimes has a misleading message.

* runtime/JSArray.cpp:
(JSC::JSArray::pop):

2012-06-29 Filip Pizlo <fpizlo@apple.com>

JSObject wastes too much memory on unused property slots
https://bugs.webkit.org/show_bug.cgi?id=90255

Reviewed by Mark Hahnenberg.

Rolling back in after applying a simple fix: it appears that
JSObject::setStructureAndReallocateStorageIfNecessary() was allocating more
property storage than necessary. Fixing this appears to resolve the crash.

This does a few things:

- JSNonFinalObject no longer has inline property storage.

- Initial out-of-line property storage size is 4 slots for JSNonFinalObject,
or 2x the inline storage for JSFinalObject.

- Property storage is only reallocated if it needs to be. Previously, we
would reallocate the property storage on any transition where the original
structure said shouldGrowPropertyStorage(), but this led to spurious
reallocations when doing transitionless property adds and there are
deleted property slots available. That in turn led to crashes, because we
would switch to out-of-line storage even if the capacity matched the
criteria for inline storage.

- Inline JSFunction allocation is killed off because we don't have a good
way of inlining property storage allocation. This didn't hurt performance.
Killing off code is better than fixing it if that code wasn't doing any
good.

This looks like a 1% progression on V8.

* interpreter/Interpreter.cpp:
(JSC::Interpreter::privateExecute):
* jit/JIT.cpp:
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITInlineMethods.h:
(JSC::JIT::emitAllocateBasicJSObject):
(JSC):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_func):
(JSC):
(JSC::JIT::emit_op_new_func_exp):
* runtime/JSFunction.cpp:
(JSC::JSFunction::finishCreation):
* runtime/JSObject.h:
(JSC::JSObject::isUsingInlineStorage):
(JSObject):
(JSC::JSObject::finishCreation):
(JSC):
(JSC::JSNonFinalObject::hasInlineStorage):
(JSNonFinalObject):
(JSC::JSNonFinalObject::JSNonFinalObject):
(JSC::JSNonFinalObject::finishCreation):
(JSC::JSFinalObject::hasInlineStorage):
(JSC::JSFinalObject::finishCreation):
(JSC::JSObject::offsetOfInlineStorage):
(JSC::JSObject::setPropertyStorage):
(JSC::Structure::inlineStorageCapacity):
(JSC::Structure::isUsingInlineStorage):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
(JSC::JSObject::putDirectWithoutTransition):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::nextPropertyStorageCapacity):
(JSC):
(JSC::Structure::growPropertyStorageCapacity):
(JSC::Structure::suggestedNewPropertyStorageSize):
* runtime/Structure.h:
(JSC::Structure::putWillGrowPropertyStorage):
(Structure):

2012-06-29 Filip Pizlo <fpizlo@apple.com>

Webkit crashes in DFG on Google Docs when creating a new document
https://bugs.webkit.org/show_bug.cgi?id=90209

Reviewed by Gavin Barraclough.

Don't attempt to short-circuit Phantom(GetLocal) if the GetLocal is for a
captured variable.

* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2012-06-30 Zan Dobersek <zandobersek@gmail.com>

Unreviewed, rolling out r121605.
http://trac.webkit.org/changeset/121605
https://bugs.webkit.org/show_bug.cgi?id=90336

Changes caused flaky crashes in sputnik/Unicode tests on Apple
WK1 and GTK Linux builders

* interpreter/Interpreter.cpp:
(JSC::Interpreter::privateExecute):
* jit/JIT.cpp:
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITInlineMethods.h:
(JSC::JIT::emitAllocateBasicJSObject):
(JSC::JIT::emitAllocateJSFinalObject):
(JSC):
(JSC::JIT::emitAllocateJSFunction):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_func):
(JSC::JIT::emitSlow_op_new_func):
(JSC):
(JSC::JIT::emit_op_new_func_exp):
(JSC::JIT::emitSlow_op_new_func_exp):
* runtime/JSFunction.cpp:
(JSC::JSFunction::finishCreation):
* runtime/JSObject.h:
(JSC::JSObject::isUsingInlineStorage):
(JSObject):
(JSC::JSObject::finishCreation):
(JSC):
(JSNonFinalObject):
(JSC::JSNonFinalObject::JSNonFinalObject):
(JSC::JSNonFinalObject::finishCreation):
(JSFinalObject):
(JSC::JSFinalObject::finishCreation):
(JSC::JSObject::offsetOfInlineStorage):
(JSC::JSObject::setPropertyStorage):
(JSC::Structure::isUsingInlineStorage):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::putDirectWithoutTransition):
(JSC::JSObject::transitionTo):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC):
(JSC::Structure::growPropertyStorageCapacity):
(JSC::Structure::suggestedNewPropertyStorageSize):
* runtime/Structure.h:
(JSC::Structure::shouldGrowPropertyStorage):
(JSC::Structure::propertyStorageSize):

2012-06-29 Mark Hahnenberg <mhahnenberg@apple.com>

Remove warning about protected values when the Heap is being destroyed
https://bugs.webkit.org/show_bug.cgi?id=90302

Reviewed by Geoffrey Garen.

Having to do book-keeping about whether values allocated from a certain
VM are or are not protected makes the JSC API much more difficult to use
correctly. Clients should be able to throw an entire VM away and not have
to worry about unprotecting all of the values that they protected earlier.

* heap/Heap.cpp:
(JSC::Heap::lastChanceToFinalize):

2012-06-29 Filip Pizlo <fpizlo@apple.com>

JSObject wastes too much memory on unused property slots
https://bugs.webkit.org/show_bug.cgi?id=90255

Reviewed by Mark Hahnenberg.

This does a few things:

- JSNonFinalObject no longer has inline property storage.

- Initial out-of-line property storage size is 4 slots for JSNonFinalObject,
or 2x the inline storage for JSFinalObject.

- Property storage is only reallocated if it needs to be. Previously, we
would reallocate the property storage on any transition where the original
structure said shouldGrowPropertyStorage(), but this led to spurious
reallocations when doing transitionless property adds and there are
deleted property slots available. That in turn led to crashes, because we
would switch to out-of-line storage even if the capacity matched the
criteria for inline storage.

- Inline JSFunction allocation is killed off because we don't have a good
way of inlining property storage allocation. This didn't hurt performance.
Killing off code is better than fixing it if that code wasn't doing any
good.

This looks like a 1% progression on V8.

* interpreter/Interpreter.cpp:
(JSC::Interpreter::privateExecute):
* jit/JIT.cpp:
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITInlineMethods.h:
(JSC::JIT::emitAllocateBasicJSObject):
(JSC):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_func):
(JSC):
(JSC::JIT::emit_op_new_func_exp):
* runtime/JSFunction.cpp:
(JSC::JSFunction::finishCreation):
* runtime/JSObject.h:
(JSC::JSObject::isUsingInlineStorage):
(JSObject):
(JSC::JSObject::finishCreation):
(JSC):
(JSC::JSNonFinalObject::hasInlineStorage):
(JSNonFinalObject):
(JSC::JSNonFinalObject::JSNonFinalObject):
(JSC::JSNonFinalObject::finishCreation):
(JSC::JSFinalObject::hasInlineStorage):
(JSC::JSFinalObject::finishCreation):
(JSC::JSObject::offsetOfInlineStorage):
(JSC::JSObject::setPropertyStorage):
(JSC::Structure::inlineStorageCapacity):
(JSC::Structure::isUsingInlineStorage):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
(JSC::JSObject::putDirectWithoutTransition):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::nextPropertyStorageCapacity):
(JSC):
(JSC::Structure::growPropertyStorageCapacity):
(JSC::Structure::suggestedNewPropertyStorageSize):
* runtime/Structure.h:
(JSC::Structure::putWillGrowPropertyStorage):
(Structure):

2012-06-28 Filip Pizlo <fpizlo@apple.com>

DFG recompilation heuristics should be based on count, not rate
https://bugs.webkit.org/show_bug.cgi?id=90146

Reviewed by Oliver Hunt.

This removes a bunch of code that was previously trying to prevent spurious
reoptimizations if a large enough majority of executions of a code block did
not result in OSR exit. It turns out that this code was purely harmful. This
patch removes all of that logic and replaces it with a dead-simple
heuristic: if you exit more than N times (where N is an exponential function
of the number of times the code block has already been recompiled) then we
will recompile.

This appears to be a broad ~1% win on many benchmarks large and small.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::osrExitCounter):
(JSC::CodeBlock::countOSRExit):
(CodeBlock):
(JSC::CodeBlock::addressOfOSRExitCounter):
(JSC::CodeBlock::offsetOfOSRExitCounter):
(JSC::CodeBlock::adjustedExitCountThreshold):
(JSC::CodeBlock::exitCountThresholdForReoptimization):
(JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
(JSC::CodeBlock::shouldReoptimizeNow):
(JSC::CodeBlock::shouldReoptimizeFromLoopNow):
* bytecode/ExecutionCounter.cpp:
(JSC::ExecutionCounter::setThreshold):
* bytecode/ExecutionCounter.h:
(ExecutionCounter):
(JSC::ExecutionCounter::clippedThreshold):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileBody):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
* dfg/DFGOSRExitCompiler.cpp:
(JSC::DFG::OSRExitCompiler::handleExitCounts):
* dfg/DFGOperations.cpp:
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
* runtime/Options.cpp:
(Options):
(JSC::Options::initializeOptions):
* runtime/Options.h:
(Options):

2012-06-28 Mark Lam <mark.lam@apple.com>

Adding a commenting utility to record BytecodeGenerator comments
with opcodes that are emitted. Presently, the comments can only
be constant strings. Adding comments for opcodes is optional.
If a comment is added, the comment will be printed following the
opcode when CodeBlock::dump() is called.

This utility is disabled by default, and is only meant for VM
development purposes. It should not be enabled for product builds.

To enable this utility, set ENABLE_BYTECODE_COMMENTS in CodeBlock.h
to 1.

https://bugs.webkit.org/show_bug.cgi?id=90095

Reviewed by Geoffrey Garen.

* GNUmakefile.list.am:
* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecodeCommentAndNewLine): Dumps the comment.
(JSC):
(JSC::CodeBlock::printUnaryOp): Add comment dumps.
(JSC::CodeBlock::printBinaryOp): Add comment dumps.
(JSC::CodeBlock::printConditionalJump): Add comment dumps.
(JSC::CodeBlock::printCallOp): Add comment dumps.
(JSC::CodeBlock::printPutByIdOp): Add comment dumps.
(JSC::CodeBlock::dump): Add comment dumps.
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::commentForBytecodeOffset):
Finds the comment for an opcode if available.
(JSC::CodeBlock::dumpBytecodeComments):
For debugging whether comments are collected.
It is not being called anywhere.
* bytecode/CodeBlock.h:
(CodeBlock):
(JSC::CodeBlock::bytecodeComments):
* bytecode/Comment.h: Added.
(JSC):
(Comment):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitOpcode): Calls emitComment().
(JSC):
(JSC::BytecodeGenerator::emitComment): Adds comment to CodeBlock.
(JSC::BytecodeGenerator::prependComment):
Registers a comment for emitComment() to use later.
* bytecompiler/BytecodeGenerator.h:
(BytecodeGenerator):
(JSC::BytecodeGenerator::emitComment):
(JSC::BytecodeGenerator::prependComment):
These are inlined versions of these functions that nullify them
when ENABLE_BYTECODE_COMMENTS is 0.
(JSC::BytecodeGenerator::comments):

2012-06-28 Oliver Hunt <oliver@apple.com>

32bit DFG incorrectly claims an fpr is fillable even if it has not been proven double
https://bugs.webkit.org/show_bug.cgi?id=90127

Reviewed by Filip Pizlo.

The 32-bit version of fillSpeculateDouble doesn't handle Number->fpr loads
correctly. This patch fixes this by killing the fill info in the GenerationInfo
when the spillFormat doesn't guarantee the value is a double.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2012-06-28 Kent Tamura <tkent@chromium.org>

Classify form control states by their owner forms
https://bugs.webkit.org/show_bug.cgi?id=89950

Reviewed by Hajime Morita.

* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
Expose WTF::StringBuilder::canShrink()

2012-06-27 Michael Saboff <msaboff@apple.com>

[Win] jscore-tests flakey
https://bugs.webkit.org/show_bug.cgi?id=88118

Reviewed by Jessie Berlin.

jsDriver.pl on windows intermittently doesn't get the returned value from jsc,
instead it gets 126. Added a new option to jsc (-x) which prints the exit
code before exiting. jsDriver.pl uses this option on Windows and parses the
exit code output for the exit code, removing it before comparing the actual
and expected outputs. Filed a follow on "FIXME" defect:
[WIN] Intermittent failure for jsc return value to propagate through jsDriver.pl
https://bugs.webkit.org/show_bug.cgi?id=90119

* jsc.cpp:
(CommandLine::CommandLine):
(CommandLine):
(printUsageStatement):
(parseArguments):
(jscmain):
* tests/mozilla/jsDriver.pl:
(execute_tests):

2012-06-27 Sheriff Bot <webkit.review.bot@gmail.com>

Unreviewed, rolling out r121359.
http://trac.webkit.org/changeset/121359
https://bugs.webkit.org/show_bug.cgi?id=90115

Broke many inspector tests (Requested by jpfau on #webkit).

* interpreter/Interpreter.h:
(JSC::StackFrame::toString):

2012-06-27 Filip Pizlo <fpizlo@apple.com>

Javascript SHA-512 gives wrong hash on second and subsequent runs unless Web Inspector Javascript Debugging is on
https://bugs.webkit.org/show_bug.cgi?id=90053
<rdar://problem/11764613>

Reviewed by Mark Hahnenberg.

The problem is that the code was assuming that the recovery should be Undefined if the source of
the SetLocal was !shouldGenerate(). But that's wrong, since the DFG optimizer may skip around a
UInt32ToNumber node (hence making it !shouldGenerate()) and keep the source of that node alive.
In that case we should base the recovery on the source of the UInt32ToNumber. The logic for this
was already in place but the fast check for !shouldGenerate() broke it.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

2012-06-27 Filip Pizlo <fpizlo@apple.com>

DFG disassembly should be easier to read
https://bugs.webkit.org/show_bug.cgi?id=90106

Reviewed by Mark Hahnenberg.

Did a few things:

- Options::showDFGDisassembly now shows OSR exit disassembly as well.

- Phi node dumping doesn't attempt to do line wrapping since it just made the dump harder
to read.

- DFG graph disassembly view shows a few additional node types that turn out to be
essential for understanding OSR exits.

Put together, these changes reinforce the philosophy that anything needed for computing
OSR exit is just as important as the machine code itself. Of course, we still don't take
that philosophy to its full extreme - for example Phantom nodes are not dumped. We may
revisit that in the future.

* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::finalizeCodeWithDisassembly):
* assembler/LinkBuffer.h:
(JSC):
* dfg/DFGDisassembler.cpp:
(JSC::DFG::Disassembler::dump):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dumpBlockHeader):
* dfg/DFGNode.h:
(JSC::DFG::Node::willHaveCodeGenOrOSR):
* dfg/DFGOSRExitCompiler.cpp:
* jit/JIT.cpp:
(JSC::JIT::privateCompile):

2012-06-25 Mark Hahnenberg <mhahnenberg@apple.com>

JSLock should be per-JSGlobalData
https://bugs.webkit.org/show_bug.cgi?id=89123

Reviewed by Geoffrey Garen.

* API/APIShims.h:
(APIEntryShimWithoutLock):
(JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): Added an extra parameter to the constructor to
determine whether we should ref the JSGlobalData or not. We want to ref all the time except for in the
HeapTimer class because timerDidFire could run after somebody has started to tear down that particular
JSGlobalData, so we wouldn't want to resurrect the ref count of that JSGlobalData from 0 back to 1 after
its destruction has begun.
(JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
(JSC::APIEntryShim::APIEntryShim):
(APIEntryShim):
(JSC::APIEntryShim::~APIEntryShim):
(JSC::APIEntryShim::init): Factored out common initialization code for the various APIEntryShim constructors.
Also moved the timeoutChecker stop and start here because we need to start after we've grabbed the API lock
and before we've released it, which can only done in APIEntryShim.
(JSC::APICallbackShim::~APICallbackShim): We no longer need to synchronize here.
* API/JSContextRef.cpp:
(JSGlobalContextCreate):
(JSGlobalContextCreateInGroup):
(JSGlobalContextRelease):
(JSContextCreateBacktrace):
* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
* heap/CopiedSpace.cpp:
(JSC::CopiedSpace::tryAllocateSlowCase):
* heap/Heap.cpp:
(JSC::Heap::protect):
(JSC::Heap::unprotect):
(JSC::Heap::collect):
(JSC::Heap::setActivityCallback):
(JSC::Heap::activityCallback):
(JSC::Heap::sweeper):
* heap/Heap.h: Changed m_activityCallback and m_sweeper to be raw pointers rather than OwnPtrs because they
are now responsible for their own lifetime. Also changed the order of declaration of the GCActivityCallback
and the IncrementalSweeper to make sure they're the last things that get initialized during construction to
prevent any issues with uninitialized memory in the JSGlobalData/Heap they might care about.
(Heap):
* heap/HeapTimer.cpp: Refactored to allow for thread-safe operation and shutdown.
(JSC::HeapTimer::~HeapTimer):
(JSC::HeapTimer::invalidate):
(JSC):
(JSC::HeapTimer::didStartVMShutdown): Called at the beginning of ~JSGlobalData. If we're on the same thread
that the HeapTimer is running on, we kill the HeapTimer ourselves. If not, then we set some state in the
HeapTimer and schedule it to fire immediately so that it can notice and kill itself.
(JSC::HeapTimer::timerDidFire): We grab our mutex and check our JSGlobalData pointer. If it has been zero-ed
out, then we know the VM has started to shutdown and we should kill ourselves. Otherwise, grab the APIEntryShim,
but without ref-ing the JSGlobalData (we don't want to bring the JSGlobalData's ref-count from 0 to 1) in case
we were interrupted between releasing our mutex and trying to grab the APILock.
* heap/HeapTimer.h:
(HeapTimer):
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::doWork): We no longer need the API shim here since HeapTimer::timerDidFire handles
all of that for us.
(JSC::IncrementalSweeper::create):
* heap/IncrementalSweeper.h:
(IncrementalSweeper):
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::allocateSlowCase):
* heap/WeakBlock.cpp:
(JSC::WeakBlock::reap):
* jsc.cpp:
(functionGC):
(functionReleaseExecutableMemory):
(jscmain):
* runtime/Completion.cpp:
(JSC::checkSyntax):
(JSC::evaluate):
* runtime/GCActivityCallback.h:
(DefaultGCActivityCallback):
(JSC::DefaultGCActivityCallback::create):
* runtime/JSGlobalData.cpp:
(JSC::JSGlobalData::JSGlobalData):
(JSC::JSGlobalData::~JSGlobalData): Signals to the two HeapTimers (GCActivityCallback and IncrementalSweeper)
that the VM has started shutting down. It then waits until the HeapTimer is done with whatever activity
it needs to do before continuing with any further destruction. Also asserts that we do not currently hold the
APILock because this could potentially cause deadlock when we try to signal to the HeapTimers using their mutexes.
(JSC::JSGlobalData::sharedInstance): Protect the initialization for the shared instance with the GlobalJSLock.
(JSC::JSGlobalData::sharedInstanceInternal):
* runtime/JSGlobalData.h: Change to be ThreadSafeRefCounted so that we don't have to worry about refing and
de-refing JSGlobalDatas on separate threads since we don't do it that often anyways.
(JSGlobalData):
(JSC::JSGlobalData::apiLock):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::~JSGlobalObject):
(JSC::JSGlobalObject::init):
* runtime/JSLock.cpp:
(JSC):
(JSC::GlobalJSLock::GlobalJSLock): For accessing the shared instance.
(JSC::GlobalJSLock::~GlobalJSLock):
(JSC::JSLockHolder::JSLockHolder): MutexLocker for JSLock. Also refs the JSGlobalData to keep it alive so that
it can successfully unlock it later without it disappearing from underneath it.
(JSC::JSLockHolder::~JSLockHolder):
(JSC::JSLock::JSLock):
(JSC::JSLock::~JSLock):
(JSC::JSLock::lock): Uses the spin lock for guarding the lock count and owner thread fields. Uses the mutex for
actually waiting for long periods.
(JSC::JSLock::unlock):
(JSC::JSLock::currentThreadIsHoldingLock):
(JSC::JSLock::dropAllLocks):
(JSC::JSLock::dropAllLocksUnconditionally):
(JSC::JSLock::grabAllLocks):
(JSC::JSLock::DropAllLocks::DropAllLocks):
(JSC::JSLock::DropAllLocks::~DropAllLocks):
* runtime/JSLock.h:
(JSC):
(GlobalJSLock):
(JSLockHolder):
(JSLock):
(DropAllLocks):
* runtime/WeakGCMap.h:
(JSC::WeakGCMap::set):
* testRegExp.cpp:
(realMain):

2012-06-27 Filip Pizlo <fpizlo@apple.com>

x86 disassembler confuses immediates with addresses
https://bugs.webkit.org/show_bug.cgi?id=90099

Reviewed by Mark Hahnenberg.

Prepend "$" to immediates to disambiguate between immediates and addresses. This is in
accordance with the gas and AT&T syntax.

* disassembler/udis86/udis86_syn-att.c:
(gen_operand):

2012-06-27 Filip Pizlo <fpizlo@apple.com>

Add a comment clarifying Options::showDisassembly versus Options::showDFGDisassembly.

Rubber stamped by Mark Hahnenberg.

* runtime/Options.cpp:
(JSC::Options::initializeOptions):

2012-06-27 Anthony Scian <ascian@rim.com>

Web Inspector [JSC]: Implement ScriptCallStack::stackTrace
https://bugs.webkit.org/show_bug.cgi?id=40118

Reviewed by Yong Li.

Added member functions to expose function name, urlString, and line #.
Refactored toString to make use of these member functions to reduce
duplicated code for future maintenance.

Manually tested refactoring of toString by tracing thrown exceptions.

* interpreter/Interpreter.h:
(StackFrame):
(JSC::StackFrame::toString):
(JSC::StackFrame::friendlySourceURL):
(JSC::StackFrame::friendlyFunctionName):
(JSC::StackFrame::friendlyLineNumber):

2012-06-27 Oswald Buddenhagen <oswald.buddenhagen@nokia.com>

[Qt] Remove redundant c++11 warning suppression code

This is already handled in default_post.

Reviewed by Tor Arne Vestbø.

* Target.pri:

2012-06-26 Tor Arne Vestbø <tor.arne.vestbo@nokia.com>

[Qt] Add missing headers to HEADERS

For JavaScriptCore there aren't any Qt specific files, so we include all
headers for easy editing in Qt Creator.

Reviewed by Simon Hausmann.

* Target.pri:

2012-06-26 Dominic Cooney <dominicc@chromium.org>

[Chromium] Remove unused build scripts and empty folders for JavaScriptCore w/ gyp
https://bugs.webkit.org/show_bug.cgi?id=90029

Reviewed by Adam Barth.

* gyp: Removed.
* gyp/generate-derived-sources.sh: Removed.
* gyp/generate-dtrace-header.sh: Removed.
* gyp/run-if-exists.sh: Removed.
* gyp/update-info-plist.sh: Removed.

2012-06-26 Geoffrey Garen <ggaren@apple.com>

Reduced (but did not eliminate) use of "berzerker GC"
https://bugs.webkit.org/show_bug.cgi?id=89237

Reviewed by Gavin Barraclough.

(PART 2)

This part turns off "berzerker GC" and turns on incremental shrinking.

* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::doSweep): Free or shrink after sweeping to
maintain the behavior we used to get from the occasional berzerker GC,
which would run all finalizers and then free or shrink all blocks
1645 synchronously.
1646
1647 * heap/MarkedBlock.h:
1648 (JSC::MarkedBlock::needsSweeping): Sweep zapped blocks, too. It's always
1649 safe to sweep a zapped block (that's the point of zapping), and it's
1650 sometimes profitable. For example, consider this case: Block A does some
1651 allocation (transitioning Block A from Marked to FreeListed), then GC
1652 happens (transitioning Block A to Zapped), then all objects in Block A
1653 are free, then the incremental sweeper visits Block A. If we skipped
1654 Zapped blocks, we'd skip Block A, even though it would be profitable to
1655 run its destructors and free its memory.
1656
1657 * runtime/GCActivityCallback.cpp:
1658 (JSC::DefaultGCActivityCallback::doWork): Don't sweep eagerly; we'll do
1659 this incrementally.
1660
fpizlo@apple.com580d9d72012-06-27 01:34:01 +000016612012-06-26 Filip Pizlo <fpizlo@apple.com>
1662
1663 DFG PutByValAlias is too aggressive
1664 https://bugs.webkit.org/show_bug.cgi?id=90026
1665 <rdar://problem/11751830>
1666
1667 Reviewed by Gavin Barraclough.
1668
1669 For CSE on normal arrays, we now treat PutByVal as impure. This does not appear to affect
1670 performance by much.
1671
1672 For CSE on typed arrays, we fix PutByValAlias by making GetByVal speculate that the access
1673 is within bounds. This also has the effect of making our out-of-bounds handling consistent
1674 with WebCore.
1675
1676 * dfg/DFGCSEPhase.cpp:
1677 (JSC::DFG::CSEPhase::performNodeCSE):
1678 * dfg/DFGGraph.h:
1679 (JSC::DFG::Graph::byValIsPure):
1680 (JSC::DFG::Graph::clobbersWorld):
1681 * dfg/DFGNodeType.h:
1682 (DFG):
1683 * dfg/DFGSpeculativeJIT.cpp:
1684 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
1685 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
1686
commit-queue@webkit.org63a25eb2012-06-26 19:55:32 +000016872012-06-26 Yong Li <yoli@rim.com>
1688
1689 [BlackBerry] Add JSC statistics into about:memory
1690 https://bugs.webkit.org/show_bug.cgi?id=89779
1691
1692 Reviewed by Rob Buis.
1693
1694 Fix non-JIT build on BlackBerry broken by r121196.
1695
1696 * runtime/MemoryStatistics.cpp:
1697 (JSC::globalMemoryStatistics):
1698
fpizlo@apple.com6c89cd32012-06-26 19:42:05 +000016992012-06-25 Filip Pizlo <fpizlo@apple.com>
1700
1701 DFG::operationNewArray is unnecessarily slow, and may use the wrong array
1702 prototype when inlined
1703 https://bugs.webkit.org/show_bug.cgi?id=89821
1704
1705 Reviewed by Geoffrey Garen.
1706
1707 Fixes all array allocations to use the right structure, and hence the right prototype. Adds
1708 inlining of new Array(...) with a non-zero number of arguments. Optimizes allocations of
1709 empty arrays.
1710
1711 * dfg/DFGAbstractState.cpp:
1712 (JSC::DFG::AbstractState::execute):
1713 * dfg/DFGByteCodeParser.cpp:
1714 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
1715 * dfg/DFGCCallHelpers.h:
1716 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
1717 (CCallHelpers):
1718 * dfg/DFGNodeType.h:
1719 (DFG):
1720 * dfg/DFGOperations.cpp:
1721 * dfg/DFGOperations.h:
1722 * dfg/DFGPredictionPropagationPhase.cpp:
1723 (JSC::DFG::PredictionPropagationPhase::propagate):
1724 * dfg/DFGSpeculativeJIT.h:
1725 (JSC::DFG::SpeculativeJIT::callOperation):
1726 * dfg/DFGSpeculativeJIT32_64.cpp:
1727 (JSC::DFG::SpeculativeJIT::compile):
1728 * dfg/DFGSpeculativeJIT64.cpp:
1729 (JSC::DFG::SpeculativeJIT::compile):
1730 * runtime/JSArray.h:
1731 (JSC):
1732 (JSC::constructArray):
1733 * runtime/JSGlobalObject.h:
1734 (JSC):
1735 (JSC::constructArray):
1736
fpizlo@apple.com0b6ad50752012-06-26 09:22:45 +000017372012-06-26 Filip Pizlo <fpizlo@apple.com>
1738
1739 New fast/js/dfg-store-unexpected-value-into-argument-and-osr-exit.html fails on 32 bit
1740 https://bugs.webkit.org/show_bug.cgi?id=89953
1741
1742 Reviewed by Zoltan Herczeg.
1743
1744 DFG 32-bit JIT was confused about the difference between a predicted type and a
1745 proven type. This is easy to get confused about, since a local that is predicted int32
1746 almost always means that the local must be an int32 since speculations are hoisted to
1747 stores to locals. But that is less likely to be the case for arguments, where there is
1748 an additional least-upper-bounding step: any store to an argument with a weird type
1749 may force the argument to be any type.
1750
1751 This patch basically duplicates the functionality in DFGSpeculativeJIT64.cpp for
1752 GetLocal: the decision of whether to load a local as an int32 (or as an array, or as
1753 a boolean) is made based on the AbstractValue::m_type, which is a type proof, rather
1754 than the VariableAccessData::prediction(), which is a predicted type.
1755
1756 * dfg/DFGSpeculativeJIT32_64.cpp:
1757 (JSC::DFG::SpeculativeJIT::compile):
1758
fpizlo@apple.com41a1f0e2012-06-26 02:53:39 +000017592012-06-25 Filip Pizlo <fpizlo@apple.com>
1760
1761 JSC should try to make profiling deterministic because otherwise reproducing failures is
1762 nearly impossible
1763 https://bugs.webkit.org/show_bug.cgi?id=89940
1764
1765 Rubber stamped by Gavin Barraclough.
1766
1767 This rolls out the part of http://trac.webkit.org/changeset/121215 that introduced randomness
1768 into the system. Now, instead of randomizing the tier-up threshold, we always set it to an
1769 artificially low (and statically predetermined!) value. This gives most of the benefit of
1770 threshold randomization without actually making the system behave completely differently on
1771 each invocation.
1772
1773 * bytecode/ExecutionCounter.cpp:
1774 (JSC::ExecutionCounter::setThreshold):
1775 * runtime/Options.cpp:
1776 (Options):
1777 (JSC::Options::initializeOptions):
1778 * runtime/Options.h:
1779 (Options):
1780
fpizlo@apple.com3745dbc2012-06-26 02:14:07 +000017812012-06-22 Filip Pizlo <fpizlo@apple.com>
1782
1783 Value profiling should use tier-up threshold randomization to get more coverage
1784 https://bugs.webkit.org/show_bug.cgi?id=89802
1785
1786 Reviewed by Gavin Barraclough.
1787
1788 This patch causes both LLInt and Baseline JIT code to take the OSR slow path several
1789 times before actually doing OSR. If we take the OSR slow path before the execution
1790 count threshold is reached, then we just call CodeBlock::updateAllPredictions() to
1791 compute the current latest least-upper-bound SpecType of all values seen in each
1792 ValueProfile.
1793
1794 * bytecode/CodeBlock.cpp:
1795 (JSC::CodeBlock::stronglyVisitStrongReferences):
1796 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1797 (JSC):
1798 (JSC::CodeBlock::updateAllPredictions):
1799 (JSC::CodeBlock::shouldOptimizeNow):
1800 * bytecode/CodeBlock.h:
1801 (JSC::CodeBlock::llintExecuteCounter):
1802 (JSC::CodeBlock::jitExecuteCounter):
1803 (CodeBlock):
1804 (JSC::CodeBlock::updateAllPredictions):
1805 * bytecode/ExecutionCounter.cpp:
1806 (JSC::ExecutionCounter::setThreshold):
1807 (JSC::ExecutionCounter::status):
1808 (JSC):
1809 * bytecode/ExecutionCounter.h:
1810 (JSC::ExecutionCounter::count):
1811 (ExecutionCounter):
1812 * dfg/DFGAbstractState.cpp:
1813 (JSC::DFG::AbstractState::execute):
1814 * dfg/DFGOperations.cpp:
1815 * dfg/DFGSpeculativeJIT.cpp:
1816 (JSC::DFG::SpeculativeJIT::compile):
1817 * jit/JITStubs.cpp:
1818 (JSC::DEFINE_STUB_FUNCTION):
1819 * llint/LLIntSlowPaths.cpp:
1820 (JSC::LLInt::jitCompileAndSetHeuristics):
1821 (JSC::LLInt::entryOSR):
1822 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1823 * runtime/JSGlobalObject.cpp:
1824 (JSC::JSGlobalObject::JSGlobalObject):
1825 (JSC):
1826 * runtime/JSGlobalObject.h:
1827 (JSGlobalObject):
1828 (JSC::JSGlobalObject::weakRandomInteger):
1829 * runtime/Options.cpp:
1830 (Options):
1831 (JSC::Options::initializeOptions):
1832 * runtime/Options.h:
1833 (Options):
1834 * runtime/WeakRandom.h:
1835 (WeakRandom):
1836 (JSC::WeakRandom::seedUnsafe):
1837
commit-queue@webkit.orgd3790912012-06-26 00:08:19 +000018382012-06-25 Yong Li <yoli@rim.com>
1839
1840 [BlackBerry] Add JSC statistics into about:memory
1841 https://bugs.webkit.org/show_bug.cgi?id=89779
1842
1843 Reviewed by Rob Buis.
1844
1845 Add MemoryStatistics.cpp into build, and fill JITBytes for BlackBerry port.
1846
1847 * PlatformBlackBerry.cmake:
1848 * runtime/MemoryStatistics.cpp:
1849 (JSC::globalMemoryStatistics):
1850
zandobersek@gmail.coma6460e12012-06-23 13:41:40 +000018512012-06-23 Sheriff Bot <webkit.review.bot@gmail.com>
1852
1853 Unreviewed, rolling out r121058.
1854 http://trac.webkit.org/changeset/121058
1855 https://bugs.webkit.org/show_bug.cgi?id=89809
1856
1857 Patch causes plugins tests to crash in GTK debug builds
1858 (Requested by zdobersek on #webkit).
1859
1860 * API/APIShims.h:
1861 (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
1862 (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
1863 (APIEntryShimWithoutLock):
1864 (JSC::APIEntryShim::APIEntryShim):
1865 (APIEntryShim):
1866 (JSC::APICallbackShim::~APICallbackShim):
1867 * API/JSContextRef.cpp:
1868 (JSGlobalContextCreate):
1869 (JSGlobalContextCreateInGroup):
1870 (JSGlobalContextRelease):
1871 (JSContextCreateBacktrace):
1872 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1873 * heap/CopiedSpace.cpp:
1874 (JSC::CopiedSpace::tryAllocateSlowCase):
1875 * heap/Heap.cpp:
1876 (JSC::Heap::protect):
1877 (JSC::Heap::unprotect):
1878 (JSC::Heap::collect):
1879 (JSC::Heap::setActivityCallback):
1880 (JSC::Heap::activityCallback):
1881 (JSC::Heap::sweeper):
1882 * heap/Heap.h:
1883 (Heap):
1884 * heap/HeapTimer.cpp:
1885 (JSC::HeapTimer::~HeapTimer):
1886 (JSC::HeapTimer::invalidate):
1887 (JSC::HeapTimer::timerDidFire):
1888 (JSC):
1889 * heap/HeapTimer.h:
1890 (HeapTimer):
1891 * heap/IncrementalSweeper.cpp:
1892 (JSC::IncrementalSweeper::doWork):
1893 (JSC::IncrementalSweeper::create):
1894 * heap/IncrementalSweeper.h:
1895 (IncrementalSweeper):
1896 * heap/MarkedAllocator.cpp:
1897 (JSC::MarkedAllocator::allocateSlowCase):
1898 * heap/WeakBlock.cpp:
1899 (JSC::WeakBlock::reap):
1900 * jsc.cpp:
1901 (functionGC):
1902 (functionReleaseExecutableMemory):
1903 (jscmain):
1904 * runtime/Completion.cpp:
1905 (JSC::checkSyntax):
1906 (JSC::evaluate):
1907 * runtime/GCActivityCallback.h:
1908 (DefaultGCActivityCallback):
1909 (JSC::DefaultGCActivityCallback::create):
1910 * runtime/JSGlobalData.cpp:
1911 (JSC::JSGlobalData::JSGlobalData):
1912 (JSC::JSGlobalData::~JSGlobalData):
1913 (JSC::JSGlobalData::sharedInstance):
1914 (JSC::JSGlobalData::sharedInstanceInternal):
1915 * runtime/JSGlobalData.h:
1916 (JSGlobalData):
1917 * runtime/JSGlobalObject.cpp:
1918 (JSC::JSGlobalObject::~JSGlobalObject):
1919 (JSC::JSGlobalObject::init):
1920 * runtime/JSLock.cpp:
1921 (JSC):
1922 (JSC::createJSLockCount):
1923 (JSC::JSLock::lockCount):
1924 (JSC::setLockCount):
1925 (JSC::JSLock::JSLock):
1926 (JSC::JSLock::lock):
1927 (JSC::JSLock::unlock):
1928 (JSC::JSLock::currentThreadIsHoldingLock):
1929 (JSC::JSLock::DropAllLocks::DropAllLocks):
1930 (JSC::JSLock::DropAllLocks::~DropAllLocks):
1931 * runtime/JSLock.h:
1932 (JSC):
1933 (JSLock):
1934 (JSC::JSLock::JSLock):
1935 (JSC::JSLock::~JSLock):
1936 (DropAllLocks):
1937 * runtime/WeakGCMap.h:
1938 (JSC::WeakGCMap::set):
1939 * testRegExp.cpp:
1940 (realMain):
1941
achicu@adobe.comcead7612012-06-23 01:23:48 +000019422012-06-22 Alexandru Chiculita <achicu@adobe.com>
1943
1944 [CSS Shaders] Re-enable the CSS Shaders compile time flag on Safari Mac
1945 https://bugs.webkit.org/show_bug.cgi?id=89781
1946
1947 Reviewed by Dean Jackson.
1948
1949 Added ENABLE_CSS_SHADERS flag as enabled by default on Safari for Mac.
1950
1951 * Configurations/FeatureDefines.xcconfig:
1952
fpizlo@apple.com16e2cbf2012-06-22 23:32:59 +000019532012-06-22 Filip Pizlo <fpizlo@apple.com>
1954
1955 DFG tier-up should happen in prologues, not epilogues
1956 https://bugs.webkit.org/show_bug.cgi?id=89752
1957
1958 Reviewed by Geoffrey Garen.
1959
1960 This change has two outcomes:
1961
1962 1) Slightly reduces the likelihood that a function will be optimized both
1963 standalone and via inlining. Previously, if you had a call sequence like foo()
1964 calls bar() exactly once, and nobody else calls bar(), then bar() would get
1965 optimized first (because it returns first) and then foo() gets optimized. If foo()
1966 can inline bar() then that means that bar() gets optimized twice. But now, if we
1967 optimize in prologues, then foo() will be optimized first. If it inlines bar(),
1968 that means that there will no longer be any calls to bar().
1969
1970 2) It lets us kill some code in JITStubs. Epilogue tier-up was very different from
1971 loop tier-up, since epilogue tier-up should not attempt OSR. But prologue tier-up
1972 requires OSR (albeit really easy OSR since it's the top of the compilation unit),
1973 so it becomes just like loop tier-up. As a result, we now have one optimization
1974 hook (cti_optimize) instead of two (cti_optimize_from_loop and
1975 cti_optimize_from_ret).
1976
1977 As a consequence of not having an optimization check in epilogues, the OSR exit
1978 code must now trigger reoptimization itself instead of just signaling the epilogue
1979 check to fire.
1980
1981 This also adds the ability to count the number of DFG compilations, which was
1982 useful for debugging this patch and might be useful for other things in the future.
1983
1984 * bytecode/CodeBlock.cpp:
1985 (JSC::CodeBlock::reoptimize):
1986 (JSC):
1987 * bytecode/CodeBlock.h:
1988 (CodeBlock):
1989 * dfg/DFGByteCodeParser.cpp:
1990 (JSC::DFG::ByteCodeParser::parseCodeBlock):
1991 * dfg/DFGDriver.cpp:
1992 (DFG):
1993 (JSC::DFG::getNumCompilations):
1994 (JSC::DFG::compile):
1995 * dfg/DFGDriver.h:
1996 (DFG):
1997 * dfg/DFGOSRExitCompiler.cpp:
1998 (JSC::DFG::OSRExitCompiler::handleExitCounts):
1999 * dfg/DFGOperations.cpp:
2000 * dfg/DFGOperations.h:
2001 * jit/JIT.cpp:
2002 (JSC::JIT::emitOptimizationCheck):
2003 * jit/JIT.h:
2004 * jit/JITCall32_64.cpp:
2005 (JSC::JIT::emit_op_ret):
2006 (JSC::JIT::emit_op_ret_object_or_this):
2007 * jit/JITOpcodes.cpp:
2008 (JSC::JIT::emit_op_ret):
2009 (JSC::JIT::emit_op_ret_object_or_this):
2010 (JSC::JIT::emit_op_enter):
2011 * jit/JITOpcodes32_64.cpp:
2012 (JSC::JIT::emit_op_enter):
2013 * jit/JITStubs.cpp:
2014 (JSC::DEFINE_STUB_FUNCTION):
2015 * jit/JITStubs.h:
2016
mhahnenberg@apple.com6d9f86d2012-06-22 21:42:46 +000020172012-06-20 Mark Hahnenberg <mhahnenberg@apple.com>
2018
2019 JSLock should be per-JSGlobalData
2020 https://bugs.webkit.org/show_bug.cgi?id=89123
2021
2022 Reviewed by Gavin Barraclough.
2023
2024 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2025 * API/APIShims.h:
2026 (APIEntryShimWithoutLock):
2027 (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): Added an extra parameter to the constructor to
2028 determine whether we should ref the JSGlobalData or not. We want to ref all the time except for in the
2029 HeapTimer class because timerDidFire could run after somebody has started to tear down that particular
2030 JSGlobalData, so we wouldn't want to resurrect the ref count of that JSGlobalData from 0 back to 1 after
2031 its destruction has begun.
2032 (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock): Now derefs if it also refed.
2033 (JSC::APIEntryShim::APIEntryShim):
2034 (APIEntryShim):
2035 (JSC::APIEntryShim::~APIEntryShim):
2036 (JSC::APIEntryShim::init): Factored out common initialization code for the various APIEntryShim constructors.
2037 Also moved the timeoutChecker stop and start here because we need to start after we've grabbed the API lock
2038 and before we've released it, which can only done in APIEntryShim.
2039 (JSC::APICallbackShim::~APICallbackShim): We no longer need to synchronize here.
2040 * API/JSContextRef.cpp:
2041 (JSGlobalContextCreate):
2042 (JSGlobalContextCreateInGroup):
2043 (JSGlobalContextRelease):
2044 (JSContextCreateBacktrace):
2045 * heap/CopiedSpace.cpp:
2046 (JSC::CopiedSpace::tryAllocateSlowCase):
2047 * heap/Heap.cpp:
2048 (JSC::Heap::protect):
2049 (JSC::Heap::unprotect):
2050 (JSC::Heap::collect):
2051 (JSC::Heap::setActivityCallback):
2052 (JSC::Heap::activityCallback):
2053 (JSC::Heap::sweeper):
2054 * heap/Heap.h: Changed m_activityCallback and m_sweeper to be raw pointers rather than OwnPtrs because they
2055 are now responsible for their own lifetime. Also changed the order of declaration of the GCActivityCallback
2056 and the IncrementalSweeper to make sure they're the last things that get initialized during construction to
2057 prevent any issues with uninitialized memory in the JSGlobalData/Heap they might care about.
2058 (Heap):
2059 * heap/HeapTimer.cpp: Refactored to allow for thread-safe operation and shutdown.
2060 (JSC::HeapTimer::~HeapTimer):
2061 (JSC::HeapTimer::invalidate):
2062 (JSC):
2063 (JSC::HeapTimer::didStartVMShutdown): Called at the beginning of ~JSGlobalData. If we're on the same thread
2064 that the HeapTimer is running on, we kill the HeapTimer ourselves. If not, then we set some state in the
2065 HeapTimer and schedule it to fire immediately so that it can notice and kill itself.
2066 (JSC::HeapTimer::timerDidFire): We grab our mutex and check our JSGlobalData pointer. If it has been zero-ed
2067 out, then we know the VM has started to shutdown and we should kill ourselves. Otherwise, grab the APIEntryShim,
2068 but without ref-ing the JSGlobalData (we don't want to bring the JSGlobalData's ref-count from 0 to 1) in case
2069 we were interrupted between releasing our mutex and trying to grab the APILock.
2070 * heap/HeapTimer.h:
2071 (HeapTimer):
2072 * heap/IncrementalSweeper.cpp:
2073 (JSC::IncrementalSweeper::doWork): We no longer need the API shim here since HeapTimer::timerDidFire handles
2074 all of that for us.
2075 (JSC::IncrementalSweeper::create):
2076 * heap/IncrementalSweeper.h:
2077 (IncrementalSweeper):
2078 * heap/MarkedAllocator.cpp:
2079 (JSC::MarkedAllocator::allocateSlowCase):
2080 * heap/WeakBlock.cpp:
2081 (JSC::WeakBlock::reap):
2082 * jsc.cpp:
2083 (functionGC):
2084 (functionReleaseExecutableMemory):
2085 (jscmain):
2086 * runtime/Completion.cpp:
2087 (JSC::checkSyntax):
2088 (JSC::evaluate):
2089 * runtime/GCActivityCallback.h:
2090 (DefaultGCActivityCallback):
2091 (JSC::DefaultGCActivityCallback::create):
2092 * runtime/JSGlobalData.cpp:
2093 (JSC::JSGlobalData::JSGlobalData):
2094 (JSC::JSGlobalData::~JSGlobalData): Signals to the two HeapTimers (GCActivityCallback and IncrementalSweeper)
2095 that the VM has started shutting down. It then waits until the HeapTimer is done with whatever activity
2096 it needs to do before continuing with any further destruction. Also asserts that we do not currently hold the
2097 APILock because this could potentially cause deadlock when we try to signal to the HeapTimers using their mutexes.
2098 (JSC::JSGlobalData::sharedInstance): Protect the initialization for the shared instance with the GlobalJSLock.
2099 (JSC::JSGlobalData::sharedInstanceInternal):
2100 * runtime/JSGlobalData.h: Change to be ThreadSafeRefCounted so that we don't have to worry about refing and
2101 de-refing JSGlobalDatas on separate threads since we don't do it that often anyways.
2102 (JSGlobalData):
2103 (JSC::JSGlobalData::apiLock):
2104 * runtime/JSGlobalObject.cpp:
2105 (JSC::JSGlobalObject::~JSGlobalObject):
2106 (JSC::JSGlobalObject::init):
2107 * runtime/JSLock.cpp:
2108 (JSC):
2109 (JSC::GlobalJSLock::GlobalJSLock): For accessing the shared instance.
2110 (JSC::GlobalJSLock::~GlobalJSLock):
2111 (JSC::JSLockHolder::JSLockHolder): MutexLocker for JSLock. Also refs the JSGlobalData to keep it alive so that
2112 it can successfully unlock it later without it disappearing from underneath it.
2113 (JSC::JSLockHolder::~JSLockHolder):
2114 (JSC::JSLock::JSLock):
2115 (JSC::JSLock::~JSLock):
2116 (JSC::JSLock::lock): Uses the spin lock for guarding the lock count and owner thread fields. Uses the mutex for
2117 actually waiting for long periods.
2118 (JSC::JSLock::unlock):
2119 (JSC::JSLock::currentThreadIsHoldingLock):
2120 (JSC::JSLock::dropAllLocks):
2121 (JSC::JSLock::dropAllLocksUnconditionally):
2122 (JSC::JSLock::grabAllLocks):
2123 (JSC::JSLock::DropAllLocks::DropAllLocks):
2124 (JSC::JSLock::DropAllLocks::~DropAllLocks):
2125 * runtime/JSLock.h:
2126 (JSC):
2127 (GlobalJSLock):
2128 (JSLockHolder):
2129 (JSLock):
2130 (DropAllLocks):
2131 * runtime/WeakGCMap.h:
2132 (JSC::WeakGCMap::set):
2133 * testRegExp.cpp:
2134 (realMain):
2135
peter@chromium.org166f5bb2012-06-22 16:20:33 +000021362012-06-22 Peter Beverloo <peter@chromium.org>
2137
2138 [Chromium] Disable c++0x compatibility warnings in JavaScriptCore.gyp when building for Android
2139 https://bugs.webkit.org/show_bug.cgi?id=88853
2140
2141 Reviewed by Steve Block.
2142
2143 The Android exclusions were necessary to fix a gyp generation error, as
2144 the gcc_version variable wasn't being defined for Android. Remove these
2145 exceptions when Chromium is able to define the gcc_version variable.
2146
2147 * JavaScriptCore.gyp/JavaScriptCore.gyp:
2148
fpizlo@apple.com90011802012-06-22 01:33:30 +000021492012-06-21 Filip Pizlo <fpizlo@apple.com>
2150
2151 op_resolve_global should not prevent DFG inlining
2152 https://bugs.webkit.org/show_bug.cgi?id=89726
2153
2154 Reviewed by Gavin Barraclough.
2155
2156 * bytecode/CodeBlock.cpp:
2157 (JSC::CodeBlock::CodeBlock):
2158 (JSC::CodeBlock::shrinkToFit):
2159 * bytecode/GlobalResolveInfo.h:
2160 (JSC::GlobalResolveInfo::GlobalResolveInfo):
2161 (GlobalResolveInfo):
2162 * dfg/DFGByteCodeParser.cpp:
2163 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2164 * dfg/DFGCapabilities.h:
2165 (JSC::DFG::canInlineOpcode):
2166 * dfg/DFGOperations.cpp:
2167 * dfg/DFGOperations.h:
2168 * dfg/DFGSpeculativeJIT.h:
2169 (JSC::DFG::SpeculativeJIT::callOperation):
2170 * dfg/DFGSpeculativeJIT32_64.cpp:
2171 (JSC::DFG::SpeculativeJIT::compile):
2172 * dfg/DFGSpeculativeJIT64.cpp:
2173 (JSC::DFG::SpeculativeJIT::compile):
2174
fpizlo@apple.com618044d2012-06-21 22:55:42 +000021752012-06-20 Filip Pizlo <fpizlo@apple.com>
2176
2177 DFG should inline 'new Array()'
2178 https://bugs.webkit.org/show_bug.cgi?id=89632
2179
2180 Reviewed by Geoffrey Garen.
2181
2182 This adds support for treating InternalFunction like intrinsics. The code
2183 to do so is actually quite clean, so I don't feel bad about perpetuating
2184 the InternalFunction vs. JSFunction-with-NativeExecutable dichotomy.
2185
2186 Currently this newfound power is only used to inline 'new Array()'.
2187
2188 * dfg/DFGByteCodeParser.cpp:
2189 (ByteCodeParser):
2190 (JSC::DFG::ByteCodeParser::handleCall):
2191 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2192 (DFG):
2193 * dfg/DFGGraph.h:
2194 (JSC::DFG::Graph::isInternalFunctionConstant):
2195 (JSC::DFG::Graph::valueOfInternalFunctionConstant):
2196
mhahnenberg@apple.coma2373032012-06-21 22:38:39 +000021972012-06-21 Mark Hahnenberg <mhahnenberg@apple.com>
2198
2199 Adding copyrights to new files.
2200
2201 * heap/HeapTimer.cpp:
2202 * heap/HeapTimer.h:
2203 * heap/IncrementalSweeper.cpp:
2204 * heap/IncrementalSweeper.h:
2205
commit-queue@webkit.orgc8209e72012-06-21 17:34:26 +000022062012-06-21 Arnaud Renevier <arno@renevier.net>
2207
2208 make sure headers are included only once per file
2209 https://bugs.webkit.org/show_bug.cgi?id=88922
2210
2211 Reviewed by Alexey Proskuryakov.
2212
2213 * bytecode/CodeBlock.h:
2214 * heap/MachineStackMarker.cpp:
2215 * runtime/JSVariableObject.h:
2216
commit-queue@webkit.orgbff9a102012-06-21 15:46:40 +000022172012-06-21 Ryuan Choi <ryuan.choi@gmail.com>
2218
2219 [EFL][WK2] Make WebKit2/Efl headers and resources installable.
2220 https://bugs.webkit.org/show_bug.cgi?id=88207
2221
2222 Reviewed by Chang Shu.
2223
2224 * shell/CMakeLists.txt: Use ${EXEC_INSTALL_DIR} instead of hardcoding "bin"
2225
ggaren@apple.com4b67d0d2012-06-21 02:00:08 +000022262012-06-20 Geoffrey Garen <ggaren@apple.com>
2227
2228 Reduced (but did not eliminate) use of "berzerker GC"
2229 https://bugs.webkit.org/show_bug.cgi?id=89237
2230
2231 Reviewed by Gavin Barraclough.
2232
2233 (PART 1)
2234
2235 This patch turned out to be crashy, so I'm landing the non-crashy bits
2236 first.
2237
2238 This part is pre-requisite refactoring. I didn't actually turn off
2239 "berzerker GC" or turn on incremental shrinking.
2240
2241 * heap/MarkedAllocator.cpp:
2242 (JSC::MarkedAllocator::removeBlock): Make sure to clear the free list when
2243 we throw away the block we're currently allocating out of. Otherwise, we'll
2244 allocate out of a stale free list.
2245
2246 * heap/MarkedSpace.cpp:
2247 (JSC::Free::Free):
2248 (JSC::Free::operator()):
2249 (JSC::Free::returnValue): Refactored this functor to use a shared helper
2250 function, so we can share our implementation with the incremental sweeper.
2251
2252 Also changed to freeing individual blocks immediately instead of linking
2253 them into a list for later freeing. This makes the programming interface
2254 simpler, and it's slightly more efficient to boot.
2255
2256 (JSC::MarkedSpace::~MarkedSpace): Updated for rename.
2257
2258 (JSC::MarkedSpace::freeBlock):
2259 (JSC::MarkedSpace::freeOrShrinkBlock): New helper functions to share behavior
2260 with the incremental sweeper.
2261
2262 (JSC::MarkedSpace::shrink): Updated for new functor behavior.
2263
2264 * heap/MarkedSpace.h: Statically typed languages are awesome.
2265
fpizlo@apple.com8c462122012-06-20 21:07:33 +000022662012-06-20 Filip Pizlo <fpizlo@apple.com>
2267
fpizlo@apple.com3bcb2112012-06-21 01:38:49 +00002268 DFG should optimize ResolveGlobal
2269 https://bugs.webkit.org/show_bug.cgi?id=89617
2270
2271 Reviewed by Oliver Hunt.
2272
2273 This adds inlining of ResolveGlobal accesses that are known monomorphic. It also
2274 adds the specific function optimization to ResolveGlobal, when it is inlined. And,
2275 it makes internal functions act like specific functions, since that will be the
2276 most common use-case of this optimization.
2277
2278 This is only a slighy speed-up (sub 1%), since we don't yet do the obvious thing
2279 with this optimization, which is to completely inline common "globally resolved"
2280 function and constructor calls, like "new Array()".
2281
2282 * CMakeLists.txt:
2283 * GNUmakefile.list.am:
2284 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
2285 * JavaScriptCore.xcodeproj/project.pbxproj:
2286 * Target.pri:
2287 * bytecode/CodeBlock.cpp:
2288 (JSC::CodeBlock::globalResolveInfoForBytecodeOffset):
2289 * bytecode/CodeBlock.h:
2290 (CodeBlock):
2291 (JSC::CodeBlock::numberOfGlobalResolveInfos):
2292 * bytecode/GlobalResolveInfo.h:
2293 (JSC::getGlobalResolveInfoBytecodeOffset):
2294 (JSC):
2295 * bytecode/ResolveGlobalStatus.cpp: Added.
2296 (JSC):
2297 (JSC::computeForStructure):
2298 (JSC::computeForLLInt):
2299 (JSC::ResolveGlobalStatus::computeFor):
2300 * bytecode/ResolveGlobalStatus.h: Added.
2301 (JSC):
2302 (ResolveGlobalStatus):
2303 (JSC::ResolveGlobalStatus::ResolveGlobalStatus):
2304 (JSC::ResolveGlobalStatus::state):
2305 (JSC::ResolveGlobalStatus::isSet):
2306 (JSC::ResolveGlobalStatus::operator!):
2307 (JSC::ResolveGlobalStatus::isSimple):
2308 (JSC::ResolveGlobalStatus::takesSlowPath):
2309 (JSC::ResolveGlobalStatus::structure):
2310 (JSC::ResolveGlobalStatus::offset):
2311 (JSC::ResolveGlobalStatus::specificValue):
2312 * dfg/DFGByteCodeParser.cpp:
2313 (ByteCodeParser):
2314 (JSC::DFG::ByteCodeParser::handleGetByOffset):
2315 (DFG):
2316 (JSC::DFG::ByteCodeParser::handleGetById):
2317 (JSC::DFG::ByteCodeParser::parseBlock):
2318 * runtime/JSObject.cpp:
2319 (JSC::getCallableObjectSlow):
2320 (JSC):
2321 (JSC::JSObject::put):
2322 (JSC::JSObject::putDirectVirtual):
2323 (JSC::JSObject::putDirectAccessor):
2324 * runtime/JSObject.h:
2325 (JSC):
2326 (JSC::getCallableObject):
2327 (JSC::JSObject::putOwnDataProperty):
2328 (JSC::JSObject::putDirect):
2329 (JSC::JSObject::putDirectWithoutTransition):
2330
23312012-06-20 Filip Pizlo <fpizlo@apple.com>
2332
        Functions on global objects should be specializable
        https://bugs.webkit.org/show_bug.cgi?id=89615

        Reviewed by Oliver Hunt.

        I tested to see if this brought back the bug in https://bugs.webkit.org/show_bug.cgi?id=33343,
        and it didn't. Bug 33343 was the reason why we disabled global object function specialization
        to begin with. So I'm guessing this is safe.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2012-06-20  Filip Pizlo  <fpizlo@apple.com>

        build-webkit failure due to illegal 32-bit integer constants in code
        generated by offlineasm
        https://bugs.webkit.org/show_bug.cgi?id=89347

        Reviewed by Geoffrey Garen.

        The offending constants are the magic numbers used by offlineasm to find
        offsets in the generated machine code. Added code to turn them into what
        the C++ compiler will believe to be valid 32-bit values.

        * offlineasm/offsets.rb:

2012-06-19  Geoffrey Garen  <ggaren@apple.com>

        Made the incremental sweeper more aggressive
        https://bugs.webkit.org/show_bug.cgi?id=89527

        Reviewed by Oliver Hunt.

        This is a pre-requisite to getting rid of "berzerker GC" because we need
        the sweeper to reclaim memory in a timely fashion, or we'll see a memory
        footprint regression.

        * heap/IncrementalSweeper.h:
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::scheduleTimer): Since the time slice is predictable,
        no need to use a data member to record it.

        (JSC::IncrementalSweeper::doSweep): Sweep as many blocks as we can in a
        small time slice. This is better than sweeping only one block per timer
        fire because that strategy has a heavy timer overhead, and artificially
        delays memory reclamation.

2012-06-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to print disassembly interleaved with the IR
        https://bugs.webkit.org/show_bug.cgi?id=89551

        Reviewed by Geoffrey Garen.

        This change also removes running Dominators unconditionally on every DFG
        compile. Dominators are designed to be computed on-demand, and currently
        the only demand is graph dumps.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::labelIgnoringWatchpoints):
        (ARMv7Assembler):
        * assembler/AbstractMacroAssembler.h:
        (AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::labelIgnoringWatchpoints):
        * assembler/X86Assembler.h:
        (X86Assembler):
        (JSC::X86Assembler::labelIgnoringWatchpoints):
        * dfg/DFGCommon.h:
        (JSC::DFG::shouldShowDisassembly):
        (DFG):
        * dfg/DFGDisassembler.cpp: Added.
        (DFG):
        (JSC::DFG::Disassembler::Disassembler):
        (JSC::DFG::Disassembler::dump):
        (JSC::DFG::Disassembler::dumpDisassembly):
        * dfg/DFGDisassembler.h: Added.
        (DFG):
        (Disassembler):
        (JSC::DFG::Disassembler::setStartOfCode):
        (JSC::DFG::Disassembler::setForBlock):
        (JSC::DFG::Disassembler::setForNode):
        (JSC::DFG::Disassembler::setEndOfMainPath):
        (JSC::DFG::Disassembler::setEndOfCode):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::amountOfNodeWhiteSpace):
        (DFG):
        (JSC::DFG::Graph::printNodeWhiteSpace):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (DFG):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        (JSC::DFG::JITCompiler::setStartOfCode):
        (JSC::DFG::JITCompiler::setForBlock):
        (JSC::DFG::JITCompiler::setForNode):
        (JSC::DFG::JITCompiler::setEndOfMainPath):
        (JSC::DFG::JITCompiler::setEndOfCode):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::willHaveCodeGen):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):

2012-06-19  Filip Pizlo  <fpizlo@apple.com>

        JSC should be able to show disassembly for all generated JIT code
        https://bugs.webkit.org/show_bug.cgi?id=89536

        Reviewed by Gavin Barraclough.

        Now instead of doing linkBuffer.finalizeCode(), you do
        FINALIZE_CODE(linkBuffer, (... explanation ...)). FINALIZE_CODE() then
        prints your explanation and the disassembled code, if
        Options::showDisassembly is set to true.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/LinkBuffer.cpp: Added.
        (JSC):
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::performFinalization):
        (JSC::LinkBuffer::dumpLinkStatistics):
        (JSC::LinkBuffer::dumpCode):
        * assembler/LinkBuffer.h:
        (LinkBuffer):
        (JSC):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::tryToDisassemble):
        (MacroAssemblerCodeRef):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * disassembler/Disassembler.h:
        (JSC):
        (JSC::tryToDisassemble):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassemble):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCode.h:
        (JSC::JITCode::tryToDisassemble):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::powThunkGenerator):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2012-06-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        [Qt][Mac] REGRESSION(r120742): It broke the build
        https://bugs.webkit.org/show_bug.cgi?id=89516

        Reviewed by Geoffrey Garen.

        Removing GCActivityCallbackCF.cpp because it doesn't mesh well with cross-platform
        code on Darwin (e.g. Qt). We now use plain ol' vanilla ifdefs to handle platforms
        without CF support. These if-defs will probably disappear in the future when we
        use cross-platform timers in HeapTimer.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/GCActivityCallback.cpp:
        (JSC):
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::doWork):
        (JSC::DefaultGCActivityCallback::scheduleTimer):
        (JSC::DefaultGCActivityCallback::cancelTimer):
        (JSC::DefaultGCActivityCallback::didAllocate):
        (JSC::DefaultGCActivityCallback::willCollect):
        (JSC::DefaultGCActivityCallback::cancel):
        * runtime/GCActivityCallbackCF.cpp: Removed.

2012-06-19  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA forgets to notify subsequent phases of found constants if it proves LogicalNot to be a constant
        https://bugs.webkit.org/show_bug.cgi?id=89511
        <rdar://problem/11700089>

        Reviewed by Geoffrey Garen.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2012-06-19  Mark Lam  <mark.lam@apple.com>

        CodeBlock::needsCallReturnIndices() is no longer needed.
        https://bugs.webkit.org/show_bug.cgi?id=89490

        Reviewed by Geoffrey Garen.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::needsCallReturnIndices): removed.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2012-06-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, try to fix Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:

2012-06-17  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to look at disassembly
        https://bugs.webkit.org/show_bug.cgi?id=89319

        Reviewed by Sam Weinig.

        This imports the udis86 disassembler library. The library is placed
        behind an abstraction in disassembler/Disassembler.h, so that we can
        in the future use other disassemblers (for other platforms) whenever
        appropriate. As a first step, the disassembler is being invoked for
        DFG verbose dumps.

        If we ever want to merge a new version of udis86 in the future, I've
        made notes about changes I made to the library in
        disassembler/udis86/differences.txt.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JavaScriptCore.pri:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * disassembler: Added.
        * disassembler/Disassembler.h: Added.
        (JSC):
        (JSC::tryToDisassemble):
        * disassembler/UDis86Disassembler.cpp: Added.
        (JSC):
        (JSC::tryToDisassemble):
        * disassembler/udis86: Added.
        * disassembler/udis86/differences.txt: Added.
        * disassembler/udis86/itab.py: Added.
        (UdItabGenerator):
        (UdItabGenerator.__init__):
        (UdItabGenerator.toGroupId):
        (UdItabGenerator.genLookupTable):
        (UdItabGenerator.genLookupTableList):
        (UdItabGenerator.genInsnTable):
        (genItabH):
        (genItabH.UD_ITAB_H):
        (genItabC):
        (genItab):
        (main):
        * disassembler/udis86/optable.xml: Added.
        * disassembler/udis86/ud_opcode.py: Added.
        (UdOpcodeTables):
        (UdOpcodeTables.sizeOfTable):
        (UdOpcodeTables.nameOfTable):
        (UdOpcodeTables.updateTable):
        (UdOpcodeTables.Insn):
        (UdOpcodeTables.Insn.__init__):
        (UdOpcodeTables.Insn.__init__.opcode):
        (UdOpcodeTables.parse):
        (UdOpcodeTables.addInsnDef):
        (UdOpcodeTables.print_table):
        (UdOpcodeTables.print_tree):
        * disassembler/udis86/ud_optable.py: Added.
        (UdOptableXmlParser):
        (UdOptableXmlParser.parseDef):
        (UdOptableXmlParser.parse):
        (printFn):
        (parse):
        (main):
        * disassembler/udis86/udis86.c: Added.
        (ud_init):
        (ud_disassemble):
        (ud_set_mode):
        (ud_set_vendor):
        (ud_set_pc):
        (ud):
        (ud_insn_asm):
        (ud_insn_off):
        (ud_insn_hex):
        (ud_insn_ptr):
        (ud_insn_len):
        * disassembler/udis86/udis86.h: Added.
        * disassembler/udis86/udis86_decode.c: Added.
        (eff_adr_mode):
        (ud_lookup_mnemonic):
        (decode_prefixes):
        (modrm):
        (resolve_operand_size):
        (resolve_mnemonic):
        (decode_a):
        (decode_gpr):
        (resolve_gpr64):
        (resolve_gpr32):
        (resolve_reg):
        (decode_imm):
        (decode_modrm_reg):
        (decode_modrm_rm):
        (decode_o):
        (decode_operand):
        (decode_operands):
        (clear_insn):
        (resolve_mode):
        (gen_hex):
        (decode_insn):
        (decode_3dnow):
        (decode_ssepfx):
        (decode_ext):
        (decode_opcode):
        (ud_decode):
        * disassembler/udis86/udis86_decode.h: Added.
        (ud_itab_entry_operand):
        (ud_itab_entry):
        (ud_lookup_table_list_entry):
        (sse_pfx_idx):
        (mode_idx):
        (modrm_mod_idx):
        (vendor_idx):
        (is_group_ptr):
        (group_idx):
        * disassembler/udis86/udis86_extern.h: Added.
        * disassembler/udis86/udis86_input.c: Added.
        (inp_buff_hook):
        (inp_file_hook):
        (ud):
        (ud_set_user_opaque_data):
        (ud_get_user_opaque_data):
        (ud_set_input_buffer):
        (ud_set_input_file):
        (ud_input_skip):
        (ud_input_end):
        (ud_inp_next):
        (ud_inp_back):
        (ud_inp_peek):
        (ud_inp_move):
        (ud_inp_uint8):
        (ud_inp_uint16):
        (ud_inp_uint32):
        (ud_inp_uint64):
        * disassembler/udis86/udis86_input.h: Added.
        * disassembler/udis86/udis86_itab_holder.c: Added.
        * disassembler/udis86/udis86_syn-att.c: Added.
        (opr_cast):
        (gen_operand):
        (ud_translate_att):
        * disassembler/udis86/udis86_syn-intel.c: Added.
        (opr_cast):
        (gen_operand):
        (ud_translate_intel):
        * disassembler/udis86/udis86_syn.c: Added.
        * disassembler/udis86/udis86_syn.h: Added.
        (mkasm):
        * disassembler/udis86/udis86_types.h: Added.
        (ud_operand):
        (ud):
        * jit/JITCode.h:
        (JITCode):
        (JSC::JITCode::tryToDisassemble):

2012-06-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        GCActivityCallback and IncrementalSweeper should share code
        https://bugs.webkit.org/show_bug.cgi?id=89400

        Reviewed by Geoffrey Garen.

        A lot of functionality is duplicated between GCActivityCallback and IncrementalSweeper.
        We should extract the common functionality out into a separate class that both of them
        can inherit from. This refactoring will be an even greater boon when we add the ability
        to shut these two agents down in a thread-safe fashion.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/Heap.cpp:
        (JSC::Heap::Heap): Move initialization down so that the JSGlobalData has a valid Heap when
        we're initializing the GCActivityCallback and the IncrementalSweeper.
        * heap/Heap.h:
        (Heap):
        * heap/HeapTimer.cpp: Added.
        (JSC):
        (JSC::HeapTimer::HeapTimer): Initialize the various base class data that
        DefaultGCActivityCallback::commonConstructor() used to do.
        (JSC::HeapTimer::~HeapTimer): Call to invalidate().
        (JSC::HeapTimer::synchronize): Same functionality as the old DefaultGCActivityCallback::synchronize().
        Virtual so that non-CF subclasses can override.
        (JSC::HeapTimer::invalidate): Tears down the runloop timer to prevent any future firing.
        (JSC::HeapTimer::timerDidFire): Callback to pass to the timer function. Casts and calls the virtual doWork().
        * heap/HeapTimer.h: Added. This is the class that serves as the common base class for
        both GCActivityCallback and IncrementalSweeper. It handles setting up and tearing down run loops and synchronizing
        across threads for its subclasses.
        (JSC):
        (HeapTimer):
        * heap/IncrementalSweeper.cpp: Changes to accommodate the extraction of common functionality
        between IncrementalSweeper and GCActivityCallback into a common ancestor.
        (JSC):
        (JSC::IncrementalSweeper::doWork):
        (JSC::IncrementalSweeper::IncrementalSweeper):
        (JSC::IncrementalSweeper::cancelTimer):
        (JSC::IncrementalSweeper::create):
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::doWork):
        * runtime/GCActivityCallback.h:
        (GCActivityCallback):
        (JSC::GCActivityCallback::willCollect):
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC):
        (DefaultGCActivityCallback): Remove the platform data struct. The platform data should be kept in
        the class itself so as to be accessible by doWork(). Most of the platform data for CF is kept in
        HeapTimer anyways, so we only need the m_delay field now.
        * runtime/GCActivityCallbackBlackBerry.cpp:
        (JSC):
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::doWork):
        (JSC::DefaultGCActivityCallback::didAllocate):
        * runtime/GCActivityCallbackCF.cpp:
        (JSC):
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::doWork):
        (JSC::DefaultGCActivityCallback::scheduleTimer):
        (JSC::DefaultGCActivityCallback::cancelTimer):
        (JSC::DefaultGCActivityCallback::didAllocate):
        (JSC::DefaultGCActivityCallback::willCollect):
        (JSC::DefaultGCActivityCallback::cancel):

2012-06-19  Mike West  <mkwst@chromium.org>

        Introduce ENABLE_CSP_NEXT configuration flag.
        https://bugs.webkit.org/show_bug.cgi?id=89300

        Reviewed by Adam Barth.

        The 1.0 draft of the Content Security Policy spec is just about to
        move to Last Call. We'll hide work on the upcoming 1.1 spec behind
        this ENABLE flag, disabled by default.

        Spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html

        * Configurations/FeatureDefines.xcconfig:

2012-06-18  Mark Lam  <mark.lam@apple.com>

        Changed JSC to always record line number information so that error.stack
        and window.onerror() can report proper line numbers.
        https://bugs.webkit.org/show_bug.cgi?id=89410

        Reviewed by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::lineNumberForBytecodeOffset):
        (JSC::CodeBlock::shrinkToFit): m_lineInfo is now available unconditionally.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addLineInfo):
        (JSC::CodeBlock::hasLineInfo): Unused. Now removed.
        (JSC::CodeBlock::needsCallReturnIndices):
        (CodeBlock):
        (RareData): Hoisted m_lineInfo out of m_rareData. m_lineInfo is now
        filled in unconditionally.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::addLineInfo):

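The entry above keeps a per-CodeBlock line table (addLineInfo / lineNumberForBytecodeOffset) so that a bytecode offset can always be mapped back to a source line for error.stack. The following is an added example, not JSC's code: a minimal sorted (offset, line) table with a binary-search lookup in the same shape. The class name LineTable, the struct LineInfo, the sampleTable() helper and the use of 0 for "no line information" are assumptions made for this illustration.

```cpp
// Added example (not JSC's code): a sorted table of (bytecode offset, source line)
// pairs and a binary-search lookup, modelled on the addLineInfo /
// lineNumberForBytecodeOffset pair named in the ChangeLog entry above.
#include <algorithm>
#include <cassert>
#include <vector>

struct LineInfo {
    unsigned instructionOffset;  // first bytecode offset that belongs to lineNumber
    unsigned lineNumber;
};

class LineTable {
public:
    // The bytecode emitter records entries in increasing offset order; if it
    // changes line again at the same offset, the later line wins.
    void addLineInfo(unsigned instructionOffset, unsigned lineNumber) {
        assert(m_lineInfo.empty() || instructionOffset >= m_lineInfo.back().instructionOffset);
        if (!m_lineInfo.empty() && m_lineInfo.back().instructionOffset == instructionOffset) {
            m_lineInfo.back().lineNumber = lineNumber;
            return;
        }
        m_lineInfo.push_back({instructionOffset, lineNumber});
    }

    // Returns the line whose offset range contains bytecodeOffset.
    // 0 means no entry precedes the offset (assumption: 0 is never a real line).
    unsigned lineNumberForBytecodeOffset(unsigned bytecodeOffset) const {
        auto it = std::upper_bound(m_lineInfo.begin(), m_lineInfo.end(), bytecodeOffset,
            [](unsigned offset, const LineInfo& entry) { return offset < entry.instructionOffset; });
        if (it == m_lineInfo.begin())
            return 0;
        return (it - 1)->lineNumber;
    }

    size_t size() const { return m_lineInfo.size(); }

private:
    std::vector<LineInfo> m_lineInfo;
};

// Constructed sample: a function whose emitter changed source line at offsets 0, 12 and 30.
static LineTable sampleTable() {
    LineTable table;
    table.addLineInfo(0, 10);
    table.addLineInfo(12, 11);
    table.addLineInfo(30, 14);
    return table;
}
```

Because the table is sorted by offset, lookup is O(log n) in the number of line changes rather than in the number of bytecodes, which is what makes recording it unconditionally cheap enough.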
2012-06-18  Andy Estes  <aestes@apple.com>

        Fix r120663, which didn't land the change that was reviewed.

2012-06-18  Andy Estes  <aestes@apple.com>

        [JSC] In JSGlobalData.cpp, enableAssembler() sometimes leaks two CF objects
        https://bugs.webkit.org/show_bug.cgi?id=89415

        Reviewed by Sam Weinig.

        In the case where canUseJIT was a non-NULL CFBooleanRef,
        enableAssembler() would leak both canUseJITKey and canUseJIT by
        returning before calling CFRelease. Fix this by using RetainPtr.

        * runtime/JSGlobalData.cpp:
        (JSC::enableAssembler):

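The leak described above is the classic manual-release-at-the-bottom pattern defeated by an early return. The following is an added example, not WebKit's code and not its RetainPtr class: a constructed reference-counted object stands in for the two CF objects, the leaky function mirrors the shape of the bug, and a minimal RAII holder (ScopedRetain, an illustrative name) shows why an adopting smart pointer releases on every exit path. CountedObject, createObject, releaseObject, liveObjectCount and the preferenceIsSet parameter are all assumptions of this illustration.

```cpp
// Added example (not WebKit's code): an early return that skips manual release
// calls, beside the RAII holder that closes the leak. The refcounted object is a
// constructed stand-in for a CF object so the leak is observable in a test.
#include <cassert>

struct CountedObject {
    int refCount = 1;                  // "Create"/"Copy" functions return a +1 reference
};

static int g_liveObjects = 0;          // number of CountedObjects currently alive
static int liveObjectCount() { return g_liveObjects; }

// Stand-in for CFStringCreateWithCString / CFPreferencesCopyAppValue: returns +1.
static CountedObject* createObject() {
    ++g_liveObjects;
    return new CountedObject();
}

// Stand-in for CFRelease: tolerates null, frees at zero.
static void releaseObject(CountedObject* object) {
    if (!object)
        return;
    if (--object->refCount == 0) {
        --g_liveObjects;
        delete object;
    }
}

// The buggy shape: both releases sit after the early return, so whenever the
// preference lookup returns an object (preferenceIsSet, an assumed parameter),
// neither object is released.
static bool enableAssemblerLeaky(bool preferenceIsSet) {
    CountedObject* canUseJITKey = createObject();
    CountedObject* canUseJIT = preferenceIsSet ? createObject() : nullptr;
    if (canUseJIT)
        return true;                   // BUG: leaks canUseJITKey and canUseJIT
    releaseObject(canUseJITKey);
    return false;
}

// Minimal RAII holder in the spirit of an adopting smart pointer (illustrative,
// not WebKit's RetainPtr): takes ownership of a +1 reference and releases it in
// the destructor, which runs on every return path.
template <typename T>
class ScopedRetain {
public:
    explicit ScopedRetain(T* adopted = nullptr) : m_ptr(adopted) {}
    ~ScopedRetain() { releaseObject(m_ptr); }
    ScopedRetain(const ScopedRetain&) = delete;
    ScopedRetain& operator=(const ScopedRetain&) = delete;
    T* get() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }

private:
    T* m_ptr;
};

// The fixed shape: no explicit release calls at all, so no path can forget one.
static bool enableAssemblerFixed(bool preferenceIsSet) {
    ScopedRetain<CountedObject> canUseJITKey(createObject());
    ScopedRetain<CountedObject> canUseJIT(preferenceIsSet ? createObject() : nullptr);
    if (canUseJIT)
        return true;                   // both holders release here
    return false;                      // and here
}
```

The test below exercises both shapes with the preference present and absent; only the leaky function with the preference present leaves objects alive afterwards.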
2012-06-17  Geoffrey Garen  <ggaren@apple.com>

        GC copy phase spends needless cycles zero-filling blocks
        https://bugs.webkit.org/show_bug.cgi?id=89128

        Reviewed by Gavin Barraclough.

        We only need to zero-fill when we're allocating memory that might not
        get fully initialized before GC.

        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::createNoZeroFill):
        (JSC::CopiedBlock::create): Added a way to create without zero-filling.
        This is our optimization.

        (JSC::CopiedBlock::zeroFillToEnd):
        (JSC::CopiedBlock::CopiedBlock): Split zero-filling out from creation,
        so we can sometimes create without zero-filling.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::init):
        (JSC::CopiedSpace::tryAllocateSlowCase):
        (JSC::CopiedSpace::doneCopying): Renamed addNewBlock to allocateBlock()
        to clarify that the new block is always newly-allocated.

        (JSC::CopiedSpace::doneFillingBlock): Make sure to zero-fill to the end
        of a block that might be used in the future for allocation. (Most of the
        time, this is a no-op, since we've already filled the block completely.)

        (JSC::CopiedSpace::getFreshBlock): Removed this function because the
        abstraction of "allocation must succeed" is no longer useful.

        * heap/CopiedSpace.h: Updated declarations to match.

        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::allocateBlockForCopyingPhase): New function, which
        knows that it can skip zero-filling.

        Added tighter scoping to our lock, to improve parallelism.

        (JSC::CopiedSpace::allocateBlock): Folded getFreshBlock functionality
        into this function, for simplicity.

        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::startCopying):
        (JSC::SlotVisitor::allocateNewSpace): Use our new zero-fill-free helper
        function for great good.

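The entry above splits block creation from zero-filling and relies on doneFillingBlock to clear the unused tail before a copying-phase block is kept for ordinary allocation. The following is an added example, not JSC's code: a bump-allocated Block with create() / createNoZeroFill() / zeroFillToEnd() in the same shape, plus a copyObjectsIntoBlock() helper that models the copying phase. The Block class, its 256-byte capacity, the 0xAB poison written in its constructor (so that unzeroed bytes are observable) and the helper are all assumptions of this illustration.

```cpp
// Added example (not JSC's code): a block that can be created with or without
// zero-filling, and a copying-phase routine that clears only the unused tail
// before the block is retained for later allocation.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>
#include <vector>

class Block {
public:
    static constexpr size_t capacity = 256;   // assumed size for the illustration

    // Ordinary allocation path: slots may be observed before they are fully
    // initialized (e.g. by a GC), so the whole payload is cleared up front.
    static std::unique_ptr<Block> create() {
        std::unique_ptr<Block> block(new Block());
        block->zeroFillToEnd();
        return block;
    }

    // Copying-phase path: every allocated byte is written by the copy, so the
    // up-front memset is wasted work and is skipped.
    static std::unique_ptr<Block> createNoZeroFill() {
        return std::unique_ptr<Block>(new Block());
    }

    // Bump allocation; returns nullptr when the request does not fit.
    void* allocate(size_t bytes) {
        if (bytes > capacity - m_offset)
            return nullptr;
        void* result = m_payload + m_offset;
        m_offset += bytes;
        return result;
    }

    // Clears only the bytes past the allocation pointer. A no-op when the block
    // is full, which is the common case after the copying phase.
    void zeroFillToEnd() { std::memset(m_payload + m_offset, 0, capacity - m_offset); }

    size_t bytesUsed() const { return m_offset; }
    uint8_t byteAt(size_t index) const { return m_payload[index]; }

    bool tailIsZero() const {
        for (size_t i = m_offset; i < capacity; ++i) {
            if (m_payload[i])
                return false;
        }
        return true;
    }

private:
    // Poison the payload so that "not zero-filled" is visible in the test
    // (constructed for this example; real memory would just hold stale bytes).
    Block() { std::memset(m_payload, 0xAB, capacity); }

    size_t m_offset = 0;
    uint8_t m_payload[capacity];
};

// Models the copying phase: objects of the given sizes are copied into a block
// created without zero-filling, each written in full, and the tail is cleared
// before the block is handed back (doneFillingBlock in the entry above).
static std::unique_ptr<Block> copyObjectsIntoBlock(const std::vector<size_t>& objectSizes) {
    std::unique_ptr<Block> block = Block::createNoZeroFill();
    for (size_t size : objectSizes) {
        void* slot = block->allocate(size);
        if (!slot)
            break;                         // a real collector would start a new block
        std::memset(slot, 0x11, size);     // stands in for copying the object's bytes
    }
    block->zeroFillToEnd();
    return block;
}
```

The invariant the test checks is the one the entry depends on: bytes the copying phase wrote are untouched, and every byte past the allocation pointer is zero before the block can be allocated from again.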
2012-06-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should attempt to use structure watchpoints for all inlined get_by_id's and put_by_id's
        https://bugs.webkit.org/show_bug.cgi?id=89316

        Reviewed by Oliver Hunt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):

2012-06-15  Yong Li  <yoli@rim.com>

        [BlackBerry] Put platform-specific GC policy in GCActivityCallback
        https://bugs.webkit.org/show_bug.cgi?id=89236

        Reviewed by Rob Buis.

        Add GCActivityCallbackBlackBerry.cpp and implement platform-specific
        low memory GC policy there.

        * PlatformBlackBerry.cmake:
        * heap/Heap.h:
        (JSC::Heap::isSafeToCollect): Added.
        * runtime/GCActivityCallbackBlackBerry.cpp: Added.
        (JSC):
        (JSC::DefaultGCActivityCallbackPlatformData::DefaultGCActivityCallbackPlatformData):
        (DefaultGCActivityCallbackPlatformData):
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::~DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::didAllocate):
        (JSC::DefaultGCActivityCallback::willCollect):
        (JSC::DefaultGCActivityCallback::synchronize):
        (JSC::DefaultGCActivityCallback::cancel):

2012-06-15  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to set watchpoints on structure transitions in the
        method check prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=89058

        Adding the same assertion to 32-bit that I added to 64-bit. This change
        does not affect correctness but it's a good thing for assertion coverage.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-06-13  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to set watchpoints on structure transitions in the
        method check prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=89058

        Reviewed by Gavin Barraclough.

        This adds the ability to set watchpoints on Structures, and then does
        the most modest thing we can do with this ability: the DFG now sets
        watchpoints on structure transitions in the prototype chain of method
        checks.

        This appears to be a >1% speed-up on V8.

        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/StructureSet.h:
        (JSC::StructureSet::containsOnly):
        (StructureSet):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::WatchpointSet):
        (JSC::InlineWatchpointSet::add):
        (JSC):
        (JSC::InlineWatchpointSet::inflateSlow):
        (JSC::InlineWatchpointSet::freeFat):
        * bytecode/Watchpoint.h:
        (WatchpointSet):
        (JSC):
        (InlineWatchpointSet):
        (JSC::InlineWatchpointSet::InlineWatchpointSet):
        (JSC::InlineWatchpointSet::~InlineWatchpointSet):
        (JSC::InlineWatchpointSet::hasBeenInvalidated):
        (JSC::InlineWatchpointSet::isStillValid):
        (JSC::InlineWatchpointSet::startWatching):
        (JSC::InlineWatchpointSet::notifyWrite):
        (JSC::InlineWatchpointSet::isFat):
        (JSC::InlineWatchpointSet::fat):
        (JSC::InlineWatchpointSet::inflate):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (CSEPhase):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCommon.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isCellConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReferences):
        (JITCompiler):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasStructure):
        (Node):
        (JSC::DFG::Node::structure):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitPutTransitionStub):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCachePutByID):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        (JSC::Structure::transitionWatchpointSetHasBeenInvalidated):
        (Structure):
        (JSC::Structure::transitionWatchpointSetIsStillValid):
        (JSC::Structure::addTransitionWatchpoint):
        (JSC::Structure::notifyTransitionFromThisStructure):
        (JSC::JSCell::setStructure):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::attemptToWatch):

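The two 2012-06-13 entries here (structure transition watchpoints above, and the global variable watchpoints entry that follows, which describes WatchpointSet in detail: a set that can be fired all at once, remembers that it was ever invalidated so the optimizer never re-watches it, and has a trivial fast path when nothing is watched) share one mechanism. The following is an added example, not JSC's code: a WatchpointSet with that monotonic state machine, and a constructed WatchedGlobal / OptimizedCode pair showing a compiler folding a global to a constant and being forced to exit when the global is written. The enum WatchpointState, the std::function stand-in for "plant a jump over the recorded label", and the two scenario structs are assumptions of this illustration.

```cpp
// Added example (not JSC's code): a monotonic WatchpointSet in the shape the
// ChangeLog entries describe. Firing is modelled as invoking a callback, where
// the real JIT patches a jump over a recorded watchpoint label.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <utility>
#include <vector>

enum class WatchpointState : uint8_t { ClearWatchpoint, IsWatched, IsInvalidated };

struct Watchpoint {
    std::function<void()> fire;   // stand-in for "replace the label with a jump to the OSR exit"
};

class WatchpointSet {
public:
    bool isStillValid() const { return m_state != WatchpointState::IsInvalidated; }
    bool hasBeenInvalidated() const { return !isStillValid(); }

    // Called before relying on the watched condition. Once a set has fired it
    // stays invalidated, so this refuses and the caller must not constant-fold.
    bool startWatching() {
        if (hasBeenInvalidated())
            return false;
        m_state = WatchpointState::IsWatched;
        return true;
    }

    bool add(Watchpoint watchpoint) {
        if (!startWatching())
            return false;
        m_watchpoints.push_back(std::move(watchpoint));
        return true;
    }

    // Write barrier on the watched thing. When nothing is watched this is a
    // one-byte compare and branch, which is what makes it cheap to put on every store.
    void notifyWrite() {
        if (m_state != WatchpointState::IsWatched)
            return;
        fireAll();
    }

    size_t watchpointCount() const { return m_watchpoints.size(); }

private:
    void fireAll() {
        m_state = WatchpointState::IsInvalidated;   // set before firing: monotonic
        std::vector<Watchpoint> toFire;
        toFire.swap(m_watchpoints);                  // a fired watchpoint is never fired twice
        for (Watchpoint& watchpoint : toFire)
            watchpoint.fire();
    }

    WatchpointState m_state = WatchpointState::ClearWatchpoint;
    std::vector<Watchpoint> m_watchpoints;
};

// Constructed scenario: a global variable whose store performs the write check.
struct WatchedGlobal {
    int value = 42;
    WatchpointSet watchpointSet;
    void store(int newValue) {
        value = newValue;
        watchpointSet.notifyWrite();
    }
};

// Constructed "optimized code": folds the global to a constant under a watchpoint
// and records whether it was forced to exit.
struct OptimizedCode {
    int folded = 0;
    bool exited = false;
    bool compile(WatchedGlobal& global) {
        if (!global.watchpointSet.add(Watchpoint{[this] { exited = true; }}))
            return false;                            // already invalidated: do not fold
        folded = global.value;
        return true;
    }
};
```

The test below walks the lifecycle: compile folds the value, a store fires the set and exits the code, a second compile against the same global is refused, and a store to an unwatched global takes the fast path without invalidating anything.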
2012-06-13  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to set watchpoints on global variables
        https://bugs.webkit.org/show_bug.cgi?id=88692

        Reviewed by Geoffrey Garen.

        Rolling back in after fixing Windows build issues, and implementing
        branchTest8 for the Qt port's strange assemblers.

        This implements global variable constant folding by allowing the optimizing
        compiler to set a "watchpoint" on globals that it wishes to constant fold.
        If the watchpoint fires, then an OSR exit is forced by overwriting the
        machine code that the optimizing compiler generated with a jump.

        As such, this patch is adding quite a bit of stuff:

        - Jump replacement on those hardware targets supported by the optimizing
          JIT. It is now possible to patch in a jump instruction over any recorded
          watchpoint label. The jump must be "local" in the sense that it must be
          within the range of the largest jump distance supported by a one
          instruction jump.

        - WatchpointSets and Watchpoints. A Watchpoint is a doubly-linked list node
          that records the location where a jump must be inserted and the
          destination to which it should jump. Watchpoints can be added to a
          WatchpointSet. The WatchpointSet can be fired all at once, which plants
          all jumps. WatchpointSet also remembers if it had ever been invalidated,
          which allows for monotonicity: we typically don't want to optimize using
          watchpoints on something for which watchpoints had previously fired. The
          act of notifying a WatchpointSet has a trivial fast path in case no
          Watchpoints are registered (one-byte load+branch).

        - SpeculativeJIT::speculationWatchpoint(). It's like speculationCheck(),
          except that you don't have to emit branches. But, you need to know what
          WatchpointSet to add the resulting Watchpoint to. Not everything that
          you could write a speculationCheck() for will have a WatchpointSet that
          would get notified if the condition you were speculating against became
          invalid.

        - SymbolTableEntry now has the ability to refer to a WatchpointSet. It can
          do so without incurring any space overhead for those entries that don't
          have WatchpointSets.

        - The bytecode generator infers all global function variables to be
          watchable, and makes all stores perform the WatchpointSet's write check,
          and marks all loads as being potentially watchable (i.e. you can compile
          them to a watchpoint and a constant).

        Put together, this allows for fully sleazy inlining of calls to globally
        declared functions. The inline prologue will no longer contain the load of
        the function, or any checks of the function you're calling. I.e. it's
        pretty much like the kind of inlining you would see in Java or C++.
        Furthermore, the watchpointing functionality is built to be fairly general,
        and should allow setting watchpoints on all sorts of interesting things
        in the future.

        The sleazy inlining means that we will now sometimes inline in code paths
        that have never executed. Previously, to inline we would have either had
        to have executed the call (to read the call's inline cache) or have
        executed the method check (to read the method check's inline cache). Now,
        we might inline when the callee is a watched global variable. This
        revealed some humorous bugs. First, constant folding disagreed with CFA
        over what kinds of operations can clobber (example: code path A is dead
        but stores a String into variable X, all other code paths store 0 into
        X, and then you do CompareEq(X, 0) - CFA will say that this is a non-
        clobbering constant, but constant folding thought it was clobbering
        because it saw the String prediction). Second, inlining would crash if
        the inline callee had not been compiled. This patch fixes both bugs,
        since otherwise run-javascriptcore-tests would report regressions.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::ARMv7Assembler):
        (JSC::ARMv7Assembler::labelForWatchpoint):
        (JSC::ARMv7Assembler::label):
        (JSC::ARMv7Assembler::replaceWithJump):
        (JSC::ARMv7Assembler::maxJumpReplacementSize):
        * assembler/AbstractMacroAssembler.h:
        (JSC):
        (AbstractMacroAssembler):
        (Label):
        (JSC::AbstractMacroAssembler::watchpointLabel):
        (JSC::AbstractMacroAssembler::readPointer):
        * assembler/AssemblerBuffer.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchTest8):
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::replaceWithJump):
        (JSC::MacroAssemblerARM::maxJumpReplacementSize):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load8Signed):
        (JSC::MacroAssemblerARMv7::load16Signed):
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::replaceWithJump):
        (JSC::MacroAssemblerARMv7::maxJumpReplacementSize):
        (JSC::MacroAssemblerARMv7::branchTest8):
        (JSC::MacroAssemblerARMv7::jump):
        (JSC::MacroAssemblerARMv7::makeBranch):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchTest8):
        (MacroAssemblerMIPS):
        (JSC::MacroAssemblerMIPS::replaceWithJump):
        (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchTest8):
        (MacroAssemblerSH4):
        (JSC::MacroAssemblerSH4::replaceWithJump):
        (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
        * assembler/MacroAssemblerX86.h:
        (MacroAssemblerX86):
        (JSC::MacroAssemblerX86::branchTest8):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::replaceWithJump):
        (MacroAssemblerX86Common):
        (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
        * assembler/MacroAssemblerX86_64.h:
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::branchTest8):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::X86Assembler):
        (X86Assembler):
        (JSC::X86Assembler::cmpb_im):
        (JSC::X86Assembler::testb_im):
        (JSC::X86Assembler::labelForWatchpoint):
        (JSC::X86Assembler::label):
        (JSC::X86Assembler::replaceWithJump):
        (JSC::X86Assembler::maxJumpReplacementSize):
        (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
        * bytecode/CodeBlock.cpp:
        (JSC):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::appendOSRExit):
        (JSC::CodeBlock::appendSpeculationRecovery):
        (CodeBlock):
        (JSC::CodeBlock::appendWatchpoint):
        (JSC::CodeBlock::numberOfWatchpoints):
        (JSC::CodeBlock::watchpoint):
        (DFGData):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        (JSC::DFG::exitKindIsCountable):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForChain):
3239 * bytecode/Instruction.h:
3240 (Instruction):
3241 (JSC::Instruction::Instruction):
3242 * bytecode/Opcode.h:
3243 (JSC):
3244 (JSC::padOpcodeName):
3245 * bytecode/Watchpoint.cpp: Added.
3246 (JSC):
3247 (JSC::Watchpoint::~Watchpoint):
3248 (JSC::Watchpoint::correctLabels):
3249 (JSC::Watchpoint::fire):
3250 (JSC::WatchpointSet::WatchpointSet):
3251 (JSC::WatchpointSet::~WatchpointSet):
3252 (JSC::WatchpointSet::add):
3253 (JSC::WatchpointSet::notifyWriteSlow):
3254 (JSC::WatchpointSet::fireAllWatchpoints):
3255 * bytecode/Watchpoint.h: Added.
3256 (JSC):
3257 (Watchpoint):
3258 (JSC::Watchpoint::Watchpoint):
3259 (JSC::Watchpoint::setDestination):
3260 (WatchpointSet):
3261 (JSC::WatchpointSet::isStillValid):
3262 (JSC::WatchpointSet::hasBeenInvalidated):
3263 (JSC::WatchpointSet::startWatching):
3264 (JSC::WatchpointSet::notifyWrite):
3265 (JSC::WatchpointSet::addressOfIsWatched):
3266 * bytecompiler/BytecodeGenerator.cpp:
3267 (JSC::ResolveResult::checkValidity):
3268 (JSC::BytecodeGenerator::addGlobalVar):
3269 (JSC::BytecodeGenerator::BytecodeGenerator):
3270 (JSC::BytecodeGenerator::resolve):
3271 (JSC::BytecodeGenerator::emitResolve):
3272 (JSC::BytecodeGenerator::emitResolveWithBase):
3273 (JSC::BytecodeGenerator::emitResolveWithThis):
3274 (JSC::BytecodeGenerator::emitGetStaticVar):
3275 (JSC::BytecodeGenerator::emitPutStaticVar):
3276 * bytecompiler/BytecodeGenerator.h:
3277 (BytecodeGenerator):
3278 * bytecompiler/NodesCodegen.cpp:
3279 (JSC::FunctionCallResolveNode::emitBytecode):
3280 (JSC::PostfixResolveNode::emitBytecode):
3281 (JSC::PrefixResolveNode::emitBytecode):
3282 (JSC::ReadModifyResolveNode::emitBytecode):
3283 (JSC::AssignResolveNode::emitBytecode):
3284 (JSC::ConstDeclNode::emitCodeSingle):
3285 * dfg/DFGAbstractState.cpp:
3286 (JSC::DFG::AbstractState::execute):
3287 (JSC::DFG::AbstractState::clobberStructures):
3288 * dfg/DFGAbstractState.h:
3289 (AbstractState):
3290 (JSC::DFG::AbstractState::didClobber):
3291 * dfg/DFGByteCodeParser.cpp:
3292 (JSC::DFG::ByteCodeParser::handleInlining):
3293 (JSC::DFG::ByteCodeParser::parseBlock):
3294 * dfg/DFGCCallHelpers.h:
3295 (CCallHelpers):
3296 (JSC::DFG::CCallHelpers::setupArguments):
3297 * dfg/DFGCSEPhase.cpp:
3298 (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
3299 (CSEPhase):
3300 (JSC::DFG::CSEPhase::globalVarStoreElimination):
3301 (JSC::DFG::CSEPhase::performNodeCSE):
3302 * dfg/DFGCapabilities.h:
3303 (JSC::DFG::canCompileOpcode):
3304 * dfg/DFGConstantFoldingPhase.cpp:
3305 (JSC::DFG::ConstantFoldingPhase::run):
3306 * dfg/DFGCorrectableJumpPoint.h:
3307 (JSC::DFG::CorrectableJumpPoint::isSet):
3308 (CorrectableJumpPoint):
3309 * dfg/DFGJITCompiler.cpp:
3310 (JSC::DFG::JITCompiler::linkOSRExits):
3311 (JSC::DFG::JITCompiler::link):
3312 * dfg/DFGNode.h:
3313 (JSC::DFG::Node::hasIdentifierNumberForCheck):
3314 (Node):
3315 (JSC::DFG::Node::identifierNumberForCheck):
3316 (JSC::DFG::Node::hasRegisterPointer):
3317 * dfg/DFGNodeType.h:
3318 (DFG):
3319 * dfg/DFGOSRExit.cpp:
3320 (JSC::DFG::OSRExit::OSRExit):
3321 * dfg/DFGOSRExit.h:
3322 (OSRExit):
3323 * dfg/DFGOperations.cpp:
3324 * dfg/DFGOperations.h:
3325 * dfg/DFGPredictionPropagationPhase.cpp:
3326 (JSC::DFG::PredictionPropagationPhase::propagate):
3327 * dfg/DFGSpeculativeJIT.h:
3328 (JSC::DFG::SpeculativeJIT::callOperation):
3329 (JSC::DFG::SpeculativeJIT::appendCall):
3330 (SpeculativeJIT):
3331 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
3332 * dfg/DFGSpeculativeJIT32_64.cpp:
3333 (JSC::DFG::SpeculativeJIT::compile):
3334 * dfg/DFGSpeculativeJIT64.cpp:
3335 (JSC::DFG::SpeculativeJIT::compile):
3336 * interpreter/Interpreter.cpp:
3337 (JSC::Interpreter::privateExecute):
3338 * jit/JIT.cpp:
3339 (JSC::JIT::privateCompileMainPass):
3340 (JSC::JIT::privateCompileSlowCases):
3341 * jit/JIT.h:
3342 * jit/JITPropertyAccess.cpp:
3343 (JSC::JIT::emit_op_put_global_var_check):
3344 (JSC):
3345 (JSC::JIT::emitSlow_op_put_global_var_check):
3346 * jit/JITPropertyAccess32_64.cpp:
3347 (JSC::JIT::emit_op_put_global_var_check):
3348 (JSC):
3349 (JSC::JIT::emitSlow_op_put_global_var_check):
3350 * jit/JITStubs.cpp:
3351 (JSC::DEFINE_STUB_FUNCTION):
3352 (JSC):
3353 * jit/JITStubs.h:
3354 * llint/LLIntSlowPaths.cpp:
3355 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3356 (LLInt):
3357 * llint/LLIntSlowPaths.h:
3358 (LLInt):
3359 * llint/LowLevelInterpreter32_64.asm:
3360 * llint/LowLevelInterpreter64.asm:
3361 * runtime/JSObject.cpp:
3362 (JSC::JSObject::removeDirect):
3363 * runtime/JSObject.h:
3364 (JSObject):
3365 * runtime/JSSymbolTableObject.h:
3366 (JSC::symbolTableGet):
3367 (JSC::symbolTablePut):
3368 (JSC::symbolTablePutWithAttributes):
3369 * runtime/SymbolTable.cpp: Added.
3370 (JSC):
3371 (JSC::SymbolTableEntry::copySlow):
3372 (JSC::SymbolTableEntry::freeFatEntrySlow):
3373 (JSC::SymbolTableEntry::couldBeWatched):
3374 (JSC::SymbolTableEntry::attemptToWatch):
3375 (JSC::SymbolTableEntry::addressOfIsWatched):
3376 (JSC::SymbolTableEntry::addWatchpoint):
3377 (JSC::SymbolTableEntry::notifyWriteSlow):
3378 (JSC::SymbolTableEntry::inflateSlow):
3379 * runtime/SymbolTable.h:
3380 (JSC):
3381 (SymbolTableEntry):
3382 (Fast):
3383 (JSC::SymbolTableEntry::Fast::Fast):
3384 (JSC::SymbolTableEntry::Fast::isNull):
3385 (JSC::SymbolTableEntry::Fast::getIndex):
3386 (JSC::SymbolTableEntry::Fast::isReadOnly):
3387 (JSC::SymbolTableEntry::Fast::getAttributes):
3388 (JSC::SymbolTableEntry::Fast::isFat):
3389 (JSC::SymbolTableEntry::SymbolTableEntry):
3390 (JSC::SymbolTableEntry::~SymbolTableEntry):
3391 (JSC::SymbolTableEntry::operator=):
3392 (JSC::SymbolTableEntry::isNull):
3393 (JSC::SymbolTableEntry::getIndex):
3394 (JSC::SymbolTableEntry::getFast):
3395 (JSC::SymbolTableEntry::getAttributes):
3396 (JSC::SymbolTableEntry::isReadOnly):
3397 (JSC::SymbolTableEntry::watchpointSet):
3398 (JSC::SymbolTableEntry::notifyWrite):
3399 (FatEntry):
3400 (JSC::SymbolTableEntry::FatEntry::FatEntry):
3401 (JSC::SymbolTableEntry::isFat):
3402 (JSC::SymbolTableEntry::fatEntry):
3403 (JSC::SymbolTableEntry::inflate):
3404 (JSC::SymbolTableEntry::bits):
3405 (JSC::SymbolTableEntry::freeFatEntry):
3406 (JSC::SymbolTableEntry::pack):
3407 (JSC::SymbolTableEntry::isValidIndex):
3408
zandobersek@gmail.com88d53732012-06-13 09:38:42 +000034092012-06-13 Sheriff Bot <webkit.review.bot@gmail.com>
3410
3411 Unreviewed, rolling out r120172.
3412 http://trac.webkit.org/changeset/120172
3413 https://bugs.webkit.org/show_bug.cgi?id=88976
3414
3415 The patch causes compilation failures on Gtk, Qt and Apple Win
3416 bots (Requested by zdobersek on #webkit).
3417
3418 * CMakeLists.txt:
3419 * GNUmakefile.list.am:
3420 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3421 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3422 * JavaScriptCore.xcodeproj/project.pbxproj:
3423 * Target.pri:
3424 * assembler/ARMv7Assembler.h:
3425 (JSC::ARMv7Assembler::nop):
3426 (JSC::ARMv7Assembler::label):
3427 (JSC::ARMv7Assembler::readPointer):
3428 (ARMv7Assembler):
3429 * assembler/AbstractMacroAssembler.h:
3430 (JSC):
3431 (AbstractMacroAssembler):
3432 (Label):
3433 * assembler/AssemblerBuffer.h:
3434 * assembler/MacroAssemblerARM.h:
3435 * assembler/MacroAssemblerARMv7.h:
3436 (JSC::MacroAssemblerARMv7::nop):
3437 (JSC::MacroAssemblerARMv7::jump):
3438 (JSC::MacroAssemblerARMv7::makeBranch):
3439 * assembler/MacroAssemblerMIPS.h:
3440 * assembler/MacroAssemblerSH4.h:
3441 * assembler/MacroAssemblerX86.h:
3442 (MacroAssemblerX86):
3443 (JSC::MacroAssemblerX86::moveWithPatch):
3444 * assembler/MacroAssemblerX86Common.h:
3445 * assembler/MacroAssemblerX86_64.h:
3446 (JSC::MacroAssemblerX86_64::branchTest8):
3447 * assembler/X86Assembler.h:
3448 (JSC::X86Assembler::cmpb_im):
3449 (JSC::X86Assembler::codeSize):
3450 (JSC::X86Assembler::label):
3451 (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
3452 * bytecode/CodeBlock.cpp:
3453 (JSC::CodeBlock::dump):
3454 * bytecode/CodeBlock.h:
3455 (JSC::CodeBlock::appendOSRExit):
3456 (JSC::CodeBlock::appendSpeculationRecovery):
3457 (DFGData):
3458 * bytecode/DFGExitProfile.h:
3459 (JSC::DFG::exitKindToString):
3460 (JSC::DFG::exitKindIsCountable):
3461 * bytecode/Instruction.h:
3462 * bytecode/Opcode.h:
3463 (JSC):
3464 (JSC::padOpcodeName):
3465 * bytecode/Watchpoint.cpp: Removed.
3466 * bytecode/Watchpoint.h: Removed.
3467 * bytecompiler/BytecodeGenerator.cpp:
3468 (JSC::ResolveResult::checkValidity):
3469 (JSC::BytecodeGenerator::addGlobalVar):
3470 (JSC::BytecodeGenerator::BytecodeGenerator):
3471 (JSC::BytecodeGenerator::resolve):
3472 (JSC::BytecodeGenerator::emitResolve):
3473 (JSC::BytecodeGenerator::emitResolveWithBase):
3474 (JSC::BytecodeGenerator::emitResolveWithThis):
3475 (JSC::BytecodeGenerator::emitGetStaticVar):
3476 (JSC::BytecodeGenerator::emitPutStaticVar):
3477 * bytecompiler/BytecodeGenerator.h:
3478 (BytecodeGenerator):
3479 * bytecompiler/NodesCodegen.cpp:
3480 (JSC::FunctionCallResolveNode::emitBytecode):
3481 (JSC::PostfixResolveNode::emitBytecode):
3482 (JSC::PrefixResolveNode::emitBytecode):
3483 (JSC::ReadModifyResolveNode::emitBytecode):
3484 (JSC::AssignResolveNode::emitBytecode):
3485 (JSC::ConstDeclNode::emitCodeSingle):
3486 * dfg/DFGAbstractState.cpp:
3487 (JSC::DFG::AbstractState::execute):
3488 (JSC::DFG::AbstractState::clobberStructures):
3489 * dfg/DFGAbstractState.h:
3490 (AbstractState):
3491 * dfg/DFGByteCodeParser.cpp:
3492 (JSC::DFG::ByteCodeParser::handleInlining):
3493 (JSC::DFG::ByteCodeParser::parseBlock):
3494 * dfg/DFGCCallHelpers.h:
3495 (JSC::DFG::CCallHelpers::setupArguments):
3496 * dfg/DFGCSEPhase.cpp:
3497 (JSC::DFG::CSEPhase::globalVarStoreElimination):
3498 (JSC::DFG::CSEPhase::performNodeCSE):
3499 * dfg/DFGCapabilities.h:
3500 (JSC::DFG::canCompileOpcode):
3501 * dfg/DFGConstantFoldingPhase.cpp:
3502 (JSC::DFG::ConstantFoldingPhase::run):
3503 * dfg/DFGCorrectableJumpPoint.h:
3504 * dfg/DFGJITCompiler.cpp:
3505 (JSC::DFG::JITCompiler::linkOSRExits):
3506 (JSC::DFG::JITCompiler::link):
3507 * dfg/DFGNode.h:
3508 (JSC::DFG::Node::hasRegisterPointer):
3509 * dfg/DFGNodeType.h:
3510 (DFG):
3511 * dfg/DFGOSRExit.cpp:
3512 (JSC::DFG::OSRExit::OSRExit):
3513 * dfg/DFGOSRExit.h:
3514 (OSRExit):
3515 * dfg/DFGOperations.cpp:
3516 * dfg/DFGOperations.h:
3517 * dfg/DFGPredictionPropagationPhase.cpp:
3518 (JSC::DFG::PredictionPropagationPhase::propagate):
3519 * dfg/DFGSpeculativeJIT.h:
3520 (JSC::DFG::SpeculativeJIT::callOperation):
3521 (JSC::DFG::SpeculativeJIT::appendCallSetResult):
3522 (JSC::DFG::SpeculativeJIT::speculationCheck):
3523 * dfg/DFGSpeculativeJIT32_64.cpp:
3524 (JSC::DFG::SpeculativeJIT::compile):
3525 * dfg/DFGSpeculativeJIT64.cpp:
3526 (JSC::DFG::SpeculativeJIT::compile):
3527 * jit/JIT.cpp:
3528 (JSC::JIT::privateCompileMainPass):
3529 (JSC::JIT::privateCompileSlowCases):
3530 * jit/JIT.h:
3531 * jit/JITPropertyAccess.cpp:
3532 * jit/JITPropertyAccess32_64.cpp:
3533 * jit/JITStubs.cpp:
3534 * jit/JITStubs.h:
3535 * llint/LLIntSlowPaths.cpp:
3536 * llint/LLIntSlowPaths.h:
3537 (LLInt):
3538 * llint/LowLevelInterpreter32_64.asm:
3539 * llint/LowLevelInterpreter64.asm:
3540 * runtime/JSObject.cpp:
3541 (JSC::JSObject::removeDirect):
3542 * runtime/JSObject.h:
3543 (JSObject):
3544 * runtime/JSSymbolTableObject.h:
3545 (JSC::symbolTableGet):
3546 (JSC::symbolTablePut):
3547 (JSC::symbolTablePutWithAttributes):
3548 * runtime/SymbolTable.cpp: Removed.
3549 * runtime/SymbolTable.h:
3550 (JSC):
3551 (JSC::SymbolTableEntry::isNull):
3552 (JSC::SymbolTableEntry::getIndex):
3553 (SymbolTableEntry):
3554 (JSC::SymbolTableEntry::getAttributes):
3555 (JSC::SymbolTableEntry::isReadOnly):
3556 (JSC::SymbolTableEntry::pack):
3557 (JSC::SymbolTableEntry::isValidIndex):
3558
fpizlo@apple.com3bdd4c92012-06-13 04:56:22 +000035592012-06-12 Filip Pizlo <fpizlo@apple.com>
3560
fpizlo@apple.comb6c5eeb2012-06-13 08:20:39 +00003561 DFG should be able to set watchpoints on global variables
3562 https://bugs.webkit.org/show_bug.cgi?id=88692
3563
3564 Reviewed by Geoffrey Garen.
3565
3566 This implements global variable constant folding by allowing the optimizing
3567 compiler to set a "watchpoint" on globals that it wishes to constant fold.
3568 If the watchpoint fires, then an OSR exit is forced by overwriting the
3569 machine code that the optimizing compiler generated with a jump.
3570
3571 As such, this patch is adding quite a bit of stuff:
3572
3573 - Jump replacement on those hardware targets supported by the optimizing
3574 JIT. It is now possible to patch in a jump instruction over any recorded
3575 watchpoint label. The jump must be "local" in the sense that it must be
3576 within the range of the largest jump distance supported by a one
3577 instruction jump.
3578
3579 - WatchpointSets and Watchpoints. A Watchpoint is a doubly-linked list node
3580 that records the location where a jump must be inserted and the
3581 destination to which it should jump. Watchpoints can be added to a
3582 WatchpointSet. The WatchpointSet can be fired all at once, which plants
3583 all jumps. WatchpointSet also remembers if it had ever been invalidated,
3584 which allows for monotonicity: we typically don't want to optimize using
3585 watchpoints on something for which watchpoints had previously fired. The
3586 act of notifying a WatchpointSet has a trivial fast path in case no
3587 Watchpoints are registered (one-byte load+branch).
3588
3589 - SpeculativeJIT::speculationWatchpoint(). It's like speculationCheck(),
3590 except that you don't have to emit branches. But, you need to know what
3591 WatchpointSet to add the resulting Watchpoint to. Not everything that
3592 you could write a speculationCheck() for will have a WatchpointSet that
3593 would get notified if the condition you were speculating against became
3594 invalid.
3595
3596 - SymbolTableEntry now has the ability to refer to a WatchpointSet. It can
3597 do so without incurring any space overhead for those entries that don't
3598 have WatchpointSets.
3599
3600 - The bytecode generator infers all global function variables to be
3601 watchable, and makes all stores perform the WatchpointSet's write check,
3602 and marks all loads as being potentially watchable (i.e. you can compile
3603 them to a watchpoint and a constant).
3604
3605 Put together, this allows for fully sleazy inlining of calls to globally
3606 declared functions. The inline prologue will no longer contain the load of
3607 the function, or any checks of the function you're calling. I.e. it's
3608 pretty much like the kind of inlining you would see in Java or C++.
3609 Furthermore, the watchpointing functionality is built to be fairly general,
3610 and should allow setting watchpoints on all sorts of interesting things
3611 in the future.
3612
3613 The sleazy inlining means that we will now sometimes inline in code paths
3614 that have never executed. Previously, to inline we would have either had
3615 to have executed the call (to read the call's inline cache) or have
3616 executed the method check (to read the method check's inline cache). Now,
3617 we might inline when the callee is a watched global variable. This
3618 revealed some humorous bugs. First, constant folding disagreed with CFA
3619 over what kinds of operations can clobber (example: code path A is dead
3620 but stores a String into variable X, all other code paths store 0 into
3621 X, and then you do CompareEq(X, 0) - CFA will say that this is a non-
3622 clobbering constant, but constant folding thought it was clobbering
3623 because it saw the String prediction). Second, inlining would crash if
3624 the inline callee had not been compiled. This patch fixes both bugs,
3625 since otherwise run-javascriptcore-tests would report regressions.
3626
3627 * CMakeLists.txt:
3628 * GNUmakefile.list.am:
3629 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3630 * JavaScriptCore.xcodeproj/project.pbxproj:
3631 * Target.pri:
3632 * assembler/ARMv7Assembler.h:
3633 (ARMv7Assembler):
3634 (JSC::ARMv7Assembler::ARMv7Assembler):
3635 (JSC::ARMv7Assembler::labelForWatchpoint):
3636 (JSC::ARMv7Assembler::label):
3637 (JSC::ARMv7Assembler::replaceWithJump):
3638 (JSC::ARMv7Assembler::maxJumpReplacementSize):
3639 * assembler/AbstractMacroAssembler.h:
3640 (JSC):
3641 (AbstractMacroAssembler):
3642 (Label):
3643 (JSC::AbstractMacroAssembler::watchpointLabel):
3644 * assembler/AssemblerBuffer.h:
3645 * assembler/MacroAssemblerARM.h:
3646 (JSC::MacroAssemblerARM::replaceWithJump):
3647 (MacroAssemblerARM):
3648 (JSC::MacroAssemblerARM::maxJumpReplacementSize):
3649 * assembler/MacroAssemblerARMv7.h:
3650 (MacroAssemblerARMv7):
3651 (JSC::MacroAssemblerARMv7::replaceWithJump):
3652 (JSC::MacroAssemblerARMv7::maxJumpReplacementSize):
3653 (JSC::MacroAssemblerARMv7::branchTest8):
3654 (JSC::MacroAssemblerARMv7::jump):
3655 (JSC::MacroAssemblerARMv7::makeBranch):
3656 * assembler/MacroAssemblerMIPS.h:
3657 (JSC::MacroAssemblerMIPS::replaceWithJump):
3658 (MacroAssemblerMIPS):
3659 (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
3660 * assembler/MacroAssemblerSH4.h:
3661 (JSC::MacroAssemblerSH4::replaceWithJump):
3662 (MacroAssemblerSH4):
3663 (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
3664 * assembler/MacroAssemblerX86.h:
3665 (MacroAssemblerX86):
3666 (JSC::MacroAssemblerX86::branchTest8):
3667 * assembler/MacroAssemblerX86Common.h:
3668 (JSC::MacroAssemblerX86Common::replaceWithJump):
3669 (MacroAssemblerX86Common):
3670 (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
3671 * assembler/MacroAssemblerX86_64.h:
3672 (MacroAssemblerX86_64):
3673 (JSC::MacroAssemblerX86_64::branchTest8):
3674 * assembler/X86Assembler.h:
3675 (JSC::X86Assembler::X86Assembler):
3676 (X86Assembler):
3677 (JSC::X86Assembler::cmpb_im):
3678 (JSC::X86Assembler::testb_im):
3679 (JSC::X86Assembler::labelForWatchpoint):
3680 (JSC::X86Assembler::label):
3681 (JSC::X86Assembler::replaceWithJump):
3682 (JSC::X86Assembler::maxJumpReplacementSize):
3683 (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
3684 * bytecode/CodeBlock.cpp:
3685 (JSC::CodeBlock::dump):
3686 * bytecode/CodeBlock.h:
3687 (JSC::CodeBlock::appendOSRExit):
3688 (JSC::CodeBlock::appendSpeculationRecovery):
3689 (CodeBlock):
3690 (JSC::CodeBlock::appendWatchpoint):
3691 (JSC::CodeBlock::numberOfWatchpoints):
3692 (JSC::CodeBlock::watchpoint):
3693 (DFGData):
3694 * bytecode/DFGExitProfile.h:
3695 (JSC::DFG::exitKindToString):
3696 (JSC::DFG::exitKindIsCountable):
3697 * bytecode/Instruction.h:
3698 (Instruction):
3699 (JSC::Instruction::Instruction):
3700 * bytecode/Opcode.h:
3701 (JSC):
3702 (JSC::padOpcodeName):
3703 * bytecode/Watchpoint.cpp: Added.
3704 (JSC):
3705 (JSC::Watchpoint::~Watchpoint):
3706 (JSC::Watchpoint::correctLabels):
3707 (JSC::Watchpoint::fire):
3708 (JSC::WatchpointSet::WatchpointSet):
3709 (JSC::WatchpointSet::~WatchpointSet):
3710 (JSC::WatchpointSet::add):
3711 (JSC::WatchpointSet::notifyWriteSlow):
3712 (JSC::WatchpointSet::fireAllWatchpoints):
3713 * bytecode/Watchpoint.h: Added.
3714 (JSC):
3715 (Watchpoint):
3716 (JSC::Watchpoint::Watchpoint):
3717 (JSC::Watchpoint::setDestination):
3718 (WatchpointSet):
3719 (JSC::WatchpointSet::isStillValid):
3720 (JSC::WatchpointSet::hasBeenInvalidated):
3721 (JSC::WatchpointSet::startWatching):
3722 (JSC::WatchpointSet::notifyWrite):
3723 (JSC::WatchpointSet::addressOfIsWatched):
3724 * bytecompiler/BytecodeGenerator.cpp:
3725 (JSC::ResolveResult::checkValidity):
3726 (JSC::BytecodeGenerator::addGlobalVar):
3727 (JSC::BytecodeGenerator::BytecodeGenerator):
3728 (JSC::BytecodeGenerator::resolve):
3729 (JSC::BytecodeGenerator::emitResolve):
3730 (JSC::BytecodeGenerator::emitResolveWithBase):
3731 (JSC::BytecodeGenerator::emitResolveWithThis):
3732 (JSC::BytecodeGenerator::emitGetStaticVar):
3733 (JSC::BytecodeGenerator::emitPutStaticVar):
3734 * bytecompiler/BytecodeGenerator.h:
3735 (BytecodeGenerator):
3736 * bytecompiler/NodesCodegen.cpp:
3737 (JSC::FunctionCallResolveNode::emitBytecode):
3738 (JSC::PostfixResolveNode::emitBytecode):
3739 (JSC::PrefixResolveNode::emitBytecode):
3740 (JSC::ReadModifyResolveNode::emitBytecode):
3741 (JSC::AssignResolveNode::emitBytecode):
3742 (JSC::ConstDeclNode::emitCodeSingle):
3743 * dfg/DFGAbstractState.cpp:
3744 (JSC::DFG::AbstractState::execute):
3745 (JSC::DFG::AbstractState::clobberStructures):
3746 * dfg/DFGAbstractState.h:
3747 (AbstractState):
3748 (JSC::DFG::AbstractState::didClobber):
3749 * dfg/DFGByteCodeParser.cpp:
3750 (JSC::DFG::ByteCodeParser::handleInlining):
3751 (JSC::DFG::ByteCodeParser::parseBlock):
3752 * dfg/DFGCCallHelpers.h:
3753 (CCallHelpers):
3754 (JSC::DFG::CCallHelpers::setupArguments):
3755 * dfg/DFGCSEPhase.cpp:
3756 (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
3757 (CSEPhase):
3758 (JSC::DFG::CSEPhase::globalVarStoreElimination):
3759 (JSC::DFG::CSEPhase::performNodeCSE):
3760 * dfg/DFGCapabilities.h:
3761 (JSC::DFG::canCompileOpcode):
3762 * dfg/DFGConstantFoldingPhase.cpp:
3763 (JSC::DFG::ConstantFoldingPhase::run):
3764 * dfg/DFGCorrectableJumpPoint.h:
3765 (JSC::DFG::CorrectableJumpPoint::isSet):
3766 (CorrectableJumpPoint):
3767 * dfg/DFGJITCompiler.cpp:
3768 (JSC::DFG::JITCompiler::linkOSRExits):
3769 (JSC::DFG::JITCompiler::link):
3770 * dfg/DFGNode.h:
3771 (JSC::DFG::Node::hasIdentifierNumberForCheck):
3772 (Node):
3773 (JSC::DFG::Node::identifierNumberForCheck):
3774 (JSC::DFG::Node::hasRegisterPointer):
3775 * dfg/DFGNodeType.h:
3776 (DFG):
3777 * dfg/DFGOSRExit.cpp:
3778 (JSC::DFG::OSRExit::OSRExit):
3779 * dfg/DFGOSRExit.h:
3780 (OSRExit):
3781 * dfg/DFGOperations.cpp:
3782 * dfg/DFGOperations.h:
3783 * dfg/DFGPredictionPropagationPhase.cpp:
3784 (JSC::DFG::PredictionPropagationPhase::propagate):
3785 * dfg/DFGSpeculativeJIT.h:
3786 (JSC::DFG::SpeculativeJIT::callOperation):
3787 (JSC::DFG::SpeculativeJIT::appendCall):
3788 (SpeculativeJIT):
3789 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
3790 * dfg/DFGSpeculativeJIT32_64.cpp:
3791 (JSC::DFG::SpeculativeJIT::compile):
3792 * dfg/DFGSpeculativeJIT64.cpp:
3793 (JSC::DFG::SpeculativeJIT::compile):
3794 * jit/JIT.cpp:
3795 (JSC::JIT::privateCompileMainPass):
3796 (JSC::JIT::privateCompileSlowCases):
3797 * jit/JIT.h:
3798 * jit/JITPropertyAccess.cpp:
3799 (JSC::JIT::emit_op_put_global_var_check):
3800 (JSC):
3801 (JSC::JIT::emitSlow_op_put_global_var_check):
3802 * jit/JITPropertyAccess32_64.cpp:
3803 (JSC::JIT::emit_op_put_global_var_check):
3804 (JSC):
3805 (JSC::JIT::emitSlow_op_put_global_var_check):
3806 * jit/JITStubs.cpp:
3807 (JSC::JITThunks::JITThunks):
3808 (JSC::DEFINE_STUB_FUNCTION):
3809 (JSC):
3810 * jit/JITStubs.h:
3811 * llint/LLIntSlowPaths.cpp:
3812 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3813 (LLInt):
3814 * llint/LLIntSlowPaths.h:
3815 (LLInt):
3816 * llint/LowLevelInterpreter32_64.asm:
3817 * llint/LowLevelInterpreter64.asm:
3818 * runtime/JSObject.cpp:
3819 (JSC::JSObject::removeDirect):
3820 * runtime/JSObject.h:
3821 (JSObject):
3822 * runtime/JSSymbolTableObject.h:
3823 (JSC::symbolTableGet):
3824 (JSC::symbolTablePut):
3825 (JSC::symbolTablePutWithAttributes):
3826 * runtime/SymbolTable.cpp: Added.
3827 (JSC):
3828 (JSC::SymbolTableEntry::copySlow):
3829 (JSC::SymbolTableEntry::freeFatEntrySlow):
3830 (JSC::SymbolTableEntry::couldBeWatched):
3831 (JSC::SymbolTableEntry::attemptToWatch):
3832 (JSC::SymbolTableEntry::addressOfIsWatched):
3833 (JSC::SymbolTableEntry::addWatchpoint):
3834 (JSC::SymbolTableEntry::notifyWriteSlow):
3835 (JSC::SymbolTableEntry::inflateSlow):
3836 * runtime/SymbolTable.h:
3837 (JSC):
3838 (SymbolTableEntry):
3839 (Fast):
3840 (JSC::SymbolTableEntry::Fast::Fast):
3841 (JSC::SymbolTableEntry::Fast::isNull):
3842 (JSC::SymbolTableEntry::Fast::getIndex):
3843 (JSC::SymbolTableEntry::Fast::isReadOnly):
3844 (JSC::SymbolTableEntry::Fast::getAttributes):
3845 (JSC::SymbolTableEntry::Fast::isFat):
3846 (JSC::SymbolTableEntry::SymbolTableEntry):
3847 (JSC::SymbolTableEntry::~SymbolTableEntry):
3848 (JSC::SymbolTableEntry::operator=):
3849 (JSC::SymbolTableEntry::isNull):
3850 (JSC::SymbolTableEntry::getIndex):
3851 (JSC::SymbolTableEntry::getFast):
3852 (JSC::SymbolTableEntry::getAttributes):
3853 (JSC::SymbolTableEntry::isReadOnly):
3854 (JSC::SymbolTableEntry::watchpointSet):
3855 (JSC::SymbolTableEntry::notifyWrite):
3856 (FatEntry):
3857 (JSC::SymbolTableEntry::FatEntry::FatEntry):
3858 (JSC::SymbolTableEntry::isFat):
3859 (JSC::SymbolTableEntry::fatEntry):
3860 (JSC::SymbolTableEntry::inflate):
3861 (JSC::SymbolTableEntry::bits):
3862 (JSC::SymbolTableEntry::freeFatEntry):
3863 (JSC::SymbolTableEntry::pack):
3864 (JSC::SymbolTableEntry::isValidIndex):
3865
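The WatchpointSet protocol described in the entry above (a one-byte "is watched" state checked on every store, firing all registered watchpoints at once, and a set that stays invalidated forever so the compiler never folds that variable again) can be modelled on a plain host. The following is an added example, not JavaScriptCore code: the names mirror the function list in the entry, but the bodies, the State values, the WatchableGlobal slot, compileGlobalLoad() and runScenario() are assumptions. JSC fires a watchpoint by overwriting JIT code with a jump to an OSR exit; here the planted jump is a callback so the control flow is observable.

```cpp
// Added example: a host-side model of Watchpoint / WatchpointSet semantics.
// Not JavaScriptCore code; bodies and the scenario below are assumptions.
#include <cstddef>
#include <cstdint>
#include <functional>
#include <string>
#include <vector>

namespace model {

struct Watchpoint {
    std::string label;                  // where the jump would be planted
    std::function<void()> destination;  // what the jump would do (force an OSR exit)
    bool fired = false;
};

class WatchpointSet {
public:
    enum State : uint8_t { ClearWatchpoint = 0, IsWatched = 1, IsInvalidated = 2 };

    // Fast path of the write check: one byte load and a branch. Only a
    // currently watched set takes the slow path.
    void notifyWrite() {
        if (m_state != IsWatched)
            return;
        notifyWriteSlow();
    }
    bool isStillValid() const { return m_state != IsInvalidated; }
    bool hasBeenInvalidated() const { return !isStillValid(); }

    // Monotonic: a set that has fired can never be watched again, so the
    // compiler is told to emit a real load instead of a constant.
    bool startWatching() {
        if (hasBeenInvalidated())
            return false;
        m_state = IsWatched;
        return true;
    }
    bool add(Watchpoint* wp) {
        if (!startWatching())
            return false;
        m_watchpoints.push_back(wp);
        return true;
    }
    std::size_t numberOfWatchpoints() const { return m_watchpoints.size(); }
    const uint8_t* addressOfIsWatched() const { return &m_state; }  // the byte JIT code tests

private:
    void notifyWriteSlow() { fireAllWatchpoints(); }
    void fireAllWatchpoints() {
        m_state = IsInvalidated;          // set before planting jumps: no re-entry
        std::vector<Watchpoint*> list;
        list.swap(m_watchpoints);         // each Watchpoint fires at most once
        for (Watchpoint* wp : list) {
            wp->fired = true;
            if (wp->destination)
                wp->destination();
        }
    }
    uint8_t m_state = ClearWatchpoint;
    std::vector<Watchpoint*> m_watchpoints;
};

// A global variable slot: every store performs the write check, as the entry
// says the bytecode generator arranges for watchable globals.
struct WatchableGlobal {
    int value = 0;
    WatchpointSet set;
    void put(int v) { value = v; set.notifyWrite(); }
};

struct CompiledLoad {
    bool folded;    // true: the load became a constant guarded by a watchpoint
    int constant;   // meaningful only when folded
};

// What the optimizing compiler would do for a load of the global: fold it to
// the current value if the set can be watched, registering a watchpoint whose
// "jump" records that the compiled code had to exit.
inline CompiledLoad compileGlobalLoad(WatchableGlobal& g, Watchpoint& wp, bool& exited) {
    exited = false;
    wp.destination = [&exited] { exited = true; };
    if (!g.set.add(&wp))
        return {false, 0};
    return {true, g.value};
}

// End-to-end scenario; returns 0 when every step behaves as described,
// otherwise the number of the first step that did not.
inline int runScenario() {
    WatchableGlobal g;
    g.put(42);                      // nothing watches yet: fast path, nothing fires
    Watchpoint wp;
    bool exited = false;
    CompiledLoad load = compileGlobalLoad(g, wp, exited);
    if (!load.folded || load.constant != 42) return 1;
    if (!g.set.isStillValid() || exited) return 2;
    g.put(42);                      // any store fires, even one writing the same value
    if (!exited || !wp.fired) return 3;
    if (!g.set.hasBeenInvalidated() || g.set.numberOfWatchpoints() != 0) return 4;
    Watchpoint wp2;
    bool exited2 = false;
    if (compileGlobalLoad(g, wp2, exited2).folded) return 5;   // never fold again
    g.put(7);                       // later stores are back on the one-byte fast path
    if (exited2 || wp2.fired) return 6;
    return 0;
}

} // namespace model
```

The order inside fireAllWatchpoints() matters: the state is flipped to IsInvalidated before any destination runs, so a store performed while an exit handler is running cannot re-enter the slow path, and the list is detached first so a watchpoint is never fired twice.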
2012-06-12  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for ARMv7 debug builds.

        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):

2012-06-12  Geoffrey Garen  <ggaren@apple.com>

        Build fix for case-sensitive file systems: use the right case.

        * heap/ListableHandler.h:

2012-06-11  Geoffrey Garen  <ggaren@apple.com>

        GC should be 1.7X faster
        https://bugs.webkit.org/show_bug.cgi?id=88840

        Reviewed by Oliver Hunt.

        I profiled, and removed anything that showed up as a concurrency
        bottleneck. Then, I added 3 threads to our max thread count, since we
        can scale up to more threads now.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator):
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::releaseFreeBlocks):
        (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
        (JSC::BlockAllocator::waitForRelativeTime):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (BlockAllocator):
        (JSC::BlockAllocator::allocate):
        (JSC::BlockAllocator::deallocate): Use a spin lock for the common case
        where we're just popping a linked list. (A pthread mutex would sleep our
        thread even if the lock were only contended for a microsecond.)

        Scope the lock to avoid holding it while allocating VM, since that's a
        slow activity and it doesn't modify any of our data structures.

        We still use a pthread mutex to handle our condition variable since we
        have to, and it's not a hot path.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::CopiedSpace):
        (JSC::CopiedSpace::doneFillingBlock):
        * heap/CopiedSpace.h:
        (JSC::CopiedSpace::CopiedSpace): Use a spin lock for the to space lock,
        since it just guards linked list and hash table manipulation.

        * heap/MarkStack.cpp:
        (JSC::MarkStackSegmentAllocator::MarkStackSegmentAllocator):
        (JSC::MarkStackSegmentAllocator::allocate):
        (JSC::MarkStackSegmentAllocator::release):
        (JSC::MarkStackSegmentAllocator::shrinkReserve): Use a spin lock, since
        we're just managing a linked list.

        (JSC::MarkStackArray::donateSomeCellsTo): Changed donation to be proportional
        to our current stack size. This fixes cases where we used to donate too
        much. Interestingly, donating too much was starving the donor (when it
        ran out of work later) *and* the recipient (since it had to wait on a
        long donation operation to complete before it could acquire the lock).

        In the worst case, we're still guaranteed to donate N cells in roughly log N time.

        This change also fixes cases where we used to donate too little, since
        we would always keep a fixed minimum number of cells. In the worst case,
        with N marking threads, we could have N large object graph roots in
        our stack for the duration of GC, and scale to only 1 thread.

        It's an interesting observation that a single object in the mark stack
        might represent an arbitrarily large object graph -- and only the act
        of marking can find out.

        (JSC::MarkStackArray::stealSomeCellsFrom): Steal in proportion to idle
        threads. Once again, this fixes cases where constants could cause us
        to steal too much or too little.

        (JSC::SlotVisitor::donateKnownParallel): Always wake up other threads
        if they're idle. We can afford to do this because we're conservative
        about when we donate.

        (JSC::SlotVisitor::drainFromShared):
        * heap/MarkStack.h:
        (MarkStackSegmentAllocator):
        (MarkStackArray):
        (JSC):
        * heap/SlotVisitor.h: Merged the "should I donate?" decision into a
        single function, for simplicity.

        * runtime/Options.cpp:
        (minimumNumberOfScansBetweenRebalance): Reduced the delay before donation
        a lot. We can afford to do this because, in the common case, donation is
        a single branch that decides not to donate.

        (cpusToUse): Use more CPUs now, since we scale better now.

        * runtime/Options.h:
        (Options): Removed now-unused variables.

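The BlockAllocator::allocate/deallocate change in the entry above makes two design points: a spin lock rather than a sleeping mutex for the free-list pop, and a lock scope that ends before fresh memory is obtained, since that is slow and touches none of the allocator's own state. The following is an added example, not JavaScriptCore code, that shows the same shape: SpinLock, the 4 KiB Block, the use of malloc in place of VM allocation, the counters and runScenario() are all assumptions made for the demonstration.

```cpp
// Added example: a free-list block allocator with a spin lock held only
// around the list pop/push, never around the slow fresh allocation.
// Not JavaScriptCore code; block size, lock type and counters are assumptions.
#include <atomic>
#include <cstddef>
#include <cstdlib>
#include <mutex>
#include <new>
#include <thread>
#include <vector>

namespace model {

// Busy-waits instead of sleeping: appropriate only when the critical
// section is a handful of instructions, as a list pop is.
class SpinLock {
public:
    void lock() { while (m_flag.test_and_set(std::memory_order_acquire)) { } }
    void unlock() { m_flag.clear(std::memory_order_release); }
private:
    std::atomic_flag m_flag = ATOMIC_FLAG_INIT;
};

struct Block {
    Block* next;
    unsigned char payload[4096];
};

class BlockAllocator {
public:
    ~BlockAllocator() {
        while (Block* b = popFree())
            std::free(b);
    }

    Block* allocate() {
        if (Block* b = popFree()) {   // the lock lives only inside popFree()
            ++m_reused;
            return b;
        }
        // Slow path, deliberately outside the lock: obtaining fresh memory is
        // expensive and modifies none of the allocator's data structures.
        ++m_fresh;
        Block* b = static_cast<Block*>(std::malloc(sizeof(Block)));
        if (!b)
            throw std::bad_alloc();
        b->next = nullptr;
        return b;
    }

    void deallocate(Block* b) {
        std::lock_guard<SpinLock> guard(m_lock);
        b->next = m_freeList;
        m_freeList = b;
        ++m_freeCount;
    }

    std::size_t freeCount() { std::lock_guard<SpinLock> guard(m_lock); return m_freeCount; }
    std::size_t reusedCount() const { return m_reused.load(); }
    std::size_t freshCount() const { return m_fresh.load(); }

private:
    Block* popFree() {
        std::lock_guard<SpinLock> guard(m_lock);
        Block* b = m_freeList;
        if (b) {
            m_freeList = b->next;
            --m_freeCount;
        }
        return b;
    }
    SpinLock m_lock;
    Block* m_freeList = nullptr;
    std::size_t m_freeCount = 0;        // guarded by m_lock
    std::atomic<std::size_t> m_reused{0};
    std::atomic<std::size_t> m_fresh{0};
};

struct ScenarioResult {
    std::size_t allocations, reused, fresh, finalFree;
};

// Each thread repeatedly takes two blocks, touches them and returns them.
// Every block handed out is returned, so at the end the free list holds
// exactly the blocks that were ever freshly allocated, and a thread owns at
// most two blocks at a time, so fresh allocations never exceed 2 * threads.
inline ScenarioResult runScenario(unsigned threads, unsigned iterations) {
    BlockAllocator allocator;
    std::vector<std::thread> workers;
    for (unsigned t = 0; t < threads; ++t) {
        workers.emplace_back([&allocator, iterations] {
            for (unsigned i = 0; i < iterations; ++i) {
                Block* a = allocator.allocate();
                Block* b = allocator.allocate();
                a->payload[0] = 1;
                b->payload[0] = 2;
                allocator.deallocate(a);
                allocator.deallocate(b);
            }
        });
    }
    for (std::thread& w : workers)
        w.join();
    return {static_cast<std::size_t>(threads) * iterations * 2,
            allocator.reusedCount(), allocator.freshCount(), allocator.freeCount()};
}

} // namespace model
```

With a single thread the numbers are exact: two fresh blocks on the first iteration, every later allocation served from the free list. With several threads the counts depend on scheduling, but the invariants in the comment above runScenario() hold regardless, which is what a test of lock scoping should check.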
3966
fpizlo@apple.com53ef1042012-06-13 01:29:07 +000039672012-06-12 Filip Pizlo <fpizlo@apple.com>
3968
3969 REGRESSION(120121): inspector tests crash in DFG
3970 https://bugs.webkit.org/show_bug.cgi?id=88941
3971
3972 Reviewed by Geoffrey Garen.
3973
3974 The CFG simplifier has two different ways of fixing up GetLocal, Phantom, and Flush. If we've
3975 already fixed up the node one way, we shouldn't try the other way. The reason why we shouldn't
3976 is that the second way depends on the node referring to other nodes in the to-be-jettisoned
3977 block. After fixup they potentially will refer to nodes in the block being merged to.
3978
3979 * dfg/DFGCFGSimplificationPhase.cpp:
3980 (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
3981 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
3982
2012-06-12  Leo Yang  <leo.yang@torchmobile.com.cn>

        Dynamic hash table in DOMObjectHashTableMap is wrong in multiple threads
        https://bugs.webkit.org/show_bug.cgi?id=87334

        Reviewed by Geoffrey Garen.

        Add a copy member function to JSC::HashTable. This function will copy all data
        members except for *table* which contains thread specific data that prevents
        us copying it. When you want to copy a JSC::HashTable that was constructed
        on another thread you should call JSC::HashTable::copy().

        * runtime/Lookup.h:
        (JSC::HashTable::copy):
        (HashTable):

2012-06-12  Filip Pizlo  <fpizlo@apple.com>

        DFG should not ASSERT if you have a double use of a variable that is not revealed to be a double
        until after CFG simplification
        https://bugs.webkit.org/show_bug.cgi?id=88927
        <rdar://problem/11513971>

        Reviewed by Geoffrey Garen.

        Speculation fixup needs to run if simplification did things, because simplification can change
        predictions - particularly if you had a control flow path that stored weird things into a
        variable, but that path got axed by the simplifier.

        Running fixup in the fixpoint requires making it idempotent, which it previously wasn't. Only
        one place needed to be changed, namely the un-MustGenerate-ion of ValueToInt32.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2012-06-12  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r119779): Javascript TypeError: 'undefined' is not an object
        https://bugs.webkit.org/show_bug.cgi?id=88783
        <rdar://problem/11640299>

        Reviewed by Geoffrey Garen.

        If you don't keep alive the base of an object access over the various checks
        you do for the prototype chain, you're going to have a bad time.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):

2012-06-12  Hojong Han  <hojong.han@samsung.com>

        Property names of the built-in object cannot be retrieved
        after trying to delete one of its properties
        https://bugs.webkit.org/show_bug.cgi?id=86461

        Reviewed by Gavin Barraclough.

        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):

2012-06-11  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        [CMAKE][EFL] Remove duplicated executable output path
        https://bugs.webkit.org/show_bug.cgi?id=88765

        Reviewed by Daniel Bates.

        CMake files for the EFL port redefine the executable output path. However, the EFL port doesn't
        need to define it again because it is already defined in the top-level CMake file.

        * shell/CMakeLists.txt:

2012-06-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck issues.

        * GNUmakefile.list.am: Remove non-existent header file.

2012-06-10  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(JIT) after r119844 and r119925.

        * runtime/Executable.h:
        (ExecutableBase):
        (JSC::ExecutableBase::clearCodeVirtual):

2012-06-10  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(JIT) after r119844.

        * runtime/Executable.h:
        (ExecutableBase):
        (JSC):

2012-06-09  Dominic Cooney  <dominicc@chromium.org>

        [Chromium] Remove JavaScriptCore dependencies from gyp
        https://bugs.webkit.org/show_bug.cgi?id=88510

        Reviewed by Adam Barth.

        Chromium doesn't support JSC any more and there doesn't seem to be
        a strong interest in using GYP as the common build system in other
        ports.

        * JavaScriptCore.gyp/JavaScriptCore.gyp: WebCore still depends on YARR interpreter.
        * JavaScriptCore.gypi: Only include YARR source.
        * gyp/JavaScriptCore.gyp: Removed.
        * gyp/gtk.gyp: Removed.

2012-06-09  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling back in part2 of r118646.

        This patch removes eager finalization.

        Weak pointer finalization should be lazy
        https://bugs.webkit.org/show_bug.cgi?id=87599

        Reviewed by Sam Weinig.

        * heap/Heap.cpp:
        (JSC::Heap::collect): Don't finalize eagerly -- we'll do it lazily.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep): Do sweep weak sets when sweeping a block,
        since we won't get another chance.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::sweepWeakSet):
        * heap/MarkedSpace.cpp:
        (MarkedSpace::WeakSetSweep):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sweepWeakSets): Removed now-unused code.

2012-06-09  Sukolsak Sakshuwong  <sukolsak@google.com>

        Add UNDO_MANAGER flag
        https://bugs.webkit.org/show_bug.cgi?id=87908

        Reviewed by Tony Chang.

        * Configurations/FeatureDefines.xcconfig:

2012-06-08  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling back in part1 of r118646.

        This patch includes everything necessary for lazy finalization, but
        keeps eager finalization enabled for the time being.

        Weak pointer finalization should be lazy
        https://bugs.webkit.org/show_bug.cgi?id=87599

        Reviewed by Sam Weinig.

        * heap/MarkedBlock.cpp:
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::resetAllocator):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::resetAllocators):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::resetAllocators): Don't force allocator reset anymore.
        It will happen automatically when a weak set is swept. It's simpler to
        have only one canonical way for this to happen, and it wasn't buying
        us anything to do it eagerly.
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): Don't short-circuit a sweep unless we know
        the sweep would be a no-op. If even one finalizer is pending, we need to
        run it, since we won't get another chance.
        * heap/WeakSet.cpp:
        (JSC::WeakSet::sweep): This loop can be simpler now that
        WeakBlock::sweep() does what we mean.
        Reset our allocator after a sweep because this is the optimal time to
        start trying to recycle old weak pointers.
        (JSC::WeakSet::tryFindAllocator): Don't sweep when searching for an
        allocator because we've swept already, and forcing a new sweep would be
        wasteful.
        * heap/WeakSet.h:
        (JSC::WeakSet::shrink): Be sure to reset our allocator after a shrink
        because the shrink may have removed the block the allocator was going to
        allocate out of.

2012-06-08  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed roll out r119795.

        This broke jquery/core.html

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * llint/LowLevelInterpreter.asm:
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalThis.cpp:
        (JSC::JSGlobalThis::setUnwrappedObject):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        (JSC::JSObject::createInheritorID):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::resetInheritorID):
        (JSC):
        (JSC::JSObject::offsetOfInheritorID):
        (JSC::JSObject::inheritorID):

2012-06-08  Filip Pizlo  <fpizlo@apple.com>

        PredictedType should be called SpeculatedType
        https://bugs.webkit.org/show_bug.cgi?id=88477

        Unreviewed, fix a renaming goof from http://trac.webkit.org/changeset/119660.
        I accidentally renamed ByteCodeParser::getPrediction to
        ByteCodeParser::getSpeculation. That was not the intent. This changes it
        back.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::parseBlock):

2012-06-08  Andy Wingo  <wingo@igalia.com>

        Explicitly mark stubs called by JIT as being internal
        https://bugs.webkit.org/show_bug.cgi?id=88552

        Reviewed by Filip Pizlo.

        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/HostCallReturnValue.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/ThunkGenerators.cpp:
        * llint/LLIntSlowPaths.h: Mark a bunch of stubs as being
        WTF_INTERNAL. Change most calls to SYMBOL_STRING_RELOCATION to
        LOCAL_REFERENCE, or GLOBAL_REFERENCE in the case of the wrappers
        to truly global symbols.
        * offlineasm/asm.rb: Generate LOCAL_REFERENCE instead of
        SYMBOL_STRING_RELOCATION.

2012-06-08  Geoffrey Garen  <ggaren@apple.com>

        Don't rely on weak pointers for eager CodeBlock finalization
        https://bugs.webkit.org/show_bug.cgi?id=88465

        Reviewed by Gavin Barraclough.

        This is incompatible with lazy weak pointer finalization.

        I considered just making CodeBlock finalization lazy-friendly, but it
        turns out that the heap is already way up in CodeBlock's business when
        it comes to finalization, so I decided to finish the job and move full
        responsibility for CodeBlock finalization into the heap.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Maybe this
        will build.

        * debugger/Debugger.cpp: Updated for rename.

        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode): Renamed for consistency. Fixed a bug
        where we would not delete code for a code block that had been previously
        jettisoned. I don't know if this happens in practice -- I mostly did
        this to improve consistency with deleteUnmarkedCompiledCode.

        (JSC::Heap::deleteUnmarkedCompiledCode): New function, responsible for
        eager finalization of unmarked code blocks.

        (JSC::Heap::collect): Updated for rename. Updated to call
        deleteUnmarkedCompiledCode(), which takes care of jettisoned DFG code
        blocks too.

        (JSC::Heap::addCompiledCode): Renamed, since this points to all code
        now, not just functions.

        * heap/Heap.h:
        (Heap): Keep track of all user code, not just functions. This is a
        negligible additional overhead, since most code is function code.

        * runtime/Executable.cpp:
        (JSC::*::finalize): Removed these functions, since we don't rely on
        weak pointer finalization anymore.

        (JSC::FunctionExecutable::FunctionExecutable): Moved linked-list stuff
        into base class so all executables can be in the list.

        (JSC::EvalExecutable::clearCode):
        (JSC::ProgramExecutable::clearCode):
        (JSC::FunctionExecutable::clearCode): All we need to do is delete our
        CodeBlock -- that will delete all of its internal data structures.

        (JSC::FunctionExecutable::clearCodeIfNotCompiling): Factored out a helper
        function to improve clarity.

        * runtime/Executable.h:
        (JSC::ExecutableBase): Moved linked-list stuff
        into base class so all executables can be in the list.

        (JSC::NativeExecutable::create):
        (NativeExecutable):
        (ScriptExecutable):
        (JSC::ScriptExecutable::finishCreation):
        (JSC::EvalExecutable::create):
        (EvalExecutable):
        (JSC::ProgramExecutable::create):
        (ProgramExecutable):
        (FunctionExecutable):
        (JSC::FunctionExecutable::create): Don't use a finalizer -- the heap
        will call us back to destroy our code block.

        (JSC::FunctionExecutable::discardCode): Renamed to clearCodeIfNotCompiling()
        for clarity.

        (JSC::FunctionExecutable::isCompiling): New helper function, for clarity.

        (JSC::ScriptExecutable::clearCodeVirtual): New helper function, since
        the heap needs to make polymorphic calls to clear code.

        * runtime/JSGlobalData.cpp:
        (JSC::StackPreservingRecompiler::operator()):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): Updated for
        renames.

2012-06-07  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline prototype chain accesses, and do the right things if the
        specific function optimization is available
        https://bugs.webkit.org/show_bug.cgi?id=88594

        Reviewed by Gavin Barraclough.

        Looks like a 3% win on V8.

        * bytecode/CodeBlock.h:
        (JSC::Structure::prototypeForLookup):
        (JSC):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::isSimple):
        (JSC::GetByIdStatus::chain):
        (JSC::GetByIdStatus::specificValue):
        (GetByIdStatus):
        * bytecode/StructureSet.h:
        (StructureSet):
        (JSC::StructureSet::singletonStructure):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::initGetByIdProto):
        (JSC::StructureStubInfo::initGetByIdChain):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCacheGetByID):
        * runtime/JSGlobalObject.h:
        (JSC::Structure::prototypeForLookup):
        (JSC):
        * runtime/Structure.h:
        (Structure):

2012-06-07  Gavin Barraclough  <barraclough@apple.com>

        Remove JSObject::m_inheritorID
        https://bugs.webkit.org/show_bug.cgi?id=88378

        Reviewed by Geoff Garen.

        This is rarely used, and not performance critical (the commonly accessed copy is cached on JSFunction),
        and most objects don't need an inheritorID (this value is only used if the object is used as a prototype).
        Instead use a private named value in the object's property storage.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
        - No m_inheritorID to initialize!
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        - No m_inheritorID to initialize!
        * llint/LowLevelInterpreter.asm:
        - No m_inheritorID to initialize!
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        - Added private name 'm_inheritorIDKey'.
        * runtime/JSGlobalThis.cpp:
        (JSC::JSGlobalThis::setUnwrappedObject):
        - resetInheritorID is now passed a JSGlobalData&.
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        - No m_inheritorID to be marked.
        (JSC::JSObject::createInheritorID):
        - Store the newly created inheritorID in the property map.
        * runtime/JSObject.h:
        (JSC::JSObject::resetInheritorID):
        - Remove the inheritorID from property storage.
        (JSC::JSObject::inheritorID):
        - Read the inheritorID from property storage.

2012-06-07  Gavin Barraclough  <barraclough@apple.com>

        Math.pow on iOS does not support denormal numbers.
        https://bugs.webkit.org/show_bug.cgi?id=88592

        Reviewed by Filip Pizlo.

        Import an implementation from fdlibm, detect cases where it is safe to use the system
        implementation & where we should fall back to fdlibm.

        * runtime/MathObject.cpp:
        (JSC::isDenormal):
        (JSC::isEdgeCase):
        (JSC::mathPow):
        - On iOS, detect cases where denormal support may be required & use fdlibm in these cases.
        (JSC::mathProtoFuncPow):
        - Changed to use mathPow.
        (JSC::fdlibmScalbn):
        (JSC::fdlibmPow):
        - These functions imported from fdlibm; original style retained to ease future merging.

2012-06-07  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(JIT) after r119441.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2012-06-07  Andy Wingo  <wingo@igalia.com>

        Unreviewed build fix after r119593.

        * llint/LLIntOfflineAsmConfig.h (OFFLINE_ASM_GLOBAL_LABEL): Fix
        uses of "name" to be "label", the macro's parameter. Otherwise we
        serialize mentions of the literal symbol "name" into the objcode.
        Causes a build error using GNU ld (not gold).

2012-06-06  Ryosuke Niwa  <rniwa@webkit.org>

        Chromium build fix attempt. Why do we need to list these files in gyp!?

        * JavaScriptCore.gypi:

2012-06-06  Filip Pizlo  <fpizlo@apple.com>

        PredictedType should be called SpeculatedType
        https://bugs.webkit.org/show_bug.cgi?id=88477

        Rubber stamped by Gavin Barraclough.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
        * bytecode/LazyOperandValueProfile.cpp:
        (JSC::LazyOperandValueProfileParser::prediction):
        * bytecode/LazyOperandValueProfile.h:
        (LazyOperandValueProfileParser):
        * bytecode/PredictedType.cpp: Removed.
        * bytecode/PredictedType.h: Removed.
        * bytecode/SpeculatedType.cpp: Copied from Source/JavaScriptCore/bytecode/PredictedType.cpp.
        (JSC::speculationToString):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromStructure):
        (JSC::speculationFromCell):
        (JSC::speculationFromValue):
        * bytecode/SpeculatedType.h: Copied from Source/JavaScriptCore/bytecode/PredictedType.h.
        (JSC):
        (JSC::isAnySpeculation):
        (JSC::isCellSpeculation):
        (JSC::isObjectSpeculation):
        (JSC::isFinalObjectSpeculation):
        (JSC::isFinalObjectOrOtherSpeculation):
        (JSC::isFixedIndexedStorageObjectSpeculation):
        (JSC::isStringSpeculation):
        (JSC::isArraySpeculation):
        (JSC::isFunctionSpeculation):
        (JSC::isInt8ArraySpeculation):
        (JSC::isInt16ArraySpeculation):
        (JSC::isInt32ArraySpeculation):
        (JSC::isUint8ArraySpeculation):
        (JSC::isUint8ClampedArraySpeculation):
        (JSC::isUint16ArraySpeculation):
        (JSC::isUint32ArraySpeculation):
        (JSC::isFloat32ArraySpeculation):
        (JSC::isFloat64ArraySpeculation):
        (JSC::isArgumentsSpeculation):
        (JSC::isActionableIntMutableArraySpeculation):
        (JSC::isActionableFloatMutableArraySpeculation):
        (JSC::isActionableTypedMutableArraySpeculation):
        (JSC::isActionableMutableArraySpeculation):
        (JSC::isActionableArraySpeculation):
        (JSC::isArrayOrOtherSpeculation):
        (JSC::isMyArgumentsSpeculation):
        (JSC::isInt32Speculation):
        (JSC::isDoubleRealSpeculation):
        (JSC::isDoubleSpeculation):
        (JSC::isNumberSpeculation):
        (JSC::isBooleanSpeculation):
        (JSC::isOtherSpeculation):
        (JSC::isEmptySpeculation):
        (JSC::mergeSpeculations):
        (JSC::mergeSpeculation):
        * bytecode/StructureSet.h:
        (JSC::StructureSet::speculationFromStructures):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::ValueProfileBase):
        (JSC::ValueProfileBase::dump):
        (JSC::ValueProfileBase::computeUpdatedPrediction):
        (ValueProfileBase):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::speculateInt32Unary):
        (JSC::DFG::AbstractState::speculateNumberUnary):
        (JSC::DFG::AbstractState::speculateBooleanUnary):
        (JSC::DFG::AbstractState::speculateInt32Binary):
        (JSC::DFG::AbstractState::speculateNumberBinary):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::filter):
        (JSC::DFG::StructureAbstractValue::speculationFromStructures):
        (JSC::DFG::AbstractValue::AbstractValue):
        (JSC::DFG::AbstractValue::clear):
        (JSC::DFG::AbstractValue::isClear):
        (JSC::DFG::AbstractValue::makeTop):
        (JSC::DFG::AbstractValue::clobberStructures):
        (JSC::DFG::AbstractValue::isTop):
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::merge):
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::validateIgnoringValue):
        (JSC::DFG::AbstractValue::validate):
        (JSC::DFG::AbstractValue::checkConsistency):
        (JSC::DFG::AbstractValue::dump):
        (AbstractValue):
        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::ArgumentPosition):
        (JSC::DFG::ArgumentPosition::mergeArgumentAwareness):
        (JSC::DFG::ArgumentPosition::prediction):
        (ArgumentPosition):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getSpeculationWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getSpeculation):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::fixVariableAccessSpeculations):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::run):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::nameOfVariableAccessData):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::getJSConstantSpeculation):
        (JSC::DFG::Graph::isPredictedNumerical):
        (JSC::DFG::Graph::byValIsPure):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getSpeculation):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::getHeapPrediction):
        (JSC::DFG::Node::predictHeap):
        (JSC::DFG::Node::prediction):
        (JSC::DFG::Node::predict):
        (JSC::DFG::Node::shouldSpeculateInteger):
        (JSC::DFG::Node::shouldSpeculateDouble):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::shouldSpeculateBoolean):
        (JSC::DFG::Node::shouldSpeculateFinalObject):
        (JSC::DFG::Node::shouldSpeculateFinalObjectOrOther):
        (JSC::DFG::Node::shouldSpeculateArray):
        (JSC::DFG::Node::shouldSpeculateArguments):
        (JSC::DFG::Node::shouldSpeculateInt8Array):
        (JSC::DFG::Node::shouldSpeculateInt16Array):
        (JSC::DFG::Node::shouldSpeculateInt32Array):
        (JSC::DFG::Node::shouldSpeculateUint8Array):
        (JSC::DFG::Node::shouldSpeculateUint8ClampedArray):
        (JSC::DFG::Node::shouldSpeculateUint16Array):
        (JSC::DFG::Node::shouldSpeculateUint32Array):
        (JSC::DFG::Node::shouldSpeculateFloat32Array):
        (JSC::DFG::Node::shouldSpeculateFloat64Array):
        (JSC::DFG::Node::shouldSpeculateArrayOrOther):
        (JSC::DFG::Node::shouldSpeculateObject):
        (JSC::DFG::Node::shouldSpeculateCell):
        (Node):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::setPrediction):
        (JSC::DFG::PredictionPropagationPhase::mergePrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillStorage):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::FPRTemporary::FPRTemporary):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLength):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        * dfg/DFGSpeculativeJIT.h:
        (DFG):
        (JSC::DFG::ValueSource::forSpeculation):
        (SpeculativeJIT):
        (GPRTemporary):
        (FPRTemporary):
        (JSC::DFG::SpecDoubleOperand::SpecDoubleOperand):
        (JSC::DFG::SpecDoubleOperand::~SpecDoubleOperand):
        (JSC::DFG::SpecDoubleOperand::fpr):
        (JSC::DFG::SpecCellOperand::SpecCellOperand):
        (JSC::DFG::SpecCellOperand::~SpecCellOperand):
        (JSC::DFG::SpecCellOperand::gpr):
        (JSC::DFG::SpecBooleanOperand::SpecBooleanOperand):
        (JSC::DFG::SpecBooleanOperand::~SpecBooleanOperand):
        (JSC::DFG::SpecBooleanOperand::gpr):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpecDouble):
        (JSC::DFG::SpeculativeJIT::fillSpecCell):
        (JSC::DFG::SpeculativeJIT::fillSpecBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpecDouble):
        (JSC::DFG::SpeculativeJIT::fillSpecCell):
        (JSC::DFG::SpeculativeJIT::fillSpecBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::predict):
        (JSC::DFG::VariableAccessData::nonUnifiedPrediction):
        (JSC::DFG::VariableAccessData::prediction):
        (JSC::DFG::VariableAccessData::argumentAwarePrediction):
        (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        (VariableAccessData):

2012-06-06  Filip Pizlo  <fpizlo@apple.com>

        Global object variable accesses should not require an extra load
        https://bugs.webkit.org/show_bug.cgi?id=88385

        Reviewed by Gavin Barraclough and Geoffrey Garen.

        Previously, if you wanted to access a global variable, you'd first have
        to load the register array from the appropriate global object and then
        either load or store at an offset to the register array. This is because
        JSGlobalObject inherited from JSVariableObject, and JSVariableObject is
        designed with the pessimistic assumption that its register array may
        point into the call stack. This is never the case for global objects.
        Hence, even though the global object may add more registers at any time,
        it does not need to store them in a contiguous array. It can use a
        SegmentedVector or similar.

        This patch refactors global objects and variable objects as follows:

        - The functionality to track variables in an indexable array using a
        SymbolTable to map names to indices is moved into JSSymbolTableObject,
        which is now a supertype of JSVariableObject. JSVariableObject is now
        just a holder for a registers array and implements the registerAt()
        method that is left abstract in JSSymbolTableObject. Because all users
        of JSVariableObject know whether they are a JSStaticScopeObject,
        JSActivation, or JSGlobalObject, this "abstract" method is not virtual;
        instead the utility methods that would call registerAt() are now
        template functions that require you to know statically what subtype of
        JSSymbolTableObject you're using (JSVariableObject or something else),
        so that registerAt() can be statically bound.

        - A new class is added called JSSegmentedVariableObject, which only
        differs from JSVariableObject in how it allocates registers. It uses a
        SegmentedVector instead of manually managing a pointer to a contiguous
        slab of registers. This changes the interface somewhat; for example
        with JSVariableObject if you wanted to add a register you had to do
        it yourself since the JSVariableObject didn't know how the registers
        array ought to be allocated. With JSSegmentedVariableObject you can
        just call addRegisters(). JSSegmentedVariableObject preserves the
        invariant that once you get a pointer into a register, that pointer
        will continue to be valid so long as the JSSegmentedVariableObject is
        alive. This allows the JITs and interpreters to skip the extra load.

        - JSGlobalObject now inherits from JSSegmentedVariableObject. For now
        (and possibly forever) it is the only subtype of this new class.

        - The bytecode format is changed so that get_global_var and
        put_global_var have a pointer to the register directly rather than
        having an index. A convenience method is provided in
        JSSegmentedVariableObject to get the index given a pointer, which is
        used for assertions and debug dumps.

        This appears to be a 1% across the board win.

4746 * CMakeLists.txt:
4747 * GNUmakefile.list.am:
4748 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
4749 * JavaScriptCore.xcodeproj/project.pbxproj:
4750 * Target.pri:
4751 * bytecode/CodeBlock.cpp:
4752 (JSC::CodeBlock::dump):
4753 * bytecode/Instruction.h:
4754 (Instruction):
4755 (JSC::Instruction::Instruction):
4756 * bytecompiler/BytecodeGenerator.cpp:
4757 (JSC::ResolveResult::registerPointer):
4758 (JSC):
4759 (JSC::BytecodeGenerator::BytecodeGenerator):
4760 (JSC::BytecodeGenerator::retrieveLastUnaryOp):
4761 (JSC::BytecodeGenerator::resolve):
4762 (JSC::BytecodeGenerator::resolveConstDecl):
4763 (JSC::BytecodeGenerator::emitGetStaticVar):
4764 (JSC::BytecodeGenerator::emitPutStaticVar):
4765 * bytecompiler/BytecodeGenerator.h:
4766 (ResolveResult):
4767 (BytecodeGenerator):
4768 * dfg/DFGAssemblyHelpers.h:
4769 (AssemblyHelpers):
4770 * dfg/DFGByteCodeParser.cpp:
4771 (JSC::DFG::ByteCodeParser::parseBlock):
4772 * dfg/DFGCSEPhase.cpp:
4773 (JSC::DFG::CSEPhase::globalVarLoadElimination):
4774 (JSC::DFG::CSEPhase::globalVarStoreElimination):
4775 (JSC::DFG::CSEPhase::performNodeCSE):
4776 * dfg/DFGGraph.cpp:
4777 (JSC::DFG::Graph::dump):
4778 * dfg/DFGGraph.h:
4779 (JSC::DFG::Graph::globalObjectFor):
4780 (Graph):
4781 * dfg/DFGNode.h:
4782 (JSC::DFG::Node::hasVarNumber):
4783 (Node):
4784 (JSC::DFG::Node::hasRegisterPointer):
4785 (JSC::DFG::Node::registerPointer):
4786 * dfg/DFGSpeculativeJIT32_64.cpp:
4787 (JSC::DFG::SpeculativeJIT::compile):
4788 * dfg/DFGSpeculativeJIT64.cpp:
4789 (JSC::DFG::SpeculativeJIT::compile):
4790 * heap/Heap.h:
4791 (Heap):
4792 (JSC::Heap::isWriteBarrierEnabled):
4793 (JSC):
4794 * interpreter/Interpreter.cpp:
4795 (JSC::Interpreter::execute):
4796 (JSC::Interpreter::privateExecute):
4797 * jit/JITPropertyAccess.cpp:
4798 (JSC::JIT::emit_op_get_global_var):
4799 (JSC::JIT::emit_op_put_global_var):
4800 * jit/JITPropertyAccess32_64.cpp:
4801 (JSC::JIT::emit_op_get_global_var):
4802 (JSC::JIT::emit_op_put_global_var):
4803 * llint/LowLevelInterpreter32_64.asm:
4804 * llint/LowLevelInterpreter64.asm:
4805 * runtime/JSGlobalObject.cpp:
4806 (JSC):
4807 (JSC::JSGlobalObject::put):
4808 (JSC::JSGlobalObject::putDirectVirtual):
4809 (JSC::JSGlobalObject::defineOwnProperty):
4810 (JSC::JSGlobalObject::visitChildren):
4811 (JSC::JSGlobalObject::addStaticGlobals):
4812 (JSC::JSGlobalObject::getOwnPropertySlot):
4813 (JSC::JSGlobalObject::getOwnPropertyDescriptor):
4814 * runtime/JSGlobalObject.h:
4815 (JSGlobalObject):
4816 (JSC::JSGlobalObject::JSGlobalObject):
4817 (JSC):
4818 (JSC::JSGlobalObject::hasOwnPropertyForWrite):
4819 * runtime/JSSegmentedVariableObject.cpp: Added.
4820 (JSC):
4821 (JSC::JSSegmentedVariableObject::findRegisterIndex):
4822 (JSC::JSSegmentedVariableObject::addRegisters):
4823 (JSC::JSSegmentedVariableObject::visitChildren):
4824 * runtime/JSSegmentedVariableObject.h: Added.
4825 (JSC):
4826 (JSSegmentedVariableObject):
4827 (JSC::JSSegmentedVariableObject::registerAt):
4828 (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject):
4829 (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
4830 (JSC::JSSegmentedVariableObject::finishCreation):
4831 * runtime/JSStaticScopeObject.cpp:
4832 (JSC::JSStaticScopeObject::put):
4833 (JSC::JSStaticScopeObject::putDirectVirtual):
4834 (JSC::JSStaticScopeObject::getOwnPropertySlot):
4835 * runtime/JSSymbolTableObject.cpp: Added.
4836 (JSC):
4837 (JSC::JSSymbolTableObject::destroy):
4838 (JSC::JSSymbolTableObject::deleteProperty):
4839 (JSC::JSSymbolTableObject::getOwnPropertyNames):
4840 (JSC::JSSymbolTableObject::putDirectVirtual):
4841 (JSC::JSSymbolTableObject::isDynamicScope):
4842 * runtime/JSSymbolTableObject.h: Added.
4843 (JSC):
4844 (JSSymbolTableObject):
4845 (JSC::JSSymbolTableObject::symbolTable):
4846 (JSC::JSSymbolTableObject::JSSymbolTableObject):
4847 (JSC::JSSymbolTableObject::finishCreation):
4848 (JSC::symbolTableGet):
4849 (JSC::symbolTablePut):
4850 (JSC::symbolTablePutWithAttributes):
4851 * runtime/JSVariableObject.cpp:
4852 (JSC):
4853 * runtime/JSVariableObject.h:
4854 (JSVariableObject):
4855 (JSC::JSVariableObject::JSVariableObject):
4856 (JSC::JSVariableObject::finishCreation):
4857 (JSC):
4858 * runtime/WriteBarrier.h:
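
The invariant the entry above relies on, namely that a pointer into a register stays valid while the owning object lives, is what lets the JITs bake a raw register pointer into get_global_var/put_global_var. The example below is added here and is not JavaScriptCore code: a toy SegmentedRegisters class (its names addRegisters, registerAt and findRegisterIndex mirror the entry, but the implementation is ours) keeps every existing slot in place as it grows, while a contiguous std::vector moves its elements on reallocation and so would leave a baked-in pointer dangling.

```cpp
// Added example, not JavaScriptCore code: pointer-stable segmented register
// storage versus a contiguous vector. Register is a stand-in for a JS value slot.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

using Register = int64_t;

class SegmentedRegisters {
public:
    static constexpr size_t kSegmentSize = 4;   // tiny so the demo crosses segments

    // Append `count` zero-initialised registers. Existing segments are never
    // moved or reallocated, so earlier registerAt() results stay valid.
    void addRegisters(size_t count) {
        for (size_t i = 0; i < count; ++i) {
            if (m_size % kSegmentSize == 0)
                m_segments.push_back(std::make_unique<Register[]>(kSegmentSize));
            ++m_size;
        }
    }

    Register* registerAt(size_t index) {
        return &m_segments[index / kSegmentSize][index % kSegmentSize];
    }

    // Recover an index from a pointer (for assertions and debug dumps); -1 if
    // the pointer does not belong to this object. Addresses are compared as
    // integers so the check is well-defined for unrelated pointers.
    long findRegisterIndex(const Register* p) const {
        auto addr = reinterpret_cast<uintptr_t>(p);
        for (size_t s = 0; s < m_segments.size(); ++s) {
            auto base = reinterpret_cast<uintptr_t>(m_segments[s].get());
            if (addr >= base && addr < base + kSegmentSize * sizeof(Register))
                return static_cast<long>(s * kSegmentSize + (addr - base) / sizeof(Register));
        }
        return -1;
    }

    size_t size() const { return m_size; }

private:
    std::vector<std::unique_ptr<Register[]>> m_segments;
    size_t m_size = 0;
};

// A pointer taken before heavy growth still addresses the same live slot.
bool segmentedPointerSurvivesGrowth() {
    SegmentedRegisters regs;
    regs.addRegisters(1);
    Register* p = regs.registerAt(0);
    *p = 42;
    regs.addRegisters(100);                      // many new segments allocated
    return p == regs.registerAt(0) && *p == 42 && regs.findRegisterIndex(p) == 0;
}

// Pointers from outside the object are rejected; pointers inside map back to
// their index even across segment boundaries.
bool findRegisterIndexIsExact() {
    SegmentedRegisters regs;
    regs.addRegisters(9);                        // spans three segments
    Register outside = 0;
    return regs.findRegisterIndex(&outside) == -1
        && regs.findRegisterIndex(regs.registerAt(8)) == 8
        && regs.findRegisterIndex(regs.registerAt(3)) == 3;
}

// Contiguous storage cannot make the same promise: growth reallocates, so the
// element lives at a new address and the old pointer is dangling. Only the
// address is compared here; the stale pointer is never dereferenced.
bool contiguousPointerMoves() {
    std::vector<Register> regs(1, 42);
    auto before = reinterpret_cast<uintptr_t>(regs.data());
    regs.reserve(regs.capacity() + 1024);        // forces a fresh allocation
    return reinterpret_cast<uintptr_t>(regs.data()) != before;
}

int main() {
    std::printf("segmented pointer survives growth: %d\n", segmentedPointerSurvivesGrowth());
    std::printf("contiguous pointer moved:           %d\n", contiguousPointerMoves());
    return 0;
}
```

The stable-pointer property is also why the entry can drop the indirection through a registers-array base pointer: the hazard a contiguous vector carries (a stale pointer after growth is a use-after-free) simply cannot arise with the segmented layout.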

2012-06-06 Filip Pizlo <fpizlo@apple.com>

        DFG arguments access slow path should not crash if the arguments haven't been created
        https://bugs.webkit.org/show_bug.cgi?id=88471

        Reviewed by Gavin Barraclough.

        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (CCallHelpers):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-06-06 Michael Saboff <msaboff@apple.com>

        ENH: Add Logging to GC Marking Phase
        https://bugs.webkit.org/show_bug.cgi?id=88364

        Reviewed by Filip Pizlo.

        Log GC marking to stderr or a file. The logging is controlled
        with the define ENABLE_OBJECT_MARK_LOGGING in wtf/Platform.h.
        If DATA_LOG_TO_FILE in wtf/DataLog.cpp is set to 1, output is
        logged to a file; otherwise it is logged to stderr.

        When logging is enabled, the GC is built single-threaded since the
        log output from the various threads isn't buffered and output in a
        thread-safe manner.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::resetChildren):
        (JSC::MarkStackThreadSharedData::childVisitCount):
        (JSC::MarkStackThreadSharedData::markingThreadMain):
        (JSC::MarkStackThreadSharedData::markingThreadStartFunc):
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::MarkStackThreadSharedData::reset):
        * heap/MarkStack.h:
        (MarkStackThreadSharedData):
        (MarkStack):
        (JSC::MarkStack::sharedData):
        (JSC::MarkStack::resetChildCount):
        (JSC::MarkStack::childCount):
        (JSC::MarkStack::incrementChildCount):
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildren):
        * runtime/JSCell.cpp:
        (JSC::JSCell::className):
        * runtime/JSCell.h:
        (JSCell):
        (JSC::JSCell::visitChildren):
        * runtime/JSString.cpp:
        (JSC::JSString::visitChildren):
        * runtime/JSString.h:
        (JSString):
        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend):

2012-06-06 Gavin Barraclough <barraclough@apple.com>

        Assigning to a static property should not change iteration order
        https://bugs.webkit.org/show_bug.cgi?id=88401

        Reviewed by Geoff Garen.

        A specific iteration order is not defined by the spec, but test-262 somewhat tenuously
        requires that it is at least stable, e.g. ch10/10.4/10.4.2/S10.4.2_A1.1_T1.js.

        Whilst it is not clear that this behavior really arises from the specification, it
        would seem like common sense to conform to this.

        The problem here is that we allow properties in the structure to shadow those in the
        static table, and we iterate the properties in the structure first - which means that
        as values of existing properties are modified, their iteration order changes too.

        The easy fix is to iterate the properties from the static table first. This has a
        further benefit, since it will mean that user added properties will come after those
        present in the static table (respecting the expected insertion order).

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyNames):
            - Iterate static properties first.
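
To make the ordering problem concrete, here is an added example (not JavaScriptCore code) that models the two structures the entry talks about: a fixed "static table" of class-provided property names and a per-object "structure" that records properties in insertion order and gains a shadowing copy of a static property when it is written to. It enumerates names the old way (structure first) and the fixed way (static table first) and shows that only the latter keeps the order stable across an assignment. The sample names "length", "name", "prototype" and "userProp" are constructed for the demo.

```cpp
// Added example, not JavaScriptCore code: property enumeration order when a
// per-object structure can shadow a class's static property table.
#include <algorithm>
#include <string>
#include <utility>
#include <vector>

struct ToyObject {
    // Constructed sample static table, in the class's declaration order.
    std::vector<std::string> staticTable{"length", "name", "prototype"};
    // Structure: (name, value) in insertion order. Writing to a static property
    // appends a shadowing entry here, which is what moved it in the old order.
    std::vector<std::pair<std::string, int>> structure;

    void put(const std::string& key, int value) {
        for (auto& kv : structure)
            if (kv.first == key) { kv.second = value; return; }
        structure.emplace_back(key, value);
    }

    // Old behaviour: structure entries first, then static names not yet shadowed.
    std::vector<std::string> namesStructureFirst() const {
        std::vector<std::string> out;
        for (const auto& kv : structure)
            out.push_back(kv.first);
        for (const auto& s : staticTable)
            if (std::find(out.begin(), out.end(), s) == out.end())
                out.push_back(s);
        return out;
    }

    // Fixed behaviour: static table first, then structure entries that are not
    // static, so user-added properties follow the built-in ones.
    std::vector<std::string> namesStaticFirst() const {
        std::vector<std::string> out(staticTable);
        for (const auto& kv : structure)
            if (std::find(staticTable.begin(), staticTable.end(), kv.first) == staticTable.end())
                out.push_back(kv.first);
        return out;
    }
};

// Assigning to the static property "name" reorders the old enumeration...
bool orderChangesWithStructureFirst() {
    ToyObject o;
    o.put("userProp", 1);
    std::vector<std::string> before = o.namesStructureFirst();
    o.put("name", 7);                                 // shadows a static property
    return before != o.namesStructureFirst();
}

// ...but leaves the static-first enumeration untouched.
bool orderStableWithStaticFirst() {
    ToyObject o;
    o.put("userProp", 1);
    std::vector<std::string> before = o.namesStaticFirst();
    o.put("name", 7);
    return before == o.namesStaticFirst();
}

// Static names precede user-added ones regardless of assignment history.
bool staticFirstOrderIsExpected() {
    ToyObject o;
    o.put("userProp", 1);
    o.put("name", 7);
    std::vector<std::string> expected{"length", "name", "prototype", "userProp"};
    return o.namesStaticFirst() == expected;
}
```

With structure-first enumeration the sequence goes from [userProp, length, name, prototype] to [userProp, name, length, prototype] after the write; with static-first it is [length, name, prototype, userProp] both times.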

2012-06-06 Andy Wingo <wingo@igalia.com>

        Ensure consistent order of evaluation in LLInt slow paths
        https://bugs.webkit.org/show_bug.cgi?id=88409

        Reviewed by Geoffrey Garen.

        * llint/LLIntSlowPaths.cpp:
        (slow_path_mul)
        (slow_path_sub)
        (slow_path_div)
        (slow_path_mod)
        (slow_path_lshift)
        (slow_path_rshift)
        (slow_path_urshift)
        (slow_path_bitand)
        (slow_path_bitor)
        (slow_path_bitxor): Avoid calling toNumber, toInt32, or toUInt32
        multiple times without intervening sequence points. Fixes
        fast/js/exception-sequencing-binops.html with GCC 4.7 on x86-64
        Linux, which reordered evaluation of the arguments to fmod.
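
The bug class behind this entry is worth seeing in isolation: C++ does not specify the order in which a call's arguments are evaluated, so `fmod(a.toNumber(), b.toNumber())` may convert `b` before `a`, and it converts `b` even when converting `a` raised an exception. In JavaScript both conversions can run user code (valueOf), so the order is observable. The example below is added here and is not JavaScriptCore code; `Value`, `ExecState` and `toNumber` are constructed stand-ins for the engine's types, with a trace vector recording which conversion ran.

```cpp
// Added example, not JavaScriptCore code: unsequenced versus sequenced operand
// conversion in a binary-operator slow path.
#include <cmath>
#include <string>
#include <vector>

// Stand-in for a JS value whose toNumber() may run user code and may throw.
struct Value {
    std::string name;
    double number;
    bool throwsOnConvert;
};

// Stand-in for the execution state: records conversion order and exceptions.
struct ExecState {
    std::vector<std::string> trace;
    bool hadException = false;
};

double toNumber(ExecState& exec, const Value& v) {
    exec.trace.push_back(v.name);            // observable side effect (valueOf)
    if (v.throwsOnConvert)
        exec.hadException = true;
    return v.number;
}

// BEFORE: both conversions inside one full-expression. Their relative order is
// unspecified, and b's conversion runs even if a's threw.
double unsequencedMod(ExecState& exec, const Value& a, const Value& b) {
    return std::fmod(toNumber(exec, a), toNumber(exec, b));
}

// AFTER: one conversion per statement, exception checked in between, so the
// left operand is always converted first and a throw stops further evaluation.
double sequencedMod(ExecState& exec, const Value& a, const Value& b) {
    double lhs = toNumber(exec, a);
    if (exec.hadException)
        return 0;                            // the engine would propagate here
    double rhs = toNumber(exec, b);
    if (exec.hadException)
        return 0;
    return std::fmod(lhs, rhs);
}

bool sequencedRunsLeftThenRight() {
    ExecState exec;
    sequencedMod(exec, {"a", 7, false}, {"b", 3, false});
    return exec.trace == std::vector<std::string>{"a", "b"};
}

bool sequencedStopsAfterException() {
    ExecState exec;
    sequencedMod(exec, {"a", 7, true}, {"b", 3, false});
    return exec.trace == std::vector<std::string>{"a"} && exec.hadException;
}

// The unsequenced form always converts both operands, even after a throw;
// which ran first is compiler-dependent, so only the count is checked.
bool unsequencedStillConvertsRight() {
    ExecState exec;
    unsequencedMod(exec, {"a", 7, true}, {"b", 3, false});
    return exec.trace.size() == 2;
}

double sequencedResult() {
    ExecState exec;
    return sequencedMod(exec, {"a", 7, false}, {"b", 3, false});   // fmod(7, 3)
}
```

The fix pattern is the same one the entry applies to every listed slow path: hoist each operand conversion into its own local before combining them.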

2012-06-06 Andy Wingo <wingo@igalia.com>

        [GTK] Enable the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=88315

        Reviewed by Filip Pizlo.

        * GNUmakefile.am: Add rules to generate LLIntDesiredOffsets.h and
        LLIntAssembly.h.
        * GNUmakefile.list.am: Add offlineasm and llint files to the
        dist. Add LLInt source files to the build.
        * llint/LowLevelInterpreter.asm (crash): Generate a store of
        0xbbadbeef to a register, not to a constant. Otherwise, gas was
        failing to assemble the result.
        * offlineasm/asm.rb (labelReference): Generate a
        SYMBOL_STRING_RELOCATION instead of a SYMBOL_STRING, so that we go
        through the PLT on ELF systems.

2012-06-06 Andy Wingo <wingo@igalia.com>

        REGRESSION (r106478): None of the Paper.js JavaScript examples work
        https://bugs.webkit.org/show_bug.cgi?id=87158

        Reviewed by Michael Saboff.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolve): If we have to bail out to
        dynamicResolve(), only skip static scopes from the head of the
        scope chain. Before, we were also skipping activations with
        direct eval as well, which was incorrect.

2012-06-06 Dan Bernstein <mitz@apple.com>

        Reverted r119567, the fix for <http://webkit.org/b/88378>, because it broke the 32-bit build.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * llint/LowLevelInterpreter.asm:
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalThis.cpp:
        (JSC::JSGlobalThis::setUnwrappedObject):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        (JSC::JSObject::createInheritorID):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::resetInheritorID):
        (JSC):
        (JSC::JSObject::offsetOfInheritorID):
        (JSC::JSObject::inheritorID):

2012-06-05 Yuqiang Xian <yuqiang.xian@intel.com>

        Improve Math.round and Math.floor intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=88314

        Reviewed by Filip Pizlo.

        Currently we call a native function from the JIT code to complete the
        "round" and "floor" operations. We could inline some fast paths
        especially for those positive values on the platforms where floating
        point truncation is supported.
        This brings a 3% gain on Kraken, especially 32% on audio-oscillator,
        and a slight win on SunSpider, measured on IA32.

        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC):
        (JSC::roundThunkGenerator):
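
The shortcut the entry describes, using the hardware's truncating float-to-int conversion as floor for non-negative values and leaving the rest to a general path, has a few inputs that a naive version gets wrong, so here is an added example (ours, not the thunk code in jit/ThunkGenerators.cpp) that spells the idea out in plain C++ and handles them. The fast range, the -0 handling and the treatment of 0.49999999999999994 (the largest double below 0.5, for which trunc(x + 0.5) wrongly yields 1 because x + 0.5 rounds up to 1.0) are our own choices, made so the functions agree with ECMAScript Math.floor and Math.round on every double.

```cpp
// Added example, not JavaScriptCore code: truncation-based fast paths for
// Math.floor and Math.round with a general fallback for everything else.
#include <cmath>
#include <cstdint>

// Non-negative values that fit in int32 can be floored by truncation, which is
// what a float-to-int conversion instruction does. NaN fails the first test.
static inline bool inFastRange(double x) {
    return x >= 0 && x < 2147483648.0;
}

double jsFloor(double x) {
    if (std::trunc(x) == x)
        return x;                                   // integers, +-0, +-Infinity unchanged
    if (inFastRange(x))
        return static_cast<double>(static_cast<int32_t>(x));   // trunc == floor for x >= 0
    return std::floor(x);                           // negatives, huge magnitudes, NaN
}

double jsRound(double x) {
    if (std::trunc(x) == x)
        return x;
    if (inFastRange(x)) {
        double t = static_cast<double>(static_cast<int32_t>(x));
        // x - t is exact (t <= x < t + 1, Sterbenz), so 0.49999999999999994
        // stays below 0.5 and rounds to 0; trunc(x + 0.5) would have given 1.
        return (x - t >= 0.5) ? t + 1 : t;
    }
    if (x < 0 && x >= -0.5)
        return -0.0;                                // ECMAScript: Math.round(-0.3) is -0
    // Remaining x are non-integers with |x| < 2^52, so x + 0.5 is exact here.
    return std::floor(x + 0.5);
}

// Sample inputs chosen to exercise each branch.
bool floorMatchesSpec() {
    return jsFloor(3.7) == 3.0
        && jsFloor(-3.2) == -4.0
        && jsFloor(2147483647.5) == 2147483647.0
        && std::signbit(jsFloor(-0.0))
        && std::isnan(jsFloor(std::nan("")));
}

bool roundMatchesSpec() {
    return jsRound(2.5) == 3.0
        && jsRound(-2.5) == -2.0
        && jsRound(-1.5) == -1.0
        && jsRound(0.49999999999999994) == 0.0
        && jsRound(-0.4) == 0.0 && std::signbit(jsRound(-0.4))
        && std::isnan(jsRound(std::nan("")));
}
```

In a JIT thunk the range check is what guards the conversion instruction; values outside it (negatives, NaN, Infinity, anything at or above 2^31) fall through to the slow call, which is the split the entry's "especially for those positive values" refers to.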

2012-06-05 Gavin Barraclough <barraclough@apple.com>

        Remove JSObject::m_inheritorID
        https://bugs.webkit.org/show_bug.cgi?id=88378

        Reviewed by Geoff Garen.

        This is rarely used, and not performance critical (the commonly accessed copy is cached on JSFunction),
        and most objects don't need an inheritorID (this value is only used if the object is used as a prototype).
        Instead use a private named value in the object's property storage.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
            - No m_inheritorID to initialize!
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
            - No m_inheritorID to initialize!
        * llint/LowLevelInterpreter.asm:
            - No m_inheritorID to initialize!
        * runtime/JSGlobalData.h:
        (JSGlobalData):
            - Added private name 'm_inheritorIDKey'.
        * runtime/JSGlobalThis.cpp:
        (JSC::JSGlobalThis::setUnwrappedObject):
            - resetInheritorID is now passed a JSGlobalData&.
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
            - No m_inheritorID to be marked.
        (JSC::JSObject::createInheritorID):
            - Store the newly created inheritorID in the property map.
        * runtime/JSObject.h:
        (JSC::JSObject::resetInheritorID):
            - Remove the inheritorID from property storage.
        (JSC::JSObject::inheritorID):
            - Read the inheritorID from property storage.

2012-06-05 Filip Pizlo <fpizlo@apple.com>

        DFG CFG simplification should not attempt to deref nodes inside of an unreachable subgraph
        https://bugs.webkit.org/show_bug.cgi?id=88362

        Reviewed by Gavin Barraclough.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::fixPhis):
        (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):

2012-06-05 Mark Hahnenberg <mhahnenberg@apple.com>

        Entry into JSC should CRASH() if the Heap is busy
        https://bugs.webkit.org/show_bug.cgi?id=88355

        Reviewed by Geoffrey Garen.

        Interpreter::execute() returns jsNull() right now if we try to enter it while
        the Heap is busy (e.g. with a collection), which is okay, but some code paths
        that call Interpreter::execute() allocate objects before checking if the Heap
        is busy. Attempting to execute JS code while the Heap is busy should not be
        allowed and should be enforced by a release-mode CRASH() to prevent vague,
        unhelpful backtraces later on if somebody makes a mistake. Normally, recursively
        executing JS code is okay, e.g. for evals, but it should not occur during a
        Heap allocation or collection because the Heap is not guaranteed to be in a
        consistent state (especially during collections). We are protected from
        executing JS on the same Heap concurrently on two separate threads because
        they must each take a JSLock first. However, we are not protected from reentrant
        execution of JS on the same thread because JSLock allows reentrancy. Therefore,
        we should fail early if we detect an entrance into JS code while the Heap is busy.

        * heap/Heap.cpp: Changed Heap::collect so that it sets the m_operationInProgress field
        at the beginning of collection and then unsets it at the end so that it is set at all
        times throughout the duration of a collection rather than sporadically during various
        phases. There is no reason to unset during a collection because our collector does
        not currently support running additional JS between the phases of a collection.
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute): Crash if the Heap is busy.
        * runtime/Completion.cpp: Crash if the Heap is busy. We do it here before we call
        Interpreter::execute() because we do some allocation prior to calling execute() which
        could cause Heap corruption if, for example, that allocation caused a collection.
        (JSC::evaluate):

2012-06-05 Dongwoo Im <dw.im@samsung.com>

        Add 'isProtocolHandlerRegistered' and 'unregisterProtocolHandler'.
        https://bugs.webkit.org/show_bug.cgi?id=73176

        Reviewed by Adam Barth.

        Two more APIs are added in the Custom Scheme Handler specification.
        http://dev.w3.org/html5/spec/Overview.html#custom-handlers
        One is 'isProtocolHandlerRegistered' to query whether the specific URL
        is registered or not.
        The other is 'unregisterProtocolHandler' to remove the registered URL.

        * Configurations/FeatureDefines.xcconfig: Add a macro 'ENABLE_CUSTOM_SCHEME_HANDLER'.

2012-06-04 Filip Pizlo <fpizlo@apple.com>

        DFG CFG simplification should correct the variables at the head of the predecessor block
        https://bugs.webkit.org/show_bug.cgi?id=88284

        Reviewed by Geoffrey Garen.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2012-06-04 Geoffrey Garen <ggaren@apple.com>

        Unreviewed.

        Rolled out r119364 because it's still causing crashes (when running
        v8-earley in release builds of DRT).

        This time for sure!

        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::resetAllocator):
        (JSC):
        * heap/MarkedSpace.cpp:
        (JSC::ResetAllocator::operator()):
        (JSC):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::sweepWeakSets):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep):
        * heap/WeakSet.cpp:
        (JSC::WeakSet::sweep):
        (JSC::WeakSet::tryFindAllocator):
        * heap/WeakSet.h:
        (JSC::WeakSet::shrink):

2012-06-04 Filip Pizlo <fpizlo@apple.com>

        DFG arguments simplification should have rationalized handling of TearOffArguments
        https://bugs.webkit.org/show_bug.cgi?id=88206

        Reviewed by Geoffrey Garen.

        - Accesses to the unmodified arguments register ought to have the same effect on
          alias/escape analysis of arguments as accesses to the mutable arguments register.

        - The existence of TearOffArguments should not get in the way of arguments aliasing.

        - TearOffArguments should be eliminated if CreateArguments is eliminated.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):

2012-06-04 Gavin Barraclough <barraclough@apple.com>

        Remove enabledProfilerReference
        https://bugs.webkit.org/show_bug.cgi?id=88258

        Reviewed by Michael Saboff.

        Make the enabled profiler a member of JSGlobalData, and switch code that accesses it to do so directly
        via the JSGlobalData, rather than holding a Profiler** reference to it. Do not pass the Profiler**
        reference to JIT code. This patch does not change the stack layout on entry into JIT code (passing an
        unused void* instead), since this is an intrusive change better handled in a separate patch.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::privateExecute):
        * jit/JITCode.h:
        (JSC::JITCode::execute):
            - Don't pass Profiler** to JIT code.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * jit/JITStubs.cpp:
        (JSC):
        (JSC::ctiTrampoline):
        (JSC::ctiVMThrowTrampoline):
        (JSC::ctiOpThrowNotCaught):
        (JSC::JITThunks::JITThunks):
        (JSC::DEFINE_STUB_FUNCTION):
            - For ARM_THUMB2, rename ENABLE_PROFILER_REFERENCE_OFFSET to FIRST_STACK_ARGUMENT (which is how it is being used).
            - For MIPS, remove ENABLE_PROFILER_REFERENCE_OFFSET.
        * jit/JITStubs.h:
        (JITStackFrame):
        (JSC):
            - Renamed enabledProfilerReference to unusedX.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * profiler/Profiler.cpp:
        (JSC):
        (JSC::Profiler::startProfiling):
        (JSC::Profiler::stopProfiling):
        * profiler/Profiler.h:
        (Profiler):
            - Removed s_sharedEnabledProfilerReference, enabledProfilerReference().
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSC::JSGlobalData::enabledProfiler):
        (JSGlobalData):
            - Added m_enabledProfiler, enabledProfiler().
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):

2012-06-04 Filip Pizlo <fpizlo@apple.com>

        get_argument_by_val should be profiled everywhere
        https://bugs.webkit.org/show_bug.cgi?id=88205

        Reviewed by Geoffrey Garen.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2012-06-04 Filip Pizlo <fpizlo@apple.com>

        DFG arguments simplification takes unkindly to direct accesses to the arguments register
        https://bugs.webkit.org/show_bug.cgi?id=88261

        Reviewed by Geoffrey Garen.

        Fixed arguments simplification for direct accesses to the arguments register, which may
        arise if CSE had not run. Fixed CSE so that it does run prior to arguments simplification,
        by making it a full-fledged member of the fixpoint. Fixed other issues in arguments
        simplification, like realizing that it needs to bail if there is a direct assignment to
        the arguments register, and failing to turn CreateArguments into PhantomArguments. Also
        fixed CSE's handling of store elimination of captured locals in the presence of a
        GetMyArgumentByVal (or one of its friends), and fixed CSE to correctly fixup variables at
        tail if the Flush it removes is the last operation on a local in a basic block.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (CSEPhase):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):

2012-06-04 Anders Carlsson <andersca@apple.com>

        Fix a struct/class mismatch.

        * heap/Handle.h:
        (Handle):

2012-06-04 David Kilzer <ddkilzer@apple.com>

        BUILD FIX: FeatureDefines.xcconfig should match across projects

        * Configurations/FeatureDefines.xcconfig:
            - Add missing ENABLE_LEGACY_CSS_VENDOR_PREFIXES.

2012-06-02 Geoffrey Garen <ggaren@apple.com>

        Weak pointer finalization should be lazy
        https://bugs.webkit.org/show_bug.cgi?id=87599

        Reviewed by Sam Weinig.

        This time for sure!

        * heap/Heap.cpp:
        (JSC::Heap::collect): Don't sweep eagerly -- we'll sweep lazily instead.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep): Sweep our weak set before we sweep our other
        destructors -- this is our last chance to run weak set finalizers before
        we recycle our memory.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::resetAllocator):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::resetAllocators):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::resetAllocators): Don't force allocator reset anymore.
        It will happen automatically when a weak set is swept. It's simpler to
        have only one canonical way for this to happen, and it wasn't buying
        us anything to do it eagerly.

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): Don't short-circuit a sweep unless we know
        the sweep would be a no-op. If even one finalizer is pending, we need to
        run it, since we won't get another chance.

        * heap/WeakSet.cpp:
        (JSC::WeakSet::sweep): This loop can be simpler now that
        WeakBlock::sweep() does what we mean.

        Reset our allocator after a sweep because this is the optimal time to
        start trying to recycle old weak pointers.

        (JSC::WeakSet::tryFindAllocator): Don't sweep when searching for an
        allocator because we've swept already, and forcing a new sweep would be
        wasteful.

        * heap/WeakSet.h:
        (JSC::WeakSet::shrink): Be sure to reset our allocator after a shrink
        because the shrink may have removed the block the allocator was going to
        allocate out of.

2012-06-02 Filip Pizlo <fpizlo@apple.com>

        If the DFG bytecode parser detects that op_method_check has gone polymorphic, it
        shouldn't revert all the way to GetById/GetByIdFlush
        https://bugs.webkit.org/show_bug.cgi?id=88176

        Reviewed by Geoffrey Garen.

        Refactored the code so that the op_method_check case of the parser gracefully falls
        through to all of the goodness of the normal op_get_by_id case.

        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (DFG):
        (JSC::DFG::ByteCodeParser::parseBlock):

2012-06-02 Filip Pizlo <fpizlo@apple.com>

        DFG CSE should be able to eliminate unnecessary flushes of arguments and captured variables
        https://bugs.webkit.org/show_bug.cgi?id=87929

        Reviewed by Geoffrey Garen.

        Slight speed-up on V8. Big win (up to 50%) on programs that inline very small functions.

        This required a bunch of changes:

        - The obvious change is making CSE essentially ignore whether or not the set of
          operations between the Flush and the SetLocal can exit, and instead focus on whether or
          not that set of operations can clobber the world or access local variables. This code
          is now refactored to return a set of flags indicating any of these events, and the CSE
          decides what to do based on those flags. If the set of operations is non-clobbering
          and non-accessing, then the Flush is turned into a Phantom on the child of the
          SetLocal. This expands the liveness of the relevant variable but virtually guarantees
          that it will be register allocated and not flushed to the stack. So, yeah, this patch
          is a lot of work to save a few stores to the stack.

        - Previously, CheckArgumentsNotCreated was optimized "lazily" in that you only knew if
          it was a no-op if you were holding onto a CFA abstract state. But this would make the
          CSE act pessimistically, since it doesn't use the CFA. Hence, this patch changes the
          constant folding phase into something more broad; it now fixes up
          CheckArgumentsNotCreated nodes by turning them into phantoms if it knows that they are
          no-ops.

        - Arguments simplification was previously relying on this very strange PhantomArguments
          node, which had two different meanings: for normal execution it meant the empty value
          but for OSR exit it meant that the arguments should be reified. This produces problems
          when SetLocals to the captured arguments registers are CSE'd away, since we'd be
          triggering reification of arguments without having initialized the arguments registers
          to empty. The cleanest solution was to fix PhantomArguments to have one meaning:
          namely, arguments reification on OSR exit. Hence, this patch changes arguments
          simplification to change SetLocal of CreateArguments on the arguments registers to be
          a SetLocal of Empty.

        - Argument value recoveries were previously derived from the value source of the
          arguments at the InlineStart. But that relies on all SetLocals to arguments having
          been flushed. It's possible that we could have elided the SetLocal to the arguments
          at the callsite because there were subsequent SetLocals to the arguments inside of the
          callee, in which case the InlineStart would get the wrong information. Hence, this
          patch changes argument value recovery computation to operate over the ArgumentPositions
          directly.

        - But that doesn't actually work, because previously, there was no way to link an
          InlineStart back to the corresponding ArgumentPositions, at least not without some
          ugliness. So this patch instates the rule that the m_argumentPositions vector consists
          of disjoint subsequences such that each subsequence corresponds to an inline callsite
          and can be identified by its first index, and within each subsequence are the
          ArgumentPositions of all of the arguments ordered by argument index. This required
          flipping the order in which ArgumentPositions are added to the vector, and giving
          InlineStart an operand that indicates the start of that inline callsite's
          ArgumentPosition subsequence.

        - This patch also revealed a nasty bug in the reification of arguments in inline call
          frames on OSR exit. Since the reification was happening after the values of virtual
          registers were recovered, the value recoveries of the inline arguments were wrong.
          Hence using operationCreateInlinedArguments is wrong. For example a value recovery
          might say that you have to box a double, but if we had already boxed it then boxing
          it a second time will result in garbage. The specific case of this bug that this patch
          uncovered was that now it is possible for an inline call frame to not have any valid
          value recoveries for any inline arguments, if the optimization elides all argument
          flushes, while at the same time optimizing away arguments creation. Then OSR exit
          would try to recover the arguments using the inline call frame, which had bogus
          information, and humorous crashes would ensue. This patch fixes this issue by moving
          arguments reification to after call frame reification, so that arguments reification
          can always use operationCreateArguments instead of operationCreateInlinedArguments.

        - This patch may turn a Flush into a Phantom. That's kind of the whole point. But that
          broke forward speculation checks, which knew to look for a Flush prior to a SetLocal
          but didn't know that there could alternatively be a Phantom in place of the Flush.
          This patch fixes that by augmenting the forward speculation check logic.

        - Finally, in the process of having fun with all of the above, I realized that my DFG
          validation was not actually running on every phase like I had originally designed it
          to. In fact it was only running just after bytecode parsing. I initially tried to
          make it run in every phase but found that this causes some tests to timeout
          (specifically the evil fuzzing ones), so I decided on a compromise where: (i) in
          release mode validation never runs, (ii) in debug mode validation will run just
          after parsing and just before the backend, and (iii) it's possible with a simple
          switch to enable validation to run on every phase.

        Luckily all of the above issues were already covered by the 77 or so DFG-specific
        layout tests. Hence, this patch does not introduce any new tests despite being so
        meaty.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::prediction):
        (JSC::DFG::ArgumentPosition::doubleFormatState):
        (JSC::DFG::ArgumentPosition::shouldUseDoubleFormat):
        (ArgumentPosition):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult):
        (SetLocalStoreEliminationResult):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::run):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::hasArgumentPositionStart):
        (JSC::DFG::Node::argumentPositionStart):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPhase.cpp:
        (DFG):
        * dfg/DFGPhase.h:
        (Phase):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
5510 * dfg/DFGSpeculativeJIT64.cpp:
5511 (JSC::DFG::SpeculativeJIT::compile):
5512
5513 2012-06-02 Geoffrey Garen <ggaren@apple.com>
5514
5515 DOM string cache should hash pointers, not characters
5516 https://bugs.webkit.org/show_bug.cgi?id=88175
5517
5518 Reviewed by Phil Pizlo and Sam Weinig.
5519
5520 * heap/Weak.h:
5521 (JSC::weakAdd):
5522 (JSC::weakRemove): Made these function templates slightly more generic
5523 to accommodate new client types.
5524
5525 2012-06-01 Filip Pizlo <fpizlo@apple.com>
5526
5527 DFG CFA should know that PutByVal can clobber the world
5528 https://bugs.webkit.org/show_bug.cgi?id=88155
5529
5530 Reviewed by Gavin Barraclough.
5531
5532 * dfg/DFGAbstractState.cpp:
5533 (JSC::DFG::AbstractState::execute):
5534
5535 2012-06-01 Filip Pizlo <fpizlo@apple.com>
5536
5537 DFG CFA should mark basic blocks as having constants if local accesses yield constants
5538 https://bugs.webkit.org/show_bug.cgi?id=88153
5539
5540 Reviewed by Gavin Barraclough.
5541
5542 * dfg/DFGAbstractState.cpp:
5543 (JSC::DFG::AbstractState::execute):
5544
5545 2012-06-01 Filip Pizlo <fpizlo@apple.com>
5546
5547 DFG arguments simplification phase uses a node.codeOrigin after appending a node
5548 https://bugs.webkit.org/show_bug.cgi?id=88151
5549
5550 Reviewed by Geoffrey Garen.
5551
5552 The right thing to do is to save the CodeOrigin before appending to the graph.
5553
5554 * dfg/DFGArgumentsSimplificationPhase.cpp:
5555 (JSC::DFG::ArgumentsSimplificationPhase::run):
5556
5557 2012-06-01 Filip Pizlo <fpizlo@apple.com>
5558
5559 DFG should not emit unnecessary speculation checks when performing an int32 to double conversion on
5560 a value that is proved to be a number, predicted to be an int32, but not proved to be an int32
5561 https://bugs.webkit.org/show_bug.cgi?id=88146
5562
5563 Reviewed by Gavin Barraclough.
5564
5565 * dfg/DFGSpeculativeJIT.cpp:
5566 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
5567
5568 2012-06-01 Filip Pizlo <fpizlo@apple.com>
5569
5570 DFG constant folding search for the last local access skips the immediately previous local access
5571 https://bugs.webkit.org/show_bug.cgi?id=88141
5572
5573 Reviewed by Michael Saboff.
5574
5575 If you use a loop in the style of:
5576
5577 for (i = start; i--;)
5578
5579 then you need to remember that the first value of 'i' that the loop body will see is 'start - 1'.
5580 Hence the following is probably wrong:
5581
5582 for (i = start - 1; i--;)
5583
5584 * dfg/DFGConstantFoldingPhase.cpp:
5585 (JSC::DFG::ConstantFoldingPhase::run):
5586
5587 2012-06-01 Filip Pizlo <fpizlo@apple.com>
5588
5589 DFG constant folding should be OK with GetLocal of captured variables having a constant
5590 https://bugs.webkit.org/show_bug.cgi?id=88137
5591
5592 Reviewed by Gavin Barraclough.
5593
5594 * dfg/DFGConstantFoldingPhase.cpp:
5595 (JSC::DFG::ConstantFoldingPhase::run):
5596
5597 2012-05-31 Mark Hahnenberg <mhahnenberg@apple.com>
5598
5599 JSGlobalObject does not mark m_privateNameStructure
5600 https://bugs.webkit.org/show_bug.cgi?id=88023
5601
5602 Rubber stamped by Gavin Barraclough.
5603
5604 * runtime/JSGlobalObject.cpp:
5605 (JSC::JSGlobalObject::visitChildren): We need to mark this so it doesn't get
5606 inadvertently garbage collected.
5607
5608 2012-05-31 Erik Arvidsson <arv@chromium.org>
5609
5610 Make DOM Exceptions Errors
5611 https://bugs.webkit.org/show_bug.cgi?id=85078
5612
5613 Reviewed by Oliver Hunt.
5614
5615 WebIDL mandates that exceptions should have Error.prototype on its prototype chain.
5616
5617 For JSC we have access to the Error.prototype from the binding code.
5618
5619 For V8 we set a field in the WrapperTypeInfo and when the constructor function is created we
5620 set the prototype as needed.
5621
5622 Updated test: fast/dom/DOMException/prototype-object.html
5623
5624 * JavaScriptCore.xcodeproj/project.pbxproj:
5625 * runtime/JSGlobalObject.cpp:
5626 (JSC::JSGlobalObject::reset):
5627 * runtime/JSGlobalObject.h:
5628 (JSC):
5629 (JSGlobalObject):
5630 (JSC::JSGlobalObject::errorPrototype):
5631
5632 2012-05-31 Andy Wingo <wingo@igalia.com>
5633
5634 Fix reference to unset variable in debug mode
5635 https://bugs.webkit.org/show_bug.cgi?id=87981
5636
5637 Reviewed by Geoffrey Garen.
5638
5639 * runtime/JSONObject.cpp (Stringifier::Holder::Holder):
5640 Initialize m_size in debug mode, as we check it later in an assert.
5641
5642 2012-05-30 Mark Hahnenberg <mhahnenberg@apple.com>
5643
5644 Heap should sweep incrementally
5645 https://bugs.webkit.org/show_bug.cgi?id=85429
5646
5647 We shouldn't have to wait for the opportunistic GC timer to fire in order
5648 to call object destructors. Instead, we should incrementally sweep some
5649 subset of the blocks requiring sweeping periodically. We tie this sweeping
5650 to a timer rather than to collections because we want to reclaim this memory
5651 even if we stop allocating. This way, our memory usage scales smoothly with
5652 actual use, regardless of whether we've recently done an opportunistic GC or not.
5653
5654 Reviewed by Geoffrey Garen.
5655
5656 * CMakeLists.txt:
5657 * GNUmakefile.list.am:
5658 * JavaScriptCore.gypi:
5659 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
5660 * JavaScriptCore.xcodeproj/project.pbxproj:
5661 * Target.pri:
5662 * heap/Heap.cpp:
5663 (JSC::Heap::Heap):
5664 (JSC::Heap::collect): We no longer sweep during a full sweep. We only shrink now,
5665 which we will switch over to being done during incremental sweeping too as soon as
5666 all finalizers can be run lazily (and, by extension, incrementally).
5667 (JSC::Heap::sweeper):
5668 (JSC):
5669 * heap/Heap.h:
5670 (JSC):
5671 (Heap):
5672 * heap/IncrementalSweeper.cpp: Added.
5673 (JSC):
5674 (JSC::IncrementalSweeper::timerDidFire): The IncrementalSweeper works very similarly to
5675 GCActivityCallback. It is tied to a run-loop based timer that fires periodically based
5676 on how long the previous sweep increment took to run. The IncrementalSweeper doesn't do
5677 anything if the platform doesn't support CoreFoundation.
5678 (JSC::IncrementalSweeper::IncrementalSweeper):
5679 (JSC::IncrementalSweeper::~IncrementalSweeper):
5680 (JSC::IncrementalSweeper::create):
5681 (JSC::IncrementalSweeper::scheduleTimer):
5682 (JSC::IncrementalSweeper::cancelTimer):
5683 (JSC::IncrementalSweeper::doSweep): Iterates over the snapshot of the MarkedSpace taken
5684 during the last collection, checking to see which blocks need sweeping. If it successfully
5685 gets to the end of the blocks that need sweeping then it cancels the timer.
5686 (JSC::IncrementalSweeper::startSweeping): We take a snapshot of the Heap and store it in
5687 a Vector that the incremental sweep will iterate over. We also reset our index into this Vector.
5688 * heap/IncrementalSweeper.h: Added.
5689 (JSC):
5690 (IncrementalSweeper):
5691 * heap/MarkedBlock.h:
5692 (JSC::MarkedBlock::needsSweeping): If a block is in the Marked state it needs sweeping
5693 to be usable and to run any destructors that need to be run.
5694
5695 2012-05-30 Patrick Gansterer <paroga@webkit.org>
5696
5697 [WINCE] Fix JSString after r115516.
5698 https://bugs.webkit.org/show_bug.cgi?id=87892
5699
5700 Reviewed by Geoffrey Garen.
5701
5702 r115516 split JSString into two classes, with additional nested classes.
5703 Add a workaround for the WinCE compiler since it can't resolve the friend class
5704 declarations correctly and denies access to protected members of JSString.
5705
5706 * runtime/JSString.h:
5707 (JSC::JSRopeString::RopeBuilder::append):
5708 (JSC::JSRopeString::append):
5709 (JSRopeString):
5710
5711 2012-05-30 Oliver Hunt <oliver@apple.com>
5712
5713 Really provide error information with the inspector disabled
5714 https://bugs.webkit.org/show_bug.cgi?id=87910
5715
5716 Reviewed by Filip Pizlo.
5717
5718 Don't bother checking for anything other than pre-existing error info.
5719 In the absence of complete line number information you'll only get the
5720 line a function starts on, but at least it's something.
5721
5722 * interpreter/Interpreter.cpp:
5723 (JSC::Interpreter::throwException):
5724
5725 2012-05-30 Filip Pizlo <fpizlo@apple.com>
5726
5727 LLInt broken on x86-32 with JIT turned off
5728 https://bugs.webkit.org/show_bug.cgi?id=87906
5729
5730 Reviewed by Geoffrey Garen.
5731
5732 Fixed the code to not clobber registers that contain important things, like the call frame.
5733
5734 * llint/LowLevelInterpreter32_64.asm:
5735
5736 2012-05-30 Filip Pizlo <fpizlo@apple.com>
5737
5738 ScriptDebugServer wants sourceIDs that are non-zero because that's what HashMaps want, so JSC should placate it
5739 https://bugs.webkit.org/show_bug.cgi?id=87887
5740
5741 Reviewed by Darin Adler.
5742
5743 Better fix - we now never call SourceProvider::asID() if SourceProvider* is 0.
5744
5745 * parser/Nodes.h:
5746 (JSC::ScopeNode::sourceID):
5747 * parser/SourceCode.h:
5748 (JSC::SourceCode::providerID):
5749 (SourceCode):
5750 * parser/SourceProvider.h:
5751 (SourceProvider):
5752 (JSC::SourceProvider::asID):
5753 * runtime/Executable.h:
5754 (JSC::ScriptExecutable::sourceID):
5755
5756 2012-05-30 Filip Pizlo <fpizlo@apple.com>
5757
5758 ScriptDebugServer wants sourceIDs that are non-zero because that's what HashMaps want, so JSC should placate it
5759 https://bugs.webkit.org/show_bug.cgi?id=87887
5760
5761 Reviewed by Geoffrey Garen.
5762
5763 * parser/SourceProvider.h:
5764 (JSC::SourceProvider::asID):
5765
5766 2012-05-30 Oliver Hunt <oliver@apple.com>
5767
5768 DFG does not correctly handle exceptions caught in the LLInt
5769 https://bugs.webkit.org/show_bug.cgi?id=87885
5770
5771 Reviewed by Filip Pizlo.
5772
5773 Make the DFG use genericThrow, rather than reimplementing a small portion of it.
5774 Also make the LLInt slow paths validate that their PC is correct.
5775
5776 * dfg/DFGOperations.cpp:
5777 * llint/LLIntSlowPaths.cpp:
5778 (LLInt):
5779
5780 2012-05-29 Filip Pizlo <fpizlo@apple.com>
5781
5782 DFG CFA should infer types and values of captured variables
5783 https://bugs.webkit.org/show_bug.cgi?id=87813
5784
5785 Reviewed by Gavin Barraclough.
5786
5787 Slight speed-up in V8/earley-boyer (~1%).
5788
5789 * bytecode/CodeBlock.h:
5790 (JSC::CodeBlock::argumentsAreCaptured):
5791 (JSC::CodeBlock::argumentIsCaptured):
5792 (CodeBlock):
5793 * dfg/DFGAbstractState.cpp:
5794 (DFG):
5795 (JSC::DFG::AbstractState::beginBasicBlock):
5796 (JSC::DFG::AbstractState::initialize):
5797 (JSC::DFG::AbstractState::endBasicBlock):
5798 (JSC::DFG::AbstractState::execute):
5799 (JSC::DFG::AbstractState::clobberWorld):
5800 (JSC::DFG::AbstractState::clobberStructures):
5801 (JSC::DFG::AbstractState::mergeStateAtTail):
5802 (JSC::DFG::AbstractState::merge):
5803 (JSC::DFG::AbstractState::mergeToSuccessors):
5804 * dfg/DFGAbstractState.h:
5805 (JSC::DFG::AbstractState::variables):
5806 (AbstractState):
5807 * dfg/DFGSpeculativeJIT32_64.cpp:
5808 (JSC::DFG::SpeculativeJIT::compile):
5809 * dfg/DFGSpeculativeJIT64.cpp:
5810 (JSC::DFG::SpeculativeJIT::compile):
5811
5812 2012-05-30 Patrick Gansterer <paroga@webkit.org>
5813
5814 Unreviewed. Build fix for !ENABLE(JIT) after r117823.
5815
5816 * bytecode/CodeBlock.cpp:
5817 (JSC::CodeBlock::dump):
5818
5819 2012-05-30 Sheriff Bot <webkit.review.bot@gmail.com>
5820
5821 Unreviewed, rolling out r118868.
5822 http://trac.webkit.org/changeset/118868
5823 https://bugs.webkit.org/show_bug.cgi?id=87828
5824
5825 introduced ~20 crashes on Mac and Qt bots (Requested by pizlo_
5826 on #webkit).
5827
5828 * heap/Heap.cpp:
5829 (JSC::Heap::collect):
5830 * heap/MarkedBlock.cpp:
5831 (JSC::MarkedBlock::sweep):
5832 * heap/MarkedBlock.h:
5833 (JSC::MarkedBlock::sweepWeakSet):
5834 (JSC):
5835 * heap/MarkedSpace.cpp:
5836 (JSC::SweepWeakSet::operator()):
5837 (JSC):
5838 (JSC::MarkedSpace::sweepWeakSets):
5839 * heap/MarkedSpace.h:
5840 (MarkedSpace):
5841
5842 2012-05-29 Geoffrey Garen <ggaren@apple.com>
5843
5844 Rolled back in r118646, now that
5845 https://bugs.webkit.org/show_bug.cgi?id=87784 is fixed.
5846
5847 http://trac.webkit.org/changeset/118646
5848 https://bugs.webkit.org/show_bug.cgi?id=87599
5849
5850 * heap/Heap.cpp:
5851 (JSC::Heap::collect):
5852 * heap/MarkedBlock.cpp:
5853 (JSC::MarkedBlock::sweep):
5854 * heap/MarkedBlock.h:
5855 (JSC):
5856 * heap/MarkedSpace.cpp:
5857 (JSC):
5858 * heap/MarkedSpace.h:
5859 (MarkedSpace):
5860
5861 2012-05-29 Filip Pizlo <fpizlo@apple.com>
5862
5863 DFG should keep captured variables alive until the (inline) return.
5864 https://bugs.webkit.org/show_bug.cgi?id=87205
5865
5866 Reviewed by Gavin Barraclough.
5867
5868 Changes the way we do flushing for captured variables and arguments. Instead of flushing
5869 each SetLocal immediately, we flush at kill points. So a SetLocal will cause a Flush of
5870 whatever was live in the variable previously, and a return will cause a Flush of all
5871 captured variables and all arguments.
5872
5873 * dfg/DFGByteCodeParser.cpp:
5874 (JSC::DFG::ByteCodeParser::setDirect):
5875 (JSC::DFG::ByteCodeParser::set):
5876 (JSC::DFG::ByteCodeParser::setLocal):
5877 (JSC::DFG::ByteCodeParser::getArgument):
5878 (JSC::DFG::ByteCodeParser::setArgument):
5879 (JSC::DFG::ByteCodeParser::findArgumentPositionForArgument):
5880 (ByteCodeParser):
5881 (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
5882 (JSC::DFG::ByteCodeParser::findArgumentPosition):
5883 (JSC::DFG::ByteCodeParser::flush):
5884 (JSC::DFG::ByteCodeParser::flushDirect):
5885 (JSC::DFG::ByteCodeParser::flushArgumentsAndCapturedVariables):
5886 (JSC::DFG::ByteCodeParser::handleInlining):
5887 (JSC::DFG::ByteCodeParser::parseBlock):
5888 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
5889 * dfg/DFGCSEPhase.cpp:
5890 (JSC::DFG::CSEPhase::setLocalStoreElimination):
5891 (JSC::DFG::CSEPhase::performNodeCSE):
5892 * dfg/DFGSpeculativeJIT.cpp:
5893 (JSC::DFG::SpeculativeJIT::compile):
5894 * dfg/DFGSpeculativeJIT.h:
5895 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
5896
5897 2012-05-29 Geoffrey Garen <ggaren@apple.com>
5898
5899 WeakGCMap should be lazy-finalization-safe
5900 https://bugs.webkit.org/show_bug.cgi?id=87784
5901
5902 Reviewed by Darin Adler.
5903
5904 * runtime/WeakGCMap.h:
5905 (JSC::WeakGCMap::get): Since this is a map of raw WeakImpl pointers, and
5906 not Weak<T>, we need to verify manually that the WeakImpl is live before
5907 we return its payload.
5908
5909 2012-05-29 Mark Hahnenberg <mhahnenberg@apple.com>
5910
5911 CopiedSpace::doneCopying could start another collection
5912 https://bugs.webkit.org/show_bug.cgi?id=86538
5913
5914 Reviewed by Geoffrey Garen.
5915
5916 It's possible that if we don't have anything at the head of to-space
5917 after a collection and the BlockAllocator doesn't have any fresh blocks
5918 to give us right now we could start another collection while still in
5919 the middle of the first collection when we call CopiedSpace::addNewBlock().
5920
5921 One way to resolve this would be to have Heap::shouldCollect() check that
5922 m_operationInProgress is NoOperation. This would prevent the path in
5923 getFreshBlock() that starts the collection if we're already in the middle of one.
5924
5925 I could not come up with a test case to reproduce this crash on ToT.
5926
5927 * heap/Heap.h:
5928 (JSC::Heap::shouldCollect): We shouldn't collect if we're already in the middle
5929 of a collection, i.e. the current operation should be NoOperation.
5930
5931 2012-05-29 David Barr <davidbarr@chromium.org>
5932
5933 Introduce ENABLE_CSS_IMAGE_RESOLUTION compile flag
5934 https://bugs.webkit.org/show_bug.cgi?id=87685
5935
5936 Reviewed by Eric Seidel.
5937
5938 Add a configuration option for CSS image-resolution support, disabling it by default.
5939
5940 * Configurations/FeatureDefines.xcconfig:
5941
5942 2012-05-28 Sheriff Bot <webkit.review.bot@gmail.com>
5943
5944 Unreviewed, rolling out r118646.
5945 http://trac.webkit.org/changeset/118646
5946 https://bugs.webkit.org/show_bug.cgi?id=87691
5947
5948 broke V8 raytrace benchmark (Requested by pizlo_ on #webkit).
5949
5950 * heap/Heap.cpp:
5951 (JSC::Heap::collect):
5952 * heap/MarkedBlock.cpp:
5953 (JSC::MarkedBlock::sweep):
5954 * heap/MarkedBlock.h:
5955 (JSC::MarkedBlock::sweepWeakSet):
5956 (JSC):
5957 * heap/MarkedSpace.cpp:
5958 (JSC::SweepWeakSet::operator()):
5959 (JSC):
5960 (JSC::MarkedSpace::sweepWeakSets):
5961 * heap/MarkedSpace.h:
5962 (MarkedSpace):
5963
5964 2012-05-28 Filip Pizlo <fpizlo@apple.com>
5965
5966 DFG should not generate code for code that the CFA proves to be unreachable
5967 https://bugs.webkit.org/show_bug.cgi?id=87682
5968
5969 Reviewed by Sam Weinig.
5970
5971 This also fixes a small performance bug where CFA was not marking blocks
5972 as having constants (and hence not triggering constant folding) if the only
5973 constants were on GetLocals.
5974
5975 And fixing that bug revealed another bug: constant folding was assuming that
5976 a GetLocal must be the first access to a local in a basic block. This isn't
5977 true. The first access may be a Flush. This patch fixes that issue using the
5978 safest approach possible, since we don't need to be clever for something that
5979 only happens in one of our benchmarks.
5980
5981 * dfg/DFGAbstractState.cpp:
5982 (JSC::DFG::AbstractState::execute):
5983 * dfg/DFGConstantFoldingPhase.cpp:
5984 (JSC::DFG::ConstantFoldingPhase::run):
5985 * dfg/DFGJITCompiler.h:
5986 (JSC::DFG::JITCompiler::noticeOSREntry):
5987 * dfg/DFGSpeculativeJIT.cpp:
5988 (JSC::DFG::SpeculativeJIT::compile):
5989
5990 2012-05-28 Carlos Garcia Campos <cgarcia@igalia.com>
5991
5992 Unreviewed. Fix make distcheck.
5993
5994 * GNUmakefile.list.am: Add missing header file.
5995
5996 2012-05-27 Geoffrey Garen <ggaren@apple.com>
5997
5998 Weak pointer finalization should be lazy
5999 https://bugs.webkit.org/show_bug.cgi?id=87599
6000
6001 Reviewed by Darin Adler.
6002
6003 * heap/Heap.cpp:
6004 (JSC::Heap::collect): Don't force immediate finalization -- it will
6005 happen lazily.
6006
6007 * heap/MarkedBlock.cpp:
6008 (JSC::MarkedBlock::sweep): Sweep a block's weak set when sweeping the
6009 block. The weak set may not have been swept yet, and this is our last
6010 chance to run weak finalizers before we recycle the memory they reference.
6011
6012 * heap/MarkedBlock.h:
6013 * heap/MarkedSpace.cpp:
6014 (JSC::MarkedBlock::sweepWeakSets):
6015 * heap/MarkedSpace.h:
6016 (JSC::MarkedSpace::sweepWeakSets): Nixed sweepWeakSets because it's unused
6017 now.
6018
6019 2012-05-26 Geoffrey Garen <ggaren@apple.com>
6020
6021 WebKit should be lazy-finalization-safe (esp. the DOM) v2
6022 https://bugs.webkit.org/show_bug.cgi?id=87581
6023
6024 Reviewed by Oliver Hunt.
6025
6026 * heap/MarkedBlock.cpp:
6027 (JSC::MarkedBlock::callDestructor):
6028 * heap/WeakBlock.h:
6029 * heap/WeakSetInlines.h:
6030 (JSC::WeakBlock::finalize): Since we don't guarantee destruction order,
6031 it's not valid to access GC pointers like the Structure pointer during
6032 finalization. We NULL out the structure pointer in debug builds to try
6033 to make this programming mistake more obvious.
6034
6035 * API/JSCallbackConstructor.cpp:
6036 (JSC::JSCallbackConstructor::destroy):
6037 * API/JSCallbackObject.cpp:
6038 (JSC::::destroy):
6039 (JSC::JSCallbackObjectData::finalize):
6040 * runtime/Arguments.cpp:
6041 (JSC::Arguments::destroy):
6042 * runtime/DateInstance.cpp:
6043 (JSC::DateInstance::destroy):
6044 * runtime/Error.cpp:
6045 (JSC::StrictModeTypeErrorFunction::destroy):
6046 * runtime/Executable.cpp:
6047 (JSC::ExecutableBase::destroy):
6048 (JSC::NativeExecutable::destroy):
6049 (JSC::ScriptExecutable::destroy):
6050 (JSC::EvalExecutable::destroy):
6051 (JSC::ProgramExecutable::destroy):
6052 (JSC::FunctionExecutable::destroy):
6053 * runtime/JSGlobalObject.cpp:
6054 (JSC::JSGlobalObject::destroy):
6055 * runtime/JSPropertyNameIterator.cpp:
6056 (JSC::JSPropertyNameIterator::destroy):
6057 * runtime/JSStaticScopeObject.cpp:
6058 (JSC::JSStaticScopeObject::destroy):
6059 * runtime/JSString.cpp:
6060 (JSC::JSString::destroy):
6061 * runtime/JSVariableObject.cpp:
6062 (JSC::JSVariableObject::destroy):
6063 * runtime/NameInstance.cpp:
6064 (JSC::NameInstance::destroy):
6065 * runtime/RegExp.cpp:
6066 (JSC::RegExp::destroy):
6067 * runtime/RegExpConstructor.cpp:
6068 (JSC::RegExpConstructor::destroy):
6069 * runtime/Structure.cpp:
6070 (JSC::Structure::destroy):
6071 * runtime/StructureChain.cpp:
6072 (JSC::StructureChain::destroy): Use static_cast instead of jsCast because
6073 jsCast does Structure-based validation, and our Structure is not guaranteed
6074 to be alive when we get finalized.
6075
6076 2012-05-22 Filip Pizlo <fpizlo@apple.com>
6077
6078 DFG CSE should eliminate redundant WeakJSConstants
6079 https://bugs.webkit.org/show_bug.cgi?id=87179
6080
6081 Reviewed by Gavin Barraclough.
6082
6083 Merged r118141 from dfgopt.
6084
6085 * dfg/DFGCSEPhase.cpp:
6086 (JSC::DFG::CSEPhase::weakConstantCSE):
6087 (CSEPhase):
6088 (JSC::DFG::CSEPhase::performNodeCSE):
6089 * dfg/DFGNode.h:
6090 (JSC::DFG::Node::weakConstant):
6091
6092 2012-05-22 Filip Pizlo <fpizlo@apple.com>
6093
6094 DFG CSE should do redundant store elimination
6095 https://bugs.webkit.org/show_bug.cgi?id=87161
6096
6097 Reviewed by Oliver Hunt.
6098
6099 Merge r118138 from dfgopt.
6100
6101 This patch adds redundant store elimination. For example, consider this
6102 code:
6103
6104 o.x = 42;
6105 o.x = 84;
6106
6107 If o.x is speculated to be a well-behaved field, the first assignment is
6108 unnecessary, since the second just overwrites it. We would like to
6109 eliminate the first assignment in these cases. The need for this
6110 optimization arises mostly from stores that our runtime requires. For
6111 example:
6112
6113 o = {f:1, g:2, h:3};
6114
6115 This will have four assignments to the structure for the newly created
6116 object - one assignment for the empty structure, one for {f}, one for
6117 {f, g}, and one for {f, g, h}. We would like to only have the last of
6118 those assignments in this case.
6119
6120 Intriguingly, doing so for captured variables breaks the way arguments
6121 simplification used to work. Consider that prior to either arguments
6122 simplification or store elimination we will have IR that looks like:
6123
6124 a: SetLocal(r0, Empty)
6125 b: SetLocal(r1, Empty)
6126 c: GetLocal(r0)
6127 d: CreateArguments(@c)
6128 e: SetLocal(r0, @d)
6129 f: SetLocal(r1, @d)
6130
6131 Then redundant store elimination will eliminate the stores that
6132 initialize the arguments registers to Empty, but then arguments
6133 simplification eliminates the stores that initialize the arguments to
6134 the newly created arguments - and at this point we no longer have any
6135 stores to the arguments register, leading to hilarious crashes. This
6136 patch therefore changes arguments simplification to replace
6137 CreateArguments with JSConstant(Empty) rather than eliminating the
6138 SetLocals. But this revealed bugs where arguments simplification was
6139 being overzealous, so I fixed those bugs.
6140
6141 This is a minor speed-up on V8/early and a handful of other tests.
6142
6143 * bytecode/CodeBlock.h:
6144 (JSC::CodeBlock::uncheckedActivationRegister):
6145 * dfg/DFGAbstractState.cpp:
6146 (JSC::DFG::AbstractState::execute):
6147 * dfg/DFGArgumentsSimplificationPhase.cpp:
6148 (JSC::DFG::ArgumentsSimplificationPhase::run):
6149 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
6150 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
6151 (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
6152 * dfg/DFGCSEPhase.cpp:
6153 (JSC::DFG::CSEPhase::globalVarStoreElimination):
6154 (CSEPhase):
6155 (JSC::DFG::CSEPhase::putStructureStoreElimination):
6156 (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
6157 (JSC::DFG::CSEPhase::setLocalStoreElimination):
6158 (JSC::DFG::CSEPhase::setReplacement):
6159 (JSC::DFG::CSEPhase::eliminate):
6160 (JSC::DFG::CSEPhase::performNodeCSE):
6161 * dfg/DFGGraph.h:
6162 (JSC::DFG::Graph::uncheckedActivationRegisterFor):
6163 (Graph):
6164 * dfg/DFGNode.h:
6165 (JSC::DFG::Node::isPhantomArguments):
6166 (Node):
6167 (JSC::DFG::Node::hasConstant):
6168 (JSC::DFG::Node::valueOfJSConstant):
6169 (JSC::DFG::Node::hasStructureTransitionData):
6170 * dfg/DFGNodeType.h:
6171 (DFG):
6172 * dfg/DFGPredictionPropagationPhase.cpp:
6173 (JSC::DFG::PredictionPropagationPhase::propagate):
6174 * dfg/DFGSpeculativeJIT.cpp:
6175 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
6176 * dfg/DFGSpeculativeJIT32_64.cpp:
6177 (JSC::DFG::SpeculativeJIT::compile):
6178 * dfg/DFGSpeculativeJIT64.cpp:
6179 (JSC::DFG::SpeculativeJIT::compile):
6180
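A toy version of the redundant store elimination described in the entry above, added here as an example; it is not JSC's DFGCSEPhase, and the IR, node kinds and function names are constructed for the illustration. It carries the `o.x` and structure-transition cases from the entry through a backward scan, and also shows the two things that keep an earlier store alive: an intervening read of the same location, and arbitrary code running while the location is a captured variable.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed toy IR for redundant store elimination; not JSC's DFGCSEPhase.
enum class Kind { Store, Load, Clobber };

struct Node {
    Kind kind = Kind::Clobber;
    std::string loc;        // location key: a local ("r0") or a field ("o.x")
    int value = 0;          // stored value (Store only)
    bool captured = false;  // location may be read by arbitrary code (Store only)
    bool dead = false;      // set once the store has been eliminated
};

Node store(const std::string& loc, int value, bool captured = false) {
    Node n; n.kind = Kind::Store; n.loc = loc; n.value = value; n.captured = captured; return n;
}
Node load(const std::string& loc) { Node n; n.kind = Kind::Load; n.loc = loc; return n; }
Node clobber() { Node n; n.kind = Kind::Clobber; return n; }  // a call or PutByVal

// Scans backwards from the store at `index` for an earlier store to the same
// location that nothing could have observed in between, and kills it.
// Returns the index of the eliminated store, or -1 if none qualifies.
int eliminateRedundantStoreBefore(std::vector<Node>& ir, std::size_t index) {
    const Node& cur = ir[index];
    // Post-decrement in the condition: the body first sees index - 1, as intended.
    for (std::size_t j = index; j-- > 0;) {
        const Node& n = ir[j];
        if (n.dead) continue;
        switch (n.kind) {
        case Kind::Store:
            if (n.loc == cur.loc) { ir[j].dead = true; return static_cast<int>(j); }
            break;  // a store to another location neither reads nor clobbers ours
        case Kind::Load:
            if (n.loc == cur.loc) return -1;    // the earlier value was observed
            break;
        case Kind::Clobber:
            if (cur.captured) return -1;        // arbitrary code may read a captured slot
            break;                              // an uncaptured local is invisible to it
        }
    }
    return -1;
}

// Runs the scan for every store in program order. Returns how many were removed.
std::size_t eliminateRedundantStores(std::vector<Node>& ir) {
    std::size_t eliminated = 0;
    for (std::size_t i = 0; i < ir.size(); ++i)
        if (ir[i].kind == Kind::Store && eliminateRedundantStoreBefore(ir, i) >= 0)
            ++eliminated;
    return eliminated;
}

// Surviving stores in order, as "loc=value" strings.
std::vector<std::string> survivingStores(const std::vector<Node>& ir) {
    std::vector<std::string> out;
    for (const Node& n : ir)
        if (n.kind == Kind::Store && !n.dead)
            out.push_back(n.loc + "=" + std::to_string(n.value));
    return out;
}

// o.x = 42; o.x = 84;  -> the first store is dead.
std::vector<std::string> runPropertyExample() {
    std::vector<Node> ir{store("o.x", 42), store("o.x", 84)};
    eliminateRedundantStores(ir);
    return survivingStores(ir);
}

// o = {f:1, g:2, h:3}: the four structure stores interleaved with the field
// stores collapse to the final one.
std::vector<std::string> runStructureChainExample() {
    std::vector<Node> ir{store("o.structure", 0), store("o.f", 1), store("o.structure", 1),
                         store("o.g", 2), store("o.structure", 2), store("o.h", 3),
                         store("o.structure", 3)};
    eliminateRedundantStores(ir);
    return survivingStores(ir);
}

// What keeps an earlier store alive: a load of r0 in between; arbitrary code
// while r1 is captured. r2 is not captured, so the clobber does not protect it.
std::vector<std::string> runObservedExample() {
    std::vector<Node> ir{store("r0", 1), load("r0"), store("r0", 2),
                         store("r1", 1, true), clobber(), store("r1", 2, true),
                         store("r2", 1), clobber(), store("r2", 2)};
    eliminateRedundantStores(ir);
    return survivingStores(ir);
}
```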
6181 2012-05-21 Filip Pizlo <fpizlo@apple.com>
6182
6183 DFG ConvertThis should just be a CheckStructure if the structure is known
6184 https://bugs.webkit.org/show_bug.cgi?id=87057
6185
6186 Reviewed by Gavin Barraclough.
6187
6188 Merged r118021 from dfgopt.
6189
6190 This gives ValueProfile the ability to track singleton values - i.e. profiling
6191 sites that always see the same value.
6192
6193 That is then used to profile the structure in op_convert_this.
6194
6195 This is then used to optimize op_convert_this into a CheckStructure if the
6196 structure is always the same.
6197
6198 That then results in better CSE in inlined code that uses 'this', since
6199 previously we couldn't CSE accesses on 'this' from different inline call frames.
6200
6201 Also fixed a bug where we were unnecessarily flushing 'this'.
6202
6203 * bytecode/CodeBlock.cpp:
6204 (JSC::CodeBlock::dump):
6205 (JSC::CodeBlock::stronglyVisitStrongReferences):
6206 * bytecode/LazyOperandValueProfile.cpp:
6207 (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
6208 * bytecode/LazyOperandValueProfile.h:
6209 (CompressedLazyOperandValueProfileHolder):
6210 * bytecode/Opcode.h:
6211 (JSC):
6212 (JSC::padOpcodeName):
6213 * bytecode/ValueProfile.h:
6214 (JSC::ValueProfileBase::ValueProfileBase):
6215 (JSC::ValueProfileBase::dump):
6216 (JSC::ValueProfileBase::computeUpdatedPrediction):
6217 (ValueProfileBase):
6218 * bytecompiler/BytecodeGenerator.cpp:
6219 (JSC::BytecodeGenerator::BytecodeGenerator):
6220 * dfg/DFGByteCodeParser.cpp:
6221 (JSC::DFG::ByteCodeParser::setArgument):
6222 (JSC::DFG::ByteCodeParser::parseBlock):
6223 * jit/JITOpcodes.cpp:
6224 (JSC::JIT::emit_op_convert_this):
6225 (JSC::JIT::emitSlow_op_convert_this):
6226 * jit/JITOpcodes32_64.cpp:
6227 (JSC::JIT::emit_op_convert_this):
6228 (JSC::JIT::emitSlow_op_convert_this):
6229 * llint/LLIntSlowPaths.cpp:
6230 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
6231 * llint/LowLevelInterpreter32_64.asm:
6232 * llint/LowLevelInterpreter64.asm:
6233 * runtime/JSValue.h:
6234 (JSValue):
6235 * runtime/Structure.h:
6236 (JSC::JSValue::structureOrUndefined):
6237 (JSC):
6238
6239 2012-05-24 Tim Horton <timothy_horton@apple.com>
6240
6241 Add feature defines for web-facing parts of CSS Regions and Exclusions
6242 https://bugs.webkit.org/show_bug.cgi?id=87442
6243 <rdar://problem/10887709>
6244
6245 Reviewed by Dan Bernstein.
6246
6247 * Configurations/FeatureDefines.xcconfig:
6248
6249 2012-05-24 Geoffrey Garen <ggaren@apple.com>
6250
6251 WebKit should be lazy-finalization-safe (esp. the DOM)
6252 https://bugs.webkit.org/show_bug.cgi?id=87456
6253
6254 Reviewed by Filip Pizlo.
6255
6256 Lazy finalization adds one twist to weak pointer use:
6257
6258 A HashMap of weak pointers may contain logically null entries.
6259 (Weak pointers behave as-if null once their payloads die.)
6260 Insertion must not assume that a pre-existing entry is
6261 necessarily valid, and iteration must not assume that all
6262 entries can be dereferenced.
6263
6264 (Previously, I thought that it also added a second twist:
6265
6266 A demand-allocated weak pointer may replace a dead payload
6267 before the payload's finalizer runs. In that case, when the
6268 payload's finalizer runs, the payload has already been
6269 overwritten, and the finalizer should not clear the payload,
6270 which now points to something new.
6271
6272 But that's not the case here, since we cancel the old payload's
6273 finalizer when we over-write it. I've added ASSERTs to verify this
6274 assumption, in case it ever changes.)
6275
6276 * API/JSClassRef.cpp:
6277 (OpaqueJSClass::prototype): No need to specify null; that's the default.
6278
6279 * API/JSWeakObjectMapRefPrivate.cpp: Use remove, since take() is gone.
6280
6281 * heap/PassWeak.h:
6282 (WeakImplAccessor::was): This is no longer a debug-only function, since
6283 it's required to reason about lazily finalized pointers.
6284
6285 * heap/Weak.h:
6286 (JSC::weakAdd):
6287 (JSC::weakRemove):
6288 (JSC::weakClear): Added these helper functions for the common idioms of
6289 what clients want to do in their weak pointer finalizers.
6290
6291 * jit/JITStubs.cpp:
6292 (JSC::JITThunks::hostFunctionStub): Use the new idioms. Otherwise, we
6293 would return NULL for a "zombie" executable weak pointer that was waiting
6294 for finalization (item (2)), and finalizing a dead executable weak pointer
6295 would potentially destroy a new, live one (item (1)).
6296
6297 * runtime/RegExpCache.cpp:
6298 (JSC::RegExpCache::lookupOrCreate):
6299 (JSC::RegExpCache::finalize): Ditto.
6300
6301 (JSC::RegExpCache::invalidateCode): Check for null while iterating. (See
6302 item (2).)
6303
6304 * runtime/Structure.cpp:
6305 (JSC::StructureTransitionTable::contains):
6306 (JSC::StructureTransitionTable::add): Use get and set instead of add and
6307 contains, since add and contains are not compatible with lazy finalization.
6308
6309 * runtime/WeakGCMap.h:
6310 (WeakGCMap):
6311 (JSC::WeakGCMap::clear):
6312 (JSC::WeakGCMap::remove): Removed a bunch of code that was incompatible with
6313 lazy finalization because I didn't feel like making it compatible, and I had
6314 no way to test it.
6315
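The two idioms the entry above describes (insertion must treat a dead-but-unfinalized entry as absent; a finalizer must not clear a slot that now holds something new), as an added example that is not JavaScriptCore's own code. WeakSlot, WeakMap, kill() and runFinalizers() are invented names for the illustration; the map keys by the payload's name so the finalizer can find its entry, a simplification of the real RegExpCache and Structure cases.

```cpp
// Added example, not JavaScriptCore code: a toy map of weak pointers under
// lazy finalization. WeakSlot, WeakMap, kill() and runFinalizers() are
// invented names for the illustration.
#include <cassert>
#include <map>
#include <memory>
#include <string>
#include <vector>

struct Payload { std::string name; };

// With lazy finalization the collector marks a slot dead first and runs the
// owner's finalizer later, so a slot may hold a non-null, logically null pointer.
struct WeakSlot {
    Payload* payload = nullptr;
    bool dead = false;
    Payload* get() const { return dead ? nullptr : payload; } // as-if null once dead
    bool was(const Payload* p) const { return payload == p; }  // identity, even when dead
};

class WeakMap {
public:
    // Insertion idiom: a pre-existing entry may be logically null, so test
    // get() rather than "contains", and replace a dead payload in place.
    Payload* lookupOrCreate(const std::string& key, bool cancelOldFinalizer = true) {
        WeakSlot& slot = m_slots[key];
        if (Payload* live = slot.get())
            return live;
        if (slot.payload && cancelOldFinalizer)
            m_cancelled.push_back(slot.payload);
        return install(slot, key);
    }

    // Pre-fix idiom: "contains" is true for a dead entry, so a zombie is returned.
    Payload* naiveLookupOrCreate(const std::string& key) {
        auto it = m_slots.find(key);
        if (it != m_slots.end())
            return it->second.payload;
        return install(m_slots[key], key);
    }

    // Collector step: the payload is dead now; its finalizer is queued, not run.
    void kill(Payload* p) {
        for (auto& kv : m_slots)
            if (kv.second.payload == p)
                kv.second.dead = true;
        m_pending.push_back(p);
    }

    // Finalizer idiom: only clear an entry that still refers to the dying
    // payload (the was() check); a slot reused for a live payload is left alone.
    void runFinalizers(bool checkIdentity) {
        for (Payload* dying : m_pending) {
            if (isCancelled(dying))
                continue;
            auto it = m_slots.find(dying->name);
            if (it != m_slots.end() && (!checkIdentity || it->second.was(dying)))
                m_slots.erase(it);
        }
        m_pending.clear();
    }

    // Iteration idiom: skip logically null entries instead of dereferencing them.
    size_t liveCount() const {
        size_t n = 0;
        for (const auto& kv : m_slots)
            if (kv.second.get())
                ++n;
        return n;
    }

private:
    Payload* install(WeakSlot& slot, const std::string& key) {
        m_arena.push_back(std::unique_ptr<Payload>(new Payload{key}));
        slot.payload = m_arena.back().get();
        slot.dead = false;
        return slot.payload;
    }
    bool isCancelled(const Payload* p) const {
        for (const Payload* c : m_cancelled)
            if (c == p)
                return true;
        return false;
    }
    std::map<std::string, WeakSlot> m_slots;
    std::vector<Payload*> m_pending;
    std::vector<Payload*> m_cancelled;
    std::vector<std::unique_ptr<Payload>> m_arena; // memory stays owned here; the demo never frees it
};

// Item (2): the naive lookup hands out the dead-but-unfinalized payload.
bool naiveLookupReturnsZombie() {
    WeakMap map;
    Payload* a = map.lookupOrCreate("x");
    map.kill(a);
    return map.naiveLookupOrCreate("x") == a;
}

// Item (1): after the slot is reused, whether the new live entry survives the
// old payload's finalizer depends on cancelling it or checking identity.
size_t liveAfterFinalize(bool cancelOldFinalizer, bool checkIdentity) {
    WeakMap map;
    Payload* a = map.lookupOrCreate("x");
    map.kill(a);
    Payload* b = map.lookupOrCreate("x", cancelOldFinalizer);
    assert(b != a);
    map.runFinalizers(checkIdentity);
    return map.liveCount();
}
```

liveAfterFinalize(false, false) is the hazard the entry warns about: the old payload's finalizer erases the entry that now holds the new, live payload. Either cancelling the finalizer on overwrite or guarding it with was() keeps the live entry.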
6316 2012-05-24 Filip Pizlo <fpizlo@apple.com>
6317
6318 REGRESSION (r118013-r118031): Loops/Reloads under www.yahoo.com, quits after three tries with error
6319 https://bugs.webkit.org/show_bug.cgi?id=87327
6320
6321 Reviewed by Geoffrey Garen.
6322
6323 If you use AbstractValue::filter(StructureSet) to test subset relationships between TOP and a
6324 set containing >=2 elements, you're going to have a bad time.
6325
6326 That's because AbstractValue considers a set with >=2 elements to be equivalent to TOP, in order
6327 to save space and speed up convergence. So filtering has no effect in this case, which made
6328 the code think that the abstract value was proving that the structure check was unnecessary.
6329 The correct thing to do is to use isSubsetOf() on the StructureAbstractValue, which does the
6330 right thingies for TOP and >=2 elements.
6331
6332 * dfg/DFGAbstractState.cpp:
6333 (JSC::DFG::AbstractState::execute):
6334 * dfg/DFGSpeculativeJIT32_64.cpp:
6335 (JSC::DFG::SpeculativeJIT::compile):
6336 * dfg/DFGSpeculativeJIT64.cpp:
6337 (JSC::DFG::SpeculativeJIT::compile):
6338
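The lattice behaviour described above (a set of two or more structures is widened to TOP, so filter() has no effect on it and cannot stand in for a subset test), as an added example that is not JavaScriptCore's own code. The StructureAbstractValue, StructureSet and the two decision rules are toy versions written for the illustration; integers stand in for structure pointers.

```cpp
// Added example, not JavaScriptCore code: a toy structure abstract value
// showing why "filter() changed nothing" is not the same as "is a subset".
#include <algorithm>
#include <vector>

using Structure = int; // stand-in for a Structure* in the illustration

struct StructureSet {
    std::vector<Structure> items;
    bool contains(Structure s) const {
        return std::find(items.begin(), items.end(), s) != items.end();
    }
};

// Holds at most one concrete structure; two or more distinct structures are
// widened to TOP ("any structure") to save space and speed up convergence.
struct StructureAbstractValue {
    enum Kind { Clear, Single, Top } kind = Clear;
    Structure single = 0;

    void add(Structure s) {
        if (kind == Top)
            return;
        if (kind == Clear) {
            kind = Single;
            single = s;
            return;
        }
        if (single != s)
            kind = Top; // second distinct structure: widen
    }

    // Intersect with a set; returns true if the value changed. TOP only
    // narrows against a singleton, because it no longer remembers what it saw.
    bool filter(const StructureSet& set) {
        if (kind == Clear)
            return false;
        if (kind == Top) {
            if (set.items.size() != 1)
                return false; // no effect: the bug the entry describes
            kind = Single;
            single = set.items[0];
            return true;
        }
        if (set.contains(single))
            return false;
        kind = Clear;
        return true;
    }

    // The right question for eliding a structure check: TOP is never a
    // subset of a finite set.
    bool isSubsetOf(const StructureSet& set) const {
        if (kind == Clear)
            return true;
        if (kind == Single)
            return set.contains(single);
        return false;
    }
};

// Buggy rule: "filter() changed nothing, so the value already lies within the
// checked set". For TOP against a multi-element set this elides a check it must keep.
bool checkElidedByFilter(StructureAbstractValue value, const StructureSet& expected) {
    return !value.filter(expected);
}

// Corrected rule.
bool checkElidedBySubset(const StructureAbstractValue& value, const StructureSet& expected) {
    return value.isSubsetOf(expected);
}

// Constructed scenario: a value that has seen structures 1 and 2 (now TOP,
// so structure 3 could flow through it too) against a check accepting {1, 2}.
StructureAbstractValue widenedValue() {
    StructureAbstractValue v;
    v.add(1);
    v.add(2);
    return v;
}

StructureSet twoElementSet() {
    return StructureSet{{1, 2}};
}
```

With the widened value, the filter-based rule reports the check as unnecessary while the subset-based rule keeps it; for a value known to be a single structure inside the set, both agree the check can go.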
6339 2012-05-24 Filip Pizlo <fpizlo@apple.com>
6340
6341 new test fast/js/dfg-arguments-mixed-alias.html fails on JSVALUE32_64
6342 https://bugs.webkit.org/show_bug.cgi?id=87378
6343
6344 Reviewed by Gavin Barraclough.
6345
6346 - Captured variable tracking did not consistently handle arguments, leading to OSR
6347 badness.
6348
6349 - Nodes capable of exiting were tracked in a non-monotonic way, leading to compiler errors.
6350
6351 * dfg/DFGByteCodeParser.cpp:
6352 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
6353 * dfg/DFGCSEPhase.cpp:
6354 (JSC::DFG::CSEPhase::CSEPhase):
6355 (CSEPhase):
6356 (JSC::DFG::performCSE):
6357 * dfg/DFGCSEPhase.h:
6358 (DFG):
6359 * dfg/DFGCommon.h:
6360 * dfg/DFGDriver.cpp:
6361 (JSC::DFG::compile):
6362 * dfg/DFGGraph.cpp:
6363 (JSC::DFG::Graph::resetExitStates):
6364 (DFG):
6365 * dfg/DFGGraph.h:
6366 (Graph):
6367 * dfg/DFGPhase.h:
6368 (DFG):
6369 (JSC::DFG::runPhase):
6370
6371 2012-05-24 Geoffrey Garen <ggaren@apple.com>
6372
6373 Made WeakSet per-block instead of per-heap
6374 https://bugs.webkit.org/show_bug.cgi?id=87401
6375
6376 Reviewed by Oliver Hunt.
6377
6378 This allows us fast access to the set of all weak pointers for a block,
6379 which is a step toward lazy finalization.
6380
6381 No performance change.
6382
6383 * heap/Heap.cpp:
6384 (JSC::Heap::Heap):
6385 (JSC::Heap::lastChanceToFinalize): Removed the per-heap weak set, since
6386 it's per-block now.
6387
6388 (JSC::Heap::markRoots): Delegate weak set visiting to the marked space,
6389 since it knows how to iterate all blocks.
6390
6391 (JSC::Heap::collect): Moved the reaping outside of markRoots, since it
6392 doesn't mark anything.
6393
6394 Make sure to reset allocators after shrinking, since shrinking may
6395 deallocate the current allocator.
6396
6397 * heap/Heap.h:
6398 (Heap): No more per-heap weak set, since it's per-block now.
6399
6400 * heap/MarkedBlock.cpp:
6401 (JSC::MarkedBlock::MarkedBlock):
6402 * heap/MarkedBlock.h:
6403 (MarkedBlock):
6404 (JSC::MarkedBlock::lastChanceToFinalize): Migrated finalization logic
6405 here from the heap, so the heap doesn't need to know about our internal
6406 data structures like our weak set.
6407
6408 (JSC::MarkedBlock::heap):
6409 (JSC::MarkedBlock::weakSet):
6410 (JSC::MarkedBlock::shrink):
6411 (JSC::MarkedBlock::resetAllocator):
6412 (JSC::MarkedBlock::visitWeakSet):
6413 (JSC::MarkedBlock::reapWeakSet):
6414 (JSC::MarkedBlock::sweepWeakSet):
6415 * heap/MarkedSpace.cpp:
6416 (JSC::VisitWeakSet::VisitWeakSet):
6417 (JSC::VisitWeakSet::operator()):
6418 (VisitWeakSet):
6419 (JSC):
6420 (JSC::ReapWeakSet::operator()):
6421 (JSC::SweepWeakSet::operator()):
6422 (JSC::LastChanceToFinalize::operator()):
6423 (JSC::MarkedSpace::lastChanceToFinalize):
6424 (JSC::ResetAllocator::operator()):
6425 (JSC::MarkedSpace::resetAllocators):
6426 (JSC::MarkedSpace::visitWeakSets):
6427 (JSC::MarkedSpace::reapWeakSets):
6428 (JSC::MarkedSpace::sweepWeakSets):
6429 (JSC::Shrink::operator()):
6430 (JSC::MarkedSpace::shrink):
6431 * heap/MarkedSpace.h:
6432 (MarkedSpace): Make sure to account for our weak sets when sweeping,
6433 shrinking, etc.
6434
6435 * heap/WeakSet.cpp:
6436 (JSC):
6437 * heap/WeakSet.h:
6438 (WeakSet):
6439 (JSC::WeakSet::heap):
6440 (JSC):
6441 (JSC::WeakSet::lastChanceToFinalize):
6442 (JSC::WeakSet::visit):
6443 (JSC::WeakSet::reap):
6444 (JSC::WeakSet::shrink):
6445 (JSC::WeakSet::resetAllocator): Inlined some things since they're called
6446 once per block now instead of once per heap.
6447
6448 * heap/WeakSetInlines.h:
6449 (JSC::WeakSet::allocate): Use the per-block weak set since there is no
6450 per-heap weak set anymore.
6451
6452 2012-05-24 Gavin Barraclough <barraclough@apple.com>
6453
6454 Fix ARM build
6455
6456 Rubber stamped by Geoff Garen
6457
6458 * dfg/DFGGPRInfo.h:
6459 (GPRInfo):
6460
6461 2012-05-24 Gavin Barraclough <barraclough@apple.com>
6462
6463 Move cacheFlush from ExecutableAllocator to Assembler classes
6464 https://bugs.webkit.org/show_bug.cgi?id=87420
6465
6466 Reviewed by Oliver Hunt.
6467
6468 Makes more sense there, and removes a pile of #ifdefs.
6469
6470 * assembler/ARMAssembler.cpp:
6471 (JSC):
6472 (JSC::ARMAssembler::cacheFlush):
6473 * assembler/ARMAssembler.h:
6474 (ARMAssembler):
6475 (JSC::ARMAssembler::cacheFlush):
6476 * assembler/ARMv7Assembler.h:
6477 (JSC::ARMv7Assembler::relinkJump):
6478 (JSC::ARMv7Assembler::cacheFlush):
6479 (ARMv7Assembler):
6480 (JSC::ARMv7Assembler::setInt32):
6481 (JSC::ARMv7Assembler::setUInt7ForLoad):
6482 * assembler/AbstractMacroAssembler.h:
6483 (JSC::AbstractMacroAssembler::cacheFlush):
6484 * assembler/LinkBuffer.h:
6485 (JSC::LinkBuffer::performFinalization):
6486 * assembler/MIPSAssembler.h:
6487 (JSC::MIPSAssembler::relinkJump):
6488 (JSC::MIPSAssembler::relinkCall):
6489 (JSC::MIPSAssembler::repatchInt32):
6490 (JSC::MIPSAssembler::cacheFlush):
6491 (MIPSAssembler):
6492 * assembler/SH4Assembler.h:
6493 (JSC::SH4Assembler::repatchCompact):
6494 (JSC::SH4Assembler::cacheFlush):
6495 (SH4Assembler):
6496 * assembler/X86Assembler.h:
6497 (X86Assembler):
6498 (JSC::X86Assembler::cacheFlush):
6499 * jit/ExecutableAllocator.cpp:
6500 (JSC):
6501 * jit/ExecutableAllocator.h:
6502 (ExecutableAllocator):
6503
6504 2012-05-24 John Mellor <johnme@chromium.org>
6505
6506 Font Boosting: Add compile flag and runtime setting
6507 https://bugs.webkit.org/show_bug.cgi?id=87394
6508
6509 Reviewed by Adam Barth.
6510
6511 Add ENABLE_FONT_BOOSTING.
6512
6513 * Configurations/FeatureDefines.xcconfig:
6514
6515 2012-05-24 Allan Sandfeld Jensen <allan.jensen@nokia.com>
6516
6517 cti_vm_throw gets kicked out by gcc 4.6 -flto
6518 https://bugs.webkit.org/show_bug.cgi?id=56088
6519
6520 Reviewed by Darin Adler.
6521
6522 Add REFERENCED_FROM_ASM to functions only referenced from assembler.
6523
6524 * dfg/DFGOperations.cpp:
6525 * jit/HostCallReturnValue.h:
6526 * jit/JITStubs.h:
6527 * jit/ThunkGenerators.cpp:
6528
6529 2012-05-24 Filip Pizlo <fpizlo@apple.com>
6530
6531 Incorrect merge of r117542 from dfg opt branch in r118323 is leading to fast/js/dfg-arguments-osr-exit.html failing
6532 https://bugs.webkit.org/show_bug.cgi?id=87350
6533
6534 Reviewed by Maciej Stachowiak.
6535
6536 The dfgopt branch introduced the notion of a local variable being killed because it was aliased
6537 to the Arguments object as in cases like:
6538
6539 var a = arguments;
6540 return a.length;
6541
6542 This required changes to OSR exit handling - if the variable is dead but aliased to arguments, then
6543 OSR exit should reify the arguments. But meanwhile, in tip of tree we introduced special handling for
6544 dead variables on OSR exit. When the two were merged in r118323, the structure of the if/else branches
6545 ended up being such that we would treat dead arguments variables as totally dead as opposed to treating
6546 them as variables that need arguments reification.
6547
6548 This fixes the structure of the relevant if/else block so that variables that are dead-but-arguments
6549 end up being treated as reified arguments objects, while variables that are dead but not aliased to
6550 arguments are treated as tip of tree would have treated them (initialize to Undefined).
6551
6552 * dfg/DFGSpeculativeJIT.cpp:
6553 (JSC::DFG::SpeculativeJIT::compile):
6554
6555 2012-05-24 Csaba Osztrogonác <ossy@webkit.org>
6556
6557 Unreviewed 32 bit buildfix after r118325.
6558
6559 * dfg/DFGSpeculativeJIT32_64.cpp:
6560 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): Use ASSERT_UNUSED instead of ASSERT.
6561
6562 2012-05-23 Filip Pizlo <fpizlo@apple.com>
6563
6564 DFG operationTearOffActivation should return after handling the null activation case
6565 https://bugs.webkit.org/show_bug.cgi?id=87348
6566 <rdar://problem/11522295>
6567
6568 Reviewed by Oliver Hunt.
6569
6570 * dfg/DFGOperations.cpp:
6571
6572 2012-05-23 Filip Pizlo <fpizlo@apple.com>
6573
6574 Unreviewed, merge the arguments fix in r118138 to get bots green.
6575
6576 * dfg/DFGArgumentsSimplificationPhase.cpp:
6577 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
6578
6579 2012-05-20 Filip Pizlo <fpizlo@apple.com>
6580
6581 DFG CFA should record if a node can OSR exit
6582 https://bugs.webkit.org/show_bug.cgi?id=86905
6583
6584 Reviewed by Oliver Hunt.
6585
6586 Merged r117931 from dfgopt.
6587
6588 Adds a NodeFlag that denotes nodes that are known to not have OSR exits.
6589 This ought to aid any backwards analyses that need to know when a
6590 backward flow merge might happen due to a side exit.
6591
6592 Also added assertions into speculationCheck() that ensure that we did not
6593 mark a node as non-exiting and then promptly compile in an exit. This
6594 helped catch some minor bugs where we were doing unnecessary speculation
6595 checks.
6596
6597 This is a perf-neutral change. The speculation checks that this removes
6598 were not on hot paths of major benchmarks.
6599
6600 * bytecode/PredictedType.h:
6601 (JSC):
6602 (JSC::isAnyPrediction):
6603 * dfg/DFGAbstractState.cpp:
6604 (JSC::DFG::AbstractState::execute):
6605 * dfg/DFGAbstractState.h:
6606 (JSC::DFG::AbstractState::speculateInt32Unary):
6607 (AbstractState):
6608 (JSC::DFG::AbstractState::speculateNumberUnary):
6609 (JSC::DFG::AbstractState::speculateBooleanUnary):
6610 (JSC::DFG::AbstractState::speculateInt32Binary):
6611 (JSC::DFG::AbstractState::speculateNumberBinary):
6612 * dfg/DFGNode.h:
6613 (JSC::DFG::Node::mergeFlags):
6614 (JSC::DFG::Node::filterFlags):
6615 (Node):
6616 (JSC::DFG::Node::setCanExit):
6617 (JSC::DFG::Node::canExit):
6618 * dfg/DFGNodeFlags.cpp:
6619 (JSC::DFG::nodeFlagsAsString):
6620 * dfg/DFGNodeFlags.h:
6621 (DFG):
6622 * dfg/DFGSpeculativeJIT.cpp:
6623 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
6624 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
6625 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
6626 * dfg/DFGSpeculativeJIT.h:
6627 (JSC::DFG::SpeculativeJIT::speculationCheck):
6628 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
6629 (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
6630 (SpeculativeJIT):
6631 * dfg/DFGSpeculativeJIT32_64.cpp:
6632 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
6633 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
6634 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
6635 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
6636 (JSC::DFG::SpeculativeJIT::compile):
6637 * dfg/DFGSpeculativeJIT64.cpp:
6638 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
6639 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
6640 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
6641 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
6642 (JSC::DFG::SpeculativeJIT::compile):
6643
6644 2012-05-20 Filip Pizlo <fpizlo@apple.com>
6645
6646 DFG should not do unnecessary indirections when storing to objects
6647 https://bugs.webkit.org/show_bug.cgi?id=86959
6648
6649 Reviewed by Oliver Hunt.
6650
6651 Merged r117819 from dfgopt.
6652
6653 * dfg/DFGByteCodeParser.cpp:
6654 (JSC::DFG::ByteCodeParser::parseBlock):
6655 * dfg/DFGCSEPhase.cpp:
6656 (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
6657 * dfg/DFGSpeculativeJIT32_64.cpp:
6658 (JSC::DFG::SpeculativeJIT::compile):
6659 * dfg/DFGSpeculativeJIT64.cpp:
6660 (JSC::DFG::SpeculativeJIT::compile):
6661
6662 2012-05-17 Filip Pizlo <fpizlo@apple.com>
6663
6664 DFG should optimize aliased uses of the Arguments object of the current call frame
6665 https://bugs.webkit.org/show_bug.cgi?id=86552
6666
6667 Reviewed by Geoff Garen.
6668
6669 Merged r117542 and r117543 from dfgopt.
6670
6671 Performs must-alias and escape analysis on uses of CreateArguments, and if
6672 a variable is must-aliased to CreateArguments and does not escape, then we
6673 turn all uses of that variable into direct arguments accesses.
6674
6675 36% speed-up on V8/earley leading to a 2.3% speed-up overall in V8.
6676
6677 * bytecode/CodeBlock.h:
6678 (JSC::CodeBlock::uncheckedArgumentsRegister):
6679 * bytecode/ValueRecovery.h:
6680 (JSC::ValueRecovery::argumentsThatWereNotCreated):
6681 (ValueRecovery):
6682 (JSC::ValueRecovery::dump):
6683 * dfg/DFGAbstractState.cpp:
6684 (JSC::DFG::AbstractState::execute):
6685 * dfg/DFGAdjacencyList.h:
6686 (AdjacencyList):
6687 (JSC::DFG::AdjacencyList::removeEdgeFromBag):
6688 * dfg/DFGArgumentsSimplificationPhase.cpp:
6689 (JSC::DFG::ArgumentsSimplificationPhase::run):
6690 (ArgumentsSimplificationPhase):
6691 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
6692 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
6693 (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
6694 (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
6695 (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
6696 * dfg/DFGAssemblyHelpers.h:
6697 (JSC::DFG::AssemblyHelpers::argumentsRegisterFor):
6698 (AssemblyHelpers):
6699 * dfg/DFGByteCodeParser.cpp:
6700 (JSC::DFG::ByteCodeParser::parseBlock):
6701 * dfg/DFGCFGSimplificationPhase.cpp:
6702 (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
6703 * dfg/DFGGPRInfo.h:
6704 (GPRInfo):
6705 * dfg/DFGGraph.cpp:
6706 (JSC::DFG::Graph::collectGarbage):
6707 (DFG):
6708 * dfg/DFGGraph.h:
6709 (Graph):
6710 (JSC::DFG::Graph::executableFor):
6711 (JSC::DFG::Graph::argumentsRegisterFor):
6712 (JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
6713 (JSC::DFG::Graph::clobbersWorld):
6714 * dfg/DFGNode.h:
6715 (JSC::DFG::Node::hasHeapPrediction):
6716 * dfg/DFGNodeType.h:
6717 (DFG):
6718 * dfg/DFGOSRExitCompiler.cpp:
6719 * dfg/DFGOSRExitCompiler.h:
6720 (JSC::DFG::OSRExitCompiler::OSRExitCompiler):
6721 (OSRExitCompiler):
6722 * dfg/DFGOSRExitCompiler32_64.cpp:
6723 (JSC::DFG::OSRExitCompiler::compileExit):
6724 * dfg/DFGOSRExitCompiler64.cpp:
6725 (JSC::DFG::OSRExitCompiler::compileExit):
6726 * dfg/DFGOperations.cpp:
6727 * dfg/DFGPredictionPropagationPhase.cpp:
6728 (JSC::DFG::PredictionPropagationPhase::propagate):
6729 * dfg/DFGSpeculativeJIT.cpp:
6730 (JSC::DFG::ValueSource::dump):
6731 (JSC::DFG::SpeculativeJIT::compile):
6732 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
6733 * dfg/DFGSpeculativeJIT.h:
6734 * dfg/DFGSpeculativeJIT32_64.cpp:
6735 (JSC::DFG::SpeculativeJIT::compile):
6736 * dfg/DFGSpeculativeJIT64.cpp:
6737 (JSC::DFG::SpeculativeJIT::compile):
6738 * dfg/DFGVariableAccessData.h:
6739 (JSC::DFG::VariableAccessData::VariableAccessData):
6740 (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias):
6741 (VariableAccessData):
6742 (JSC::DFG::VariableAccessData::isArgumentsAlias):
6743 * jit/JITOpcodes.cpp:
6744 (JSC::JIT::emitSlow_op_get_argument_by_val):
6745
6746 2012-05-23 Filip Pizlo <fpizlo@apple.com>
6747
6748 DFGCapabilities should not try to get an arguments register from code blocks that don't have one
6749 https://bugs.webkit.org/show_bug.cgi?id=87332
6750
6751 Reviewed by Andy Estes.
6752
6753 * dfg/DFGCapabilities.h:
6754 (JSC::DFG::canInlineOpcode):
6755
6756 2012-05-23 Filip Pizlo <fpizlo@apple.com>
6757
6758 DFG should have sparse conditional constant propagation
6759 https://bugs.webkit.org/show_bug.cgi?id=86580
6760
6761 Reviewed by Oliver Hunt.
6762
6763 Merged r117370 from dfgopt.
6764
6765 This enhances CFA so that if it suspects at any point during the fixpoint that a
6766 branch will only go one way, then it only propagates in that one way.
6767
6768 This vastly increases the opportunities for CFG simplification. For example, it
6769 enables us to evaporate this loop:
6770
6771 for (var i = 0; i < 1; ++i) doThings(i);
6772
6773 As a result, it uncovered loads of bugs in the CFG simplifier. In particular:
6774
6775 - Phi fixup was assuming that all Phis worth fixing up are shouldGenerate().
6776 That's not true; we also fixup Phis that are dead.
6777
6778 - GetLocal fixup was assuming that it's only necessary to rewire links to a
6779 GetLocal, and that the GetLocal's own links don't need to be rewired. Untrue,
6780 because the GetLocal may not be rewirable (first block has no GetLocal for r42
6781 but second block does have a GetLocal), in which case it will refer to a Phi
6782 in the second block. We need it to refer to a Phi from the first block to
6783 ensure that subsequent transformations work.
6784
6785 - Tail operand fixup was ignoring the fact that Phis in successors may contain
6786 references to the children of our tail variables. Hence, successor Phi child
6787 substitution needs to use the original second block variable table as its
6788 prior, rather than trying to reconstruct the prior later (since by that point
6789 the children of the second block's tail variables will have been fixed up, so
6790 we will not know what the prior would have been).
6791
6792 * dfg/DFGAbstractState.cpp:
6793 (JSC::DFG::AbstractState::beginBasicBlock):
6794 (JSC::DFG::AbstractState::endBasicBlock):
6795 (JSC::DFG::AbstractState::reset):
6796 (JSC::DFG::AbstractState::execute):
6797 (JSC::DFG::AbstractState::mergeToSuccessors):
6798 * dfg/DFGAbstractState.h:
6799 (JSC::DFG::AbstractState::branchDirectionToString):
6800 (AbstractState):
6801 * dfg/DFGCFGSimplificationPhase.cpp:
6802 (JSC::DFG::CFGSimplificationPhase::run):
6803 (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
6804 (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
6805 (OperandSubstitution):
6806 (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
6807 (JSC::DFG::CFGSimplificationPhase::recordPossibleIncomingReference):
6808 (CFGSimplificationPhase):
6809 (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
6810 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
6811 * dfg/DFGGraph.h:
6812 (JSC::DFG::Graph::changeEdge):
6813
6814 2012-05-23 Ojan Vafai <ojan@chromium.org>
6815
6816 add back the ability to disable flexbox
6817 https://bugs.webkit.org/show_bug.cgi?id=87147
6818
6819 Reviewed by Tony Chang.
6820
6821 * Configurations/FeatureDefines.xcconfig:
6822
6823 2012-05-23 Filip Pizlo <fpizlo@apple.com>
6824
6825 Unreviewed, fix Windows build.
6826
6827 * bytecode/CodeBlock.h:
6828 * dfg/DFGCapabilities.h:
6829 (JSC::DFG::canCompileOpcode):
6830 (JSC::DFG::canCompileOpcodes):
6831 * dfg/DFGCommon.h:
6832 (DFG):
6833
6834 2012-05-23 Filip Pizlo <fpizlo@apple.com>
6835
6836 DFG should optimize inlined uses of arguments.length and arguments[i]
6837 https://bugs.webkit.org/show_bug.cgi?id=86327
6838
6839 Reviewed by Gavin Barraclough.
6840
6841 Merged r117017 from dfgopt.
6842
6843 Turns inlined uses of arguments.length into a constant.
6844
6845 Turns inlined uses of arguments[constant] into a direct reference to the
6846 argument.
6847
6848 Big win on micro-benchmarks. Not yet a win on V8 because the hot uses of
6849 arguments.length and arguments[i] are aliased. I'll leave the aliasing
6850 optimizations to a later patch.
6851
6852 * CMakeLists.txt:
6853 * GNUmakefile.list.am:
6854 * JavaScriptCore.xcodeproj/project.pbxproj:
6855 * Target.pri:
6856 * bytecode/DFGExitProfile.h:
6857 (FrequentExitSite):
6858 (JSC::DFG::FrequentExitSite::FrequentExitSite):
6859 (JSC::DFG::QueryableExitProfile::hasExitSite):
6860 (QueryableExitProfile):
6861 * dfg/DFGAbstractState.cpp:
6862 (JSC::DFG::AbstractState::execute):
6863 * dfg/DFGArgumentsSimplificationPhase.cpp: Added.
6864 (DFG):
6865 (ArgumentsSimplificationPhase):
6866 (JSC::DFG::ArgumentsSimplificationPhase::ArgumentsSimplificationPhase):
6867 (JSC::DFG::ArgumentsSimplificationPhase::run):
6868 (JSC::DFG::performArgumentsSimplification):
6869 * dfg/DFGArgumentsSimplificationPhase.h: Added.
6870 (DFG):
6871 * dfg/DFGAssemblyHelpers.cpp:
6872 (JSC::DFG::AssemblyHelpers::executableFor):
6873 (DFG):
6874 * dfg/DFGAssemblyHelpers.h:
6875 (AssemblyHelpers):
6876 * dfg/DFGByteCodeParser.cpp:
6877 (JSC::DFG::ByteCodeParser::parseBlock):
6878 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
6879 * dfg/DFGCSEPhase.cpp:
6880 (JSC::DFG::CSEPhase::getLocalLoadElimination):
6881 (JSC::DFG::CSEPhase::performNodeCSE):
6882 * dfg/DFGDriver.cpp:
6883 (JSC::DFG::compile):
6884 * dfg/DFGGraph.h:
6885 (JSC::DFG::Graph::Graph):
6886 (JSC::DFG::Graph::executableFor):
6887 (Graph):
6888 (JSC::DFG::Graph::clobbersWorld):
6889 * dfg/DFGNode.h:
6890 (JSC::DFG::Node::convertToConstant):
6891 (JSC::DFG::Node::convertToGetLocalUnlinked):
6892 (Node):
6893 (JSC::DFG::Node::unlinkedLocal):
6894 * dfg/DFGNodeType.h:
6895 (DFG):
6896 * dfg/DFGOSRExit.cpp:
6897 (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
6898 * dfg/DFGPredictionPropagationPhase.cpp:
6899 (JSC::DFG::PredictionPropagationPhase::propagate):
6900 * dfg/DFGSpeculativeJIT32_64.cpp:
6901 (JSC::DFG::SpeculativeJIT::compile):
6902 * dfg/DFGSpeculativeJIT64.cpp:
6903 (JSC::DFG::SpeculativeJIT::compile):
6904
6905 2012-05-13 Filip Pizlo <fpizlo@apple.com>
6906
6907 DFG should be able to optimize foo.apply(bar, arguments)
6908 https://bugs.webkit.org/show_bug.cgi?id=86306
6909
6910 Reviewed by Gavin Barraclough.
6911
6912 Merge r116912 from dfgopt.
6913
6914 Enables compilation of op_jneq_ptr and some forms of op_call_varargs.
6915
6916 Also includes a bunch of bug fixes that were made necessary by the increased
6917 pressure on the CFG simplifier.
6918
6919 This is a 1-2% win on V8.
6920
6921 * bytecode/CodeBlock.cpp:
6922 (JSC::CodeBlock::printCallOp):
6923 (JSC::CodeBlock::CodeBlock):
6924 (JSC::ProgramCodeBlock::canCompileWithDFGInternal):
6925 (JSC::EvalCodeBlock::canCompileWithDFGInternal):
6926 (JSC::FunctionCodeBlock::canCompileWithDFGInternal):
6927 * bytecode/CodeBlock.h:
6928 (CodeBlock):
6929 (JSC::CodeBlock::canCompileWithDFG):
6930 (JSC::CodeBlock::canCompileWithDFGState):
6931 (ProgramCodeBlock):
6932 (EvalCodeBlock):
6933 (FunctionCodeBlock):
6934 * dfg/DFGAbstractState.cpp:
6935 (JSC::DFG::AbstractState::execute):
6936 * dfg/DFGByteCodeParser.cpp:
6937 (JSC::DFG::ByteCodeParser::parseBlock):
6938 (JSC::DFG::ByteCodeParser::processPhiStack):
6939 (JSC::DFG::ByteCodeParser::parse):
6940 * dfg/DFGCFGSimplificationPhase.cpp:
6941 (JSC::DFG::CFGSimplificationPhase::run):
6942 (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
6943 (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
6944 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
6945 * dfg/DFGCSEPhase.cpp:
6946 (JSC::DFG::CSEPhase::getLocalLoadElimination):
6947 (CSEPhase):
6948 (JSC::DFG::CSEPhase::setReplacement):
6949 (JSC::DFG::CSEPhase::performNodeCSE):
6950 * dfg/DFGCapabilities.cpp:
6951 (JSC::DFG::debugFail):
6952 (DFG):
6953 (JSC::DFG::canHandleOpcodes):
6954 (JSC::DFG::canCompileOpcodes):
6955 (JSC::DFG::canInlineOpcodes):
6956 * dfg/DFGCapabilities.h:
6957 (JSC::DFG::canCompileOpcode):
6958 (JSC::DFG::canInlineOpcode):
6959 (DFG):
6960 (JSC::DFG::canCompileOpcodes):
6961 (JSC::DFG::canCompileEval):
6962 (JSC::DFG::canCompileProgram):
6963 (JSC::DFG::canCompileFunctionForCall):
6964 (JSC::DFG::canCompileFunctionForConstruct):
6965 * dfg/DFGCommon.h:
6966 * dfg/DFGGraph.cpp:
6967 (JSC::DFG::Graph::dump):
6968 * dfg/DFGNodeType.h:
6969 (DFG):
6970 * dfg/DFGPredictionPropagationPhase.cpp:
6971 (JSC::DFG::PredictionPropagationPhase::propagate):
6972 * dfg/DFGSpeculativeJIT32_64.cpp:
6973 (JSC::DFG::SpeculativeJIT::compile):
6974 * dfg/DFGSpeculativeJIT64.cpp:
6975 (JSC::DFG::SpeculativeJIT::emitCall):
6976 (JSC::DFG::SpeculativeJIT::compile):
6977 * dfg/DFGValidate.cpp:
6978 (Validate):
6979 (JSC::DFG::Validate::validate):
6980 (JSC::DFG::Validate::checkOperand):
6981 (JSC::DFG::Validate::reportValidationContext):
6982 * jit/JIT.cpp:
6983 (JSC::JIT::emitOptimizationCheck):
6984 (JSC::JIT::privateCompileSlowCases):
6985 (JSC::JIT::privateCompile):
6986 * jit/JIT.h:
6987 * jit/JITArithmetic.cpp:
6988 (JSC::JIT::compileBinaryArithOp):
6989 * jit/JITPropertyAccess.cpp:
6990 (JSC::JIT::privateCompilePutByIdTransition):
6991 * jit/JITPropertyAccess32_64.cpp:
6992 (JSC::JIT::privateCompilePutByIdTransition):
6993 * tools/CodeProfile.cpp:
6994 (JSC::CodeProfile::sample):
6995
6996 2012-05-23 Geoffrey Garen <ggaren@apple.com>
6997
6998 Refactored WeakBlock to use malloc, clarify behavior
6999 https://bugs.webkit.org/show_bug.cgi?id=87318
7000
7001 Reviewed by Filip Pizlo.
7002
7003 We want to use malloc so we can make these smaller than 4KB,
7004 since an individual MarkedBlock will usually have fewer than
7005 4KB worth of weak pointers.
7006
7007 * heap/Heap.cpp:
7008 (JSC::Heap::markRoots): Renamed visitLiveWeakImpls to visit, since
7009 we no longer need to distinguish from "visitDeadWeakImpls".
7010
7011 Renamed "visitDeadWeakImpls" to "reap" because we're not actually
7012 doing any visiting -- we're just tagging things as dead.
7013
7014 * heap/WeakBlock.cpp:
7015 (JSC::WeakBlock::create):
7016 (JSC::WeakBlock::destroy):
7017 (JSC::WeakBlock::WeakBlock): Malloc!
7018
7019 (JSC::WeakBlock::visit):
7020 (JSC::WeakBlock::reap): Renamed as above.
7021
7022 * heap/WeakBlock.h:
7023 (WeakBlock): Reduced to 3KB, as explained above.
7024
7025 * heap/WeakSet.cpp:
7026 (JSC::WeakSet::visit):
7027 (JSC::WeakSet::reap):
7028 * heap/WeakSet.h:
7029 (WeakSet): Updated for renames, and to match WebKit style.
7030
7031 2012-05-23 Filip Pizlo <fpizlo@apple.com>
7032
7033 Use after free in JSC::DFG::ByteCodeParser::processPhiStack
7034 https://bugs.webkit.org/show_bug.cgi?id=87312
7035 <rdar://problem/11518848>
7036
7037 Reviewed by Oliver Hunt.
7038
7039 * dfg/DFGByteCodeParser.cpp:
7040 (JSC::DFG::ByteCodeParser::processPhiStack):
7041 (JSC::DFG::ByteCodeParser::parse):
7042
7043 2012-05-23 Filip Pizlo <fpizlo@apple.com>
7044
7045 It should be possible to make C function calls from DFG code on ARM in debug mode
7046 https://bugs.webkit.org/show_bug.cgi?id=87313
7047
7048 Reviewed by Gavin Barraclough.
7049
7050 * dfg/DFGSpeculativeJIT.h:
7051 (SpeculativeJIT):
7052
7053 2012-05-11 Filip Pizlo <fpizlo@apple.com>
7054
7055 DFG should be able to inline functions that use arguments reflectively
7056 https://bugs.webkit.org/show_bug.cgi?id=86132
7057
7058 Reviewed by Oliver Hunt.
7059
7060 Merged r116838 from dfgopt.
7061
7062 This turns on inlining of functions that use arguments reflectively, but it
7063 does not do any of the obvious optimizations that this exposes. I'll save that
7064 for another patch - the important thing for now is that this contains all of
7065 the plumbing necessary to make this kind of inlining sound even in bizarro
7066 cases like an inline callee escaping the arguments object to parts of the
7067 inline caller where the arguments are otherwise dead. Or even more fun cases
7068 like where you've inlined to an inline stack that is three-deep, and the
7069 function on top of the inline stack reflectively accesses the arguments of a
7070 function that is in the middle of the inline stack. Any subsequent
7071 optimizations that we do for the obvious cases of arguments usage in inline
7072 functions will have to take care not to break the baseline functionality that
7073 this patch plumbs together.
7074
7075 * bytecode/CodeBlock.cpp:
7076 (JSC::CodeBlock::printCallOp):
7077 (JSC::CodeBlock::dump):
7078 * bytecode/CodeBlock.h:
7079 * dfg/DFGAssemblyHelpers.h:
7080 (JSC::DFG::AssemblyHelpers::argumentsRegisterFor):
7081 (AssemblyHelpers):
7082 * dfg/DFGByteCodeParser.cpp:
7083 (InlineStackEntry):
7084 (JSC::DFG::ByteCodeParser::handleCall):
7085 (JSC::DFG::ByteCodeParser::handleInlining):
7086 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
7087 (JSC::DFG::ByteCodeParser::parse):
7088 * dfg/DFGCCallHelpers.h:
7089 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
7090 (CCallHelpers):
7091 * dfg/DFGCapabilities.h:
7092 (JSC::DFG::canInlineOpcode):
7093 * dfg/DFGDriver.cpp:
7094 (JSC::DFG::compile):
7095 * dfg/DFGFixupPhase.cpp:
7096 (JSC::DFG::FixupPhase::fixupNode):
7097 * dfg/DFGOperations.cpp:
7098 * dfg/DFGOperations.h:
7099 * dfg/DFGSpeculativeJIT.h:
7100 (JSC::DFG::SpeculativeJIT::callOperation):
7101 * dfg/DFGSpeculativeJIT32_64.cpp:
7102 (JSC::DFG::SpeculativeJIT::compile):
7103 * dfg/DFGSpeculativeJIT64.cpp:
7104 (JSC::DFG::SpeculativeJIT::compile):
7105 * interpreter/CallFrame.cpp:
7106 (JSC):
7107 (JSC::CallFrame::someCodeBlockForPossiblyInlinedCode):
7108 * interpreter/CallFrame.h:
7109 (ExecState):
7110 (JSC::ExecState::someCodeBlockForPossiblyInlinedCode):
7111 * interpreter/Interpreter.cpp:
7112 (JSC::Interpreter::retrieveArgumentsFromVMCode):
7113 * runtime/Arguments.cpp:
7114 (JSC::Arguments::tearOff):
7115 (JSC):
7116 (JSC::Arguments::tearOffForInlineCallFrame):
7117 * runtime/Arguments.h:
7118 (Arguments):
7119 (JSC::Arguments::create):
7120 (JSC::Arguments::finishCreation):
7121 (JSC):
7122
2012-05-23 Filip Pizlo <fpizlo@apple.com>

        Every OSR exit on ARM results in a crash
        https://bugs.webkit.org/show_bug.cgi?id=87307

        Reviewed by Geoffrey Garen.

        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):

2012-05-23 Geoffrey Garen <ggaren@apple.com>

        Refactored heap tear-down to use normal value semantics (i.e., destructors)
        https://bugs.webkit.org/show_bug.cgi?id=87302

        Reviewed by Oliver Hunt.

        This is a step toward incremental DOM finalization.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::~CopiedSpace):
        * heap/CopiedSpace.h:
        (CopiedSpace): Just use our destructor, instead of relying on the heap
        to send us a special message at a special time.

        * heap/Heap.cpp:
        (JSC::Heap::Heap): Use OwnPtr for m_markListSet because this is not Sparta.

        (JSC::Heap::~Heap): No need for delete or freeAllBlocks because normal
        destructors do this work automatically now.

        (JSC::Heap::lastChanceToFinalize): Just call lastChanceToFinalize on our
        sub-objects, and assume it does the right thing. This improves encapsulation,
        so we can add items requiring finalization to our sub-objects.

        * heap/Heap.h: Moved m_blockAllocator to get the right destruction order.

        * heap/MarkedSpace.cpp:
        (Take):
        (JSC):
        (JSC::Take::Take):
        (JSC::Take::operator()):
        (JSC::Take::returnValue): Moved to the top of the file so it can be used
        in another function.

        (JSC::MarkedSpace::~MarkedSpace): Delete all outstanding memory, like a good
        destructor should.

        (JSC::MarkedSpace::lastChanceToFinalize): Moved some code here from the heap,
        since it pertains to our internal implementation details.

        * heap/MarkedSpace.h:
        (MarkedSpace):
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::lastChanceToFinalize):
        * heap/WeakBlock.h:
        (WeakBlock):
        * heap/WeakSet.cpp:
        (JSC::WeakSet::lastChanceToFinalize):
        * heap/WeakSet.h:
        (WeakSet): Stop using a special freeAllBlocks() callback and just implement
        lastChanceToFinalize.

2011-05-22 Geoffrey Garen <ggaren@apple.com>

        Encapsulated some calculations for whether portions of the heap are empty
        https://bugs.webkit.org/show_bug.cgi?id=87210

        Reviewed by Gavin Barraclough.

        This is a step toward incremental DOM finalization.

        * heap/Heap.cpp:
        (JSC::Heap::~Heap): Explicitly call freeAllBlocks() instead of relying
        implicitly on all blocks thinking they're empty. In future, we may
        choose to tear down the heap without first setting all data structures
        to "empty".

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isEmpty):
        (JSC::MarkedBlock::gatherDirtyCells): Renamed markCountIsZero to isEmpty,
        in preparation for making it check for outstanding finalizers in addition
        to marked cells.

        * heap/MarkedSpace.cpp:
        (Take):
        (JSC::Take::Take):
        (JSC::Take::operator()):
        (JSC::Take::returnValue):
        (JSC::MarkedSpace::shrink):
        (JSC::MarkedSpace::freeAllBlocks): Refactored the "Take" functor to support
        a conditional isEmpty check, so it could be shared by shrink() and freeAllBlocks().

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::WeakBlock):
        (JSC::WeakBlock::visitLiveWeakImpls):
        (JSC::WeakBlock::visitDeadWeakImpls):
        * heap/WeakBlock.h:
        (WeakBlock):
        (JSC::WeakBlock::isEmpty):
        * heap/WeakSet.cpp:
        (JSC::WeakSet::sweep):
        (JSC::WeakSet::shrink): Use isEmpty(), in preparation for changes in
        its implementation.

2012-05-23 Oswald Buddenhagen <oswald.buddenhagen@nokia.com>

        [Qt] Remove references to $$QT_SOURCE_TREE

        With a modularized Qt, it's ambiguous. What we really want is qtbase,
        which qtcore is a proxy for (we assume it will always live in qtbase).

        Reviewed by Tor Arne Vestbø.

        * JavaScriptCore.pri:
        * Target.pri:

2012-05-09 Filip Pizlo <fpizlo@apple.com>

        DFG should allow inlining in case of certain arity mismatches
        https://bugs.webkit.org/show_bug.cgi?id=86059

        Reviewed by Geoff Garen.

        Merge r116620 from dfgopt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):

2012-05-08 Filip Pizlo <fpizlo@apple.com>

        DFG variable capture analysis should work even if the variables arose through inlining
        https://bugs.webkit.org/show_bug.cgi?id=85945

        Reviewed by Oliver Hunt.

        Merged r116555 from dfgopt.

        This just changes how the DFG queries whether a variable is captured. It does not
        change any user-visible behavior.

        As part of this change, I further solidified the policy that the CFA behaves in an
        undefined way for captured locals and queries about their values will not yield
        reliable results. This will likely be changed in the future, but for now it makes
        sense.

        One fun part about this change is that it recognizes that the same variable may
        be both captured and not, at the same time, because their live interval spans
        inlining boundaries. This only happens in the case of arguments to functions that
        capture their arguments, and this change treats them with just the right touch of
        conservatism: they will be treated as if captured by the caller as well as the
        callee.

        Finally, this also adds captured variable reasoning to the InlineCallFrame, which
        I thought might be useful for later tooling.

        This is perf-neutral, since it does not make the DFG take advantage of this
        new functionality in any way. In particular, it is still the case that the DFG will
        not inline functions that use arguments reflectively or that create activations.

        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::needsActivation):
        (JSC::CodeBlock::argumentIsCaptured):
        (JSC::CodeBlock::localIsCaptured):
        (JSC::CodeBlock::isCaptured):
        * bytecode/CodeOrigin.h:
        (InlineCallFrame):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::merge):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::newVariableAccessData):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flushArgument):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::fixVariableAccessPredictions):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (CFGSimplificationPhase):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
        (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::nameOfVariableAccessData):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::needsActivation):
        (JSC::DFG::Graph::usesArguments):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsCaptured):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::isCaptured):

2012-05-08 Filip Pizlo <fpizlo@apple.com>

        DFG should support op_get_argument_by_val and op_get_arguments_length
        https://bugs.webkit.org/show_bug.cgi?id=85911

        Reviewed by Oliver Hunt.

        Merged r116467 from dfgopt.

        This adds a simple and relatively conservative implementation of op_get_argument_by_val
        and op_get_arguments_length. We can optimize these later. For now it's great to have
        the additional coverage.

        This patch appears to be perf-neutral.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::addressFor):
        (JSC::DFG::AssemblyHelpers::tagFor):
        (JSC::DFG::AssemblyHelpers::payloadFor):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_argument_by_val):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-05-07 Filip Pizlo <fpizlo@apple.com>

        DFG should support op_tear_off_arguments
        https://bugs.webkit.org/show_bug.cgi?id=85847

        Reviewed by Michael Saboff.

        Merged r116378 from dfgopt.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-05-22 Mark Hahnenberg <mhahnenberg@apple.com>

        CopiedSpace::contains doesn't check for oversize blocks
        https://bugs.webkit.org/show_bug.cgi?id=87180

        Reviewed by Geoffrey Garen.

        When doing a conservative scan we use CopiedSpace::contains to determine if a particular
        address points into the CopiedSpace. Currently contains() only checks if the address
        points to a block in to-space, which means that pointers to oversize blocks may not get scanned.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::tryReallocateOversize):
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::doneCopying):
        * heap/CopiedSpace.h: Refactored CopiedSpace so that all blocks (oversize and to-space) are
        in a single hash set and bloom filter for membership testing.
        (CopiedSpace):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::contains): We check for the normal block first. Since the oversize blocks are
        only page aligned, rather than block aligned, we have to re-mask the ptr to check if it's in
        CopiedSpace. Also added a helper function of the same name that takes a CopiedBlock* and checks
        if it's in CopiedSpace so that check isn't typed out twice.
        (JSC):
        (JSC::CopiedSpace::startedCopying):
        (JSC::CopiedSpace::addNewBlock):

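The membership check described in the entry above, as an added example that is not JavaScriptCore's code: a candidate pointer from a conservative scan is masked to block alignment and looked up among to-space blocks, which misses oversize blocks whose base is only page aligned, and the fixed form re-masks the pointer to page alignment and consults one unified set of blocks. The block and page sizes, the `Space` type, the sample addresses and the function names are assumptions for this demo.

```cpp
// Added example, not JavaScriptCore code: models the membership test a
// conservative scanner runs on a candidate pointer when the space holds both
// block-aligned normal blocks and page-aligned oversize blocks.
#include <cstdint>
#include <cstdio>
#include <unordered_set>

// Sizes and alignments are assumptions for this demo, not JSC's constants.
constexpr uintptr_t kBlockSize = 64 * 1024; // normal blocks: 64 KiB, block-aligned
constexpr uintptr_t kPageSize = 4 * 1024;   // oversize blocks: only page-aligned

// Hypothetical stand-in for the space: base addresses of live blocks.
struct Space {
    std::unordered_set<uintptr_t> toSpaceBlocks; // normal (block-aligned) blocks only
    std::unordered_set<uintptr_t> allBlocks;     // normal + oversize, one unified set
};

static uintptr_t blockFor(uintptr_t ptr) { return ptr & ~(kBlockSize - 1); }
static uintptr_t oversizeBlockFor(uintptr_t ptr) { return ptr & ~(kPageSize - 1); }

// Buggy form: masks to block alignment and consults only to-space, so a pointer
// into an oversize block (page-aligned base, not block-aligned) is never found.
bool containsBuggy(const Space& s, uintptr_t ptr) {
    return s.toSpaceBlocks.count(blockFor(ptr)) != 0;
}

// Fixed form: try the block-aligned candidate first, then re-mask to page
// alignment for oversize blocks; both lookups hit the single unified set.
// The page-aligned re-mask recovers the base only for pointers within the
// block's first page, which suffices when the scanned pointers refer to the
// start of a block's payload.
bool containsFixed(const Space& s, uintptr_t ptr) {
    if (s.allBlocks.count(blockFor(ptr)))
        return true;
    return s.allBlocks.count(oversizeBlockFor(ptr)) != 0;
}

// Constructed sample: one normal block and one oversize block.
Space makeSampleSpace() {
    Space s;
    const uintptr_t normalBase = 0x10000;   // 64 KiB aligned
    const uintptr_t oversizeBase = 0x31000; // 4 KiB aligned, not 64 KiB aligned
    s.toSpaceBlocks.insert(normalBase);
    s.allBlocks.insert(normalBase);
    s.allBlocks.insert(oversizeBase);
    return s;
}

int main() {
    Space s = makeSampleSpace();
    const uintptr_t intoNormal = 0x10040;   // payload pointer into the normal block
    const uintptr_t intoOversize = 0x31020; // payload pointer into the oversize block
    const uintptr_t stray = 0x50010;        // points into neither block
    std::printf("buggy: normal=%d oversize=%d stray=%d\n",
                (int)containsBuggy(s, intoNormal), (int)containsBuggy(s, intoOversize),
                (int)containsBuggy(s, stray));
    std::printf("fixed: normal=%d oversize=%d stray=%d\n",
                (int)containsFixed(s, intoNormal), (int)containsFixed(s, intoOversize),
                (int)containsFixed(s, stray));
    return 0;
}
```

Running it shows the buggy check reporting the oversize pointer as outside the space while the fixed check finds it; a scanner that trusts the buggy answer would skip scanning that block's contents.
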
2012-05-22 Geoffrey Garen <ggaren@apple.com>

        CopiedBlock and MarkedBlock should have proper value semantics (i.e., destructors)
        https://bugs.webkit.org/show_bug.cgi?id=87172

        Reviewed by Oliver Hunt and Phil Pizlo.

        This enables MarkedBlock to own non-trivial sub-objects that require
        destruction. It also fixes a FIXME about casting a CopiedBlock to a
        MarkedBlock at destroy time.

        CopiedBlock and MarkedBlock now accept an allocation chunk at create
        time and return it at destroy time. Their client is expected to
        allocate, recycle, and destroy these chunks.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::releaseFreeBlocks):
        (JSC::BlockAllocator::blockFreeingThreadMain): Don't call MarkedBlock::destroy
        because we expect that to be called before a block is put on our free
        list now. Do manually deallocate our allocation chunk because that's
        our job now.

        * heap/BlockAllocator.h:
        (BlockAllocator):
        (JSC::BlockAllocator::allocate): Allocate never fails now. This is a
        cleaner abstraction because only one object does all the VM allocation
        and deallocation. Caching is an implementation detail.

        (JSC::BlockAllocator::deallocate): We take an allocation chunk argument
        instead of a block because we now expect the block to have been destroyed
        before we recycle its memory. For convenience, we still use the HeapBlock
        class as our linked list node. This is OK because HeapBlock is a POD type.

        * heap/CopiedBlock.h:
        (CopiedBlock):
        (JSC::CopiedBlock::create):
        (JSC::CopiedBlock::destroy):
        (JSC::CopiedBlock::CopiedBlock): Added proper create and destroy functions,
        to match MarkedBlock.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::tryReallocateOversize):
        (JSC::CopiedSpace::doneCopying):
        (JSC::CopiedSpace::getFreshBlock):
        (JSC::CopiedSpace::freeAllBlocks):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::recycleBlock): Make sure to call destroy before
        returning a block to the BlockAllocator. Otherwise, our destructors
        won't run. (If we get this wrong now, we'll get a compile error.)

        * heap/HeapBlock.h:
        (JSC::HeapBlock::HeapBlock): const!

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateBlock): No need to distinguish between
        create and recycle -- MarkedBlock always accepts memory allocated by
        its client now.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create): Don't allocate memory -- we assume that we're
        passed already-allocated memory, to clarify the responsibility for VM
        recycling.

        (JSC::MarkedBlock::destroy): Do run our destructor before giving back
        our VM -- that is the whole point of this patch.

        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        (MarkedBlock):
        * heap/MarkedSpace.cpp: const!

        (JSC::MarkedSpace::freeBlocks): Make sure to call destroy before
        returning a block to the BlockAllocator. Otherwise, our destructors
        won't run. (If we get this wrong now, we'll get a compile error.)

== Rolled over to ChangeLog-2012-05-22 ==