2014-07-04 Andreas Kling <akling@apple.com>

Fast path for jsStringWithCache() when asked for the same string repeatedly.
<https://webkit.org/b/134635>

Also moved the whole thing from WebCore to JavaScriptCore since it
makes more sense here, and inlined the lightweight checks, leaving only
the hashmap stuff out of line.

Reviewed by Darin Adler.

* runtime/JSString.cpp:
(JSC::jsStringWithCacheSlowCase):
(JSC::jsStringWithCache):
2014-07-03 Daniel Bates <dabates@apple.com>

https://bugs.webkit.org/show_bug.cgi?id=134500

Rubber-stamped by Anders Carlsson.

Substitute WTF::move() for std::move().

* bytecode/CodeBlock.h:
* bytecode/UnlinkedCodeBlock.cpp:
* bytecompiler/BytecodeGenerator.cpp:
* dfg/DFGJITCompiler.cpp:
* dfg/DFGStackLayoutPhase.cpp:
* dfg/DFGWorklist.cpp:
* heap/DelayedReleaseScope.h:
2014-07-03 Filip Pizlo <fpizlo@apple.com>

SSA DCE should process blocks in forward order
https://bugs.webkit.org/show_bug.cgi?id=134611

Reviewed by Andreas Kling.

* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
* tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
2014-07-03 Filip Pizlo <fpizlo@apple.com>

JSActivation::symbolTablePut() should invalidate variable watchpoints
https://bugs.webkit.org/show_bug.cgi?id=134602

Reviewed by Oliver Hunt.

Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
during linking - we essentially assume that if it's at all possible for an inner function to store to a
variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.

* runtime/JSActivation.cpp:
(JSC::JSActivation::symbolTablePut):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePut):
* tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
2014-07-01 Mark Lam <mark.lam@apple.com>

Debugger's breakpoint list should not be a Vector.
<https://webkit.org/b/134514>

Reviewed by Geoffrey Garen.

The debugger currently stores breakpoint data as entries in a Vector (see
BreakpointsInLine). It also keeps a fast map lookup of breakpoint IDs to
the breakpoint data (see m_breakpointIDToBreakpoint). Because a Vector can
compact or reallocate its backing store, this can cause all sorts of havoc.
The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't

The fix is to replace the BreakpointsInLine Vector with a BreakpointsList

* debugger/Breakpoint.h:
(JSC::Breakpoint::Breakpoint):
(JSC::BreakpointsList::~BreakpointsList):
* debugger/Debugger.cpp:
(JSC::Debugger::setBreakpoint):
(JSC::Debugger::removeBreakpoint):
(JSC::Debugger::hasBreakpoint):
* debugger/Debugger.h:
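The hazard this entry describes, as an added example that is not WebKit code: a side map of breakpoint IDs holding pointers into a std::vector is undermined the moment the vector reallocates, while a node-based list keeps element addresses fixed. Breakpoint, BreakpointsList and their member names are hypothetical stand-ins for the JSC types, written against the C++ standard library rather than WTF::Vector, and the probes compare addresses as integers so no stale pointer is ever dereferenced.

```cpp
#include <cstddef>
#include <cstdint>
#include <iterator>
#include <list>
#include <unordered_map>
#include <vector>

// Hypothetical stand-in for JSC::Breakpoint: an ID and the line it is set on.
struct Breakpoint {
    unsigned id;
    unsigned line;
};

// Records where the first element lives, then appends until the vector has
// to reallocate. Growth moves every element into a fresh backing store, so
// the recorded address no longer names the element: any side map that held
// a pointer into the old store now dangles. Addresses are compared as
// integers so nothing stale is dereferenced.
bool vectorKeepsElementAddressStable()
{
    std::vector<Breakpoint> breakpoints;
    breakpoints.push_back({ 1, 10 });
    std::uintptr_t before = reinterpret_cast<std::uintptr_t>(&breakpoints[0]);
    std::size_t initialCapacity = breakpoints.capacity();
    for (unsigned id = 2; breakpoints.capacity() == initialCapacity; ++id)
        breakpoints.push_back({ id, 10 });
    std::uintptr_t after = reinterpret_cast<std::uintptr_t>(&breakpoints[0]);
    return before == after;
}

// Same probe on std::list: nodes are allocated one by one, so appending never
// moves an existing element and pointers or iterators into it stay valid.
bool listKeepsElementAddressStable()
{
    std::list<Breakpoint> breakpoints;
    breakpoints.push_back({ 1, 10 });
    std::uintptr_t before = reinterpret_cast<std::uintptr_t>(&breakpoints.front());
    for (unsigned id = 2; id < 4096; ++id)
        breakpoints.push_back({ id, 10 });
    std::uintptr_t after = reinterpret_cast<std::uintptr_t>(&breakpoints.front());
    return before == after;
}

// Hypothetical BreakpointsList: breakpoints live in a std::list and the ID map
// stores list iterators, which remain valid until that element is erased.
class BreakpointsList {
public:
    void setBreakpoint(unsigned id, unsigned line)
    {
        m_breakpoints.push_back({ id, line });
        m_idToBreakpoint[id] = std::prev(m_breakpoints.end());
    }

    bool removeBreakpoint(unsigned id)
    {
        auto it = m_idToBreakpoint.find(id);
        if (it == m_idToBreakpoint.end())
            return false;
        m_breakpoints.erase(it->second); // frees only this node
        m_idToBreakpoint.erase(it);
        return true;
    }

    bool hasBreakpoint(unsigned line) const
    {
        for (const Breakpoint& breakpoint : m_breakpoints) {
            if (breakpoint.line == line)
                return true;
        }
        return false;
    }

    // The map entry still refers to live storage however many breakpoints
    // were added or removed around it.
    unsigned lineOfBreakpoint(unsigned id) const
    {
        return m_idToBreakpoint.at(id)->line;
    }

private:
    std::list<Breakpoint> m_breakpoints;
    std::unordered_map<unsigned, std::list<Breakpoint>::iterator> m_idToBreakpoint;
};
```

Storing a std::list iterator in the ID map is the standard-library way to get the stable-node guarantee; a WTF::Vector, like std::vector, gives no such guarantee across appends, and a map entry that outlives a reallocation is a use-after-free waiting for the next lookup.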
2014-06-30 Michael Saboff <msaboff@apple.com>

Add option to run-jsc-stress-tests to filter out tests that use large heaps
https://bugs.webkit.org/show_bug.cgi?id=134458

Reviewed by Filip Pizlo.

Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.

* tests/mozilla/mozilla-tests.yaml:
2014-06-30 Daniel Bates <dabates@apple.com>

Avoid copying closed variables vector; actually use move semantics

Rubber-stamped by Oliver Hunt.

Currently we always copy the closed variables vector passed by Parser::closedVariables()
to ProgramNode::setClosedVariables() because these member functions return and take a const
rvalue reference, respectively. Instead, these member functions should take and return a
non-constant rvalue reference so that we actually move the closed variables vector from the Parser
object to the Node object.

(JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
(JSC::ScopeNode::setClosedVariables): Ditto.
(JSC::Parser::closedVariables): Remove const qualifier on return type.
(JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
because Parser::closedVariables() returns an rvalue reference.
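An added example (not WebKit code) of why the const qualifier defeated the move: a const rvalue reference cannot bind to a move constructor's non-const rvalue parameter, so overload resolution silently picks the copy constructor. ClosedVariables, ParserBefore, ParserAfter, ProgramNodeBefore and ProgramNodeAfter are hypothetical stand-ins for the JSC types; the copied flag exists only so a caller can see which constructor ran.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for the parser's closed-variables vector. The copy
// constructor leaves a mark so a caller can tell which constructor ran.
struct ClosedVariables {
    std::vector<std::string> names;
    bool copied = false;

    ClosedVariables() = default;
    ClosedVariables(const ClosedVariables& other)
        : names(other.names), copied(true) { }
    ClosedVariables(ClosedVariables&& other) noexcept
        : names(std::move(other.names)), copied(false) { }
};

// "Before": the getter returns const ClosedVariables&&. A const rvalue cannot
// bind to the move constructor's ClosedVariables&& parameter, so overload
// resolution falls back to the copy constructor and the vector is duplicated.
class ParserBefore {
public:
    void addClosedVariable(std::string name) { m_closedVariables.names.push_back(std::move(name)); }
    const ClosedVariables&& closedVariables() { return std::move(m_closedVariables); }
private:
    ClosedVariables m_closedVariables;
};

struct ProgramNodeBefore {
    ClosedVariables closedVariables;
    // Hypothetical stand-in for setClosedVariables() as it was: a const rvalue
    // reference parameter, so std::move(variables) still yields a const rvalue
    // and the member is copy-constructed.
    explicit ProgramNodeBefore(const ClosedVariables&& variables)
        : closedVariables(std::move(variables)) { }
};

// "After": both sides use a non-const rvalue reference, so the member is
// move-constructed and the parser's vector is stolen rather than copied.
class ParserAfter {
public:
    void addClosedVariable(std::string name) { m_closedVariables.names.push_back(std::move(name)); }
    ClosedVariables&& closedVariables() { return std::move(m_closedVariables); }
private:
    ClosedVariables m_closedVariables;
};

struct ProgramNodeAfter {
    ClosedVariables closedVariables;
    explicit ProgramNodeAfter(ClosedVariables&& variables)
        : closedVariables(std::move(variables)) { }
};

// Returns true if handing the parser's vector to the node copied it.
bool constRvalueReferenceCopies()
{
    ParserBefore parser;
    parser.addClosedVariable("x");
    parser.addClosedVariable("y");
    ProgramNodeBefore node(parser.closedVariables());
    return node.closedVariables.copied && node.closedVariables.names.size() == 2;
}

// Returns true if the vector was moved: the node holds both names and the
// copy constructor never ran.
bool rvalueReferenceMoves()
{
    ParserAfter parser;
    parser.addClosedVariable("x");
    parser.addClosedVariable("y");
    ProgramNodeAfter node(parser.closedVariables());
    return !node.closedVariables.copied && node.closedVariables.names.size() == 2;
}
```

The same rule is why the extra std::move() in JSC::parse() was redundant: the getter already yields an rvalue, and adding const anywhere on that path turns the intended move back into a copy without any diagnostic.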
2014-06-30 Joseph Pecoraro <pecoraro@apple.com>

JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
https://bugs.webkit.org/show_bug.cgi?id=134371

Reviewed by Timothy Hatcher.

* API/JSContextPrivate.h:
(-[JSContext _debuggerRunLoop]):
(-[JSContext _setDebuggerRunLoop:]):
Private API for setting the CFRunLoop for a debugger to evaluate in.

* API/JSContextRefInternal.h: Added.
* API/JSContextRef.cpp:
(JSGlobalContextGetDebuggerRunLoop):
(JSGlobalContextSetDebuggerRunLoop):
Internal API for setting a CFRunLoop on a JSContextRef.
Set this on the debuggable.

* inspector/remote/RemoteInspectorDebuggable.h:
* inspector/remote/RemoteInspectorDebuggableConnection.h:
(Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
(Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
(Inspector::RemoteInspectorBlock::operator=):
(Inspector::RemoteInspectorBlock::operator()):
Moved into the header.

* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::inspectorDebuggable):
Let's store the RunLoop on the debuggable instead of this core
platform agnostic class, so expose the debuggable.

* inspector/remote/RemoteInspectorDebuggableConnection.mm:
(Inspector::RemoteInspectorHandleRunSourceGlobal):
(Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
(Inspector::RemoteInspectorInitializeGlobalQueue):
Rename the global functions for clarity.

(Inspector::RemoteInspectorHandleRunSourceWithInfo):
Handler for private run loops.

(Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
(Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
(Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
(Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
(Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
(Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
Set up, tear down and use private run loop sources if the debuggable needs them.
2014-06-30 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>

Add missing ENABLE(DFG_JIT) guards
https://bugs.webkit.org/show_bug.cgi?id=134444

Reviewed by Darin Adler.

* dfg/DFGFunctionWhitelist.cpp:
* dfg/DFGFunctionWhitelist.h:
2014-06-29 Yoav Weiss <yoav@yoav.ws>

Add support for HTMLImageElement's sizes attribute
https://bugs.webkit.org/show_bug.cgi?id=133620

Reviewed by Dean Jackson.

Added an ENABLE_PICTURE_SIZES compile flag.

* Configurations/FeatureDefines.xcconfig:
2014-06-27 Filip Pizlo <fpizlo@apple.com>

Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
https://bugs.webkit.org/show_bug.cgi?id=134412

Reviewed by Mark Hahnenberg.

* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::setReplacement):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
2014-06-27 Peyton Randolph <prandolph@apple.com>

Add feature flag for link long-press gesture.
https://bugs.webkit.org/show_bug.cgi?id=134262

Reviewed by Enrica Casucci.

* Configurations/FeatureDefines.xcconfig:
Add ENABLE_LINK_LONG_PRESS.
2014-06-27 László Langó <llango.u-szeged@partner.samsung.com>

[JavaScriptCore] FTL buildfix for EFL platform.
https://bugs.webkit.org/show_bug.cgi?id=133546

Reviewed by Darin Adler.

* ftl/FTLAbstractHeap.cpp:
(JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::forStackmaps):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::opposite):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLStackMaps.cpp:
(JSC::FTL::StackMaps::Constant::dump):
* llvm/InitializeLLVMPOSIX.cpp:
(JSC::initializeLLVMPOSIX):
2014-06-26 Benjamin Poulain <benjamin@webkit.org>

iOS 8 beta 2 ES6 'Set' clear() broken
https://bugs.webkit.org/show_bug.cgi?id=134346

Reviewed by Oliver Hunt.

The object map was not cleared :(.

Kudos to Ashley Gullen for tracking this and making a regression test.
Credit to Oliver for finding the missing code.

(JSC::MapData::clear):
2014-06-25 Brent Fulgham <bfulgham@apple.com>

[Win] Expose Cache Information to WinLauncher
https://bugs.webkit.org/show_bug.cgi?id=134318

Reviewed by Dean Jackson.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
MemoryStatistics files to the Windows build.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2014-06-26 David Kilzer <ddkilzer@apple.com>

DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
<http://webkit.org/b/134343>
<rdar://problem/17459487>

Reviewed by Michael Saboff.

* dfg/DFGFunctionWhitelist.cpp:
(JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
Close the file handle, and log an error on failure.
2014-06-25 Dana Burkart <dburkart@apple.com>

Add support for 5-tuple versioning.

Reviewed by David Farler.

* Configurations/Version.xcconfig:
2014-06-25 Geoffrey Garen <ggaren@apple.com>

* runtime/JSDateMath.cpp:
(JSC::parseDateFromNullTerminatedCharacters):
(JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
constant since that constant doesn't exist anymore.
2014-06-25 Geoffrey Garen <ggaren@apple.com>

Unreviewed, rolling out r166876.

Caused some ECMA test262 failures

"Date object needs to check for ES5 15.9.1.14 TimeClip limit."
https://bugs.webkit.org/show_bug.cgi?id=131248
http://trac.webkit.org/changeset/166876
2014-06-25 Brent Fulgham <bfulgham@apple.com>

[Win] Unreviewed gardening.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
put various files in proper IDE categories.
2014-06-25 peavo@outlook.com <peavo@outlook.com>

[Win64] ASM LLINT is not enabled.
https://bugs.webkit.org/show_bug.cgi?id=130638

This patch adds a new LLINT assembler backend for Win64, and implements it.
It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
Also, LLINT and JIT are enabled for Win64.

Reviewed by Mark Lam.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
* JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
* jit/JITStubsMSVC64.asm: Added.
(JSC::emitPutTransitionStub): Compile fix.
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator): Follow Win64 ABI spec.
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions): Ditto.
* llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
* llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
* llint/LowLevelInterpreter64.asm: Ditto.
* offlineasm/asm.rb: Compile fix.
* offlineasm/backends.rb: Add new llint backend for Win64.
* offlineasm/settings.rb: Compile fix.
* offlineasm/x86.rb: Implement new llint Win64 backend.
2014-06-25 Laszlo Gombos <l.gombos@samsung.com>

Remove build guard for progress element
https://bugs.webkit.org/show_bug.cgi?id=134292

Reviewed by Benjamin Poulain.

* Configurations/FeatureDefines.xcconfig:
2014-06-24 Michael Saboff <msaboff@apple.com>

Add support routines to provide descriptive JavaScript backtraces
https://bugs.webkit.org/show_bug.cgi?id=134278

Reviewed by Mark Lam.

* interpreter/CallFrame.cpp:
(JSC::CallFrame::dump):
(JSC::CallFrame::describeFrame):
* interpreter/CallFrame.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpForBacktrace):
* runtime/JSCJSValue.h:
2014-06-24 Brady Eidson <beidson@apple.com>

Enable GAMEPAD in the Mac build, but disabled at runtime.
https://bugs.webkit.org/show_bug.cgi?id=134255

Reviewed by Dean Jackson.

* Configurations/FeatureDefines.xcconfig:

* runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
functions at runtime.
2014-06-24 Mark Hahnenberg <mhahnenberg@apple.com>

REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
https://bugs.webkit.org/show_bug.cgi?id=134046

Reviewed by Filip Pizlo.

* runtime/GetterSetter.h:
(JSC::asGetterSetter):
* runtime/JSObject.cpp:
(JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.
2014-06-24 Brent Fulgham <bfulgham@apple.com>

[Win] MSVC mishandles enums in bitfields
https://bugs.webkit.org/show_bug.cgi?id=134237

Reviewed by Michael Saboff.

Replace uses of enum types in bit fields with unsigned to
avoid losing a bit to hold the sign value. This can result
in Windows interpreting the value of the field improperly.

* bytecode/StructureStubInfo.h:
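An added example (not WebKit code) reproducing the effect this entry describes with a plain signed bit-field, which is what an int-backed enum amounts to once MSVC places it in a bit-field; the AccessType enumerators and both struct layouts are hypothetical. On compilers that truncate to two's complement (GCC and Clang do), a 2-bit signed field holds only -2..1, so the upper two enumerators come back corrupted while the unsigned field keeps all four.

```cpp
// Hypothetical four-valued enum, so a 2-bit field is wide enough only if
// every bit of the field carries the value.
enum AccessType { GetById, PutById, In, AccessTypeCount };

// What MSVC effectively gives you for `AccessType accessType : 2;`: the
// enum's underlying type is int, so the field is a signed 2-bit integer
// and one of its two bits is the sign.
struct SignedFieldLayout {
    int accessType : 2;
};

// The shape of fix the entry describes: keep the enum value in an unsigned
// bit-field and cast on the way in and out.
struct UnsignedFieldLayout {
    unsigned accessType : 2;
};

// Stores the enumerator in the signed 2-bit field and reads it back.
int roundTripThroughSignedField(AccessType type)
{
    SignedFieldLayout layout;
    layout.accessType = static_cast<int>(type);
    return layout.accessType;
}

int roundTripThroughUnsignedField(AccessType type)
{
    UnsignedFieldLayout layout;
    layout.accessType = static_cast<unsigned>(type);
    return static_cast<int>(layout.accessType);
}

// Returns the first enumerator that does not survive the signed layout, or
// -1 if every value round-trips. With two's-complement truncation, In (2)
// comes back as -2 and AccessTypeCount (3) as -1.
int firstValueLostBySignedField()
{
    for (int value = 0; value <= AccessTypeCount; ++value) {
        if (roundTripThroughSignedField(static_cast<AccessType>(value)) != value)
            return value;
    }
    return -1;
}

int firstValueLostByUnsignedField()
{
    for (int value = 0; value <= AccessTypeCount; ++value) {
        if (roundTripThroughUnsignedField(static_cast<AccessType>(value)) != value)
            return value;
    }
    return -1;
}
```

The corrupted values are exactly the ones a later switch on the field would treat as out of range, which is why a field that silently loses its top bit is worth an explicit width check (a static_assert on the enumerator count against the field width) rather than a hope that the compiler picks an unsigned underlying type.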
2014-06-23 Andreas Kling <akling@apple.com>

Inline the UnlinkedInstructionStream::Reader logic.
<https://webkit.org/b/134203>

This class is only used by CodeBlock to unpack the unlinked instructions,
and we were spending 0.5% of total time on PLT calling Reader::next().
Move the logic to the header file and mark it ALWAYS_INLINE.

Reviewed by Geoffrey Garen.

* bytecode/UnlinkedInstructionStream.cpp:
* bytecode/UnlinkedInstructionStream.h:
(JSC::UnlinkedInstructionStream::Reader::Reader):
(JSC::UnlinkedInstructionStream::Reader::read8):
(JSC::UnlinkedInstructionStream::Reader::read32):
(JSC::UnlinkedInstructionStream::Reader::next):
2014-06-20 Sam Weinig <sam@webkit.org>

Remove static tables for bindings that use eager reification
https://bugs.webkit.org/show_bug.cgi?id=134126

Reviewed by Oliver Hunt.

* runtime/JSObject.cpp:
(JSC::JSObject::putDirectCustomAccessor):
* runtime/Structure.h:
(JSC::Structure::setHasCustomGetterSetterProperties):
Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
Without this, JSObject::put() won't think there are any setters on the prototype chain of an
object that has no static lookup table and uses eagerly reified custom getter/setter properties.
2014-06-21 Brady Eidson <beidson@apple.com>

Gamepad API - Deprecate the existing implementation
https://bugs.webkit.org/show_bug.cgi?id=134108

Reviewed by Timothy Hatcher.

-Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
-Move some implementation files into a "deprecated" subdirectory.

* Configurations/FeatureDefines.xcconfig:
2014-06-21 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r170244.
https://bugs.webkit.org/show_bug.cgi?id=134157

GTK/EFL bindings generator works differently, making this
patch not work there. Will fix entire patch after a rollout.
(Requested by bradee-oh on #webkit).

"Gamepad API - Deprecate the existing implementation"
https://bugs.webkit.org/show_bug.cgi?id=134108
http://trac.webkit.org/changeset/170244
2014-06-21 Brady Eidson <beidson@apple.com>

Gamepad API - Deprecate the existing implementation
https://bugs.webkit.org/show_bug.cgi?id=134108

Reviewed by Timothy Hatcher.

-Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
-Add the "Deprecated" suffix to some implementation files

* Configurations/FeatureDefines.xcconfig:
2014-06-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>

Removing PAGE_VISIBILITY_API compile guard.
https://bugs.webkit.org/show_bug.cgi?id=133844

Reviewed by Gavin Barraclough.

* Configurations/FeatureDefines.xcconfig:
2014-06-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>

ARM traditional buildfix after r169942.
https://bugs.webkit.org/show_bug.cgi?id=134100

Reviewed by Zoltan Herczeg.

* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::abortWithReason): Added.
2014-06-20 Andreas Kling <akling@apple.com>

[Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
<https://webkit.org/b/134112>

Reviewed by Mark Hahnenberg.

* heap/BlockAllocator.h:
2014-06-19 Alex Christensen <achristensen@webkit.org>

Unreviewed fix after r170130.

* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
Corrected directory so it can find common.props when opening Visual Studio.
2014-06-19 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>

Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
https://bugs.webkit.org/show_bug.cgi?id=130389

Reviewed by Mark Lam.

Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
into !ENABLE(JIT) since they are mutually exclusive.

* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
(JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
* assembler/MaxFrameExtentForSlowPathCall.h:
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromLLInt):
* bytecode/CodeBlock.cpp:
(JSC::dumpStructure):
(JSC::CodeBlock::printGetByIdCacheStatus):
(JSC::CodeBlock::printCallOp):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::unlinkCalls):
(JSC::CodeBlock::unlinkIncomingCalls):
(JSC::CodeBlock::linkIncomingCall):
(JSC::CodeBlock::frameRegisterCount):
* bytecode/CodeBlock.h:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
(JSC::padOpcodeName):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitConstruct):
(JSC::Heap::gatherJSStackRoots):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::initialize):
(JSC::Interpreter::isOpcode):
* interpreter/Interpreter.h:
(JSC::Interpreter::getOpcodeID):
* interpreter/JSStack.cpp:
(JSC::JSStack::JSStack):
(JSC::JSStack::committedByteCount):
* interpreter/JSStack.h:
* interpreter/JSStackInlines.h:
(JSC::JSStack::ensureCapacityFor):
(JSC::JSStack::topOfFrameFor):
(JSC::JSStack::setStackLimit):
* jit/ExecutableAllocatorFixedVMPool.cpp:
(JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
(JSC::JIT::compileCTINativeCall):
* jit/JITExceptions.h:
(JSC::JITThunks::ctiNativeCall):
(JSC::JITThunks::ctiNativeConstruct):
* llint/LLIntCLoop.cpp:
* llint/LLIntCLoop.h:
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
(JSC::LLInt::Data::performAssertions):
(JSC::LLInt::Data::performAssertions): Deleted.
* llint/LLIntEntrypoint.cpp:
* llint/LLIntEntrypoint.h:
* llint/LLIntExceptions.cpp:
* llint/LLIntExceptions.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntOffsetsExtractor.cpp:
(JSC::LLIntOffsetsExtractor::dummy):
* llint/LLIntOpcode.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LLIntThunks.cpp:
* llint/LLIntThunks.h:
* llint/LowLevelInterpreter.cpp:
* llint/LowLevelInterpreter.h:
* runtime/CommonSlowPaths.cpp:
* runtime/CommonSlowPaths.h:
* runtime/ErrorHandlingScope.cpp:
(JSC::ErrorHandlingScope::ErrorHandlingScope):
(JSC::ErrorHandlingScope::~ErrorHandlingScope):
* runtime/Executable.cpp:
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
(JSC::sanitizeStackForVM):
(JSC::VM::canUseJIT): Deleted.
2014-06-18 Alex Christensen <achristensen@webkit.org>

Add FTL to Windows build.
https://bugs.webkit.org/show_bug.cgi?id=134015

Reviewed by Filip Pizlo.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
Added ftl source files.
* JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
Added ftl and llvm directories to include path.
* JavaScriptCore.vcxproj/libllvmForJSC: Added.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
MSVC doesn't like to divide by zero while compiling. Use std::nan instead.
* llvm/InitializeLLVMWin.cpp: Added.
(JSC::initializeLLVMImpl):
Implemented dynamic loading and linking for Windows.
2014-06-18 Alex Christensen <achristensen@webkit.org>

Unreviewed build fix after r170107.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithMod):
Use non-template sub for armv7s.
2014-06-18 David Kilzer <ddkilzer@apple.com>

-[JSContext setName:] leaks NSString
<http://webkit.org/b/134038>

Reviewed by Joseph Pecoraro.

Fixes the following static analyzer warning:

JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;

(-[JSContext setName:]): Autorelease the copy of |name|.
2014-06-18 Mark Lam <mark.lam@apple.com>

DFGGraph::m_doubleConstantMap will not map 0 values correctly.
<https://webkit.org/b/133994>

Reviewed by Geoffrey Garen.

DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
because it means two unfortunate things:
- It will probably break for zero.
- It will think that -0 is the same as +0 under some circumstances, since
-0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

The fix is to use std::unordered_map which does not require special empty
and deleted values, and to use the raw bits instead of the double value as

* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
2014-06-18 Alex Christensen <achristensen@webkit.org>

Remove duplicate code using sdiv.
https://bugs.webkit.org/show_bug.cgi?id=133764

Reviewed by Daniel Bates.

* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::sdiv):
Make sdiv a template to match arm64.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithDiv):
(JSC::DFG::SpeculativeJIT::compileArithMod):
Remove duplicate code that was identical except for sdiv not being a template.
2014-06-17 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r170082.
https://bugs.webkit.org/show_bug.cgi?id=134006

Breaks build. (Requested by mlam on #webkit).

"DFGGraph::m_doubleConstantMap will not map 0 values
https://bugs.webkit.org/show_bug.cgi?id=133994
http://trac.webkit.org/changeset/170082
2014-06-17 Mark Lam <mark.lam@apple.com>

DFGGraph::m_doubleConstantMap will not map 0 values correctly.
<https://webkit.org/b/133994>

Reviewed by Geoffrey Garen.

DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
because it means two unfortunate things:
- It will probably break for zero.
- It will think that -0 is the same as +0 under some circumstances, since
-0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

The fix is to use std::unordered_map which does not require special empty
and deleted values, and to use the raw bits instead of the double value as

* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
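Both copies of this entry on this page (the original landing here and the re-landing further up) describe the same two failure modes, so here is one added example, not WebKit code, that exhibits them with std::unordered_map and then applies the raw-bits key. ValueKeyedDoubleConstants and BitsKeyedDoubleConstants are hypothetical stand-ins for the DFG constant table; WTF::HashMap's reserved empty and deleted key values (the "break for zero" case) are not modelled, because std::unordered_map has none.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <unordered_map>
#include <vector>

// Constant pool keyed by the double's value, the layout the entry warns
// about. std::unordered_map compares keys with ==, so +0 and -0 collapse into
// one entry (although 1/+0 and 1/-0 differ), and a NaN key is never found
// again because NaN != NaN, so every NaN lookup appends a fresh entry.
class ValueKeyedDoubleConstants {
public:
    std::size_t indexOf(double value)
    {
        auto it = m_indexByValue.find(value);
        if (it != m_indexByValue.end())
            return it->second;
        m_constants.push_back(value);
        m_indexByValue.emplace(value, m_constants.size() - 1);
        return m_constants.size() - 1;
    }
    std::size_t size() const { return m_constants.size(); }
    double at(std::size_t index) const { return m_constants[index]; }

private:
    std::vector<double> m_constants;
    std::unordered_map<double, std::size_t> m_indexByValue;
};

// Reinterpret the IEEE-754 bit pattern as an integer. memcpy is the portable
// way to do this without breaking aliasing rules.
inline std::uint64_t bitsOf(double value)
{
    static_assert(sizeof(double) == sizeof(std::uint64_t), "double must be 64 bits");
    std::uint64_t bits;
    std::memcpy(&bits, &value, sizeof bits);
    return bits;
}

// The same pool keyed by the raw bits, the shape of fix the entry describes:
// distinct bit patterns stay distinct, and an identical pattern (including a
// given NaN) is found again on the next lookup.
class BitsKeyedDoubleConstants {
public:
    std::size_t indexOf(double value)
    {
        std::uint64_t key = bitsOf(value);
        auto it = m_indexByBits.find(key);
        if (it != m_indexByBits.end())
            return it->second;
        m_constants.push_back(value);
        m_indexByBits.emplace(key, m_constants.size() - 1);
        return m_constants.size() - 1;
    }
    std::size_t size() const { return m_constants.size(); }
    double at(std::size_t index) const { return m_constants[index]; }

private:
    std::vector<double> m_constants;
    std::unordered_map<std::uint64_t, std::size_t> m_indexByBits;
};

// True only if the constant handed back for -0 still carries its sign.
// With the value-keyed pool the lookup hits the +0 entry instead.
bool negativeZeroSurvivesValueKeyed()
{
    ValueKeyedDoubleConstants pool;
    pool.indexOf(0.0);
    return std::signbit(pool.at(pool.indexOf(-0.0)));
}

bool negativeZeroSurvivesBitsKeyed()
{
    BitsKeyedDoubleConstants pool;
    pool.indexOf(0.0);
    return std::signbit(pool.at(pool.indexOf(-0.0)));
}
```

For a JIT the two failures have different consequences: the collapsed -0 makes compiled code compute 1/-0 as +Infinity, a silent semantic bug, while the never-found NaN makes the constant pool grow on every NaN lookup, which is the kind of unbounded growth that surfaces as a memory issue on pathological input.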
2014-06-17 Oliver Hunt <oliver@apple.com>

Fix error messages for incorrect hex literals
https://bugs.webkit.org/show_bug.cgi?id=133998

Reviewed by Mark Lam.

Ensure that the error messages for bogus hex literals actually

(JSC::Lexer<T>::lex):
* parser/ParserTokens.h:
2014-06-17 Matthew Mirman <mmirman@apple.com>

Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses.
https://bugs.webkit.org/show_bug.cgi?id=133814

Reviewed by Filip Pizlo.

Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell
script from using "*.o" as a file when no other files in the directory exist.

* build-symbol-table-index.sh: Added license.
* copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.
2014-06-16 Sam Weinig <sam@webkit.org>

Move forward declaration of bindings static functions into their implementation files
https://bugs.webkit.org/show_bug.cgi?id=133943

Reviewed by Geoffrey Garen.

* runtime/CommonIdentifiers.h:
Add a few identifiers that are needed by the DOM.
2014-06-16 Mark Lam <mark.lam@apple.com>

Parser statementDepth accounting needs to account for when a function body excludes its braces.
<https://webkit.org/b/133832>

Reviewed by Oliver Hunt.

In some cases (e.g. when a Function object is instantiated from a string), the
function body source may not include its braces. The parser needs to account
for this when calculating its statementDepth.

* bytecode/UnlinkedCodeBlock.cpp:
(JSC::generateFunctionCodeBlock):
(JSC::UnlinkedFunctionExecutable::codeBlockFor):
* bytecode/UnlinkedCodeBlock.h:
(JSC::Parser<LexerType>::parseStatement):
- Also fixed the error message for declaring nested functions in strict mode
(JSC::Parser<LexerType>::parse):
* runtime/Executable.cpp:
(JSC::ScriptExecutable::newCodeBlockFor):
2014-06-16 Juergen Ributzka <juergen@apple.com>

Change the order of the alias analysis passes to align with the opt pipeline of LLVM
https://bugs.webkit.org/show_bug.cgi?id=133753

Reviewed by Geoffrey Garen.

The order in which the alias analysis passes are added also affects the
order in which they are utilized. Change the order to align with the
one used by LLVM itself. The last alias analysis pass added will be
evaluated first. With this change we first perform a basic alias
analysis and then use the type-based alias analysis (if required).

* ftl/FTLCompile.cpp:
2014-06-16 Juergen Ributzka <juergen@apple.com>

Fix the arguments passed to the LLVM dylib
https://bugs.webkit.org/show_bug.cgi?id=133757

Reviewed by Geoffrey Garen.

The LLVM command line argument parser assumes that the first argument
is the program name. We need to add a fake program name; otherwise the
first argument will be parsed as program name and ignored.

* llvm/library/LLVMExports.cpp:
(initializeAndGetJSCLLVMAPI):
2014-06-16 Michael Saboff <msaboff@apple.com>

Convert ASSERT in inlineFunctionForCapabilityLevel to early return
https://bugs.webkit.org/show_bug.cgi?id=133903

Reviewed by Mark Hahnenberg.

Hardened code by converting ASSERT to return CannotCompile.

* dfg/DFGCapabilities.h:
(JSC::DFG::inlineFunctionForCapabilityLevel):
2014-06-13 Sam Weinig <sam@webkit.org>

Store DOM constants directly in the JS object rather than jumping through a custom accessor
https://bugs.webkit.org/show_bug.cgi?id=133898

Reviewed by Oliver Hunt.

(JSC::HashTableValue::attributes):
Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
and will make adding more flags possible.

(JSC::HashTableValue::propertyGetter):
(JSC::HashTableValue::propertyPutter):
Change assertion to use BuiltinOrFunctionOrConstant.

(JSC::HashTableValue::constantInteger):

(JSC::getStaticPropertySlot):
(JSC::getStaticValueSlot):
Use PropertySlot::setValue() for constants during static lookup.

(JSC::reifyStaticProperties):
Put the constant directly on the object when eagerly reifying.

* runtime/PropertySlot.h:
Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.
2014-06-14 Michael Saboff <msaboff@apple.com>

operationCreateArguments could cause a GC during OSR exit
https://bugs.webkit.org/show_bug.cgi?id=133905

Reviewed by Filip Pizlo.

Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
for use by OSR exit stubs.

* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* jit/JITOperations.cpp:
* jit/JITOperations.h:
2014-06-13 Mark Hahnenberg <mhahnenberg@apple.com>

OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
https://bugs.webkit.org/show_bug.cgi?id=133880

Reviewed by Filip Pizlo.

We could have exited due to a value received from an inlined block that's no longer on
the stack, so we should just barrier all InlineCallFrames.

* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::adjustAndJumpToTarget):
2014-06-13 Alex Christensen <achristensen@webkit.org>

Make css jit compile for armv7.
https://bugs.webkit.org/show_bug.cgi?id=133596

Reviewed by Benjamin Poulain.

* assembler/MacroAssembler.h:
Use branchPtr on ARM_THUMB2.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::addPtrNoFlags):
(JSC::MacroAssemblerARMv7::or32):
(JSC::MacroAssemblerARMv7::test32):
(JSC::MacroAssemblerARMv7::branch):
(JSC::MacroAssemblerARMv7::branchPtr):
Added macros necessary for css jit.
2014-06-13 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix ARMv7.

* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::abortWithReason):
2014-06-12 Filip Pizlo <fpizlo@apple.com>

Even better diagnostics from DFG traps
https://bugs.webkit.org/show_bug.cgi?id=133836

Reviewed by Oliver Hunt.

We now stuff the DFG::NodeType into a register before bailing. Also made the
DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
different numbers than any previous abort reasons.

* assembler/AbortReason.h:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::abortWithReason):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::abortWithReason):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::abortWithReason):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::abortWithReason):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::bail):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* dfg/DFGSpeculativeJIT.h:
965 2014-06-12 Simon Fraser <simon.fraser@apple.com>
967 Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
968 https://bugs.webkit.org/show_bug.cgi?id=133840
970 Reviewed by Filip Pizlo.
972 Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
973 when running DFG tests.
975 * API/JSCTestRunnerUtils.cpp:
976 (JSC::numberOfDFGCompiles):
977 (JSC::setNeverInline):
979 2014-06-12 Brent Fulgham <bfulgham@apple.com>
981 [Win] Avoid fork bomb during build
982 https://bugs.webkit.org/show_bug.cgi?id=133837
983 <rdar://problem/17296034>
985 Reviewed by Tim Horton.
987 * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
988 reasonable default value when the 'num-cpus' script is not available.
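As an added illustration (not code from the WebKit tree or from this entry), the fallback described above can be written as a small POSIX shell function: it asks an optional helper script for the CPU count, falls back to common system tools, and otherwise uses a fixed default, clamping the result so a missing or broken helper can never turn into an unbounded number of build jobs. The helper name passed as the first argument, the default of 4 jobs and the upper bound are assumptions of this example.

```shell
# Added example: bounded build parallelism with a safe fallback.
# Assumptions (not from the WebKit entry): $1 names the helper command that
# prints a CPU count, $2 is an upper bound (default 64), and 4 is the default
# used when no usable count can be determined.
detect_build_jobs() {
    helper="${1:-num-cpus}"
    max="${2:-64}"
    n=""
    if command -v "$helper" >/dev/null 2>&1; then
        # Helper present: take its first output line, validated below.
        n=$("$helper" 2>/dev/null | head -n 1)
    elif command -v nproc >/dev/null 2>&1; then
        n=$(nproc 2>/dev/null || true)
    elif command -v sysctl >/dev/null 2>&1; then
        n=$(sysctl -n hw.ncpu 2>/dev/null || true)
    fi
    # Empty or non-numeric output (missing or broken helper) -> fixed default.
    case "$n" in
        ''|*[!0-9]*) n=4 ;;
    esac
    # Clamp to [1, max] so a bad value cannot become a fork bomb.
    [ "$n" -ge 1 ] || n=1
    [ "$n" -le "$max" ] || n="$max"
    printf '%s\n' "$n"
}

# Example use from a build script: make -j"$(detect_build_jobs num-cpus 32)"
```

The validation step matters more than the detection: a helper that prints nothing, an error message, or an absurd number is treated the same way, and the final clamp is what keeps the job count bounded regardless of which branch produced it.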
990 2014-06-12 Mark Lam <mark.lam@apple.com>
992 Remove some dead / unused code.
993 <https://webkit.org/b/133828>
995 Reviewed by Filip Pizlo.
997 * builtins/BuiltinExecutables.cpp:
998 (JSC::BuiltinExecutables::createBuiltinExecutable):
999 * bytecode/UnlinkedCodeBlock.cpp:
1000 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
1001 * bytecode/UnlinkedCodeBlock.h:
1002 (JSC::UnlinkedFunctionExecutable::create):
1003 * bytecompiler/BytecodeGenerator.h:
1004 (JSC::BytecodeGenerator::makeFunction):
1006 (JSC::DepthManager::DepthManager): Deleted.
1007 (JSC::DepthManager::~DepthManager): Deleted.
1008 * runtime/CodeCache.cpp:
1009 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
1011 2014-06-12 Mark Hahnenberg <mhahnenberg@apple.com>
1013 Move structureHasRareData out of TypeInfo
1014 https://bugs.webkit.org/show_bug.cgi?id=133800
1016 Reviewed by Andreas Kling.
1018 StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger,
1019 but we have a few spare bits in Structure so it would be nice to remove this hack.
1021 * runtime/JSTypeInfo.h:
1022 (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
1023 (JSC::TypeInfo::structureHasRareData): Deleted.
1024 * runtime/Structure.cpp:
1025 (JSC::Structure::Structure):
1026 (JSC::Structure::allocateRareData):
1027 (JSC::Structure::cloneRareDataFrom):
1028 * runtime/Structure.h:
1029 (JSC::Structure::previousID):
1030 (JSC::Structure::objectToStringValue):
1031 (JSC::Structure::setObjectToStringValue):
1032 (JSC::Structure::setPreviousID):
1033 (JSC::Structure::clearPreviousID):
1034 (JSC::Structure::previous):
1035 (JSC::Structure::rareData):
1036 * runtime/StructureInlines.h:
1037 (JSC::Structure::setEnumerationCache):
1038 (JSC::Structure::enumerationCache):
1040 2014-06-12 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
1042 Allow enum guards to be generated from the replay json files
1043 https://bugs.webkit.org/show_bug.cgi?id=133399
1045 Reviewed by Csaba Osztrogonác.
1047 * replay/scripts/CodeGeneratorReplayInputs.py:
1049 (InputsModel.parse_type_with_framework_name):
1050 (Generator.generate_header):
1051 (Generator.generate_implementation):
1052 * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
1053 (Test::HandleWheelEvent::HandleWheelEvent):
1054 (Test::HandleWheelEvent::~HandleWheelEvent):
1055 (JSC::InputTraits<Test::HandleWheelEvent>::type):
1056 (JSC::InputTraits<Test::HandleWheelEvent>::encode):
1057 (JSC::InputTraits<Test::HandleWheelEvent>::decode):
1058 (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
1059 (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
1060 * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
1061 (JSC::InputTraits<Test::HandleWheelEvent>::queue):
1062 (Test::HandleWheelEvent::platformEvent):
1063 * replay/scripts/tests/generate-enum-with-guard.json: Added.
1065 2014-06-12 Carlos Garcia Campos <cgarcia@igalia.com>
1067 Unreviewed. Fix GTK+ build after r169823.
1069 Include StructureInlines.h in a few more files to fix linking
1070 issues due to JSC::Structure::get undefined symbol.
1072 * runtime/ArrayIteratorConstructor.cpp:
1073 * runtime/ArrayIteratorPrototype.cpp:
1074 * runtime/JSConsole.cpp:
1075 * runtime/JSMapIterator.cpp:
1076 * runtime/JSSet.cpp:
1077 * runtime/JSSetIterator.cpp:
1078 * runtime/JSWeakMap.cpp:
1079 * runtime/MapIteratorPrototype.cpp:
1080 * runtime/MapPrototype.cpp:
1081 * runtime/SetIteratorPrototype.cpp:
1082 * runtime/SetPrototype.cpp:
1083 * runtime/WeakMapPrototype.cpp:
1085 2014-06-12 Csaba Osztrogonác <ossy@webkit.org>
1087 [EFL] One more URTBF after r169823 to make ARM64 build happy too.
1089 * runtime/JSMap.cpp:
1091 2014-06-11 Mark Hahnenberg <mhahnenberg@apple.com>
1093 Inline caching should try to flatten uncacheable dictionaries
1094 https://bugs.webkit.org/show_bug.cgi?id=133683
1096 Reviewed by Geoffrey Garen.
1098 There exists a body of JS code that deletes properties off of objects (especially function/constructor objects),
1099 which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects.
1100 If properties are deleted out of the object during its initialization, we can enable caching for that object by
1101 attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we
1102 performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary
1103 state then we can just give up on caching that object.
1105 In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
1106 the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
1107 the other inline caching functions to return this enum rather than the opaque booleans that we were previously
1111 (JSC::actionForCell):
1112 (JSC::tryCacheGetByID):
1113 (JSC::repatchGetByID):
1114 (JSC::tryBuildGetByIDList):
1115 (JSC::buildGetByIDList):
1116 (JSC::tryCachePutByID):
1117 (JSC::repatchPutByID):
1118 (JSC::tryBuildPutByIdList):
1119 (JSC::buildPutByIdList):
1120 (JSC::tryRepatchIn):
1122 * runtime/Structure.cpp:
1123 (JSC::Structure::Structure):
1124 (JSC::Structure::flattenDictionaryStructure):
1125 * runtime/Structure.h:
1126 (JSC::Structure::hasBeenFlattenedBefore):
1128 2014-06-11 Csaba Osztrogonác <ossy@webkit.org>
1130 [EFL] URTBF after r169823.
1132 * bindings/ScriptValue.cpp: Missing include added.
1134 2014-06-11 Ryosuke Niwa <rniwa@webkit.org>
1136 Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.
1138 Rubber-stamped by Andreas Kling.
1140 * runtime/JSObject.h:
1141 (JSC::JSObject::fastGetOwnPropertySlot):
1143 2014-06-11 Ryosuke Niwa <rniwa@webkit.org>
1145 Turning on DUMP_PROPERTYMAP_STATS causes a build failure
1146 https://bugs.webkit.org/show_bug.cgi?id=133673
1148 Reviewed by Andreas Kling.
1150 Rewrote the property map statistics code because the old code wasn't building,
1151 and it was also mixing numbers for lookups and insertions/removals.
1153 New logging code records the number of calls to PropertyTable::find (finds) and
1154 PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
1155 the amount of probing during updates and lookups.
1158 * runtime/PropertyMapHashTable.h:
1159 (JSC::PropertyTable::find):
1160 (JSC::PropertyTable::get):
1161 (JSC::PropertyTable::findWithString):
1162 (JSC::PropertyTable::add):
1163 (JSC::PropertyTable::remove):
1164 (JSC::PropertyTable::reinsert):
1165 (JSC::PropertyTable::rehash):
1166 * runtime/Structure.cpp:
1167 (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
1168 (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
1170 2014-06-11 Andreas Kling <akling@apple.com>
1172 Always inline JSValue::get() and Structure::get().
1173 <https://webkit.org/b/133755>
1175 Reviewed by Ryosuke Niwa.
1177 These functions get really hot, so ask the compiler to be more
1178 aggressive about inlining them.
1180 ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
1183 * runtime/JSArrayIterator.cpp:
1184 * runtime/JSCJSValue.cpp:
1185 * runtime/JSCJSValueInlines.h:
1186 (JSC::JSValue::get):
1187 * runtime/JSPromiseDeferred.cpp:
1188 * runtime/StructureInlines.h:
1189 (JSC::Structure::get):
1191 2014-06-11 Ryosuke Niwa <rniwa@webkit.org>
1193 Structure::get should instantiate DeferGC only when materializing property map
1194 https://bugs.webkit.org/show_bug.cgi?id=133727
1196 Rubber-stamped by Andreas Kling.
1198 Make materializePropertyMapIfNecessary always inline.
1200 This is ~12% improvement on the microbenchmark attached in the bug.
1202 * runtime/Structure.h:
1203 (JSC::Structure::materializePropertyMapIfNecessary):
1204 (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1206 2014-06-11 Ryosuke Niwa <rniwa@webkit.org>
1208 Structure::get should instantiate DeferGC only when materializing property map
1209 https://bugs.webkit.org/show_bug.cgi?id=133727
1211 Reviewed by Geoffrey Garen.
1213 DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
1214 collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
1215 when GCSafeConcurrentJITLocker goes out of scope.
1217 However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
1218 in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
1219 and running a release assertion inside Heap::incrementDeferralDepth() is expensive.
1221 Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
1222 and immediately storing a pointer to the newly created property table in the stack before DeferGC
1223 goes out of scope so that the property table will be marked.
1225 This shows 13-16% improvement on the microbenchmark attached in the bug.
1227 * runtime/JSCJSValue.cpp:
1228 * runtime/JSObject.h:
1229 (JSC::JSObject::fastGetOwnPropertySlot):
1230 * runtime/Structure.h:
1231 (JSC::Structure::materializePropertyMapIfNecessary):
1232 * runtime/StructureInlines.h:
1233 (JSC::Structure::get):
1235 2014-06-11 Andreas Kling <akling@apple.com>
1237 Some JSValue::get() micro-optimizations.
1238 <https://webkit.org/b/133739>
1240 Tighten some of the property lookup code to improve performance of the
1241 eagerly reified prototype attributes:
1243 - Instead of converting the property name to an integer at every step
1244 in the prototype chain, move that to a separate pass at the end
1245 since it should be a rare case.
1247 - Cache the StructureIDTable in a local instead of fetching it from
1248 the Heap on every step.
1250 - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
1251 on the assumption that clients would mostly be cacheable GetByIds,
1252 and it gets pretty hot (~1%) in GetByVal.
1254 - Pass the Structure directly to fillCustomGetterPropertySlot instead
1255 of refetching it from the StructureIDTable.
1257 Reviewed by Geoff Garen.
1259 * runtime/JSObject.cpp:
1260 (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
1261 * runtime/JSObject.h:
1262 (JSC::JSObject::inlineGetOwnPropertySlot):
1263 (JSC::JSObject::fillCustomGetterPropertySlot):
1264 (JSC::JSObject::getOwnPropertySlot):
1265 (JSC::JSObject::fastGetOwnPropertySlot):
1266 (JSC::JSObject::getPropertySlot):
1267 (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
1269 2014-06-10 Sam Weinig <sam@webkit.org>
1271 Don't create a HashTable for JSObjects that use eager reification
1272 https://bugs.webkit.org/show_bug.cgi?id=133705
1274 Reviewed by Geoffrey Garen.
1277 (JSC::reifyStaticProperties):
1278 Add a version of reifyStaticProperties that takes an array of HashTableValues
1279 rather than a HashTable.
1281 2014-06-10 Filip Pizlo <fpizlo@apple.com>
1283 Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
1284 https://bugs.webkit.org/show_bug.cgi?id=133698
1286 Reviewed by Geoffrey Garen and Mark Hahnenberg.
1288 * dfg/DFGPredictionPropagationPhase.cpp:
1289 (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
1290 * dfg/DFGVariableAccessData.cpp:
1291 (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
1292 (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
1293 (JSC::DFG::VariableAccessData::flushFormat):
1294 * dfg/DFGVariableAccessData.h:
1295 * tests/stress/int52-inlined-call-argument.js: Added.
1299 2014-06-10 Mark Lam <mark.lam@apple.com>
1301 Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
1302 <https://webkit.org/b/133356>
1304 Reviewed by Mark Hahnenberg.
1306 The root cause of this issue is that a nonPropertyTransition can transition
1307 a pinned dictionary structure to an unpinned dictionary structure. The new
1308 structure will get a copy of the property table from the original structure.
1309 However, when a GC occurs, the property table in the new structure will be
1310 cleared because it is unpinned. This leads to complications in subsequent
1311 derivative structures when flattening occurs, which eventually leads to the
1312 assertion failure in this bug.
1314 The fix is to ensure that the new dictionary structure generated by the
1315 nonPropertyTransition will have a copy of its predecessor's property table
1318 * runtime/Structure.cpp:
1319 (JSC::Structure::nonPropertyTransition):
1321 2014-06-10 Michael Saboff <msaboff@apple.com>
1323 In a certain app state, Array.prototype.filter() returns incorrect results
1324 https://bugs.webkit.org/show_bug.cgi?id=133577
1326 Reviewed by Oliver Hunt.
1328 Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.
1330 * llint/LowLevelInterpreter32_64.asm:
1331 * llint/LowLevelInterpreter64.asm:
1333 2014-06-09 Mark Hahnenberg <mhahnenberg@apple.com>
1335 Global HashTables contain references to atomic StringImpls
1336 https://bugs.webkit.org/show_bug.cgi?id=133661
1338 Reviewed by Geoffrey Garen.
1340 This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables
1341 cache their set of keys as StringImpls that are associated with a particular VM. This is obviously
1342 incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to
1343 change the "keys" field of the static HashTables to be char** instead of StringImpl**.
1345 * runtime/JSObject.cpp:
1346 (JSC::getClassPropertyNames):
1347 * runtime/Lookup.cpp:
1348 (JSC::HashTable::createTable):
1349 (JSC::HashTable::deleteTable):
1351 (JSC::HashTable::ConstIterator::key):
1352 (JSC::HashTable::entry):
1354 2014-06-09 Mark Hahnenberg <mhahnenberg@apple.com>
1356 Build fix after r169703
1358 * JavaScriptCore.xcodeproj/project.pbxproj:
1360 2014-06-05 Mark Hahnenberg <mhahnenberg@apple.com>
1362 Eagerly reify DOM prototype attributes
1363 https://bugs.webkit.org/show_bug.cgi?id=133558
1365 Reviewed by Oliver Hunt.
1367 This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype.
1368 By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override
1369 getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on
1373 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1374 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1375 * JavaScriptCore.xcodeproj/project.pbxproj:
1376 * llint/LLIntData.cpp:
1377 (JSC::LLInt::Data::performAssertions):
1378 * llint/LowLevelInterpreter.asm:
1379 * runtime/BatchedTransitionOptimizer.h:
1380 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
1381 * runtime/CustomGetterSetter.cpp: Added.
1382 (JSC::callCustomSetter):
1383 * runtime/CustomGetterSetter.h: Added.
1384 (JSC::CustomGetterSetter::create):
1385 (JSC::CustomGetterSetter::getter):
1386 (JSC::CustomGetterSetter::setter):
1387 (JSC::CustomGetterSetter::createStructure):
1388 (JSC::CustomGetterSetter::CustomGetterSetter):
1389 * runtime/JSCJSValue.cpp:
1390 (JSC::JSValue::putToPrimitive):
1391 * runtime/JSCJSValue.h:
1392 * runtime/JSCJSValueInlines.h:
1393 (JSC::JSValue::isCustomGetterSetter):
1395 * runtime/JSCellInlines.h:
1396 (JSC::JSCell::isCustomGetterSetter):
1397 (JSC::JSCell::canUseFastGetOwnProperty):
1398 * runtime/JSFunction.cpp:
1399 (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
1400 (JSC::JSFunction::isBuiltinFunction): Deleted.
1401 * runtime/JSFunction.h:
1402 * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
1403 (JSC::JSFunction::isBuiltinFunction):
1404 (JSC::JSFunction::isHostOrBuiltinFunction):
1405 * runtime/JSObject.cpp:
1406 (JSC::JSObject::put):
1407 (JSC::JSObject::putDirectCustomAccessor):
1408 (JSC::JSObject::fillGetterPropertySlot):
1409 (JSC::JSObject::fillCustomGetterPropertySlot):
1410 (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
1411 * runtime/JSObject.h:
1412 (JSC::JSObject::hasCustomGetterSetterProperties):
1413 (JSC::JSObject::convertToDictionary):
1414 (JSC::JSObject::inlineGetOwnPropertySlot):
1415 (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
1416 (JSC::JSObject::putOwnDataProperty):
1417 (JSC::JSObject::putDirect):
1418 (JSC::JSObject::putDirectWithoutTransition):
1421 (JSC::reifyStaticProperties):
1422 * runtime/PropertyDescriptor.h:
1423 (JSC::PropertyDescriptor::PropertyDescriptor):
1424 * runtime/Structure.cpp:
1425 (JSC::Structure::Structure):
1426 (JSC::nextOutOfLineStorageCapacity): Deleted.
1427 (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
1428 (JSC::Structure::get): Deleted.
1429 * runtime/Structure.h:
1430 (JSC::Structure::hasCustomGetterSetterProperties):
1431 (JSC::Structure::setHasCustomGetterSetterProperties):
1432 * runtime/StructureInlines.h:
1433 (JSC::Structure::get): Inlined due to hotness.
1434 (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
1435 (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
1439 * runtime/WriteBarrier.h:
1440 (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):
1442 2014-06-07 Mark Lam <mark.lam@apple.com>
1444 Structure should initialize its previousID in its constructor.
1445 <https://webkit.org/b/133606>
1447 Reviewed by Mark Hahnenberg.
1449 Currently, the Structure constructor that takes a previous structure will
1450 initialize its previousID to point to the previous structure's previousID.
1451 This is incorrect. However, the caller of the Structure::create() factory
1452 method (which instantiated the Structure) will later call setPreviousID()
1453 to set the previousID to the correct previous structure. This makes the
1454 code confusing to read and more error prone in that the structure relies
1455 on client code to fix its invalid previousID.
1457 This patch fixes this by making the Structure constructor initialize
1458 previousID correctly.
1460 * runtime/Structure.cpp:
1461 (JSC::Structure::Structure):
1462 (JSC::Structure::addPropertyTransition):
1463 (JSC::Structure::nonPropertyTransition):
1464 * runtime/Structure.h:
1465 * runtime/StructureInlines.h:
1466 (JSC::Structure::create):
1468 2014-06-06 Andreas Kling <akling@apple.com>
1470 Indexed getters should return values directly on the PropertySlot.
1471 <https://webkit.org/b/133586>
1473 Remove PropertySlot's custom index mode.
1475 Reviewed by Darin Adler.
1477 * runtime/JSObject.h:
1478 (JSC::PropertySlot::getValue):
1479 * runtime/PropertySlot.h:
1480 (JSC::PropertySlot::setCustomIndex): Deleted.
1482 2014-06-04 Timothy Horton <timothy_horton@apple.com>
1486 Rubber-stamped by Filip Pizlo.
1488 * Configurations/LLVMForJSC.xcconfig:
1489 Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.
1491 2014-06-04 Oliver Hunt <oliver@apple.com>
1493 ArrayIterator should not be exposed in Safari 8
1494 https://bugs.webkit.org/show_bug.cgi?id=133494
1496 Reviewed by Michael Saboff.
1498 Separate out types that require constructor objects, and don't
1499 include the iterator types in that list.
1501 * runtime/JSGlobalObject.cpp:
1502 (JSC::JSGlobalObject::reset):
1503 * runtime/JSGlobalObject.h:
1505 2014-06-04 Filip Pizlo <fpizlo@apple.com>
1507 DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
1508 https://bugs.webkit.org/show_bug.cgi?id=133525
1509 <rdar://problem/16790296>
1511 Reviewed by Oliver Hunt.
1513 * dfg/DFGSafepoint.cpp:
1514 (JSC::DFG::Safepoint::begin):
1516 2014-06-03 Filip Pizlo <fpizlo@apple.com>
1518 LLVM soft-linking should be truly fail-silent
1519 https://bugs.webkit.org/show_bug.cgi?id=133482
1521 Reviewed by Mark Lam.
1523 * llvm/InitializeLLVMPOSIX.cpp:
1524 (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.
1526 2014-06-03 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
1528 REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
1529 https://bugs.webkit.org/show_bug.cgi?id=133149
1531 Reviewed by Csaba Osztrogonác.
1533 * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.
1535 2014-05-31 Anders Carlsson <andersca@apple.com>
1537 Add a LazyNeverDestroyed class template and use it
1538 https://bugs.webkit.org/show_bug.cgi?id=133425
1540 Reviewed by Darin Adler.
1542 * dfg/DFGFunctionWhitelist.cpp:
1543 (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1544 * dfg/DFGFunctionWhitelist.h:
1546 2014-05-28 Filip Pizlo <fpizlo@apple.com>
1548 DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
1549 https://bugs.webkit.org/show_bug.cgi?id=133368
1551 Reviewed by Mark Lam.
1553 * dfg/DFGDCEPhase.cpp:
1554 (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
1555 * tests/stress/new-array-dead.js: Added.
1558 2014-05-28 Filip Pizlo <fpizlo@apple.com>
1560 Unreviewed, fix not-x86 32-bit.
1562 * llint/LowLevelInterpreter32_64.asm:
1564 2014-05-27 Filip Pizlo <fpizlo@apple.com>
1566 Arrayify neglects to inform the clobberizer that it might fire watchpoints
1567 https://bugs.webkit.org/show_bug.cgi?id=133340
1569 Reviewed by Mark Lam.
1571 * dfg/DFGClobberize.h:
1572 (JSC::DFG::clobberize): Be honest.
1573 * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
1574 * tests/stress/arrayify-fires-watchpoint.js: Added.
1578 * tests/stress/arrayify-structure-bad-test.js: Added.
1582 2014-05-27 Jon Lee <jonlee@apple.com>
1584 Update ENABLE(MEDIA_SOURCE) on Mac
1585 https://bugs.webkit.org/show_bug.cgi?id=133141
1587 Reviewed by Darin Adler.
1589 * Configurations/FeatureDefines.xcconfig:
1591 2014-05-27 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
1594 https://bugs.webkit.org/show_bug.cgi?id=132863
1596 Reviewed by Csaba Osztrogonác.
1598 * Configurations/FeatureDefines.xcconfig:
1600 2014-05-27 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
1602 Allow building CMake based ports with WEB_REPLAY
1603 https://bugs.webkit.org/show_bug.cgi?id=133154
1605 Reviewed by Csaba Osztrogonác.
1609 2014-05-25 Filip Pizlo <fpizlo@apple.com>
1611 Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
1612 https://bugs.webkit.org/show_bug.cgi?id=133136
1614 Reviewed by Oliver Hunt.
1618 - Except for the prediction propagation and type fixup phases, which are super early in
1619 the pipeline, nobody has to know about the fact that booleans may flow into numerical
1620 operations because there will just be a BooleanToNumber node that will take a value
1621 and, if that value is a boolean, will convert it to the equivalent numerical value. It
1622 will have a BooleanUse mode where it will also speculate that the input is a boolean
1623 but it can also do UntypedUse in which case it will pass through any non-booleans.
1624 This operation is very easy to model in all of the compiler tiers.
1626 - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
1627 inputs require taking the slow path and it will still report that it took slow path
1628 for any such operations. The DFG will now be smart enough to ignore baseline JIT slow
1629 path profiling on operations that were known to have had boolean inputs. That's a
1630 little quirky, but it's probably easier than modifying the baseline JIT to track
1633 4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.
1635 * bytecode/SpeculatedType.h:
1636 (JSC::isInt32OrBooleanSpeculation):
1637 (JSC::isInt32SpeculationForArithmetic):
1638 (JSC::isInt32OrBooleanSpeculationForArithmetic):
1639 (JSC::isInt32OrBooleanSpeculationExpectingDefined):
1640 (JSC::isInt52Speculation):
1641 (JSC::isMachineIntSpeculation):
1642 (JSC::isFullNumberOrBooleanSpeculation):
1643 (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
1644 (JSC::isInt32SpeculationExpectingDefined): Deleted.
1645 (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
1646 (JSC::isMachineIntSpeculationForArithmetic): Deleted.
1647 (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
1648 (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
1649 * dfg/DFGAbstractInterpreterInlines.h:
1650 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1651 * dfg/DFGAllocator.h:
1652 (JSC::DFG::Allocator<T>::indexOf):
1653 * dfg/DFGByteCodeParser.cpp:
1654 (JSC::DFG::ByteCodeParser::makeSafe):
1655 (JSC::DFG::ByteCodeParser::makeDivSafe):
1656 (JSC::DFG::ByteCodeParser::handleIntrinsic):
1657 * dfg/DFGCSEPhase.cpp:
1658 (JSC::DFG::CSEPhase::performNodeCSE):
1659 * dfg/DFGClobberize.h:
1660 (JSC::DFG::clobberize):
1662 * dfg/DFGConstantFoldingPhase.cpp:
1663 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1664 * dfg/DFGFixupPhase.cpp:
1665 (JSC::DFG::FixupPhase::fixupNode):
1666 (JSC::DFG::FixupPhase::fixIntConvertingEdge):
1667 (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
1668 (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
1669 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
1670 (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
1672 (JSC::DFG::Graph::addSpeculationMode):
1673 (JSC::DFG::Graph::valueAddSpeculationMode):
1674 (JSC::DFG::Graph::arithAddSpeculationMode):
1675 (JSC::DFG::Graph::addShouldSpeculateInt32):
1676 (JSC::DFG::Graph::mulShouldSpeculateInt32):
1677 (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
1678 (JSC::DFG::Graph::negateShouldSpeculateInt32):
1679 (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
1680 (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
1681 (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
1683 (JSC::DFG::Node::sawBooleans):
1684 (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
1685 (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
1686 (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
1687 (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
1688 (JSC::DFG::Node::shouldSpeculateMachineInt):
1689 (JSC::DFG::Node::shouldSpeculateDouble):
1690 (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
1691 (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
1692 (JSC::DFG::Node::shouldSpeculateNumber):
1693 (JSC::DFG::Node::canSpeculateInt32):
1694 (JSC::DFG::Node::canSpeculateInt52):
1695 (JSC::DFG::Node::sourceFor):
1696 (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
1697 (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
1698 (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
1699 (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
1700 (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
1701 * dfg/DFGNodeFlags.cpp:
1702 (JSC::DFG::dumpNodeFlags):
1703 * dfg/DFGNodeFlags.h:
1704 (JSC::DFG::nodeMayOverflow):
1705 (JSC::DFG::nodeMayNegZero):
1706 (JSC::DFG::nodeCanSpeculateInt32):
1707 (JSC::DFG::nodeCanSpeculateInt52):
1708 * dfg/DFGNodeType.h:
1709 * dfg/DFGPredictionPropagationPhase.cpp:
1710 (JSC::DFG::PredictionPropagationPhase::run):
1711 (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
1712 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
1713 (JSC::DFG::PredictionPropagationPhase::propagate):
1714 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1715 * dfg/DFGSafeToExecute.h:
1716 (JSC::DFG::safeToExecute):
1717 * dfg/DFGSpeculativeJIT.cpp:
1718 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1719 * dfg/DFGSpeculativeJIT32_64.cpp:
1720 (JSC::DFG::SpeculativeJIT::compile):
1721 * dfg/DFGSpeculativeJIT64.cpp:
1722 (JSC::DFG::SpeculativeJIT::compile):
1723 * ftl/FTLCapabilities.cpp:
1724 (JSC::FTL::canCompile):
1725 * ftl/FTLLowerDFGToLLVM.cpp:
1726 (JSC::FTL::LowerDFGToLLVM::compileNode):
1727 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1728 (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
1729 * runtime/JSCJSValue.h:
1730 * runtime/JSCJSValueInlines.h:
1731 (JSC::JSValue::asInt32ForArithmetic):
1732 * tests/stress/max-boolean-exit.js: Added.
1735 * tests/stress/mul-boolean-exit.js: Added.
1738 * tests/stress/plus-boolean-exit.js: Added.
1741 * tests/stress/plus-boolean-or-double.js: Added.
1744 * tests/stress/plus-boolean-or-int.js: Added.
1748 2014-05-26 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
1750 Remove dead code from VM.cpp
1751 https://bugs.webkit.org/show_bug.cgi?id=133284
1753 Reviewed by Darin Adler.
1755 This workaround was added in r127505. Since clang is the
1756 only compiler used in this case, this workaround is obsolete.
1759 (JSC::enableAssembler):
1761 2014-05-26 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
1763 JSC CLoop warning fix
1764 https://bugs.webkit.org/show_bug.cgi?id=133259
1766 Reviewed by Darin Adler.
1768 * llint/LLIntSlowPaths.cpp:
1769 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1771 2014-05-24 Andreas Kling <akling@apple.com>
1773 Object.prototype.toString() should use cached strings for null/undefined.
1774 <https://webkit.org/b/133261>
1776 Normally, when calling Object.prototype.toString() on a regular object,
1777 we'd cache the result of the stringification on the object's structure,
1778 making repeated calls fast.
1780 For null and undefined, we were not as smart. We'd instead construct a
1781 new string with either "[object Null]" or "[object Undefined]" each time.
1783 This was exposed by Dromaeo's JS library tests, where some prototype.js
1784 subtests generate millions of strings this way.
1786 This patch adds two VM-permanent cached strings to the SmallStrings.
1787 Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html
1789 Reviewed by Darin Adler.
1791 * runtime/ObjectPrototype.cpp:
1792 (JSC::objectProtoFuncToString):
1793 * runtime/SmallStrings.cpp:
1794 (JSC::SmallStrings::SmallStrings):
1795 (JSC::SmallStrings::initializeCommonStrings):
1796 (JSC::SmallStrings::visitStrongReferences):
1797 * runtime/SmallStrings.h:
1798 (JSC::SmallStrings::nullObjectString):
1799 (JSC::SmallStrings::undefinedObjectString):
1801 2014-05-23 Mark Hahnenberg <mhahnenberg@apple.com>
1803 Remove operationCallGetter
1805 Rubber-stamped by Filip Pizlo.
1807 Nobody calls this function.
1809 * JavaScriptCore.order:
1810 * jit/JITOperations.cpp:
1811 * jit/JITOperations.h:
1813 2014-05-23 Andreas Kling <akling@apple.com>
1815 Templatize GC's destructor invocation for dtor type.
1816 <https://webkit.org/b/133231>
1818 Get rid of a branch in callDestructor() by templatizing it for
1819 the DestructorType. Removed JSCell::methodTableForDestruction()
1820 since this was the only call site and it was jumping through
1821 a bunch of unnecessary hoops.
1823 Reviewed by Geoffrey Garen.
1825 * heap/MarkedBlock.cpp:
1826 (JSC::MarkedBlock::callDestructor):
1827 (JSC::MarkedBlock::specializedSweep):
1828 * heap/MarkedBlock.h:
1830 * runtime/JSCellInlines.h:
1831 (JSC::JSCell::methodTableForDestruction): Deleted.
1833 2014-05-23 Andreas Kling <akling@apple.com>
1835 Support inline caching of RegExpMatchesArray.length
1836 <https://webkit.org/b/133234>
1838 Give RegExpMatchesArray.length the same treatment as JSArray in
1839 repatch so we don't have to go out of line on every access.
1841 ~13% speed-up on Octane/regexp.
1843 Reviewed by Geoffrey Garen.
1846 (JSC::tryCacheGetByID):
1847 * runtime/RegExpMatchesArray.h:
1848 (JSC::isRegExpMatchesArray):
1850 2014-05-22 Mark Lam <mark.lam@apple.com>
1852 REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
1853 <https://webkit.org/b/133182>
1855 Reviewed by Oliver Hunt.
1857 Before r154797, we used to clear the VM exception before calling into the
1858 debugger. After r154797, we don't. This patch will restore this clearing
1859 of the exception before calling into the debugger.
1861 Also added assertions after returning from calls into the debugger to
1862 ensure that the debugger did not introduce any exceptions.
1864 * interpreter/Interpreter.cpp:
1865 (JSC::unwindCallFrame):
1866 (JSC::Interpreter::unwind):
1867 (JSC::Interpreter::debug):
1868 - Fixed the assertion here. Interpreter::debug() should never be called
1869 with a pending exception. Debugger callbacks for exceptions should be
1870 handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
1872 2014-05-21 Filip Pizlo <fpizlo@apple.com>
1874 Store barrier elision should run after DCE in both the DFG path and the FTL path
1875 https://bugs.webkit.org/show_bug.cgi?id=129718
1877 Rubber stamped by Mark Hahnenberg.
1880 (JSC::DFG::Plan::compileInThreadImpl):
1882 2014-05-21 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
1884 [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
1885 https://bugs.webkit.org/show_bug.cgi?id=132907
1887 Reviewed by Gyuyoung Kim.
1891 2014-05-16 Martin Robinson <mrobinson@igalia.com>
1893 [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
1894 https://bugs.webkit.org/show_bug.cgi?id=132819
1896 Reviewed by Carlos Garcia Campos.
1898 * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
1899 use the common CMake ones directly.
1901 2014-05-21 Filip Pizlo <fpizlo@apple.com>
1903 Unreviewed, roll out http://trac.webkit.org/changeset/169159.
1905 This was a unilateral change and wasn't properly reviewed.
1907 * tests/mozilla/mozilla-tests.yaml:
1909 2014-05-21 Antoine Quint <graouts@webkit.org>
1911 Array.prototype.find and findIndex should skip holes
1912 https://bugs.webkit.org/show_bug.cgi?id=132658
1914 Reviewed by Geoffrey Garen.
1916 Skip holes in the array when iterating such that callback isn't called.
1918 * builtins/Array.prototype.js:
1922 2014-05-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
1924 REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
1925 https://bugs.webkit.org/show_bug.cgi?id=133149
1927 Reviewed by Csaba Osztrogonác.
1929 * tests/mozilla/mozilla-tests.yaml:
1931 2014-05-20 Geoffrey Garen <ggaren@apple.com>
1933 Rolled out <http://trac.webkit.org/changeset/166184>
1934 https://bugs.webkit.org/show_bug.cgi?id=133144
1936 Reviewed by Gavin Barraclough.
1938 It caused a performance regression.
1940 * heap/BlockAllocator.cpp:
1941 (JSC::BlockAllocator::blockFreeingThreadStartFunc):
1943 2014-05-20 Filip Pizlo <fpizlo@apple.com>
1945 DFG prediction propagation should agree with fixup phase over the return type of GetByVal
1946 https://bugs.webkit.org/show_bug.cgi?id=133134
1948 Reviewed by Mark Hahnenberg.
1950 Make prediction propagator use ArrayMode refinement to decide the return type.
1952 Also introduce a heap prediction intrinsic that allows us to test weird corner cases
1953 like this. The only way we'll see a mismatch like this in the real world is probably
1954 through a gnarly race condition.
1956 * dfg/DFGByteCodeParser.cpp:
1957 (JSC::DFG::ByteCodeParser::handleIntrinsic):
1959 (JSC::DFG::Node::setHeapPrediction):
1960 * dfg/DFGPredictionPropagationPhase.cpp:
1961 (JSC::DFG::PredictionPropagationPhase::propagate):
1963 (GlobalObject::finishCreation):
1966 (functionUndefined1):
1967 (functionUndefined2):
1968 (functionFalse): Deleted.
1969 (functionOtherFalse): Deleted.
1970 (functionUndefined): Deleted.
1971 * runtime/Intrinsic.h:
1972 * tests/stress/get-by-val-double-predicted-int.js: Added.
1975 2014-05-20 Mark Hahnenberg <mhahnenberg@apple.com>
1977 Watchdog timer should be lazily allocated
1978 https://bugs.webkit.org/show_bug.cgi?id=133135
1980 Reviewed by Geoffrey Garen.
1982 We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
1983 There is no reason to do this checking if we never activated the Watchdog, which can only be done through
1984 JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.
1986 By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
1987 these two API functions (which is true of most clients).
1989 * API/JSContextRef.cpp:
1990 (JSContextGroupSetExecutionTimeLimit):
1991 (JSContextGroupClearExecutionTimeLimit):
1992 * dfg/DFGByteCodeParser.cpp:
1993 (JSC::DFG::ByteCodeParser::parseBlock):
1994 * dfg/DFGSpeculativeJIT32_64.cpp:
1995 (JSC::DFG::SpeculativeJIT::compile):
1996 * dfg/DFGSpeculativeJIT64.cpp:
1997 (JSC::DFG::SpeculativeJIT::compile):
1998 * interpreter/Interpreter.cpp:
1999 (JSC::Interpreter::execute):
2000 (JSC::Interpreter::executeCall):
2001 (JSC::Interpreter::executeConstruct):
2002 * jit/JITOpcodes.cpp:
2003 (JSC::JIT::emit_op_loop_hint):
2004 (JSC::JIT::emitSlow_op_loop_hint):
2005 * jit/JITOperations.cpp:
2006 * llint/LLIntSlowPaths.cpp:
2007 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2009 * runtime/Watchdog.cpp:
2010 (JSC::Watchdog::Scope::Scope): Deleted.
2011 (JSC::Watchdog::Scope::~Scope): Deleted.
2012 * runtime/Watchdog.h:
2013 (JSC::Watchdog::Scope::Scope):
2014 (JSC::Watchdog::Scope::~Scope):
2016 2014-05-19 Mark Hahnenberg <mhahnenberg@apple.com>
2018 JSArray::shiftCountWith* could be more efficient
2019 https://bugs.webkit.org/show_bug.cgi?id=133011
2021 Reviewed by Geoffrey Garen.
2023 Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
2024 are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
2025 them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
2027 * runtime/ArrayStorage.h:
2028 (JSC::ArrayStorage::indexingHeader):
2029 (JSC::ArrayStorage::length):
2030 (JSC::ArrayStorage::hasHoles):
2031 * runtime/IndexingHeader.h:
2032 (JSC::IndexingHeader::publicLength):
2033 (JSC::IndexingHeader::from):
2034 * runtime/JSArray.cpp:
2035 (JSC::JSArray::shiftCountWithArrayStorage):
2036 (JSC::JSArray::shiftCountWithAnyIndexingType):
2037 (JSC::JSArray::unshiftCountWithArrayStorage):
2038 * runtime/JSArray.h:
2039 (JSC::JSArray::shiftCountForShift):
2040 (JSC::JSArray::shiftCountForSplice):
2041 (JSC::JSArray::shiftCount):
2042 * runtime/Structure.cpp:
2043 (JSC::Structure::holesRequireSpecialBehavior):
2044 * runtime/Structure.h:
2046 2014-05-19 Filip Pizlo <fpizlo@apple.com>
2048 Test gardening: skip some failing tests on not-X86.
2050 * tests/mozilla/mozilla-tests.yaml:
2052 2014-05-19 Mark Lam <mark.lam@apple.com>
2054 operationOptimize() should defer the GC for a while.
2055 <https://webkit.org/b/133103>
2057 Reviewed by Filip Pizlo.
2059 Currently, operationOptimize() only defers the GC until its end. As a result,
2060 a GC may be triggered just before we return from operationOptimize(), and it may
2061 jettison the optimize codeBlock that we're planning to OSR enter into when we
2062 return from this function. This is because the OSR entry on-ramp code hasn't
2063 been executed yet, and hence, there is not yet a reference to this new codeBlock
2064 from the stack, and there won't be until we've had a chance to return out of
2065 operationOptimize() to run the OSR entry on-ramp code.
2067 This issue is now fixed by using DeferGCForAWhile instead of DeferGC. This
2068 ensures that the GC will be deferred until after the OSR entry on-ramp can be
2071 * jit/JITOperations.cpp:
2073 2014-05-19 Filip Pizlo <fpizlo@apple.com>
2075 Take care of some ARM64 test failures
2076 https://bugs.webkit.org/show_bug.cgi?id=133090
2078 Reviewed by Geoffrey Garen.
2080 Constant blinding on ARM64 cannot use the scratch register.
2082 * assembler/MacroAssembler.h:
2083 (JSC::MacroAssembler::convertInt32ToDouble):
2084 (JSC::MacroAssembler::branchPtr):
2085 (JSC::MacroAssembler::storePtr):
2086 (JSC::MacroAssembler::store64):
2087 * assembler/MacroAssemblerARM64.h:
2088 (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
2090 2014-05-19 Tanay C <tanay.c@samsung.com>
2092 Removing some check-webkit-style warnings from ./dfg
2093 https://bugs.webkit.org/show_bug.cgi?id=132854
2095 Reviewed by Darin Adler.
2097 * dfg/DFGAbstractInterpreter.h:
2098 * dfg/DFGAbstractValue.h:
2099 * dfg/DFGBlockInsertionSet.h:
2100 * dfg/DFGCommonData.h:
2101 * dfg/DFGDominators.h:
2103 * dfg/DFGInPlaceAbstractState.h:
2104 * dfg/DFGPredictionPropagationPhase.h:
2106 2014-05-18 Filip Pizlo <fpizlo@apple.com>
2108 Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
2109 That was a long time ago.
2111 * ftl/FTLLowerDFGToLLVM.cpp:
2112 (JSC::FTL::LowerDFGToLLVM::compileReturn):
2114 2014-05-18 Rik Cabanier <cabanier@adobe.com>
2116 support for navigator.hardwareConcurrency
2117 https://bugs.webkit.org/show_bug.cgi?id=132588
2119 Reviewed by Filip Pizlo.
2121 * Configurations/FeatureDefines.xcconfig:
2123 2014-05-16 Michael Saboff <msaboff@apple.com>
2125 Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
2126 https://bugs.webkit.org/show_bug.cgi?id=133009
2128 Reviewed by Oliver Hunt.
2130 If we determine that any alternative requires a minimum match size greater than
2131 INT_MAX, we handle the match in the interpreter.
2133 Check to see if the pattern has unsigned lengths before invoking YARR JIT.
2134 * runtime/RegExp.cpp:
2135 (JSC::RegExp::compile):
2136 (JSC::RegExp::compileMatchOnly):
2138 * tests/stress/large-regexp.js: New test added.
2140 Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
2141 doesn't fit in an int.
2142 * yarr/YarrPattern.cpp:
2143 (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
2145 Clear new m_containsUnsignedLengthPattern flag.
2146 * yarr/YarrPattern.cpp:
2147 (JSC::Yarr::YarrPattern::YarrPattern):
2148 * yarr/YarrPattern.h:
2149 (JSC::Yarr::YarrPattern::reset):
2150 (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
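The check this entry describes, computing each alternative's minimum match length and refusing to JIT a pattern whose minimum does not fit in an int, can be modelled outside YARR. The block below is an added illustration written for this page, not YARR or JavaScriptCore code. Term, Alternative, Pattern, MinLength and Engine are invented stand-ins; containsUnsignedLengthPattern and chooseEngine mirror the names and decision in the ChangeLog but are this example's own implementations, and the sample patterns are constructed here.

```cpp
// Added example, not YARR code: overflow-checked minimum match length and the
// JIT-or-interpreter decision the ChangeLog entry describes.
#include <climits>
#include <cstdint>
#include <vector>

namespace demo {

// One term of a regexp alternative: a fixed-width piece (a character class of
// width 1, or a nested group of known minimum width) repeated at least
// minCount times. For /a{3,}/ that is minWidth = 1, minCount = 3.
struct Term {
    uint32_t minWidth;   // minimum characters one repetition consumes
    uint32_t minCount;   // lower bound of the quantifier ({n}, {n,}, + = 1, * = 0)
};

using Alternative = std::vector<Term>;

struct Pattern {
    std::vector<Alternative> alternatives;
};

struct MinLength {
    bool fitsInInt;      // false once the sum exceeds INT_MAX or wraps
    uint32_t value;      // valid only when fitsInInt
};

// Minimum number of characters an alternative must consume. Uses
// __builtin_*_overflow so a hostile pattern is reported instead of wrapping
// around; an unchecked wrap is exactly what a CrashOnOverflow guard would
// later trip on.
MinLength minimumLength(const Alternative& alt)
{
    uint32_t total = 0;
    for (const Term& t : alt) {
        uint32_t termMin = 0;
        if (__builtin_mul_overflow(t.minWidth, t.minCount, &termMin))
            return { false, 0 };
        if (__builtin_add_overflow(total, termMin, &total))
            return { false, 0 };
        if (total > static_cast<uint32_t>(INT_MAX))
            return { false, 0 };
    }
    return { true, total };
}

// True if any alternative's minimum length does not fit in an int.
bool containsUnsignedLengthPattern(const Pattern& p)
{
    for (const Alternative& alt : p.alternatives) {
        if (!minimumLength(alt).fitsInInt)
            return true;
    }
    return false;
}

// JIT only when every alternative has a sane minimum length; otherwise fall
// back to the interpreter, as the entry says RegExp::compile() now does.
enum class Engine { JIT, Interpreter };

Engine chooseEngine(const Pattern& p)
{
    return containsUnsignedLengthPattern(p) ? Engine::Interpreter : Engine::JIT;
}

// Constructed sample patterns (not from the page).
// /abc|a{4}/ : minimum lengths 3 and 4, JIT-able.
Pattern smallPattern()
{
    Pattern p;
    p.alternatives.push_back({ {1, 1}, {1, 1}, {1, 1} });
    p.alternatives.push_back({ {1, 4} });
    return p;
}

// /a{2147483647}b{2}/ : 2147483649 > INT_MAX, so the interpreter handles it.
Pattern hugePattern()
{
    Pattern p;
    p.alternatives.push_back({ {1, 2147483647u}, {1, 2} });
    return p;
}

// /(?:a{65536}){65536}/ : 65536 * 65536 wraps a 32-bit count; caught by the
// multiplication check rather than silently becoming 0.
Pattern nestedHugePattern()
{
    Pattern p;
    p.alternatives.push_back({ {65536, 65536} });
    return p;
}

} // namespace demo
```

Each quantifier is folded with checked multiplication and addition, so the wrap is detected at the term where it happens instead of surfacing as a nonsensical small total that the JIT would trust.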
2152 2014-05-15 Mark Hahnenberg <mhahnenberg@apple.com>
2154 JSDOMWindow should not claim HasImpureGetOwnPropertySlot
2155 https://bugs.webkit.org/show_bug.cgi?id=132918
2157 Reviewed by Geoffrey Garen.
2160 (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
2162 2014-05-15 Alex Christensen <achristensen@webkit.org>
2164 Add pointer lock to features without enabling it.
2165 https://bugs.webkit.org/show_bug.cgi?id=132961
2167 Reviewed by Sam Weinig.
2169 * Configurations/FeatureDefines.xcconfig:
2170 Added ENABLE_POINTER_LOCK to list of features.
2172 2014-05-14 Mark Hahnenberg <mhahnenberg@apple.com>
2174 Inline caching for proxies clobbers baseGPR too early
2175 https://bugs.webkit.org/show_bug.cgi?id=132916
2177 Reviewed by Filip Pizlo.
2179 We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
2180 gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
2181 until we know the inline cache is going to succeed.
2184 (JSC::generateByIdStub):
2186 2014-05-14 Brent Fulgham <bfulgham@apple.com>
2188 [Win] Unreviewed build fix.
2190 * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
2191 was missing commands to build LLInt portions of JSC.
2192 * llint/LLIntData.cpp: 64-bit build fix.
2194 2014-05-14 Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
2196 ARM Traditional buildfix after r168776.
2197 https://bugs.webkit.org/show_bug.cgi?id=132903
2199 Reviewed by Darin Adler.
2201 * assembler/MacroAssemblerARM.h:
2202 (JSC::MacroAssemblerARM::abortWithReason): Added.
2204 2014-05-14 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
2206 Remove CSS_STICKY_POSITION guards
2207 https://bugs.webkit.org/show_bug.cgi?id=132676
2209 Reviewed by Simon Fraser.
2211 * Configurations/FeatureDefines.xcconfig:
2213 2014-05-13 Filip Pizlo <fpizlo@apple.com>
2215 JIT breakpoints should be more informative
2216 https://bugs.webkit.org/show_bug.cgi?id=132882
2218 Reviewed by Oliver Hunt.
2220 Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
2221 failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
2222 at that platform's abort reason register (r11 on X86-64 for example).
2224 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2225 * JavaScriptCore.xcodeproj/project.pbxproj:
2226 * assembler/AbortReason.h: Added.
2227 * assembler/AbstractMacroAssembler.h:
2228 * assembler/MacroAssemblerARM64.h:
2229 (JSC::MacroAssemblerARM64::abortWithReason):
2230 * assembler/MacroAssemblerARMv7.h:
2231 (JSC::MacroAssemblerARMv7::abortWithReason):
2232 * assembler/MacroAssemblerX86.h:
2233 (JSC::MacroAssemblerX86::abortWithReason):
2234 * assembler/MacroAssemblerX86_64.h:
2235 (JSC::MacroAssemblerX86_64::abortWithReason):
2236 * dfg/DFGSlowPathGenerator.h:
2237 (JSC::DFG::SlowPathGenerator::generate):
2238 * dfg/DFGSpeculativeJIT.cpp:
2239 (JSC::DFG::SpeculativeJIT::bail):
2240 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2241 (JSC::DFG::SpeculativeJIT::compileMakeRope):
2242 * dfg/DFGSpeculativeJIT.h:
2243 (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
2244 * dfg/DFGSpeculativeJIT32_64.cpp:
2245 (JSC::DFG::SpeculativeJIT::compile):
2246 * dfg/DFGSpeculativeJIT64.cpp:
2247 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2248 (JSC::DFG::SpeculativeJIT::compile):
2249 * dfg/DFGThunks.cpp:
2250 (JSC::DFG::osrEntryThunkGenerator):
2251 * jit/AssemblyHelpers.cpp:
2252 (JSC::AssemblyHelpers::jitAssertIsInt32):
2253 (JSC::AssemblyHelpers::jitAssertIsJSInt32):
2254 (JSC::AssemblyHelpers::jitAssertIsJSNumber):
2255 (JSC::AssemblyHelpers::jitAssertIsJSDouble):
2256 (JSC::AssemblyHelpers::jitAssertIsCell):
2257 (JSC::AssemblyHelpers::jitAssertTagsInPlace):
2258 (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
2259 (JSC::AssemblyHelpers::jitAssertIsNull):
2260 (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
2261 (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
2262 * jit/AssemblyHelpers.h:
2263 (JSC::AssemblyHelpers::checkStackPointerAlignment):
2264 (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
2266 * jit/JITArithmetic.cpp:
2267 (JSC::JIT::emitSlow_op_div):
2268 * jit/JITOpcodes.cpp:
2269 (JSC::JIT::emitSlow_op_loop_hint):
2270 * jit/JITOpcodes32_64.cpp:
2271 (JSC::JIT::privateCompileCTINativeCall):
2272 * jit/JITPropertyAccess.cpp:
2273 (JSC::JIT::emit_op_get_by_val):
2274 (JSC::JIT::compileGetDirectOffset):
2275 (JSC::JIT::addStructureTransitionCheck): Deleted.
2276 (JSC::JIT::testPrototype): Deleted.
2277 * jit/JITPropertyAccess32_64.cpp:
2278 (JSC::JIT::emit_op_get_by_val):
2279 (JSC::JIT::compileGetDirectOffset):
2280 * jit/RegisterPreservationWrapperGenerator.cpp:
2281 (JSC::generateRegisterRestoration):
2283 (JSC::addStructureTransitionCheck):
2284 (JSC::linkClosureCall):
2285 * jit/ThunkGenerators.cpp:
2286 (JSC::emitPointerValidation):
2287 (JSC::nativeForGenerator):
2289 (JSC::Yarr::YarrGenerator::generate):
2291 2014-05-13 peavo@outlook.com <peavo@outlook.com>
2293 [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
2294 https://bugs.webkit.org/show_bug.cgi?id=132772
2296 Reviewed by Geoffrey Garen.
2298 Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
2299 This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
2300 This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
2301 The void* parameters in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.
2303 * assembler/MacroAssemblerARM.h:
2304 (JSC::MacroAssemblerARM::loadDouble):
2305 (JSC::MacroAssemblerARM::storeDouble):
2306 * assembler/MacroAssemblerARM64.h:
2307 (JSC::MacroAssemblerARM64::loadDouble):
2308 (JSC::MacroAssemblerARM64::storeDouble):
2309 * assembler/MacroAssemblerARMv7.h:
2310 (JSC::MacroAssemblerARMv7::loadDouble):
2311 (JSC::MacroAssemblerARMv7::storeDouble):
2312 * assembler/MacroAssemblerMIPS.h:
2313 (JSC::MacroAssemblerMIPS::loadDouble):
2314 (JSC::MacroAssemblerMIPS::storeDouble):
2315 * assembler/MacroAssemblerSH4.h:
2316 (JSC::MacroAssemblerSH4::loadDouble):
2317 (JSC::MacroAssemblerSH4::storeDouble):
2318 * assembler/MacroAssemblerX86.h:
2319 (JSC::MacroAssemblerX86::storeDouble):
2320 * assembler/MacroAssemblerX86Common.h:
2321 (JSC::MacroAssemblerX86Common::absDouble):
2322 (JSC::MacroAssemblerX86Common::negateDouble):
2323 (JSC::MacroAssemblerX86Common::loadDouble):
2324 * dfg/DFGSpeculativeJIT.cpp:
2325 (JSC::DFG::SpeculativeJIT::silentFill):
2326 (JSC::DFG::compileClampDoubleToByte):
2327 * dfg/DFGSpeculativeJIT32_64.cpp:
2328 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2329 (JSC::DFG::SpeculativeJIT::compile):
2330 * jit/AssemblyHelpers.cpp:
2331 (JSC::AssemblyHelpers::purifyNaN):
2333 (JSC::JIT::emitLoadDouble):
2334 * jit/JITPropertyAccess.cpp:
2335 (JSC::JIT::emitFloatTypedArrayGetByVal):
2336 * jit/ThunkGenerators.cpp:
2337 (JSC::floorThunkGenerator):
2338 (JSC::roundThunkGenerator):
2339 (JSC::powThunkGenerator):
2341 2014-05-12 Commit Queue <commit-queue@webkit.org>
2343 Unreviewed, rolling out r168642.
2344 https://bugs.webkit.org/show_bug.cgi?id=132839
2346 Broke ARM build (Requested by jpfau on #webkit).
2350 "[Win] Enum type with value zero is compatible with void*,
2351 potential cause of crashes."
2352 https://bugs.webkit.org/show_bug.cgi?id=132772
2353 http://trac.webkit.org/changeset/168642
2355 2014-05-12 peavo@outlook.com <peavo@outlook.com>
2357 [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
2358 https://bugs.webkit.org/show_bug.cgi?id=132772
2360 Reviewed by Geoffrey Garen.
2362 Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
2363 This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
2364 This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
2365 The void* parameters in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.
2367 * assembler/MacroAssemblerARM.h:
2368 (JSC::MacroAssemblerARM::loadDouble):
2369 (JSC::MacroAssemblerARM::storeDouble):
2370 * assembler/MacroAssemblerARM64.h:
2371 (JSC::MacroAssemblerARM64::loadDouble):
2372 (JSC::MacroAssemblerARM64::storeDouble):
2373 * assembler/MacroAssemblerARMv7.h:
2374 (JSC::MacroAssemblerARMv7::loadDouble):
2375 (JSC::MacroAssemblerARMv7::storeDouble):
2376 * assembler/MacroAssemblerMIPS.h:
2377 (JSC::MacroAssemblerMIPS::loadDouble):
2378 (JSC::MacroAssemblerMIPS::storeDouble):
2379 * assembler/MacroAssemblerSH4.h:
2380 (JSC::MacroAssemblerSH4::loadDouble):
2381 (JSC::MacroAssemblerSH4::storeDouble):
2382 * assembler/MacroAssemblerX86.h:
2383 (JSC::MacroAssemblerX86::storeDouble):
2384 * assembler/MacroAssemblerX86Common.h:
2385 (JSC::MacroAssemblerX86Common::absDouble):
2386 (JSC::MacroAssemblerX86Common::negateDouble):
2387 (JSC::MacroAssemblerX86Common::loadDouble):
2388 * dfg/DFGSpeculativeJIT.cpp:
2389 (JSC::DFG::SpeculativeJIT::silentFill):
2390 (JSC::DFG::compileClampDoubleToByte):
2391 * dfg/DFGSpeculativeJIT32_64.cpp:
2392 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2393 (JSC::DFG::SpeculativeJIT::compile):
2394 * jit/AssemblyHelpers.cpp:
2395 (JSC::AssemblyHelpers::purifyNaN):
2397 (JSC::JIT::emitLoadDouble):
2398 * jit/JITPropertyAccess.cpp:
2399 (JSC::JIT::emitFloatTypedArrayGetByVal):
2400 * jit/ThunkGenerators.cpp:
2401 (JSC::floorThunkGenerator):
2402 (JSC::roundThunkGenerator):
2403 (JSC::powThunkGenerator):
2405 2014-05-12 Andreas Kling <akling@apple.com>
2407 0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
2408 <https://webkit.org/b/132828>
2409 <rdar://problem/16886285>
2411 Reviewed by Michael Saboff.
2413 * runtime/JSObject.cpp:
2414 (JSC::JSObject::visitButterfly):
2415 (JSC::JSObject::visitChildren):
2417 Use JSCell::structure(VM&) to reduce the number of hoops we jump
2418 through to find Structures during marking.
2420 2014-05-12 László Langó <llango.u-szeged@partner.samsung.com>
2422 [cmake] Add missing FTL source files to the build system.
2424 Reviewed by Csaba Osztrogonác.
2428 2014-05-09 Joseph Pecoraro <pecoraro@apple.com>
2430 Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
2431 https://bugs.webkit.org/show_bug.cgi?id=132409
2433 Reviewed by Timothy Hatcher.
2435 Proxy applications are applications which hold WebViews for other
2436 applications. The WebProcess (Web Content Service) is a proxy application.
2437 For legacy reasons we were supporting a scenario where proxy applications
2438 could potentially host WebViews for more than one other application. That
2439 was never the case for WebProcess and it is now a scenario we don't need
2440 to worry about supporting.
2442 With this change, a proxy application more naturally only holds WebViews
2443 for a single parent / host application. The proxy process can set the
2444 parent pid / audit_token data on the RemoteInspector singleton, and
2445 that data will be sent on to webinspectord later on to be validated.
2446 In the WebProcess<->UIProcess relationship that information is known
2447 and set immediately. In the Legacy iOS case that information is set
2448 soon after, but not immediately known at the point the WebView is created.
2450 This allows us to simplify the RemoteInspectorDebuggable interface.
2451 We no longer need a pid per-Debuggable.
2453 * inspector/remote/RemoteInspector.h:
2454 * inspector/remote/RemoteInspector.mm:
2455 (Inspector::RemoteInspector::RemoteInspector):
2456 (Inspector::RemoteInspector::setParentProcessInformation):
2457 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2458 (Inspector::RemoteInspector::listingForDebuggable):
2459 (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
2460 Handle new proxy application setup message, and provide an API
2461 for a proxy application to set the parent process information.
2463 * inspector/remote/RemoteInspectorConstants.h:
2464 New setup and response message for proxy applications to pass
2465 their parent / host application information to webinspectord.
2467 * inspector/remote/RemoteInspectorDebuggable.cpp:
2468 (Inspector::RemoteInspectorDebuggable::info):
2469 * inspector/remote/RemoteInspectorDebuggable.h:
2470 (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
2471 (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
2472 pid per debuggable is no longer needed.
2474 2014-05-09 Mark Hahnenberg <mhahnenberg@apple.com>
2476 JSDOMWindow should disable property caching after a certain point
2477 https://bugs.webkit.org/show_bug.cgi?id=132751
2479 Reviewed by Filip Pizlo.
2481 This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
2482 hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
2483 that it has provided a cacheable value.
2485 * runtime/PropertySlot.h:
2486 (JSC::PropertySlot::PropertySlot):
2487 (JSC::PropertySlot::isCacheable):
2488 (JSC::PropertySlot::disableCaching):
2490 2014-05-09 Andreas Kling <akling@apple.com>
2492 8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
2493 <https://webkit.org/b/132749>
2495 Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
2496 in Object.prototype.* by using JSString::toIdentifier() in the cases where
2497 we are converting JSString -> String -> Identifier.
2499 This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
2500 "The Great HTML5 Gaming Performance Test: 2014 edition"
2501 <http://www.scirra.com/demos/c2/sbperftest/>
2503 Reviewed by Oliver Hunt.
2505 * runtime/ObjectPrototype.cpp:
2506 (JSC::objectProtoFuncHasOwnProperty):
2507 (JSC::objectProtoFuncDefineGetter):
2508 (JSC::objectProtoFuncDefineSetter):
2509 (JSC::objectProtoFuncLookupGetter):
2510 (JSC::objectProtoFuncLookupSetter):
2512 2014-05-08 Mark Hahnenberg <mhahnenberg@apple.com>
2514 JSDOMWindow should have a WatchpointSet to fire on window close
2515 https://bugs.webkit.org/show_bug.cgi?id=132721
2517 Reviewed by Filip Pizlo.
2519 This patch allows us to reset the inline caches that assumed they could skip
2520 the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
2521 been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
2523 PropertySlot now accepts a WatchpointSet which the inline cache code can look for
2524 to see if it should create a new Watchpoint for that particular inline cache site.
2526 * bytecode/Watchpoint.h:
2528 (JSC::generateByIdStub):
2529 (JSC::tryBuildGetByIDList):
2530 (JSC::tryCachePutByID):
2531 (JSC::tryBuildPutByIdList):
2532 * runtime/PropertySlot.h:
2533 (JSC::PropertySlot::PropertySlot):
2534 (JSC::PropertySlot::watchpointSet):
2535 (JSC::PropertySlot::setWatchpointSet):
2537 2014-05-09 Tanay C <tanay.c@samsung.com>
2539 Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
2540 https://bugs.webkit.org/show_bug.cgi?id=132331
2542 Reviewed by Darin Adler.
2544 * dfg/DFGFixupPhase.cpp:
2545 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2547 2014-05-09 peavo@outlook.com <peavo@outlook.com>
2549 [Win] Crash when enabling DFG JIT.
2550 https://bugs.webkit.org/show_bug.cgi?id=132683
2552 Reviewed by Geoffrey Garen.
2554 On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
2555 results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
2556 where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
2557 This causes the register to be written to address 0, hence the crash.
2559 * dfg/DFGOSRExitCompiler32_64.cpp:
2560 (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
2561 * dfg/DFGOSRExitCompiler64.cpp:
2562 (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
2564 2014-05-09 Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
2566 REGRESSION(r167094): JSC crashes on ARM Traditional
2567 https://bugs.webkit.org/show_bug.cgi?id=132738
2569 Reviewed by Zoltan Herczeg.
2571 PC is two instructions ahead of the current instruction
2572 on ARM Traditional, so the distance is 8 bytes not 2.
2574 * llint/LowLevelInterpreter.asm:
2576 2014-05-09 Alberto Garcia <berto@igalia.com>
2578 jsmin.py license header confusing, mentions non-free license
2579 https://bugs.webkit.org/show_bug.cgi?id=123665
2581 Reviewed by Darin Adler.
2583 Pull the most recent version from upstream, which has a clear
2586 * inspector/scripts/jsmin.py:
2588 2014-05-08 Mark Hahnenberg <mhahnenberg@apple.com>
2590 Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
2591 https://bugs.webkit.org/show_bug.cgi?id=132695
2593 Reviewed by Filip Pizlo.
2595 We check in the case where we're accessing something other than the base object (e.g. the prototype),
2596 but we fail to do so for the base object.
2599 (JSC::tryCacheGetByID):
2600 (JSC::tryBuildGetByIDList):
2601 * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
2602 because all of the values that are returned that could be impure are set to uncacheable anyways.
2603 (WTF::ImpureGetter::ImpureGetter):
2604 (WTF::ImpureGetter::createStructure):
2605 (WTF::ImpureGetter::create):
2606 (WTF::ImpureGetter::finishCreation):
2607 (WTF::ImpureGetter::getOwnPropertySlot):
2608 (WTF::ImpureGetter::visitChildren):
2609 (WTF::ImpureGetter::setDelegate):
2610 (GlobalObject::finishCreation):
2611 (functionCreateImpureGetter):
2612 (functionSetImpureGetterDelegate):
2613 * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
2616 2014-05-08 Filip Pizlo <fpizlo@apple.com>
2618 deleteAllCompiledCode() shouldn't use the suspension worklist
2619 https://bugs.webkit.org/show_bug.cgi?id=132708
2621 Reviewed by Mark Hahnenberg.
2623 * bytecode/CodeBlock.cpp:
2624 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
2626 (JSC::DFG::Plan::isStillValid):
2628 (JSC::Heap::deleteAllCompiledCode):
2630 2014-05-08 Filip Pizlo <fpizlo@apple.com>
2632 SSA conversion should delete PhantomLocals for captured variables
2633 https://bugs.webkit.org/show_bug.cgi?id=132693
2635 Reviewed by Mark Hahnenberg.
2637 * dfg/DFGCommon.cpp:
2638 (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
2640 * dfg/DFGFixupPhase.cpp:
2641 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
2642 * dfg/DFGLivenessAnalysisPhase.cpp:
2643 (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
2644 * dfg/DFGSSAConversionPhase.cpp:
2645 (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
2646 * dfg/DFGValidate.cpp: Use the workaround.
2647 * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
2651 2014-05-07 Commit Queue <commit-queue@webkit.org>
2653 Unreviewed, rolling out r168451.
2654 https://bugs.webkit.org/show_bug.cgi?id=132670
2656 Not a speed-up, just do what other compilers do. (Requested by
2661 "[X86] Emit BT instruction for single-bit tests."
2662 https://bugs.webkit.org/show_bug.cgi?id=132650
2663 http://trac.webkit.org/changeset/168451
2665 2014-05-07 Filip Pizlo <fpizlo@apple.com>
2667 Make Executable::clearCode() actually clear all of the entrypoints, and
2668 clean up some other FTL-related calling convention stuff.
2669 <rdar://problem/16720172>
2671 Rubber stamped by Mark Hahnenberg.
2673 * dfg/DFGOperations.cpp:
2674 * dfg/DFGOperations.h:
2675 * dfg/DFGWorklist.cpp:
2676 (JSC::DFG::Worklist::Worklist):
2677 (JSC::DFG::Worklist::finishCreation):
2678 (JSC::DFG::Worklist::create):
2679 (JSC::DFG::ensureGlobalDFGWorklist):
2680 (JSC::DFG::ensureGlobalFTLWorklist):
2681 * dfg/DFGWorklist.h:
2682 * heap/CodeBlockSet.cpp:
2683 (JSC::CodeBlockSet::dump):
2684 * heap/CodeBlockSet.h:
2685 * runtime/Executable.cpp:
2686 (JSC::ExecutableBase::clearCode):
2688 2014-05-07 Andreas Kling <akling@apple.com>
2690 [X86] Emit BT instruction for single-bit tests.
2691 <https://webkit.org/b/132650>
2693 Implement test-bit-and-branch slightly more efficiently by using
2694 BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
2697 Reviewed by Michael Saboff.
2699 * assembler/MacroAssemblerX86Common.h:
2700 (JSC::MacroAssemblerX86Common::singleBitIndex):
2701 (JSC::MacroAssemblerX86Common::branchTest32):
2702 * assembler/X86Assembler.h:
2703 (JSC::X86Assembler::bt_i8r):
2704 (JSC::X86Assembler::bt_i8m):
2706 2014-05-07 Mark Lam <mark.lam@apple.com>
2708 REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
2709 <https://webkit.org/b/131356>
2711 Reviewed by Geoffrey Garen.
2713 The issue is that GC needs to be made aware of writes to m_inferredValue
2714 in the VariableWatchpointSet, but was not. As a result, if a JSCell*
2715 is written to a VariableWatchpointSet m_inferredValue, and that JSCell
2716 does not survive an eden GC shortly after, we will end up with a stale
2717 JSCell pointer left in the m_inferredValue.
2719 This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
2720 using DumpRenderTree with the VM heap in zombie mode.
2722 The fix is to change VariableWatchpointSet m_inferredValue to type
2723 WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
2724 is executed by all the execution engines so that the WriteBarrier semantics
2727 We still check if the value to be written is the same as the one in the
2728 inferredValue. We'll by-pass calling the slow path notifyWrite() if the
2729 values are the same.
2731 * JavaScriptCore.xcodeproj/project.pbxproj:
2732 * bytecode/CodeBlock.cpp:
2733 (JSC::CodeBlock::CodeBlock):
2734 - need to pass the symbolTable to prepareToWatch() because it will be needed
2735 for instantiating the VariableWatchpointSet in prepareToWatch().
2737 * bytecode/VariableWatchpointSet.h:
2738 (JSC::VariableWatchpointSet::VariableWatchpointSet):
2739 - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
2740 write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
2741 (JSC::VariableWatchpointSet::inferredValue):
2742 (JSC::VariableWatchpointSet::invalidate):
2743 (JSC::VariableWatchpointSet::finalizeUnconditionally):
2744 (JSC::VariableWatchpointSet::addressOfInferredValue):
2745 (JSC::VariableWatchpointSet::notifyWrite): Deleted.
2746 * bytecode/VariableWatchpointSetInlines.h: Added.
2747 (JSC::VariableWatchpointSet::notifyWrite):
2749 * dfg/DFGByteCodeParser.cpp:
2750 (JSC::DFG::ByteCodeParser::cellConstant):
2751 - Added an assert in case we try to make constants of zombified JSCells again.
2753 * dfg/DFGOperations.cpp:
2754 * dfg/DFGOperations.h:
2755 * dfg/DFGSpeculativeJIT.h:
2756 (JSC::DFG::SpeculativeJIT::callOperation):
2757 * dfg/DFGSpeculativeJIT32_64.cpp:
2758 (JSC::DFG::SpeculativeJIT::compile):
2759 * dfg/DFGSpeculativeJIT64.cpp:
2760 (JSC::DFG::SpeculativeJIT::compile):
2761 - We now let the slow path handle the cases when the VariableWatchpointSet is
2762 in state ClearWatchpoint and IsWatched, and the slow path will ensure that
2763 we handle the needed write barrier semantics correctly.
2764 We will by-pass the slow path if the value being written is the same as the
2767 * ftl/FTLIntrinsicRepository.h:
2768 * ftl/FTLLowerDFGToLLVM.cpp:
2769 (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
2770 - Let the slow path handle the cases when the VariableWatchpointSet is
2771 in state ClearWatchpoint and IsWatched.
2772 We will by-pass the slow path if the value being written is the same as the
2776 (JSC::Zombify::operator()):
2777 - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
2778 which is used everywhere else).
2780 (JSC::Heap::isZombified):
2781 - Provide a convenience test function to check if JSCells are zombified. This is
2782 currently only used in an assertion in the DFG bytecode parser, but the intent
2783 is that we'll apply this test in other strategic places later to help with early
2784 detection of usage of GC'ed objects when we run in zombie mode.
2786 * jit/JITOpcodes.cpp:
2787 (JSC::JIT::emitSlow_op_captured_mov):
2788 * jit/JITOperations.h:
2789 * jit/JITPropertyAccess.cpp:
2790 (JSC::JIT::emitNotifyWrite):
2791 * jit/JITPropertyAccess32_64.cpp:
2792 (JSC::JIT::emitNotifyWrite):
2793 (JSC::JIT::emitSlow_op_put_to_scope):
2794 - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2795 is in state ClearWatchpoint and IsWatched.
2796 We will by-pass the slow path if the value being written is the same as the
2799 * llint/LowLevelInterpreter32_64.asm:
2800 * llint/LowLevelInterpreter64.asm:
2801 - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
2802 is in state ClearWatchpoint and IsWatched.
2803 We will by-pass the slow path if the value being written is the same as the
2806 * runtime/CommonSlowPaths.cpp:
2808 * runtime/JSCJSValue.h: Fixed some typos in the comments.
2809 * runtime/JSGlobalObject.cpp:
2810 (JSC::JSGlobalObject::addGlobalVar):
2811 (JSC::JSGlobalObject::addFunction):
2812 * runtime/JSSymbolTableObject.h:
2813 (JSC::symbolTablePut):
2814 (JSC::symbolTablePutWithAttributes):
2815 * runtime/SymbolTable.cpp:
2816 (JSC::SymbolTableEntry::prepareToWatch):
2817 (JSC::SymbolTableEntry::notifyWriteSlow):
2818 * runtime/SymbolTable.h:
2819 (JSC::SymbolTableEntry::notifyWrite):
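The interaction the entry above describes, as an added toy model that is not JavaScriptCore's code: a tiny generational heap whose eden collection keeps only rooted or barrier-remembered cells, and a watchpoint-set slot whose notifyWrite() skips the slow path when the value is unchanged and, when the barrier is enabled, tells the GC about the stored cell. All class and function names are constructed; the real fix remembers the owning symbol table rather than the cell itself, which is equivalent for this model.

```cpp
// Added example, not JavaScriptCore code: a toy generational heap modelling why the
// inferred value of a watchpoint set needs a write barrier. Cells allocated since the
// last collection are "eden"; an eden GC frees eden cells that are neither rooted nor
// recorded by a barrier. All names are constructed for this model.
#include <algorithm>
#include <cstdint>
#include <memory>
#include <set>
#include <vector>

struct Cell { uint64_t id = 0; bool inEden = true; };

class ToyHeap {
public:
    Cell* allocate() {
        m_cells.push_back(std::make_unique<Cell>());
        m_cells.back()->id = m_nextId++;
        return m_cells.back().get();
    }
    void addRoot(Cell* c) { m_roots.insert(c); }
    // Simplified barrier: record eden cells stored into long-lived owners so the eden GC
    // scans them (JSC remembers the owner; remembering the cell is equivalent here).
    void remember(Cell* c) { if (c && c->inEden) m_remembered.insert(c); }
    bool isLive(const Cell* c) const {
        return std::any_of(m_cells.begin(), m_cells.end(),
                           [c](const std::unique_ptr<Cell>& p) { return p.get() == c; });
    }
    // Eden GC: only roots and remembered cells survive; survivors are promoted out of eden.
    void edenCollect() {
        m_cells.erase(std::remove_if(m_cells.begin(), m_cells.end(),
            [this](const std::unique_ptr<Cell>& p) {
                return p->inEden && !m_roots.count(p.get()) && !m_remembered.count(p.get());
            }), m_cells.end());
        for (auto& p : m_cells) p->inEden = false;
        m_remembered.clear();
    }
private:
    std::vector<std::unique_ptr<Cell>> m_cells;
    std::set<Cell*> m_roots, m_remembered;
    uint64_t m_nextId = 1;
};

enum class WatchState { ClearWatchpoint, IsWatched, IsInvalidated };

// Models the three states the entry names; the fast path skips the slow path when the
// written value equals the current inferred value.
class InferredValueSlot {
public:
    InferredValueSlot(ToyHeap& heap, bool useBarrier) : m_heap(heap), m_useBarrier(useBarrier) {}
    void notifyWrite(Cell* value) {
        if (m_state == WatchState::IsInvalidated || value == m_inferredValue)
            return;                       // already invalidated, or same value: no slow path
        notifyWriteSlow(value);
    }
    Cell* inferredValue() const { return m_inferredValue; }
    WatchState state() const { return m_state; }
private:
    void notifyWriteSlow(Cell* value) {
        if (m_state == WatchState::ClearWatchpoint) {
            m_inferredValue = value;      // first write: start watching this value
            m_state = WatchState::IsWatched;
            if (m_useBarrier) m_heap.remember(value);   // the fix: the GC learns of the store
        } else {                          // IsWatched and a different value: not a constant
            m_inferredValue = nullptr;
            m_state = WatchState::IsInvalidated;
        }
    }
    ToyHeap& m_heap;
    bool m_useBarrier;
    WatchState m_state = WatchState::ClearWatchpoint;
    Cell* m_inferredValue = nullptr;
};

// Scenario: a fresh cell is stored into a watched variable whose only other holder (think
// of a short-lived activation) dies before the next eden GC. Returns whether the inferred
// value still points at a live cell afterwards; without the barrier it is a stale pointer.
bool inferredValueSurvivesEdenGC(bool useBarrier) {
    ToyHeap heap;
    InferredValueSlot slot(heap, useBarrier);
    Cell* value = heap.allocate();
    slot.notifyWrite(value);
    slot.notifyWrite(value);              // same value again: fast path, state stays IsWatched
    heap.edenCollect();
    return slot.state() == WatchState::IsWatched && heap.isLive(slot.inferredValue());
}

// A second, different value invalidates the set and drops the inferred value.
bool secondValueInvalidates() {
    ToyHeap heap;
    InferredValueSlot slot(heap, true);
    Cell* a = heap.allocate();
    Cell* b = heap.allocate();
    heap.addRoot(a); heap.addRoot(b);
    slot.notifyWrite(a);
    slot.notifyWrite(b);
    return slot.state() == WatchState::IsInvalidated && slot.inferredValue() == nullptr;
}
```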
2821 2014-05-06 Michael Saboff <msaboff@apple.com>
2823 Unreviewed build fix for C-LOOP after r168396.
2825 * runtime/TestRunnerUtils.cpp:
2826 (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
2828 2014-05-06 Michael Saboff <msaboff@apple.com>
2830 Add test for deleteAllCompiledCode
2831 https://bugs.webkit.org/show_bug.cgi?id=132632
2833 Reviewed by Phil Pizlo.
2835 Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
2836 the other to call CodeBlock::optimizeNextInvocation(). Used these two hooks
2837 to write a test that will queue up loads of DFG compiles and then call
2838 Heap::deleteAllCompiledCode() to make sure that it can handle compiled
2839 code as well as code being compiled.
2842 (GlobalObject::finishCreation):
2843 (functionDeleteAllCompiledCode):
2844 (functionOptimizeNextInvocation):
2845 * runtime/TestRunnerUtils.cpp:
2846 (JSC::optimizeNextInvocation):
2847 * runtime/TestRunnerUtils.h:
2848 * tests/stress/deleteAllCompiledCode.js: Added.
2852 2014-05-06 Andreas Kling <akling@apple.com>
2854 JSString::toAtomicString() should return AtomicString.
2855 <https://webkit.org/b/132627>
2857 Remove premature optimization where I was trying to avoid refcount
2858 churn when returning an already atomicized String.
2860 Instead of using reinterpret_cast to mangle the String member into
2861 a const AtomicString& return value, just return AtomicString.
2863 Reviewed by Geoff Garen.
2865 * runtime/JSString.h:
2866 (JSC::JSString::toAtomicString):
2868 2014-05-06 Mark Hahnenberg <mhahnenberg@apple.com>
2872 Rubber stamped by Geoff Garen.
2874 It broke some websites.
2876 * runtime/JSPropertyNameIterator.cpp:
2877 (JSC::JSPropertyNameIterator::create):
2878 * runtime/PropertyMapHashTable.h:
2879 (JSC::PropertyTable::hasDeletedOffset):
2880 (JSC::PropertyTable::hadDeletedOffset): Deleted.
2881 * runtime/Structure.cpp:
2882 (JSC::Structure::Structure):
2883 (JSC::Structure::materializePropertyMap):
2884 (JSC::Structure::removePropertyTransition):
2885 (JSC::Structure::changePrototypeTransition):
2886 (JSC::Structure::despecifyFunctionTransition):
2887 (JSC::Structure::attributeChangeTransition):
2888 (JSC::Structure::toDictionaryTransition):
2889 (JSC::Structure::preventExtensionsTransition):
2890 (JSC::Structure::addPropertyWithoutTransition):
2891 (JSC::Structure::removePropertyWithoutTransition):
2892 (JSC::Structure::pin):
2893 (JSC::Structure::pinAndPreventTransitions): Deleted.
2894 * runtime/Structure.h:
2895 * runtime/StructureInlines.h:
2896 (JSC::Structure::setEnumerationCache):
2897 (JSC::Structure::propertyTable):
2898 (JSC::Structure::checkOffsetConsistency):
2899 (JSC::Structure::hadDeletedOffsets): Deleted.
2900 * tests/stress/for-in-after-delete.js:
2903 2014-05-05 Andreas Kling <akling@apple.com>
2907 * runtime/JSCellInlines.h:
2908 (JSC::JSCell::fastGetOwnProperty):
2910 2014-05-05 Andreas Kling <akling@apple.com>
2912 Optimize GetByVal when subscript is a rope string.
2913 <https://webkit.org/b/132590>
2915 Use JSString::toIdentifier() in the various GetByVal implementations
2916 to try and avoid allocating extra strings.
2918 Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
2919 in that, to avoid calling JSString::value() which always resolves ropes
2920 into new strings and de-optimizes subsequent toIdentifier() calls.
2922 My iMac says ~9% progression on Dromaeo/dom-attr.html
2924 Reviewed by Phil Pizlo.
2926 * dfg/DFGOperations.cpp:
2927 * jit/JITOperations.cpp:
2929 * llint/LLIntSlowPaths.cpp:
2930 (JSC::LLInt::getByVal):
2932 * runtime/JSCellInlines.h:
2933 (JSC::JSCell::fastGetOwnProperty):
2934 (JSC::JSCell::canUseFastGetOwnProperty):
2936 2014-05-05 Andreas Kling <akling@apple.com>
2938 REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
2939 <https://webkit.org/b/168256>
2940 <rdar://problem/16816316>
2942 Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
2943 clear the fibers. The caller takes care of this.
2945 Test: fast/dom/getElementById-with-rope-string-arg.html
2947 Reviewed by Geoffrey Garen.
2949 * runtime/JSString.cpp:
2950 (JSC::JSRopeString::resolveRopeSlowCase8):
2952 2014-05-05 Michael Saboff <msaboff@apple.com>
2954 REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
2955 https://bugs.webkit.org/show_bug.cgi?id=132581
2957 Reviewed by Filip Pizlo.
2960 (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
2961 started compiling for is still the same at the end of compilation.
2962 Also did some minor restructuring.
2964 2014-05-05 Andreas Kling <akling@apple.com>
2966 Optimize PutByVal when subscript is a rope string.
2967 <https://webkit.org/b/132572>
2969 Add a JSString::toIdentifier() that is smarter when the JSString is
2970 really a rope string. Use this in baseline & DFG's PutByVal to avoid
2971 allocating new StringImpls that we immediately deduplicate anyway.
2973 Reviewed by Antti Koivisto.
2975 * dfg/DFGOperations.cpp:
2976 (JSC::DFG::operationPutByValInternal):
2977 * jit/JITOperations.cpp:
2978 * runtime/JSString.h:
2979 (JSC::JSString::toIdentifier):
2981 2014-05-05 Andreas Kling <akling@apple.com>
2983 Remove two now-incorrect assertions after r168256.
2985 * runtime/JSString.cpp:
2986 (JSC::JSRopeString::resolveRopeSlowCase8):
2987 (JSC::JSRopeString::resolveRopeSlowCase):
2989 2014-05-04 Andreas Kling <akling@apple.com>
2991 Optimize JSRopeString for resolving directly to AtomicString.
2992 <https://webkit.org/b/132548>
2994 If we know that the JSRopeString we are resolving is going to be used
2995 as an AtomicString, we can try to avoid creating a new string.
2997 We do this by first resolving the rope into a stack buffer, and using
2998 that buffer as a key into the AtomicString table. If there is already
2999 an AtomicString with the same characters, we reuse that instead of
3000 constructing a new StringImpl.
3002 JSString gains these two public functions:
3004 - AtomicString toAtomicString()
3006 Returns an AtomicString, tries to avoid allocating a new string
3009 - AtomicStringImpl* toExistingAtomicString()
3011 Returns a non-null AtomicStringImpl* if one already exists in the
3012 AtomicString table. If none is found, the rope is left unresolved.
3014 Reviewed by Filip Pizlo.
3016 * runtime/JSString.cpp:
3017 (JSC::JSRopeString::resolveRopeInternal8):
3018 (JSC::JSRopeString::resolveRopeInternal16):
3019 (JSC::JSRopeString::resolveRopeToAtomicString):
3020 (JSC::JSRopeString::clearFibers):
3021 (JSC::JSRopeString::resolveRopeToExistingAtomicString):
3022 (JSC::JSRopeString::resolveRope):
3023 (JSC::JSRopeString::outOfMemory):
3024 * runtime/JSString.h:
3025 (JSC::JSString::toAtomicString):
3026 (JSC::JSString::toExistingAtomicString):
3028 2014-05-04 Andreas Kling <akling@apple.com>
3030 Unreviewed, rolling out r168254.
3032 Very crashy on debug JSC tests.
3036 "jsSubstring() should be lazy"
3037 https://bugs.webkit.org/show_bug.cgi?id=132556
3038 http://trac.webkit.org/changeset/168254
3040 2014-05-04 Filip Pizlo <fpizlo@apple.com>
3042 jsSubstring() should be lazy
3043 https://bugs.webkit.org/show_bug.cgi?id=132556
3045 Reviewed by Andreas Kling.
3047 jsSubstring() is now lazy by using a special rope that is a substring instead of a
3048 concatenation. To make this patch super simple, we require that a substring's base is
3049 never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
3050 path, or we go down a concatenation path which may see exactly one level of substrings in
3053 This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
3055 * heap/MarkedBlock.cpp:
3056 (JSC::MarkedBlock::specializedSweep):
3057 * runtime/JSString.cpp:
3058 (JSC::JSRopeString::visitFibers):
3059 (JSC::JSRopeString::resolveRope):
3060 (JSC::JSRopeString::resolveRopeSlowCase8):
3061 (JSC::JSRopeString::resolveRopeSlowCase):
3062 (JSC::JSRopeString::outOfMemory):
3063 * runtime/JSString.h:
3064 (JSC::JSRopeString::finishCreation):
3065 (JSC::JSRopeString::append):
3066 (JSC::JSRopeString::create):
3067 (JSC::JSRopeString::offsetOfFibers):
3068 (JSC::JSRopeString::fiber):
3069 (JSC::JSRopeString::substringBase):
3070 (JSC::JSRopeString::substringOffset):
3071 (JSC::JSRopeString::substringSentinel):
3072 (JSC::JSRopeString::isSubstring):
3074 * runtime/RegExpMatchesArray.cpp:
3075 (JSC::RegExpMatchesArray::reifyAllProperties):
3076 * runtime/StringPrototype.cpp:
3077 (JSC::stringProtoFuncSubstring):
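The two rope entries above (resolving a JSRopeString directly into the AtomicString table via a stack buffer, and the lazy substring rope whose base is never itself a rope), as one added toy model that is not JavaScriptCore's code: the table uses a transparent comparator so a stack buffer can be probed without allocating a key, and a miss leaves the rope unresolved. All type and function names are constructed; the 64-byte stack buffer is a limit of this model only.

```cpp
// Added example, not JavaScriptCore code: a toy rope string with concatenation and
// substring nodes, resolved either fully or only into a stack buffer that serves as the
// lookup key into an "atomic string" table. Names are constructed for this model.
#include <cstddef>
#include <memory>
#include <set>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// Table of already-atomized strings; std::less<> allows lookup by string_view, so
// probing does not allocate a std::string key. Set nodes give stable pointers.
struct AtomicTable {
    std::set<std::string, std::less<>> strings;
    const std::string* add(std::string_view s) { return &*strings.insert(std::string(s)).first; }
    const std::string* find(std::string_view s) const {
        auto it = strings.find(s);
        return it == strings.end() ? nullptr : &*it;
    }
};

struct RopeString {
    bool resolved = false;
    std::string flat;                                  // valid once resolved
    std::vector<std::shared_ptr<RopeString>> fibers;   // concatenation parts
    std::shared_ptr<RopeString> substringBase;         // set for substring ropes; never a rope
    size_t substringOffset = 0;
    size_t length = 0;
};
using RopePtr = std::shared_ptr<RopeString>;

// Writes the rope's characters into out[0..length) without allocating; returns the count.
// A substring takes the non-recursive path; a concatenation may see substrings one level down.
size_t resolveInto(const RopeString& r, char* out) {
    if (r.resolved) return r.flat.copy(out, r.flat.size());
    if (r.substringBase) return r.substringBase->flat.copy(out, r.length, r.substringOffset);
    size_t pos = 0;
    for (const auto& f : r.fibers) pos += resolveInto(*f, out + pos);
    return pos;
}

// Full resolution: materialize the string and clear the fibers.
void resolveRope(RopeString& r) {
    std::vector<char> buf(r.length);
    size_t n = resolveInto(r, buf.data());
    r.flat.assign(buf.data(), n);
    r.resolved = true;
    r.fibers.clear();
    r.substringBase.reset();
}

RopePtr makeFlat(std::string s) {
    auto r = std::make_shared<RopeString>();
    r->resolved = true; r->length = s.size(); r->flat = std::move(s);
    return r;
}
RopePtr makeConcat(RopePtr a, RopePtr b) {
    auto r = std::make_shared<RopeString>();
    r->length = a->length + b->length; r->fibers = {a, b};
    return r;
}
RopePtr makeSubstring(RopePtr base, size_t offset, size_t len) {
    if (!base->resolved) resolveRope(*base);           // invariant: base is never a rope
    auto r = std::make_shared<RopeString>();
    r->substringBase = base; r->substringOffset = offset; r->length = len;
    return r;
}

// Resolve into a stack buffer and probe the table; on a miss the rope stays unresolved.
const std::string* toExistingAtomicString(const RopeString& r, const AtomicTable& table) {
    char stackBuffer[64];
    if (r.length > sizeof stackBuffer) return nullptr;  // model limit only
    size_t n = resolveInto(r, stackBuffer);
    return table.find(std::string_view(stackBuffer, n));
}

// Reuse an existing entry when there is one; otherwise resolve and atomize.
const std::string* toAtomicString(RopeString& r, AtomicTable& table) {
    if (const std::string* existing = toExistingAtomicString(r, table)) return existing;
    resolveRope(r);
    return table.add(r.flat);
}

// "get" ++ substring("ElementById", 0, 7) == "getElement", built without copying the base.
RopePtr buildSample() { return makeConcat(makeFlat("get"), makeSubstring(makeFlat("ElementById"), 0, 7)); }

// Returns {found an existing entry, rope still unresolved} for a table pre-seeded with seed.
std::pair<bool, bool> probe(const std::string& seed) {
    AtomicTable table; table.add(seed);
    RopePtr rope = buildSample();
    return { toExistingAtomicString(*rope, table) != nullptr, !rope->resolved };
}

// Atomizing twice yields the same table entry; returns its text, or "" if the pointers differ.
std::string atomizeTwice() {
    AtomicTable table;
    RopePtr rope = buildSample();
    const std::string* a = toAtomicString(*rope, table);
    const std::string* b = toAtomicString(*rope, table);
    return a == b ? *a : std::string();
}
```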
3079 2014-05-02 Michael Saboff <msaboff@apple.com>
3081 "arm64 function not 4-byte aligned" warnings when building JSC
3082 https://bugs.webkit.org/show_bug.cgi?id=132495
3084 Reviewed by Geoffrey Garen.
3086 Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
3088 * llint/LowLevelInterpreter.cpp:
3090 2014-05-02 Mark Hahnenberg <mhahnenberg@apple.com>
3092 Fix cloop build after r168178
3094 * bytecode/CodeBlock.cpp:
3096 2014-05-01 Mark Hahnenberg <mhahnenberg@apple.com>
3098 Add a DFG function whitelist
3099 https://bugs.webkit.org/show_bug.cgi?id=132437
3101 Reviewed by Geoffrey Garen.
3103 Often times when debugging, using bytecode ranges isn't enough to narrow down to the
3104 particular DFG block that's causing issues. This patch adds the ability to whitelist
3105 specific functions specified in a file to enable further filtering without having to recompile.
3108 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3109 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3110 * JavaScriptCore.xcodeproj/project.pbxproj:
3111 * dfg/DFGCapabilities.cpp:
3112 (JSC::DFG::isSupported):
3113 (JSC::DFG::mightInlineFunctionForCall):
3114 (JSC::DFG::mightInlineFunctionForClosureCall):
3115 (JSC::DFG::mightInlineFunctionForConstruct):
3116 * dfg/DFGFunctionWhitelist.cpp: Added.
3117 (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
3118 (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
3119 (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
3120 (JSC::DFG::FunctionWhitelist::contains):
3121 * dfg/DFGFunctionWhitelist.h: Added.
3122 * runtime/Options.cpp:
3124 (JSC::Options::dumpOption):
3125 * runtime/Options.h:
3127 2014-05-02 Filip Pizlo <fpizlo@apple.com>
3129 DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
3130 https://bugs.webkit.org/show_bug.cgi?id=132446
3132 Reviewed by Mark Hahnenberg.
3134 Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
3135 our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
3136 to indicate a bound on the value. This is useful for knowing, for example, that
3137 Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
3138 ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
3139 But this means that all arithmetic operations must be careful to note that they may
3140 turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
3142 * dfg/DFGAbstractInterpreterInlines.h:
3143 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3144 * dfg/DFGByteCodeParser.cpp:
3145 (JSC::DFG::ByteCodeParser::makeSafe):
3146 * tests/stress/int52-ai-add-then-filter-int32.js: Added.
3148 * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
3150 * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
3152 * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
3154 * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
3156 * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
3159 2014-05-01 Geoffrey Garen <ggaren@apple.com>
3161 JavaScriptCore fails to build with some versions of clang
3162 https://bugs.webkit.org/show_bug.cgi?id=132436
3164 Reviewed by Anders Carlsson.
3166 * runtime/ArgumentsIteratorConstructor.cpp: Since we call
3167 putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
3168 and both are marked inline, it's valid for the compiler to decide
3169 to inline both and emit neither in the binary. Therefore, we need
3170 both inline definitions to be available in the translation unit at
3171 compile time, or we'll try to link against a function that doesn't exist.
3173 2014-05-01 Commit Queue <commit-queue@webkit.org>
3175 Unreviewed, rolling out r167964.
3176 https://bugs.webkit.org/show_bug.cgi?id=132431
3178 Memory improvements should not regress memory usage (Requested
3179 by olliej on #webkit).
3183 "Don't hold on to parameter BindingNodes forever"
3184 https://bugs.webkit.org/show_bug.cgi?id=132360
3185 http://trac.webkit.org/changeset/167964
3187 2014-05-01 Filip Pizlo <fpizlo@apple.com>
3189 Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
3190 https://bugs.webkit.org/show_bug.cgi?id=132427
3192 Reviewed by Mark Hahnenberg.
3194 * bytecode/CallLinkStatus.cpp:
3195 (JSC::CallLinkStatus::computeFor):
3197 2014-04-30 Simon Fraser <simon.fraser@apple.com>
3199 Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
3200 https://bugs.webkit.org/show_bug.cgi?id=132396
3202 Reviewed by Eric Carlson.
3204 Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
3206 * Configurations/FeatureDefines.xcconfig:
3208 2014-04-30 Filip Pizlo <fpizlo@apple.com>
3210 Argument flush formats should not be presumed to be JSValue since 'this' is weird
3211 https://bugs.webkit.org/show_bug.cgi?id=132404
3213 Reviewed by Michael Saboff.
3215 * dfg/DFGSpeculativeJIT.cpp:
3216 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
3217 * dfg/DFGSpeculativeJIT32_64.cpp:
3218 (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
3219 * dfg/DFGSpeculativeJIT64.cpp:
3220 (JSC::DFG::SpeculativeJIT::compile): Ditto.
3221 * dfg/DFGValueSource.cpp:
3222 (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
3223 * dfg/DFGValueSource.h:
3224 (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
3225 * ftl/FTLOSREntry.cpp:
3226 (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
3227 * tests/stress/strict-to-this-int.js: Added.
3229 (Number.prototype.valueOf):
3232 2014-04-29 Oliver Hunt <oliver@apple.com>
3234 Don't hold on to parameterBindingNodes forever
3235 https://bugs.webkit.org/show_bug.cgi?id=132360
3237 Reviewed by Geoffrey Garen.
3239 Don't keep the parameter nodes anymore. Instead we store the
3240 original parameter string and reparse whenever we actually
3241 need them. Because we only actually need them for compilation
3242 this only results in a single extra parse.
3244 * bytecode/UnlinkedCodeBlock.cpp:
3245 (JSC::generateFunctionCodeBlock):
3246 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3247 (JSC::UnlinkedFunctionExecutable::visitChildren):
3248 (JSC::UnlinkedFunctionExecutable::finishCreation):
3249 (JSC::UnlinkedFunctionExecutable::paramString):
3250 (JSC::UnlinkedFunctionExecutable::parameters):
3251 (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
3252 * bytecode/UnlinkedCodeBlock.h:
3253 (JSC::UnlinkedFunctionExecutable::create):
3254 (JSC::UnlinkedFunctionExecutable::parameterCount):
3255 (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
3256 (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
3257 * parser/ASTBuilder.h:
3258 (JSC::ASTBuilder::ASTBuilder):
3259 (JSC::ASTBuilder::setFunctionBodyParameters):
3261 (JSC::FunctionBodyNode::parametersStartOffset):
3262 (JSC::FunctionBodyNode::parametersEndOffset):
3263 (JSC::FunctionBodyNode::setParameterLocation):
3264 * parser/Parser.cpp:
3265 (JSC::Parser<LexerType>::parseFunctionInfo):
3266 (JSC::parseParameters):
3269 * parser/SourceCode.h:
3270 (JSC::SourceCode::subExpression):
3271 * parser/SyntaxChecker.h:
3272 (JSC::SyntaxChecker::setFunctionBodyParameters):
3274 2014-04-29 Mark Hahnenberg <mhahnenberg@apple.com>
3276 JSProxies should be cacheable
3277 https://bugs.webkit.org/show_bug.cgi?id=132351
3279 Reviewed by Geoffrey Garen.
3281 Whenever we encounter a proxy in an inline cache we should try to cache on the
3282 proxy's target instead of giving up.
3284 This patch adds support for a simple "recursive" inline cache if the base object
3285 we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
3286 are the only ones to benefit from this right now.
3288 This is performance neutral on the benchmarks we track. Currently we won't
3289 cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
3292 (JSC::generateByIdStub):
3293 (JSC::tryBuildGetByIDList):
3294 (JSC::tryCachePutByID):
3295 (JSC::tryBuildPutByIdList):
3297 (GlobalObject::finishCreation):
3298 (functionCreateProxy):
3299 * runtime/IntendedStructureChain.cpp:
3300 (JSC::IntendedStructureChain::isNormalized):
3301 * runtime/JSCellInlines.h:
3302 (JSC::JSCell::isProxy):
3303 * runtime/JSGlobalObject.h:
3304 (JSC::JSGlobalObject::finishCreation):
3305 * runtime/JSProxy.h:
3306 (JSC::JSProxy::createStructure):
3307 (JSC::JSProxy::targetOffset):
3309 * runtime/Operations.h:
3310 (JSC::isPrototypeChainNormalized):
3311 * runtime/Structure.h:
3312 (JSC::Structure::isProxy):
3313 * tests/stress/proxy-inline-cache.js: Added.
3314 (cacheOnTarget.getX):
3316 (cacheOnPrototypeOfTarget.getX):
3317 (cacheOnPrototypeOfTarget):
3318 (dontCacheOnProxyInPrototypeChain.getX):
3319 (dontCacheOnProxyInPrototypeChain):
3320 (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
3321 (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
3323 2014-04-29 Filip Pizlo <fpizlo@apple.com>
3325 Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
3326 https://bugs.webkit.org/show_bug.cgi?id=112840
3328 Rubber stamped by Geoffrey Garen.
3330 * Configurations/FeatureDefines.xcconfig:
3332 2014-04-29 Geoffrey Garen <ggaren@apple.com>
3334 String.prototype.trim removes U+200B from strings.
3335 https://bugs.webkit.org/show_bug.cgi?id=130184
3337 Reviewed by Michael Saboff.
3339 * runtime/StringPrototype.cpp:
3341 (JSC::isTrimWhitespace): Deleted.
3343 2014-04-29 Mark Lam <mark.lam@apple.com>
3345 Zombifying sweep should ignore retired blocks.
3346 <https://webkit.org/b/132344>
3348 Reviewed by Mark Hahnenberg.
3350 By definition, retired blocks do not have "dead" objects, or at least
3351 none that we know of yet until the next marking phase has been run
3352 over it. So, we should not be sweeping them (even for zombie mode).
3355 (JSC::Heap::zombifyDeadObjects):
3356 * heap/MarkedSpace.cpp:
3357 (JSC::MarkedSpace::zombifySweep):
3358 * heap/MarkedSpace.h:
3359 (JSC::ZombifySweep::operator()):
3361 2014-04-29 Mark Lam <mark.lam@apple.com>
3363 Fix bit rot in zombie mode heap code.
3364 <https://webkit.org/b/132342>
3366 Reviewed by Mark Hahnenberg.
3368 Need to enter a DelayedReleaseScope before doing a sweep.
3371 (JSC::Heap::zombifyDeadObjects):
3373 2014-04-29 Tomas Popela <tpopela@redhat.com>
3375 LLINT loadisFromInstruction doesn't need special case for big endians
3376 https://bugs.webkit.org/show_bug.cgi?id=132330
3378 Reviewed by Mark Lam.
3380 The change introduced in r167076 was wrong. We should not apply the offset
3381 adjustment on loadisFromInstruction usage as the instruction
2382 (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
3383 operand variable). The offset of the other union members will be the
3384 same as the offset of the first one, that is 0. The behavior here is the
3385 same on little and big endian architectures. Thus we don't need
3386 special case for big endians.
3388 * llint/LowLevelInterpreter.asm:
3390 2014-04-28 Mark Hahnenberg <mhahnenberg@apple.com>
3392 Simplify tryCacheGetById
3393 https://bugs.webkit.org/show_bug.cgi?id=132314
3395 Reviewed by Oliver Hunt and Filip Pizlo.
3397 This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
3400 (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
3402 2014-04-28 Michael Saboff <msaboff@apple.com>
3404 REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
3405 https://bugs.webkit.org/show_bug.cgi?id=132315
3407 Reviewed by Mark Hahnenberg.
3409 Used the StringImpl version of utf8() instead of creating a String first.
3411 * bytecode/CodeBlock.cpp:
3412 (JSC::CodeBlock::dumpBytecode):
3414 2014-04-28 Filip Pizlo <fpizlo@apple.com>
3416 The LLInt is awesome and it should get more of the action.
3418 Rubber stamped by Geoffrey Garen.
3420 5% speed-up on JSBench and no meaningful regressions. Should be a PLT/DYE speed-up also.
3422 * runtime/Options.h:
3424 2014-04-27 Filip Pizlo <fpizlo@apple.com>
3426 GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
3427 https://bugs.webkit.org/show_bug.cgi?id=132166
3429 Reviewed by Oliver Hunt and Mark Hahnenberg.
3431 The GC can aid type inference by removing structures that are dead and jettisoning
3432 code that relies on those structures. This can dramatically accelerate type inference
3433 for some tricky programs.
3435 Unfortunately, we previously pinned any structures that enqueued compilations depended
3436 on. This means that if you're on a machine that only runs a single compilation thread
3437 and where compilations are relatively slow,&nb