2013-03-12  Gabor Rapcsanyi  <rgabor@webkit.org>

        Making more sophisticated cache flush on ARM Linux platform
        https://bugs.webkit.org/show_bug.cgi?id=111854

        Reviewed by Zoltan Herczeg.

        The cache flush on ARM Linux invalidates whole pages
        instead of just the required area.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::linuxPageFlush):
        (JSC::ARMAssembler::cacheFlush):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::linuxPageFlush):
        (JSC::ARMv7Assembler::cacheFlush):

2013-03-12  Gabor Rapcsanyi  <rgabor@webkit.org>

        Renaming the armv7.rb LLINT backend to arm.rb
        https://bugs.webkit.org/show_bug.cgi?id=110565

        Reviewed by Zoltan Herczeg.

        This is the first step of a unified ARM backend for
        all ARM 32 bit architectures in LLInt.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * LLIntOffsetsExtractor.pro:
        * offlineasm/arm.rb: Copied from Source/JavaScriptCore/offlineasm/armv7.rb.
        * offlineasm/armv7.rb: Removed.
        * offlineasm/backends.rb:

2013-03-12  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r145482): It broke 33 jsc tests and zillion layout tests on all platform
        https://bugs.webkit.org/show_bug.cgi?id=112112

        Reviewed by Oliver Hunt.

        Rolling out https://trac.webkit.org/changeset/145482 to unbreak the bots.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h:
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2013-03-12  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation phase should not rerun forward propagation if double voting has already converged
        https://bugs.webkit.org/show_bug.cgi?id=111920

        Reviewed by Oliver Hunt.

        I don't know why we weren't exiting early after double voting if !m_changed.

        This change also removes backwards propagation from the voting fixpoint, since at that
        point short-circuiting loops is probably not particularly profitable. Profiling shows
        that this reduces the time spent in prediction propagation even further.

        This change appears to be a 1% SunSpider speed-up.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):

2013-03-11  Filip Pizlo  <fpizlo@apple.com>

        DFG overflow check elimination is too smart for its own good
        https://bugs.webkit.org/show_bug.cgi?id=111832

        Reviewed by Oliver Hunt and Gavin Barraclough.

        Rolling this back in after fixing accidental misuse of JSValue. The code was doing value < someInt
        rather than value.asInt32() < someInt. This "worked" when isWithinPowerOfTwo wasn't templatized.
        It worked by always being false and always disabling the relevant optimization.

        This improves overflow check elimination in three ways:

        1) It reduces the amount of time the compiler will spend doing it.

        2) It fixes bugs where overflow check elimination was overzealous. Precisely, for a binary operation
        over @a and @b where both @a and @b will type check that their inputs (@a->children, @b->children)
        are int32's and then perform a possibly-overflowing operation, we must be careful not to assume
        that @a's non-int32 parts don't matter if at the point that @a runs we have as yet not proved that
        @b->children are int32's and that hence @b might produce a large enough result that doubles would
        start chopping low bits. The specific implication of this is that for a binary operation to not
        propagate that it cares about non-int32 parts (NodeUsedAsNumber), we must prove that at least one
        of the inputs is guaranteed to produce a result within 2^32 and that there won't be a tower of such
        operations large enough to ultimately produce a double greater than 2^52 (roughly). We achieve the
        latter by disabling this optimization for very large basic blocks. It's noteworthy that blocks that
        large won't even make it into the DFG currently.

        3) It makes the overflow check elimination more precise for cases where the inputs to an Add or Sub
        are the outputs of a bit-op. For example in (@a + (@b | 0)) | 0, we don't need to propagate
        NodeUsedAsNumber to either @a or @b.

        This is neutral on V8v7 and a slight speed-up on compile time benchmarks.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Added.
        (BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::run):
        (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
        (JSC::DFG::BackwardsPropagationPhase::isNotZero):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        (JSC::DFG::performBackwardsPropagation):
        * dfg/DFGBackwardsPropagationPhase.h: Added.
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::clearIsLoadedFrom):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::setIsLoadedFrom):
        (JSC::DFG::VariableAccessData::isLoadedFrom):

2013-03-11  Oliver Hunt  <oliver@apple.com>

        Harden JSStringJoiner
        https://bugs.webkit.org/show_bug.cgi?id=112093

        Reviewed by Filip Pizlo.

        Harden JSStringJoiner, make it use our CheckedArithmetic
        class to simplify everything.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h:
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

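The entry above moves JSStringJoiner's length arithmetic onto the CheckedArithmetic class. The C++ below is an added illustration and not WebKit's Checked or JSStringJoiner code: a minimal checked 32-bit accumulator (constructed here, with the sticky overflow flag idea) beside the plain unsigned computation of the joined length of n strings plus n-1 separators, showing that a wrapped total silently under-sizes the output buffer while the checked version reports the overflow instead; lengths are uint32_t because JSC string lengths are 32 bits wide.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Minimal stand-in for a checked-arithmetic accumulator (constructed for this
// example): once any operation overflows, the flag is set and stays set, so one
// check at the end covers the whole computation.
class CheckedUint32 {
public:
    CheckedUint32() : m_value(0), m_overflowed(false) {}
    explicit CheckedUint32(uint32_t v) : m_value(v), m_overflowed(false) {}

    CheckedUint32& operator+=(uint32_t rhs) {
        if (m_value > UINT32_MAX - rhs)
            m_overflowed = true;
        m_value += rhs; // wraps, but the flag remembers that it did
        return *this;
    }
    CheckedUint32& operator*=(uint32_t rhs) {
        if (rhs != 0 && m_value > UINT32_MAX / rhs)
            m_overflowed = true;
        m_value *= rhs;
        return *this;
    }
    bool hasOverflowed() const { return m_overflowed; }
    // Only meaningful when hasOverflowed() is false.
    uint32_t unsafeGet() const { return m_value; }

private:
    uint32_t m_value;
    bool m_overflowed;
};

// Length of join(strings, separator) with plain unsigned arithmetic. A wrap here
// yields a small total, so a buffer sized from it is shorter than the data that
// a subsequent append loop would copy into it.
uint32_t joinedLengthUnchecked(const std::vector<uint32_t>& lengths, uint32_t separatorLength) {
    uint32_t total = 0;
    for (uint32_t len : lengths)
        total += len;
    if (!lengths.empty())
        total += separatorLength * static_cast<uint32_t>(lengths.size() - 1);
    return total;
}

// The same computation through the checked accumulator. Returns false when the
// total does not fit in 32 bits, so the caller can fail (e.g. throw an
// out-of-memory error) instead of allocating from a wrapped length.
bool joinedLengthChecked(const std::vector<uint32_t>& lengths, uint32_t separatorLength, uint32_t& outLength) {
    CheckedUint32 total;
    for (uint32_t len : lengths)
        total += len;
    if (!lengths.empty()) {
        CheckedUint32 separators(separatorLength);
        separators *= static_cast<uint32_t>(lengths.size() - 1);
        if (separators.hasOverflowed())
            return false;
        total += separators.unsafeGet();
    }
    if (total.hasOverflowed())
        return false;
    outLength = total.unsafeGet();
    return true;
}

int main() {
    // Constructed inputs: an ordinary join, and one whose element lengths sum past 2^32.
    std::vector<uint32_t> normal = {3, 4, 5};
    std::vector<uint32_t> huge = {0xFFFFFFF0u, 0x20u};
    uint32_t length = 0;

    bool normalOk = joinedLengthChecked(normal, 2, length);
    std::printf("normal: unchecked=%u checked_ok=%d length=%u\n",
                joinedLengthUnchecked(normal, 2), static_cast<int>(normalOk), length);
    bool hugeOk = joinedLengthChecked(huge, 0, length);
    std::printf("huge:   unchecked=%u checked_ok=%d\n",
                joinedLengthUnchecked(huge, 0), static_cast<int>(hugeOk));
    return 0;
}
```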
2013-03-11  Michael Saboff  <msaboff@apple.com>

        Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only)
        https://bugs.webkit.org/show_bug.cgi?id=112067

        Reviewed by Geoffrey Garen.

        We weren't setting the tag in SetCallee. Therefore set it to CellTag.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-11  Oliver Hunt  <oliver@apple.com>

        Make SegmentedVector Noncopyable
        https://bugs.webkit.org/show_bug.cgi?id=112059

        Reviewed by Geoffrey Garen.

        Copying a SegmentedVector is very expensive, and really shouldn't
        be necessary. So I've taken the one place where we currently copy
        and replaced it with a regular Vector, and replaced the address
        dependent logic with an indexing ref instead.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::emitComplexJumpScopes):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/LabelScope.h:
        (JSC::LabelScopePtr::LabelScopePtr):
        (JSC::LabelScopePtr::operator=):
        (JSC::LabelScopePtr::~LabelScopePtr):
        (JSC::LabelScopePtr::operator*):
        (JSC::LabelScopePtr::operator->):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::LabelNode::emitBytecode):

2013-03-10  Andreas Kling  <akling@apple.com>

        SpeculativeJIT should use OwnPtr<SlowPathGenerator>.
        <http://webkit.org/b/111942>

        Reviewed by Anders Carlsson.

        There's no need to include DFGSlowPathGenerator.h from the header as long as the destructor is out-of-line,
        so let's use OwnPtr instead of raw pointers + deleteAllValues().

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
        * dfg/DFGSpeculativeJIT.h:

2013-03-09  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r145299.
        http://trac.webkit.org/changeset/145299
        https://bugs.webkit.org/show_bug.cgi?id=111928

        compilation failure with recent clang
        (DFGBackwardsPropagationPhase.cpp:132:35: error: comparison of
        constant 10 with expression of type 'bool' is always false)
        (Requested by thorton on #webkit).

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Removed.
        * dfg/DFGBackwardsPropagationPhase.h: Removed.
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::isNotZero):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (VariableAccessData):

2013-03-08  Filip Pizlo  <fpizlo@apple.com>

        DFG overflow check elimination is too smart for its own good
        https://bugs.webkit.org/show_bug.cgi?id=111832

        Reviewed by Oliver Hunt and Gavin Barraclough.

        This improves overflow check elimination in three ways:

        1) It reduces the amount of time the compiler will spend doing it.

        2) It fixes bugs where overflow check elimination was overzealous. Precisely, for a binary operation
        over @a and @b where both @a and @b will type check that their inputs (@a->children, @b->children)
        are int32's and then perform a possibly-overflowing operation, we must be careful not to assume
        that @a's non-int32 parts don't matter if at the point that @a runs we have as yet not proved that
        @b->children are int32's and that hence @b might produce a large enough result that doubles would
        start chopping low bits. The specific implication of this is that for a binary operation to not
        propagate that it cares about non-int32 parts (NodeUsedAsNumber), we must prove that at least one
        of the inputs is guaranteed to produce a result within 2^32 and that there won't be a tower of such
        operations large enough to ultimately produce a double greater than 2^52 (roughly). We achieve the
        latter by disabling this optimization for very large basic blocks. It's noteworthy that blocks that
        large won't even make it into the DFG currently.

        3) It makes the overflow check elimination more precise for cases where the inputs to an Add or Sub
        are the outputs of a bit-op. For example in (@a + (@b | 0)) | 0, we don't need to propagate
        NodeUsedAsNumber to either @a or @b.

        This is neutral on V8v7 and a slight speed-up on compile time benchmarks.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Added.
        (BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::run):
        (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
        (JSC::DFG::BackwardsPropagationPhase::isNotZero):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        (JSC::DFG::performBackwardsPropagation):
        * dfg/DFGBackwardsPropagationPhase.h: Added.
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::clearIsLoadedFrom):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::setIsLoadedFrom):
        (JSC::DFG::VariableAccessData::isLoadedFrom):

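The two "overflow check elimination is too smart for its own good" entries (2013-03-11 and 2013-03-08) argue that a binary Add may only stop propagating NodeUsedAsNumber when no tower of such operations can push a double intermediate past roughly 2^52, because above 2^53 a double no longer holds every integer and the low bits that a final | 0 would keep get rounded away. The C++ below is an added illustration, not JavaScriptCore code: it implements ECMAScript ToInt32 on a double, then evaluates a chain of int32 adds once with a double accumulator (what the unspeculated JavaScript semantics compute) and once with exact wrapping int32 arithmetic (what an int32-speculated chain computes); the short chain and the tower of 2^22 + 1 copies of INT32_MAX are constructed inputs.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <vector>

// ECMAScript ToInt32 on a double, i.e. what "x | 0" computes: truncate toward
// zero, reduce modulo 2^32, then map the result into the signed int32 range.
int32_t toInt32(double d) {
    if (!std::isfinite(d))
        return 0;
    double m = std::fmod(std::trunc(d), 4294967296.0);
    if (m < 0)
        m += 4294967296.0;
    uint32_t u = static_cast<uint32_t>(m);
    if (u >= 2147483648u)
        return static_cast<int32_t>(u - 2147483648u) + INT32_MIN;
    return static_cast<int32_t>(u);
}

// Exact wrapping int32 add: the result an int32-speculated Add produces
// (written without relying on implementation-defined narrowing casts).
int32_t wrappingAdd(int32_t a, int32_t b) {
    uint32_t sum = static_cast<uint32_t>(a) + static_cast<uint32_t>(b);
    if (sum >= 2147483648u)
        return static_cast<int32_t>(sum - 2147483648u) + INT32_MIN;
    return static_cast<int32_t>(sum);
}

// (((v0 + v1) + v2) + ...) | 0 with every intermediate held as a double.
// volatile keeps each partial sum at 64-bit double precision even on builds
// that would otherwise keep it in a wider x87 register.
int32_t sumAsDoubleThenToInt32(const std::vector<int32_t>& values) {
    volatile double acc = 0.0;
    for (int32_t v : values)
        acc = acc + static_cast<double>(v);
    return toInt32(acc);
}

// The same chain with every intermediate kept as a wrapping int32.
int32_t sumWrapping(const std::vector<int32_t>& values) {
    int32_t acc = 0;
    for (int32_t v : values)
        acc = wrappingAdd(acc, v);
    return acc;
}

// Index of the first add whose double partial sum exceeds 2^53 (from then on
// the double can drop low bits), or -1 if the whole chain stays below it.
long firstStepPast2To53(const std::vector<int32_t>& values) {
    const double twoTo53 = 9007199254740992.0;
    volatile double acc = 0.0;
    for (size_t i = 0; i < values.size(); ++i) {
        acc = acc + static_cast<double>(values[i]);
        if (std::fabs(acc) > twoTo53)
            return static_cast<long>(i);
    }
    return -1;
}

// Constructed inputs. Every partial sum of the short chain fits in 53 bits, so
// both evaluations agree. The tower's 2^22-th partial sum is 2^53 - 2^22 (still
// exact); the next add lands on the odd value 2^53 + 2143289343, which a double
// rounds (ties to even) to 2^53 + 2143289344, so the final | 0 is off by one.
std::vector<int32_t> shortChain() {
    return {2147483647, 2147483647, 2147483647, 5};
}

std::vector<int32_t> tallTower() {
    return std::vector<int32_t>(4194305, 2147483647);
}

int main() {
    std::printf("short chain: wrapping=%d double=%d\n",
                sumWrapping(shortChain()), sumAsDoubleThenToInt32(shortChain()));
    std::printf("tall tower:  wrapping=%d double=%d (first add past 2^53 at index %ld)\n",
                sumWrapping(tallTower()), sumAsDoubleThenToInt32(tallTower()),
                firstStepPast2To53(tallTower()));
    return 0;
}
```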
2013-03-08  Roger Fong  <roger_fong@apple.com>

        * JavaScriptCore.vcxproj/JavaScriptCore.make:

2013-03-08  Gabor Rapcsanyi  <rgabor@webkit.org>

        Cache flush problem on ARMv7 JSC
        https://bugs.webkit.org/show_bug.cgi?id=111441

        Reviewed by Zoltan Herczeg.

        Not proper cache flush causing random crashes on ARMv7 Linux with V8 tests.
        The problem is similar to https://bugs.webkit.org/show_bug.cgi?id=77712.
        Change the cache flush mechanism similar to ARM traditional and revert the

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::cacheFlush):

2013-03-07  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION (r143759): 40% JSBench regression, 20% Octane/closure regression, 40% Octane/jquery regression, 2% Octane regression
        https://bugs.webkit.org/show_bug.cgi?id=111797

        Reviewed by Oliver Hunt.

        The bot's testing configuration stresses the cache's starting guess

        This patch removes any starting guess, and just uses wall clock time
        to discover the initial working set size of an app, in code size.

        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase): Update our timer as we go.

        Also fixed a bug where pruning from 0 to 0 would hang -- that case is
        a possibility now that we start with a capacity of 0.

        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::CodeCacheMap):
        (JSC::CodeCacheMap::add):
        (JSC::CodeCacheMap::prune): Don't prune if we're in the middle of
        discovering the working set size of an app, in code size.

2013-03-07  Michael Saboff  <msaboff@apple.com>

        Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article
        https://bugs.webkit.org/show_bug.cgi?id=111777

        Reviewed by Filip Pizlo.

        Moved register allocations to be above any generated control flow so that any
        resulting spill would be visible to all subsequently generated code.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-07  Filip Pizlo  <fpizlo@apple.com>

        DFG should not get corrupted IR in the case of code that is dead, unreachable, and contains a chain of nodes that use each other in an untyped way
        https://bugs.webkit.org/show_bug.cgi?id=111783

        Reviewed by Mark Hahnenberg.

        Unreachable code is not touched by CFA and so thinks that even untyped uses are checked.
        But dead untyped uses don't need checks and hence don't need to be Phantom'd. The DCE knew
        this in findTypeCheckRoot() but not in eliminateIrrelevantPhantomChildren(), leading to a
        Phantom node that had another Phantom node as one of its kids.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):

2013-03-07  Filip Pizlo  <fpizlo@apple.com>

        The DFG fixpoint is not strictly profitable, and should be straight-lined
        https://bugs.webkit.org/show_bug.cgi?id=111764

        Reviewed by Oliver Hunt and Geoffrey Garen.

        The DFG previously ran optimizations to fixpoint because there exists a circular dependency:

        CSE depends on CFG simplification: CFG simplification merges blocks, and CSE is block-local.

        CFG simplification depends on CFA and constant folding: constant folding reveals branches on

        CFA depends on CSE: CSE reveals must-alias relationships by proving that two operations
        always produce identical values.

        Arguments simplification also depends on CSE, but it ought not depend on anything else.

        Hence we get a cycle like: CFA -> folding -> CFG -> CSE -> CFA.

        Note that before we had sparse conditional CFA, we also had CFA depending on CFG. This ought
        not be the case anymore: CFG simplification should not by itself lead to better CFA results.

        My guess is that the weakest link in this cycle is CFG -> CSE. CSE cuts both ways: if you
        CSE too much then you increase register pressure. Hence it's not clear that you always want
        to CSE after simplifying control flow. This leads to an order of optimization as follows:

        CSE -> arguments -> CFA -> folding -> CFG

        This is a 2.5% speed-up on SunSpider, a 4% speed-up on V8Spider, a possible 0.3% slow-down
        on V8v7, nothing on Kraken, and 1.2% speed-up in the JSRegress geomean. I'll take a 2.5%
        speed-up over a 0.3% V8v7 speed-up.

2013-03-07  Roger Fong  <roger_fong@apple.com>

        Build fix for AppleWin VS2010.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Need a good way to reference event handlers without causing cycles
        https://bugs.webkit.org/show_bug.cgi?id=111088

        Reviewed by Geoffrey Garen.

        JSManagedValue is like a special kind of weak value. When you create a JSManagedValue, you can
        supply an Objective-C object as its "owner". As long as the Objective-C owner object remains
        alive and its wrapper remains accessible to the JSC garbage collector (e.g. by being marked by
        the global object), the reference to the JavaScript value is strong. As soon as the Objective-C
        owner is deallocated or its wrapper becomes inaccessible to the garbage collector, the reference

        If you do not supply an owner or you use the weakValueWithValue: convenience class method, the
        returned JSManagedValue behaves as a normal weak reference.

        This new class allows clients to maintain references to JavaScript values in the Objective-C
        heap without creating reference cycles/leaking memory.

        * API/JSAPIWrapperObject.cpp: Added.
        (JSC::::createStructure):
        (JSC::JSAPIWrapperObject::JSAPIWrapperObject): This is a special JSObject for the Objective-C API that knows
        for the purposes of garbage collection/marking that it wraps an opaque Objective-C object.
        (JSC::JSAPIWrapperObject::visitChildren): We add the pointer to the wrapped Objective-C object to the set of
        opaque roots so that the weak handle owner for JSManagedValues can find it later.
        * API/JSAPIWrapperObject.h: Added.
        (JSAPIWrapperObject):
        (JSC::JSAPIWrapperObject::wrappedObject):
        (JSC::JSAPIWrapperObject::setWrappedObject):
        (JSSynchronousGarbageCollect):
        * API/JSBasePrivate.h:
        * API/JSCallbackObject.cpp:
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::destroy): Moved this to the header so that we don't get link errors with JSAPIWrapperObject.
        (-[JSContext initWithVirtualMachine:]): We weren't adding manually allocated/initialized JSVirtualMachine objects to
        the global cache of virtual machines. The init methods handle this now rather than contextWithGlobalContextRef, since
        not everyone is guaranteed to use the latter.
        (-[JSContext initWithGlobalContextRef:]):
        (+[JSContext contextWithGlobalContextRef:]):
        * API/JSManagedValue.h: Added.
        * API/JSManagedValue.mm: Added.
        (JSManagedValueHandleOwner):
        (managedValueHandleOwner):
        (+[JSManagedValue weakValueWithValue:]):
        (+[JSManagedValue managedValueWithValue:owner:]):
        (-[JSManagedValue init]): We explicitly call the ARC entrypoints to initialize/get the weak owner field since we don't
        use ARC when building our framework.
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue initWithValue:owner:]):
        (-[JSManagedValue dealloc]):
        (-[JSManagedValue value]):
        (-[JSManagedValue weakOwner]):
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): If the Objective-C owner is still alive (i.e. loading the weak field
        returns non-nil) and that value was added to the set of opaque roots by the wrapper for that Objective-C owner, then the
        JSObject to which the JSManagedObject refers is still alive.
        * API/JSObjectRef.cpp: We have to add explicit checks for the JSAPIWrapperObject, just like the other types of JSCallbackObjects.
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (objectToValueWithoutCopy):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
        * API/JSWrapperMap.mm:
        (makeWrapper): This is our own internal version of JSObjectMake which creates JSAPIWrapperObjects, the Obj-C API
        version of JSCallbackObjects.
        (createObjectWithCustomBrand):
        (-[JSObjCClassInfo wrapperForObject:]):
        (tryUnwrapObjcObject):
        * API/JavaScriptCore.h:
        * API/tests/testapi.mm: Added new tests for the strong and weak uses of JSManagedValue in the context of an
        onclick handler for an Objective-C object inserted into a JSContext.
        (-[TextXYZ setWeakOnclick:]):
        (-[TextXYZ setOnclick:]):
        (-[TextXYZ weakOnclick]):
        (-[TextXYZ onclick]):
        * CMakeLists.txt: Various build system additions.
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalObject.cpp: Added the new canonical Structure for the JSAPIWrapperObject class.
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objcWrapperObjectStructure):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        ConvertThis should be turned into Identity based on predictions in Fixup, rather than based on proofs in ConstantFolding
        https://bugs.webkit.org/show_bug.cgi?id=111674

        Reviewed by Oliver Hunt.

        This gets rid of the speculated forms of ConvertThis in the backend, and has Fixup
        convert them to either Identity(Object:@child) if the child is predicted object, or
        Phantom(Other:@child) ; WeakJSConstant(global this object) if it's predicted Other.

        The goal of this is to ensure that the optimization fixpoint doesn't create
        Identity's, since doing so requires a rerun of CSE. So far this isn't a speed-up
        but I'm hoping this will be a step towards reducing the need to rerun the fixpoint
        so as to ultimately reduce compile times.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAssemblyHelpers.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
        (JSC::DFG::Graph::globalThisObjectFor):
        (JSC::DFG::Node::convertToIdentity):
        (JSC::DFG::Node::convertToWeakConstant):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-07  Peter Gal  <galpeter@inf.u-szeged.hu>

        Children method in LLINT AST Not class should return [@child]
        https://bugs.webkit.org/show_bug.cgi?id=90740

        Reviewed by Filip Pizlo.

        * offlineasm/ast.rb: Fixed the return value of the children method in the Not AST class.

2013-03-05  Oliver Hunt  <oliver@apple.com>

        Bring back eager resolution of function scoped variables
        https://bugs.webkit.org/show_bug.cgi?id=111497

        Reviewed by Geoffrey Garen.

        This reverts the get/put_scoped_var part of the great non-local
        variable resolution refactoring. This still leaves all the lazy
        variable resolution logic as it's necessary for global property
        resolution, and I don't want to make the patch bigger than it

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::padOpcodeName):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (UnlinkedFunctionExecutable):
        (JSC::UnlinkedCodeBlock::usesGlobalObject):
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister):
        (JSC::UnlinkedCodeBlock::globalObjectRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitLoadGlobalObject):
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetStaticVar):
        (JSC::BytecodeGenerator::emitPutStaticVar):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult::lexicalResolve):
        (JSC::ResolveResult::isStatic):
        (JSC::ResolveResult::depth):
        (JSC::ResolveResult::index):
        (JSC::ResolveResult::ResolveResult):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::debugFail):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        (JSC::JIT::privateCompileMainPass):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/144989

        I think we want the assertion that I removed.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::merge):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGAbstractState.h:

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        DFG::AbstractState::merge() is still more complicated than it needs to be
        https://bugs.webkit.org/show_bug.cgi?id=111619

        Reviewed by Mark Hahnenberg.

        This method is the one place where we still do some minimal amount of liveness pruning, but the style with
        which it is written is awkward, and it makes an assertion about variablesAtTail that will be invalidated
        by https://bugs.webkit.org/show_bug.cgi?id=111539.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::merge):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGAbstractState.h:

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        DFG should not run full CSE after the optimization fixpoint, since it really just wants store elimination
        https://bugs.webkit.org/show_bug.cgi?id=111536

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        The fixpoint will do aggressive load elimination and pure CSE. There's no need to do it after the fixpoint.
        On the other hand, the fixpoint does not profit from doing store elimination (except for SetLocal/Flush).
        Previously we had CSE do both, and had it avoid doing some store elimination during the fixpoint by querying
        the fixpoint state. This changes CSE to be templated on mode - either NormalCSE or StoreElimination - so
        that we explicitly put it into one of those modes depending on where we call it from. The goal is to reduce
        time spent doing load elimination after the fixpoint, since that is just wasted cycles.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (JSC::DFG::performCSE):
        (JSC::DFG::performStoreElimination):

2013-03-06  Andreas Kling  <akling@apple.com>

        Pack Structure members better.
        <http://webkit.org/b/111593>
        <rdar://problem/13359200>

        Reviewed by Mark Hahnenberg.

        Shrink Structure by 8 bytes (now at 104 bytes) on 64-bit by packing the members better.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:

2013-03-06  Andreas Kling  <akling@apple.com>

        Unreviewed, fix Windows build after r144910.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:

2013-03-05  Filip Pizlo  <fpizlo@apple.com>

        DFG should not check if nodes are shouldGenerate prior to DCE
        https://bugs.webkit.org/show_bug.cgi?id=111520

        Reviewed by Geoffrey Garen.

        All nodes are live before DCE. We don't need to check that they aren't, because they

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (JSC::DFG::CSEPhase::constantCSE):
        (JSC::DFG::CSEPhase::weakConstantCSE):
        (JSC::DFG::CSEPhase::getCalleeLoadElimination):
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
        (JSC::DFG::CSEPhase::globalVarStoreElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::getLocalLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):

859 2013-03-06 Csaba Osztrogonác <ossy@webkit.org>
861 Fix unused parameter warnings in ARM assembler
862 https://bugs.webkit.org/show_bug.cgi?id=111433
864 Reviewed by Kentaro Hara.
866 * assembler/ARMAssembler.h: Remove unreachable revertJump() after r143346.
867 * assembler/MacroAssemblerARM.h:
868 (JSC::MacroAssemblerARM::moveIntsToDouble): Remove unused scratch parameter instead of UNUSED_PARAM.
869 (JSC::MacroAssemblerARM::branchConvertDoubleToInt32): Remove unused fpTemp parameter.
870 (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch): Remove unused parameters.
872 2013-03-06 Andreas Kling <akling@apple.com>
874 Unused Structure property tables waste 14MB on Membuster.
875 <http://webkit.org/b/110854>
876 <rdar://problem/13292104>
878 Reviewed by Geoffrey Garen.
880 Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
881 14 MB progression on Membuster3.
883 This time it should stick; I've been through all the tests with COLLECT_ON_EVERY_ALLOCATION.
884 The issue with the last version was that Structure::m_offset could be used uninitialized
885 when re-materializing a previously GC'd property table, causing some sanity checks to fail.
888 * GNUmakefile.list.am:
889 * JavaScriptCore.gypi:
890 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
891 * JavaScriptCore.xcodeproj/project.pbxproj:
894 Added PropertyTable.cpp.
896 * runtime/PropertyTable.cpp: Added.
897 (JSC::PropertyTable::create):
898 (JSC::PropertyTable::clone):
899 (JSC::PropertyTable::PropertyTable):
900 (JSC::PropertyTable::destroy):
901 (JSC::PropertyTable::~PropertyTable):
902 (JSC::PropertyTable::visitChildren):
904 Moved marking of property table values here from Structure::visitChildren().
906 * runtime/WriteBarrier.h:
907 (JSC::WriteBarrierBase::get):
909 Move m_cell to a local before using it multiple times. This avoids a multiple-access race when
910 Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread
911 zaps the property table.
913 * runtime/Structure.h:
914 (JSC::Structure::materializePropertyMapIfNecessary):
915 (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
916 * runtime/StructureInlines.h:
917 (JSC::Structure::propertyTable):
919 Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active.
920 Because GC can zap an unpinned property table at any time, it's not entirely safe to access it.
921 Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves.
923 (JSC::Structure::putWillGrowOutOfLineStorage):
924 (JSC::Structure::checkOffsetConsistency):
926 Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable.
928 * runtime/Structure.cpp:
929 (JSC::Structure::visitChildren):
931 Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.
933 (JSC::Structure::takePropertyTableOrCloneIfPinned):
935 Added for setting up the property table in a new transition, this code is now shared between
936 addPropertyTransition() and nonPropertyTransition().
938 * runtime/JSGlobalData.h:
939 * runtime/JSGlobalData.cpp:
940 (JSC::JSGlobalData::JSGlobalData):
942 Add a global propertyTableStructure.
944 * runtime/PropertyMapHashTable.h:
946 (JSC::PropertyTable::createStructure):
947 (JSC::PropertyTable::copy):
949 Make PropertyTable a GC object.
951 * runtime/Structure.cpp:
952 (JSC::Structure::dumpStatistics):
953 (JSC::Structure::materializePropertyMap):
954 (JSC::Structure::despecifyDictionaryFunction):
955 (JSC::Structure::addPropertyTransition):
956 (JSC::Structure::changePrototypeTransition):
957 (JSC::Structure::despecifyFunctionTransition):
958 (JSC::Structure::attributeChangeTransition):
959 (JSC::Structure::toDictionaryTransition):
960 (JSC::Structure::sealTransition):
961 (JSC::Structure::freezeTransition):
962 (JSC::Structure::preventExtensionsTransition):
963 (JSC::Structure::nonPropertyTransition):
964 (JSC::Structure::isSealed):
965 (JSC::Structure::isFrozen):
966 (JSC::Structure::flattenDictionaryStructure):
967 (JSC::Structure::pin):
968 (JSC::Structure::copyPropertyTable):
969 (JSC::Structure::copyPropertyTableForPinning):
970 (JSC::Structure::get):
971 (JSC::Structure::despecifyFunction):
972 (JSC::Structure::despecifyAllFunctions):
973 (JSC::Structure::putSpecificValue):
974 (JSC::Structure::remove):
975 (JSC::Structure::createPropertyMap):
976 (JSC::Structure::getPropertyNamesFromStructure):
977 (JSC::Structure::checkConsistency):
979 2013-03-05 Filip Pizlo <fpizlo@apple.com>
981 Get rid of the invert argument to SpeculativeJIT::jumpSlowForUnwantedArrayMode
982 https://bugs.webkit.org/show_bug.cgi?id=105624
984 Reviewed by Oliver Hunt.
986 All callers pass invert = false, which is the default value of the argument. So, get
987 rid of the argument and fold away all code that checks it.
989 * dfg/DFGSpeculativeJIT.cpp:
990 (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
991 * dfg/DFGSpeculativeJIT.h:
994 2013-03-05 Filip Pizlo <fpizlo@apple.com>
996 Unreviewed, fix an incorrect comment. The comment was a holdover from a work-in-progress version of this code.
998 * dfg/DFGDCEPhase.cpp:
999 (JSC::DFG::DCEPhase::run):
1001 2013-03-04 Filip Pizlo <fpizlo@apple.com>
1003 DFG DCE might eliminate checks unsoundly
1004 https://bugs.webkit.org/show_bug.cgi?id=109389
1006 Reviewed by Oliver Hunt.
1008 This gets rid of all eager reference counting, and does all dead code elimination
1009 in one phase - the DCEPhase. This phase also sets up the node reference counts,
1010 which are then used not just for DCE but also register allocation and stack slot
1013 Doing this required a number of surgical changes in places that previously relied
1014 on always having liveness information. For example, the structure check hoisting
1015 phase must now consult whether a VariableAccessData is profitable for unboxing to
1016 make sure that it doesn't try to do hoisting on set SetLocals. The arguments
1017 simplification phase employs its own light-weight liveness analysis. Both phases
1018 previously just used reference counts.
1020 The largest change is that now, dead nodes get turned into Phantoms. Those
1021 Phantoms will retain those child edges that are not proven. This ensures that any
1022 type checks performed by a dead node remain even after the node is killed. On the
1023 other hand, this Phantom conversion means that we need special handling for
1024 SetLocal. I decided to make the four forms of SetLocal explicit:
1026 MovHint(@a, rK): Just indicates that node @a contains the value that would have
1027 now been placed into virtual register rK. Does not actually cause @a to be
1028 stored into rK. This would have previously been a dead SetLocal with @a
1029 being live. MovHints are always dead.
1031 ZombieHint(rK): Indicates that at this point, register rK will contain a dead
1032 value and OSR should put Undefined into it. This would have previously been
1033 a dead SetLocal with @a being dead also. ZombieHints are always dead.
1035 MovHintAndCheck(@a, rK): Identical to MovHint except @a is also type checked,
1036 according to whatever UseKind the edge to @a has. The type check is always a
1037 forward exit. MovHintAndChecks are always live, since they are
1038 NodeMustGenerate. Previously this would have been a dead SetLocal with a
1039 live @a, and the check would have disappeared. This is one of the bugs that
1042 SetLocal(@a, rK): This still does exactly what it does now, if the SetLocal is
1045 Basically this patch makes it so that dead SetLocals eventually decay to MovHint,
1046 ZombieHint, or MovHintAndCheck depending on the situation. If the child @a is
1047 also dead, then you get a ZombieHint. If the child @a is live but the SetLocal
1048 has a type check and @a's type hasn't been proven to have that type then you get
1049 a MovHintAndCheck. Otherwise you get a MovHint.
1051 This is performance neutral.
1054 * GNUmakefile.list.am:
1055 * JavaScriptCore.xcodeproj/project.pbxproj:
1057 * dfg/DFGAbstractState.cpp:
1058 (JSC::DFG::AbstractState::executeEffects):
1059 (JSC::DFG::AbstractState::mergeStateAtTail):
1060 * dfg/DFGArgumentsSimplificationPhase.cpp:
1061 (JSC::DFG::ArgumentsSimplificationPhase::run):
1062 (ArgumentsSimplificationPhase):
1063 (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
1064 * dfg/DFGBasicBlock.h:
1066 * dfg/DFGBasicBlockInlines.h:
1068 * dfg/DFGByteCodeParser.cpp:
1069 (JSC::DFG::ByteCodeParser::addToGraph):
1070 (JSC::DFG::ByteCodeParser::insertPhiNode):
1071 (JSC::DFG::ByteCodeParser::emitFunctionChecks):
1072 * dfg/DFGCFAPhase.cpp:
1073 (JSC::DFG::CFAPhase::run):
1074 * dfg/DFGCFGSimplificationPhase.cpp:
1075 (JSC::DFG::CFGSimplificationPhase::run):
1076 (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
1077 * dfg/DFGCPSRethreadingPhase.cpp:
1078 (JSC::DFG::CPSRethreadingPhase::run):
1079 (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
1080 * dfg/DFGCSEPhase.cpp:
1081 (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
1082 (JSC::DFG::CSEPhase::setReplacement):
1083 (JSC::DFG::CSEPhase::performNodeCSE):
1084 * dfg/DFGCommon.cpp:
1085 (WTF::printInternal):
1089 * dfg/DFGConstantFoldingPhase.cpp:
1090 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1091 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1092 (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
1093 * dfg/DFGDCEPhase.cpp: Added.
1096 (JSC::DFG::DCEPhase::DCEPhase):
1097 (JSC::DFG::DCEPhase::run):
1098 (JSC::DFG::DCEPhase::findTypeCheckRoot):
1099 (JSC::DFG::DCEPhase::countEdge):
1100 (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
1101 (JSC::DFG::performDCE):
1102 * dfg/DFGDCEPhase.h: Added.
1104 * dfg/DFGDriver.cpp:
1105 (JSC::DFG::compile):
1106 * dfg/DFGFixupPhase.cpp:
1107 (JSC::DFG::FixupPhase::fixupNode):
1108 (JSC::DFG::FixupPhase::checkArray):
1109 (JSC::DFG::FixupPhase::blessArrayOperation):
1110 (JSC::DFG::FixupPhase::fixIntEdge):
1111 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
1112 (JSC::DFG::FixupPhase::truncateConstantToInt32):
1114 (JSC::DFG::Graph::Graph):
1115 (JSC::DFG::Graph::dump):
1118 (JSC::DFG::Graph::changeChild):
1119 (JSC::DFG::Graph::changeEdge):
1120 (JSC::DFG::Graph::compareAndSwap):
1121 (JSC::DFG::Graph::clearAndDerefChild):
1122 (JSC::DFG::Graph::performSubstitution):
1123 (JSC::DFG::Graph::performSubstitutionForEdge):
1125 (JSC::DFG::Graph::substitute):
1126 * dfg/DFGInsertionSet.h:
1129 (JSC::DFG::Node::Node):
1130 (JSC::DFG::Node::convertToConstant):
1131 (JSC::DFG::Node::convertToGetLocalUnlinked):
1132 (JSC::DFG::Node::containsMovHint):
1134 (JSC::DFG::Node::hasVariableAccessData):
1135 (JSC::DFG::Node::willHaveCodeGenOrOSR):
1136 * dfg/DFGNodeType.h:
1138 * dfg/DFGPredictionPropagationPhase.cpp:
1139 (JSC::DFG::PredictionPropagationPhase::propagate):
1140 * dfg/DFGSpeculativeJIT.cpp:
1141 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
1142 (JSC::DFG::SpeculativeJIT::compileMovHint):
1143 (JSC::DFG::SpeculativeJIT::compileMovHintAndCheck):
1145 (JSC::DFG::SpeculativeJIT::compileInlineStart):
1146 (JSC::DFG::SpeculativeJIT::compile):
1147 * dfg/DFGSpeculativeJIT.h:
1149 * dfg/DFGSpeculativeJIT32_64.cpp:
1150 (JSC::DFG::SpeculativeJIT::compile):
1151 * dfg/DFGSpeculativeJIT64.cpp:
1152 (JSC::DFG::SpeculativeJIT::compile):
1153 * dfg/DFGStructureCheckHoistingPhase.cpp:
1154 (JSC::DFG::StructureCheckHoistingPhase::run):
1155 (JSC::DFG::StructureCheckHoistingPhase::shouldConsiderForHoisting):
1156 (StructureCheckHoistingPhase):
1157 * dfg/DFGValidate.cpp:
1158 (JSC::DFG::Validate::validate):
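
An added illustration of the decay rules in the entry above, written as a toy dead-code-elimination pass over a small constructed IR. This is not code from this ChangeLog or from JavaScriptCore: the types Op, UseKind, Edge, Node, Graph, the functions performDCE and buildSampleGraph, and the sample graph itself are this example's own, and the real DFG data structures differ. It shows the point the entry makes about soundness: a dead node does not simply vanish, it becomes a Phantom that keeps the type-check edges that have not been proven, and a dead SetLocal becomes a ZombieHint, a MovHintAndCheck or a MovHint depending on whether its child is dead, live-but-unchecked, or live-and-checked.

```cpp
#include <cstdio>
#include <utility>
#include <vector>

// Toy IR for the decay rules described above. Constructed for illustration; not JSC's types.
enum class Op { JSConstant, GetLocal, ArithAdd, SetLocal, Return,
                Phantom, MovHint, ZombieHint, MovHintAndCheck };
enum class UseKind { Untyped, Int32 };   // an Int32 use is a type check on that edge

struct Edge { int node; UseKind use; };

struct Node {
    Op op;
    std::vector<Edge> children;
    bool mustGenerate;   // has an effect that must survive (Return, a SetLocal that is read later, ...)
    bool provenInt32;    // CFA proved the value is Int32, so an Int32 check on it is redundant
    int refCount;        // filled in by DCE and kept for the later phases that need liveness
    Node(Op o, std::vector<Edge> c = {}, bool mg = false, bool proven = false)
        : op(o), children(std::move(c)), mustGenerate(mg), provenInt32(proven), refCount(0) {}
};
using Graph = std::vector<Node>;   // in this toy a child always has a lower index than its parent

// An edge must survive if it checks a type that has not been proven for the child.
static bool isUnprovenCheck(const Graph& g, const Edge& e) {
    return e.use == UseKind::Int32 && !g[e.node].provenInt32;
}

// Reference node i and, transitively, everything it uses.
static void addRef(Graph& g, int i) {
    std::vector<int> worklist;
    if (g[i].refCount++ == 0) worklist.push_back(i);
    while (!worklist.empty()) {
        int j = worklist.back(); worklist.pop_back();
        for (const Edge& e : g[j].children)
            if (g[e.node].refCount++ == 0) worklist.push_back(e.node);
    }
}

void performDCE(Graph& g) {
    // Everything reachable from a must-generate node is live; nothing else is.
    for (Node& n : g) n.refCount = 0;
    for (int i = 0; i < (int)g.size(); ++i)
        if (g[i].mustGenerate) addRef(g, i);

    // Pass 1: a dead SetLocal(@a, rK) decays into one of the three hint forms.
    for (Node& n : g) {
        if (n.op != Op::SetLocal || n.refCount) continue;
        const Edge a = n.children[0];
        if (!g[a.node].refCount) {                 // @a is dead too: OSR will put Undefined into rK
            n.op = Op::ZombieHint; n.children.clear();
        } else if (isUnprovenCheck(g, a)) {        // @a is live but its type check must be kept
            n.op = Op::MovHintAndCheck; n.mustGenerate = true; n.refCount = 1; addRef(g, a.node);
        } else {                                   // @a is live and already checked: only a hint
            n.op = Op::MovHint;
        }
    }

    // Pass 2: every other dead node becomes a Phantom keeping only its unproven check edges.
    // Parents are visited before children so a kept edge makes its child live before we reach it.
    for (int i = (int)g.size() - 1; i >= 0; --i) {
        Node& n = g[i];
        if (n.refCount || n.op == Op::MovHint || n.op == Op::ZombieHint) continue;
        std::vector<Edge> kept;
        for (const Edge& e : n.children)
            if (isUnprovenCheck(g, e)) { kept.push_back(e); addRef(g, e.node); }
        n.op = Op::Phantom;
        n.children = kept;
        n.mustGenerate = !kept.empty();
        n.refCount = n.mustGenerate ? 1 : 0;
    }
}

// Constructed sample: r1 and r2 are written but never read, so both SetLocals are dead.
Graph buildSampleGraph() {
    Graph g;
    g.push_back(Node{Op::JSConstant, {}, false, true});                          // @0: constant, proven Int32
    g.push_back(Node{Op::GetLocal, {}});                                         // @1: GetLocal r0, type unknown
    g.push_back(Node{Op::ArithAdd, {{1, UseKind::Int32}, {0, UseKind::Int32}}}); // @2: @1 + @0, checks both
    g.push_back(Node{Op::SetLocal, {{2, UseKind::Int32}}});                      // @3: SetLocal r1 := @2
    g.push_back(Node{Op::SetLocal, {{1, UseKind::Int32}}});                      // @4: SetLocal r2 := @1
    g.push_back(Node{Op::Return, {{1, UseKind::Untyped}}, true});                // @5: Return @1
    return g;
}

// Runs DCE over the sample so the result can be inspected or asserted on.
Graph runSample() { Graph g = buildSampleGraph(); performDCE(g); return g; }

const char* opName(Op op) {
    static const char* const names[] = { "JSConstant", "GetLocal", "ArithAdd", "SetLocal", "Return",
                                         "Phantom", "MovHint", "ZombieHint", "MovHintAndCheck" };
    return names[(int)op];
}

int main() {
    Graph g = runSample();
    for (int i = 0; i < (int)g.size(); ++i) {
        std::printf("@%d %-16s refCount=%d children:", i, opName(g[i].op), g[i].refCount);
        for (const Edge& e : g[i].children) std::printf(" @%d", e.node);
        std::printf("\n");
    }
    return 0;
}
```

In the sample, @2 (the add) is dead but keeps its Int32 check on @1 as a Phantom and drops the check on the proven constant @0; @3 becomes a ZombieHint because its child @2 is dead; @4 becomes a MovHintAndCheck because @1 is live and its Int32 check was never proven. Dropping @4 outright is exactly the "check disappears" case the entry describes.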

2013-03-05 Mark Hahnenberg <mhahnenberg@apple.com>

Objective-C API: JSValue should implement init and return nil in exceptional cases
https://bugs.webkit.org/show_bug.cgi?id=111487

Reviewed by Darin Adler.

(-[JSValue init]): We return nil here because there is no way to get the instance into a coherent state
without a JSContext.
(-[JSValue initWithValue:inContext:]): Similarly, we should also return nil here if either of the arguments is 0.

2013-03-05 Sheriff Bot <webkit.review.bot@gmail.com>

Unreviewed, rolling out r144708.
http://trac.webkit.org/changeset/144708
https://bugs.webkit.org/show_bug.cgi?id=111447

random assertion crashes in inspector tests on qt+mac bots
(Requested by kling on #webkit).

* GNUmakefile.list.am:
* JavaScriptCore.gypi:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:

* runtime/JSGlobalData.cpp:
(JSC::JSGlobalData::JSGlobalData):
* runtime/JSGlobalData.h:

* runtime/PropertyMapHashTable.h:

(JSC::PropertyTable::PropertyTable):

(JSC::PropertyTable::~PropertyTable):
(JSC::PropertyTable::copy):
* runtime/PropertyTable.cpp: Removed.
* runtime/Structure.cpp:
(JSC::Structure::dumpStatistics):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::despecifyDictionaryFunction):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::sealTransition):
(JSC::Structure::freezeTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::isSealed):
(JSC::Structure::isFrozen):
(JSC::Structure::flattenDictionaryStructure):
(JSC::Structure::pin):
(JSC::Structure::copyPropertyTable):
(JSC::Structure::copyPropertyTableForPinning):
(JSC::Structure::get):
(JSC::Structure::despecifyFunction):
(JSC::Structure::despecifyAllFunctions):
(JSC::Structure::putSpecificValue):
(JSC::Structure::remove):
(JSC::Structure::createPropertyMap):
(JSC::Structure::getPropertyNamesFromStructure):
(JSC::Structure::visitChildren):
(JSC::Structure::checkConsistency):
* runtime/Structure.h:

(JSC::Structure::putWillGrowOutOfLineStorage):
(JSC::Structure::materializePropertyMapIfNecessary):
(JSC::Structure::materializePropertyMapIfNecessaryForPinning):
(JSC::Structure::checkOffsetConsistency):

* runtime/StructureInlines.h:
(JSC::Structure::get):
* runtime/WriteBarrier.h:
(JSC::WriteBarrierBase::get):

2013-03-05 David Kilzer <ddkilzer@apple.com>

BUILD FIX (r144698): Only enable SPEECH_SYNTHESIS for Mac
<http://webkit.org/b/106742>

Fixes the following build failures:

Undefined symbols for architecture i386:
"__ZTVN7WebCore25PlatformSpeechSynthesizerE", referenced from:
__ZN7WebCore25PlatformSpeechSynthesizerC2EPNS_31PlatformSpeechSynthesizerClientE in PlatformSpeechSynthesizer.o
NOTE: a missing vtable usually means the first non-inline virtual member function has no definition.
"__ZN7WebCore25PlatformSpeechSynthesizer19initializeVoiceListEv", referenced from:
__ZN7WebCore25PlatformSpeechSynthesizerC2EPNS_31PlatformSpeechSynthesizerClientE in PlatformSpeechSynthesizer.o
ld: symbol(s) not found for architecture i386

* Configurations/FeatureDefines.xcconfig:
- Fix definition of ENABLE_ENCRYPTED_MEDIA_V2_macosx to match
other FeatureDefines.xcconfig files.
- Only set ENABLE_SPEECH_SYNTHESIS for the macosx platform.

2013-03-04 Andreas Kling <akling@apple.com>

Unused Structure property tables waste 14MB on Membuster.
<http://webkit.org/b/110854>
<rdar://problem/13292104>

Reviewed by Geoffrey Garen.

Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
14 MB progression on Membuster3.

* GNUmakefile.list.am:
* JavaScriptCore.gypi:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:

Added PropertyTable.cpp.

* runtime/PropertyTable.cpp: Added.
(JSC::PropertyTable::create):
(JSC::PropertyTable::clone):
(JSC::PropertyTable::PropertyTable):
(JSC::PropertyTable::destroy):
(JSC::PropertyTable::~PropertyTable):
(JSC::PropertyTable::visitChildren):

Moved marking of property table values here from Structure::visitChildren().

* runtime/WriteBarrier.h:
(JSC::WriteBarrierBase::get):

Move m_cell to a local before using it multiple times. This avoids a multiple-access race when
Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread
zaps the property table.

* runtime/Structure.h:
(JSC::Structure::materializePropertyMapIfNecessary):
(JSC::Structure::materializePropertyMapIfNecessaryForPinning):
* runtime/StructureInlines.h:
(JSC::Structure::propertyTable):

Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active.
Because GC can zap an unpinned property table at any time, it's not entirely safe to access it.
Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves.

(JSC::Structure::putWillGrowOutOfLineStorage):
(JSC::Structure::checkOffsetConsistency):

Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable.

* runtime/Structure.cpp:
(JSC::Structure::visitChildren):

Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.

* runtime/JSGlobalData.h:
* runtime/JSGlobalData.cpp:
(JSC::JSGlobalData::JSGlobalData):

Add a global propertyTableStructure.

* runtime/PropertyMapHashTable.h:

(JSC::PropertyTable::createStructure):
(JSC::PropertyTable::copy):

Make PropertyTable a GC object.

* runtime/Structure.cpp:
(JSC::Structure::dumpStatistics):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::despecifyDictionaryFunction):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::sealTransition):
(JSC::Structure::freezeTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::isSealed):
(JSC::Structure::isFrozen):
(JSC::Structure::flattenDictionaryStructure):
(JSC::Structure::pin):
(JSC::Structure::copyPropertyTable):
(JSC::Structure::copyPropertyTableForPinning):
(JSC::Structure::get):
(JSC::Structure::despecifyFunction):
(JSC::Structure::despecifyAllFunctions):
(JSC::Structure::putSpecificValue):
(JSC::Structure::remove):
(JSC::Structure::createPropertyMap):
(JSC::Structure::getPropertyNamesFromStructure):
(JSC::Structure::checkConsistency):
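
An added illustration (not code from this ChangeLog or from JavaScriptCore) of the WriteBarrierBase::get race that both the 2013-03-04 entry above and its 2013-03-06 re-landing describe: a getter that reads the barrier's cell pointer twice can observe a non-null table on the first read and a null one on the second, because a marking thread may zap an unpinned property table in between. The types PropertyTable, TableSlot and Outcome, the functions entryCountRacy, entryCountSafe and replayZapBetweenReads, and the after-load hook used to replay the interleaving deterministically are all this example's own; the memory orders are an assumption, and JSC's actual fix is simply the single load into a local that entryCountSafe shows.

```cpp
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <functional>

// Constructed stand-ins; not JSC's WriteBarrierBase or PropertyTable.
struct PropertyTable { uint32_t entryCount; };

// The slot a Structure keeps its table in. While the table is unpinned, a marking thread may
// store nullptr here at any instant.
struct TableSlot {
    std::atomic<PropertyTable*> m_cell{nullptr};
    // Test hook standing in for "the marking thread ran between these two instructions".
    std::function<void()> afterEachLoad;

    PropertyTable* load() const {
        PropertyTable* cell = m_cell.load(std::memory_order_acquire);
        if (afterEachLoad) afterEachLoad();
        return cell;
    }
};

constexpr uint32_t kNoTable = 0;             // slot was empty on the first read
constexpr uint32_t kTornRead = UINT32_MAX;   // non-null on the first read, null on the second

// Racy form of a consistency check: tests the slot, then reads it again to use it.
// Anything that happens between the two reads is invisible to the first one.
uint32_t entryCountRacy(const TableSlot& slot) {
    if (!slot.load())
        return kNoTable;
    PropertyTable* table = slot.load();            // second access to m_cell
    return table ? table->entryCount : kTornRead;  // real code would dereference nullptr here
}

// Fixed form: load m_cell once into a local and use only that local afterwards.
uint32_t entryCountSafe(const TableSlot& slot) {
    PropertyTable* table = slot.load();            // single access to m_cell
    if (!table)
        return kNoTable;
    return table->entryCount;
}

struct Outcome { uint32_t racy; uint32_t safe; };

// Deterministic replay of the interleaving: the "marking thread" nulls the slot right after
// every load, the worst case for code that reads the slot more than once.
Outcome replayZapBetweenReads() {
    PropertyTable table{42};
    TableSlot slot;
    slot.afterEachLoad = [&slot] { slot.m_cell.store(nullptr, std::memory_order_release); };

    slot.m_cell.store(&table);
    uint32_t racy = entryCountRacy(slot);
    slot.m_cell.store(&table);
    uint32_t safe = entryCountSafe(slot);
    return {racy, safe};
}

int main() {
    Outcome o = replayZapBetweenReads();
    std::printf("racy: %u (UINT32_MAX marks a torn read)\nsafe: %u\n", o.racy, o.safe);
    return 0;
}
```

The hook makes the hazard reproducible; in production the same window is just a few instructions wide and shows up as an intermittent null dereference in an assertion, which is what the rolled-out first landing hit on the bots.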

2013-03-04 Chris Fleizach <cfleizach@apple.com>

Support WebSpeech - Speech Synthesis
https://bugs.webkit.org/show_bug.cgi?id=106742

Reviewed by Simon Fraser.

Enable speech synthesis for the Mac.

* Configurations/FeatureDefines.xcconfig:

2013-03-04 Mark Hahnenberg <mhahnenberg@apple.com>

Remove contextInternalContext from JSContextInternal.h
https://bugs.webkit.org/show_bug.cgi?id=111356

Reviewed by Geoffrey Garen.

We don't need it any more since we have globalContextRef in JSContext.

* API/JSContextInternal.h:

(+[JSValue valueWithBool:inContext:]):
(+[JSValue valueWithDouble:inContext:]):
(+[JSValue valueWithInt32:inContext:]):
(+[JSValue valueWithUInt32:inContext:]):
(+[JSValue valueWithNewObjectInContext:]):
(+[JSValue valueWithNewArrayInContext:]):
(+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
(+[JSValue valueWithNewErrorFromMessage:inContext:]):
(+[JSValue valueWithNullInContext:]):
(+[JSValue valueWithUndefinedInContext:]):
(-[JSValue toBool]):
(-[JSValue toDouble]):
(-[JSValue toNumber]):
(-[JSValue toString]):
(-[JSValue toDate]):
(-[JSValue toArray]):
(-[JSValue toDictionary]):
(-[JSValue valueForProperty:]):
(-[JSValue setValue:forProperty:]):
(-[JSValue deleteProperty:]):
(-[JSValue hasProperty:]):
(-[JSValue valueAtIndex:]):
(-[JSValue setValue:atIndex:]):
(-[JSValue isUndefined]):
(-[JSValue isNull]):
(-[JSValue isBoolean]):
(-[JSValue isNumber]):
(-[JSValue isString]):
(-[JSValue isObject]):
(-[JSValue isEqualToObject:]):
(-[JSValue isEqualWithTypeCoercionToObject:]):
(-[JSValue isInstanceOf:]):
(-[JSValue callWithArguments:]):
(-[JSValue constructWithArguments:]):
(-[JSValue invokeMethod:withArguments:]):

(objectToValueWithoutCopy):

(-[JSValue initWithValue:inContext:]):
(-[JSValue dealloc]):
(-[JSValue description]):
* API/JSWrapperMap.mm:
(createObjectWithCustomBrand):
(-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
(-[JSObjCClassInfo wrapperForObject:]):
(-[JSWrapperMap jsWrapperForObject:]):
* API/ObjCCallbackFunction.mm:
(ObjCCallbackFunction::call):
(objCCallbackFunctionForInvocation):

2013-03-04 Andreas Kling <akling@apple.com>

Add simple vector traits for JSC::Identifier.
<http://webkit.org/b/111323>

Reviewed by Geoffrey Garen.

Identifiers are really just Strings; giving them simple vector traits makes
Vector move them with memcpy() instead of churning the refcounts.

* runtime/Identifier.h:

2013-03-04 Kunihiko Sakamoto <ksakamoto@chromium.org>

Add build flag for FontLoader
https://bugs.webkit.org/show_bug.cgi?id=111289

Reviewed by Benjamin Poulain.

Add ENABLE_FONT_LOAD_EVENTS build flag (disabled by default).

* Configurations/FeatureDefines.xcconfig:

2013-03-03 Andreas Kling <akling@apple.com>

Shrink JSC::HashTable entries.
<http://webkit.org/b/111275>
<rdar://problem/13333511>

Reviewed by Anders Carlsson.

Move the Intrinsic value out of the function-specific part of the union,
and store it next to m_attributes. Reduces the size of HashEntry by 8 bytes.

990 kB progression on Membuster3. (PTUS: 797 kB)

(JSC::HashEntry::initialize):
(JSC::HashEntry::intrinsic):
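
An added illustration of the two layout techniques behind the HashEntry entry above and the "Pack Structure members better" entry earlier in this log. It is not code from JavaScriptCore: the structs ScatteredMembers, PackedMembers, EntryBefore and EntryAfter and their field names are made up to show the mechanism, and the stated offsets assume 8-byte pointers and natural alignment (LP64). The first pair shows that reordering members so the small ones share one padding region shrinks the object; the second pair shows that a small field sitting inside the function-specific arm of a union forces that arm to a pointer plus an int, while the same field placed next to the attribute byte lands in bytes that were already padding, which is how an 8-byte saving per entry comes about.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed layouts; not JSC's Structure or HashEntry. Offsets below assume LP64.

// (1) Reordering. Small fields scattered between pointers each pull in their own padding.
struct ScatteredMembers {
    uint8_t  flagsA;        // offset 0, then 7 bytes of padding to align the pointer
    void*    prototype;     // offset 8
    uint8_t  flagsB;        // offset 16, then 3 bytes of padding to align the uint32_t
    uint32_t offset;        // offset 20
};                          // sizeof == 24

struct PackedMembers {
    void*    prototype;     // offset 0
    uint32_t offset;        // offset 8
    uint8_t  flagsA;        // offset 12
    uint8_t  flagsB;        // offset 13, then 2 bytes of tail padding
};                          // sizeof == 16: same fields, 8 bytes smaller

// (2) Hoisting a field out of a union. The intrinsic value lives in the function arm, so that
// arm is a pointer plus an int rounded up to 16 bytes, and the attribute byte is followed by
// 7 bytes of padding that nothing uses.
struct EntryBefore {
    const char* key;                                          // offset 0
    uint8_t     attributes;                                   // offset 8, then 7 bytes of padding
    union {
        struct { void* function; int32_t intrinsic; } fn;     // 16 bytes (4 of them padding)
        struct { int32_t getter, setter; } property;          // 8 bytes
    } u;                                                      // offset 16, 16 bytes
};                                                            // sizeof == 32

struct EntryAfter {
    const char* key;                                          // offset 0
    uint8_t     attributes;                                   // offset 8
    int32_t     intrinsic;                                    // offset 12: former padding
    union {
        void* function;                                       // 8 bytes
        struct { int32_t getter, setter; } property;          // 8 bytes
    } u;                                                      // offset 16, 8 bytes
};                                                            // sizeof == 24: 8 bytes saved

// Named results so the numbers can be checked rather than only printed.
std::size_t savedByReordering() { return sizeof(ScatteredMembers) - sizeof(PackedMembers); }
std::size_t savedByHoisting()   { return sizeof(EntryBefore) - sizeof(EntryAfter); }
std::size_t intrinsicOffsetAfter() { return offsetof(EntryAfter, intrinsic); }

int main() {
    std::printf("members: %zu -> %zu bytes (saved %zu)\n",
                sizeof(ScatteredMembers), sizeof(PackedMembers), savedByReordering());
    std::printf("entry:   %zu -> %zu bytes (saved %zu), intrinsic now at offset %zu\n",
                sizeof(EntryBefore), sizeof(EntryAfter), savedByHoisting(), intrinsicOffsetAfter());
    return 0;
}
```

When reviewing this kind of change, the thing to check is that nothing relies on the old offsets: hand-written assembler, serialized layouts, or static tables initialized positionally (as JSC's HashTable entries are) all need to move together with the fields.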

2013-03-01 David Kilzer <ddkilzer@apple.com>

BUILD FIX: testapi should link to Foundation, not CoreFoundation

* JavaScriptCore.xcodeproj/project.pbxproj: Change testapi to
link to Foundation.framework instead of CoreFoundation.framework
since it uses NS types.

2013-03-01 Mark Hahnenberg <mhahnenberg@apple.com>

Objective-C API: Passing JS functions to Objective-C callbacks causes JSValue to leak
https://bugs.webkit.org/show_bug.cgi?id=107836

Reviewed by Oliver Hunt.

We've decided to remove support for this feature from the API because there's no way to automatically manage
the memory for clients in a satisfactory manner. Clients can still pass JS functions to Objective-C methods,
but the methods must accept plain JSValues instead of Objective-C blocks.

We now ignore functions that are part of a protocol that inherits from JSExport that accept blocks as arguments.

* API/JSBlockAdaptor.h: Removed.
* API/JSBlockAdaptor.mm: Removed.
* API/ObjCCallbackFunction.mm:
(ArgumentTypeDelegate::typeBlock): Return nil to signal that we want to ignore this function when copying it
to the object from the protocol.
* API/tests/testapi.mm: Added a test to make sure that we ignore methods declared as part of a JSExport-ed protocol
that have block arguments.
(-[TestObject bogusCallback:]):
* JavaScriptCore.gypi: Updated build files.
* JavaScriptCore.xcodeproj/project.pbxproj:

2013-03-01 Filip Pizlo <fpizlo@apple.com>

DFG Branch(LogicalNot) peephole should not try to optimize and work-around the case where LogicalNot may be otherwise live
https://bugs.webkit.org/show_bug.cgi?id=111209

Reviewed by Oliver Hunt.

Even if it is then everything will work just fine. It's not necessary to check the ref count here.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

2013-03-01 Filip Pizlo <fpizlo@apple.com>

DFG CSE phase shouldn't rely on ref count of nodes, since it doesn't have to
https://bugs.webkit.org/show_bug.cgi?id=111205

Reviewed by Oliver Hunt.

I don't understand the intuition behind setLocalStoreElimination() validating that the SetLocal's ref count
is 1. I believe this is a hold-over from when setLocalStoreElimination() would match one SetLocal to another,
and then try to eliminate the first SetLocal. But that's not how it works now. Now, setLocalStoreElimination()
is actually Flush elimination: it eliminates any Flush that anchors a SetLocal if it proves that every path
from the SetLocal to the Flush is devoid of operations that may observe the local. It doesn't actually kill
the SetLocal itself: if the SetLocal is live because of other things (other Flushes or GetLocals in other
basic blocks), then the SetLocal will naturally still be alive because the Flush was only keeping the SetLocal
alive by one count rather than being solely responsible for its liveness.

* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::setLocalStoreElimination):
(JSC::DFG::CSEPhase::eliminate):
(JSC::DFG::CSEPhase::performNodeCSE):

2013-03-01 Filip Pizlo <fpizlo@apple.com>

Rename MovHint to MovHintEvent so I can create a NodeType called MovHint

Rubber stamped by Mark Hahnenberg.

This is similar to the SetLocal/SetLocalEvent naming scheme, where SetLocal is the
NodeType and SetLocalEvent is the VariableEventKind.

* dfg/DFGVariableEvent.cpp:
(JSC::DFG::VariableEvent::dump):
* dfg/DFGVariableEvent.h:
(JSC::DFG::VariableEvent::movHint):
(JSC::DFG::VariableEvent::id):
(JSC::DFG::VariableEvent::operand):

* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):

2013-03-01 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>

[JSC] Fix sign comparison warning/error after r144340.
https://bugs.webkit.org/show_bug.cgi?id=111164

Reviewed by Mark Hahnenberg.

gcc (both 4.2.1 and 4.7.2) complain about comparing signed and
unsigned terms (clang accepts it just fine).

Work around that by casting the 1 to an uintptr_t as well.

(JSC::DFG::Edge::makeWord):

2013-02-28 Filip Pizlo <fpizlo@apple.com>

DFG CFA should not do liveness pruning
https://bugs.webkit.org/show_bug.cgi?id=111119

Reviewed by Mark Hahnenberg.

It adds complexity and probably buys nothing. Moreover, I'm transitioning to having
liveness only available at the bitter end of compilation, so this will stop working
after https://bugs.webkit.org/show_bug.cgi?id=109389 anyway.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::initialize):
(JSC::DFG::AbstractState::mergeStateAtTail):

2013-02-28 Filip Pizlo <fpizlo@apple.com>

Don't try to emit profiling if you don't have the DFG JIT.

Rubber stamped by Mark Hahnenberg.

(JSC::JIT::shouldEmitProfiling):

2013-02-28 Filip Pizlo <fpizlo@apple.com>

DFG Phantom node should be honest about the fact that it can exit
https://bugs.webkit.org/show_bug.cgi?id=111115

Reviewed by Mark Hahnenberg.

The chances of this having caused serious issues are low, since most clients of the
NodeDoesNotExit flag run after CFA and CFA updates this properly. But one possible
case of badness is if the ByteCodeParser inserted a Phantom with a type check in
between a LogicalNot and a Branch; then that peephole optimization in Fixup might

* dfg/DFGNodeType.h:

2013-02-28 Mark Hahnenberg <mhahnenberg@apple.com>

Add casts in DFGGPRInfo.h to suppress warnings
https://bugs.webkit.org/show_bug.cgi?id=111104

Reviewed by Filip Pizlo.

With certain flags on, we get compiler warnings on ARM. We should do the proper casts to make these warnings go away.

(JSC::DFG::GPRInfo::toIndex):
(JSC::DFG::GPRInfo::debugName):

2013-02-28 Filip Pizlo <fpizlo@apple.com>

It should be easy to determine if a DFG node exits forward or backward when doing type checks
https://bugs.webkit.org/show_bug.cgi?id=111102

Reviewed by Mark Hahnenberg.

This adds a NodeExitsForward flag, which tells you the exit directionality of
type checks performed by the node. Even if you convert the node to a Phantom
and use the Edge UseKind for type checks, you'll still get the same exit
directionality that the original node would have wanted.

* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* dfg/DFGArrayifySlowPathGenerator.h:
(JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::run):
(JSC::DFG::CFGSimplificationPhase::mergeBlocks):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::setReplacement):
(JSC::DFG::CSEPhase::eliminate):
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::checkArray):

(JSC::DFG::Node::setOpAndDefaultNonExitFlags):
(JSC::DFG::Node::convertToPhantom):
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::nodeFlagsAsString):
* dfg/DFGNodeFlags.h:

* dfg/DFGNodeType.h:

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::backwardSpeculationCheck):

(JSC::DFG::SpeculativeJIT::speculationCheck):
(JSC::DFG::SpeculativeJIT::speculationWatchpoint):
(JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
(JSC::DFG::SpeculativeJIT::backwardTypeCheck):
(JSC::DFG::SpeculativeJIT::typeCheck):
(JSC::DFG::SpeculativeJIT::forwardTypeCheck):
(JSC::DFG::SpeculativeJIT::fillStorage):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::checkArgumentTypes):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
* dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
(JSC::DFG::SpeculateIntegerOperand::gpr):
(SpeculateIntegerOperand):
(JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
(JSC::DFG::SpeculateDoubleOperand::fpr):
(SpeculateDoubleOperand):
(JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
(JSC::DFG::SpeculateCellOperand::gpr):
(SpeculateCellOperand):
(JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
(JSC::DFG::SpeculateBooleanOperand::gpr):
(SpeculateBooleanOperand):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt):
(JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt):
(JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DF G::SpeculativeJIT::compile):

2013-02-28 Filip Pizlo <fpizlo@apple.com>

CodeBlock::valueProfile() has a bogus assertion
https://bugs.webkit.org/show_bug.cgi?id=111106
<rdar://problem/13131427>

Reviewed by Mark Hahnenberg.

This was just a bad assertion: m_bytecodeOffset == -1 means that the value profile is constructed but not initialized.
ValueProfile constructs itself in a safe way; you can call any method you want on a constructed but not initialized
ValueProfile. CodeBlock first constructs all ValueProfiles (by growing the ValueProfile vector) and then initializes
their m_bytecodeOffset later. This is necessary because the initialization is linking bytecode instructions to their
ValueProfiles, so at that point we don't want the ValueProfile vector to resize, which implies that we want all of
them to already be constructed. A GC can happen during this phase, and the GC may want to walk all ValueProfiles.
1721 This is safe, but one of the ValueProfile getters (CodeBlock::valueProfile()) was asserting that any value profile
1722 you get has had its m_bytecodeOffset initialized. This need not be the case and nothing will go wrong if it isn't.
1724 The solution is to remove the assertion, which I believe was put there to ensure that my m_valueProfiles refactoring
1725 a long time ago was sound: it used to be that a ValueProfile with m_bytecodeOffset == -1 was an argument profile; now
1726 all argument profiles are in m_argumentValueProfiles instead. I think it's safe to say that this refactoring was done
1727 soundly since it was a long time ago. So we should kill the assertion - I don't see an easy way to make the assertion
1728 sound with respect to the GC-during-CodeBlock-construction issue, and I don't believe that the assertion is buying us
1729 anything at this point.
1731 * bytecode/CodeBlock.h:
1732 (JSC::CodeBlock::valueProfile):
1734 2013-02-27 Filip Pizlo <fpizlo@apple.com>
1736 DFG CFA should leave behind information in Edge that says if the Edge's type check is proven to succeed
1737 https://bugs.webkit.org/show_bug.cgi?id=110840
1739 Reviewed by Mark Hahnenberg.
1741 This doesn't add any observable functionality to the compiler, yet. But it does give
1742 every phase that runs after CFA the ability to know, in O(1) time, whether an edge
1743 will need to execute a type check.
1745 * dfg/DFGAbstractState.h:
1746 (JSC::DFG::AbstractState::filterEdgeByUse):
1747 (JSC::DFG::AbstractState::filterByType):
1748 * dfg/DFGCommon.cpp:
1750 (WTF::printInternal):
1752 (JSC::DFG::isProved):
1754 (JSC::DFG::proofStatusForIsProved):
1757 (JSC::DFG::Edge::dump):
1759 (JSC::DFG::Edge::Edge):
1760 (JSC::DFG::Edge::setNode):
1761 (JSC::DFG::Edge::useKindUnchecked):
1762 (JSC::DFG::Edge::setUseKind):
1764 (JSC::DFG::Edge::proofStatusUnchecked):
1765 (JSC::DFG::Edge::proofStatus):
1766 (JSC::DFG::Edge::setProofStatus):
1767 (JSC::DFG::Edge::isProved):
1768 (JSC::DFG::Edge::needsCheck):
1769 (JSC::DFG::Edge::shift):
1770 (JSC::DFG::Edge::makeWord):
1772 2013-02-28 Simon Hausmann <simon.hausmann@digia.com>
1774 [Qt][Mac] Fix massive parallel builds
1776 Reviewed by Tor Arne Vestbø.
1778 There exists a race condition where LLIntDesiredOffsets.h is written to
1779 by two parallel instances of the ruby script. This patch ensures that, similar to the output file,
1780 the generated file is also prefixed according to the build configuration.
1782 * LLIntOffsetsExtractor.pro:
1784 2013-02-27 Sheriff Bot <webkit.review.bot@gmail.com>
1786 Unreviewed, rolling out r144168.
1787 http://trac.webkit.org/changeset/144168
1788 https://bugs.webkit.org/show_bug.cgi?id=111019
1790 It broke the build and tronical is unavailable (Requested by
1791 Ossy_night on #webkit).
1793 * LLIntOffsetsExtractor.pro:
1795 2013-02-26 Filip Pizlo <fpizlo@apple.com>
1797 Disable some unsound DFG DCE
1798 https://bugs.webkit.org/show_bug.cgi?id=110948
1800 Reviewed by Michael Saboff.
1802 DCE of bitops is not sound since the bitops might call some variant of valueOf.
1804 This used to work right because ValueToInt32 was MustGenerate. From the DFG IR
1805 standpoint it feels weird to make ValueToInt32 be MustGenerate since that node is
1806 implemented entirely as a pure conversion. If we ever gave the DFG the ability to
1807 do effectful bitops, we would most likely implement them as special nodes not
1808 related to the ValueToInt32 and bitop nodes we have now.
1810 This change is performance neutral.
1812 * dfg/DFGNodeType.h:
1815 2013-02-27 Glenn Adams <glenn@skynav.com>
1817 Add ENABLE_CSS3_TEXT_LINE_BREAK flag.
1818 https://bugs.webkit.org/show_bug.cgi?id=110944
1820 Reviewed by Dean Jackson.
1822 * Configurations/FeatureDefines.xcconfig:
1824 2013-02-27 Julien Brianceau <jbrianceau@nds.com>
1826 Fix build when DFG_JIT is not enabled
1827 https://bugs.webkit.org/show_bug.cgi?id=110991
1829 Reviewed by Csaba Osztrogonác.
1832 (JSC::JIT::canBeOptimizedOrInlined):
1834 2013-02-27 Simon Hausmann <simon.hausmann@digia.com>
1836 [Qt][Mac] Fix massive parallel builds
1838 Reviewed by Tor Arne Vestbø.
1840 There exists a race condition where LLIntDesiredOffsets.h is written to
1841 by two parallel instances of the ruby script. This patch ensures that, similar to the output file,
1842 the generated file is also prefixed according to the build configuration.
1844 * LLIntOffsetsExtractor.pro:
1846 2013-02-26 Filip Pizlo <fpizlo@apple.com>
1848 DFG OSR exit doesn't know which virtual register to use for the last result register for post_inc and post_dec
1849 https://bugs.webkit.org/show_bug.cgi?id=109036
1850 <rdar://problem/13292139>
1852 Reviewed by Gavin Barraclough.
1854 This was a two-fold problem:
1856 1) post_inc/dec has two results - the new value of the variable, and the old value of the variable. DFG OSR exit
1857 assumed that the "last result" used for the Baseline JIT's register allocation would be the new value. It was
1858 wrong in this assumption.
1860 2) The Baseline JIT knew to disable its last result optimization in cases where it might confuse the DFG. But it
1861 was doing this only for code blocks that could be totally optimized, but not code blocks that could only be
1862 optimized when inlined.
1864 This patch introduces a more rigorous notion of when the Baseline JIT emits profiling, when it does extra work
1865 to account for the possibility of OSR exit, and when it does extra work to account for the possibility of OSR
1866 entry. These notions are called shouldEmitProfiling(), canBeOptimizedOrInlined(), and canBeOptimized(),
1869 This is performance-neutral and fixes the reported bug. It probably fixes other bugs as well, since previously
1870 we for example weren't doing the more conservative implementation of op_mov in the Baseline JIT for code blocks
1871 that could be inlined but not optimized. So, if such a code block OSR exited at just the right point, you'd get
1872 symptoms similar to this bug.
1874 * dfg/DFGCapabilities.h:
1875 (JSC::DFG::canCompileOpcode):
1878 (JSC::JIT::privateCompile):
1880 (JSC::JIT::compilePatchGetArrayLength):
1881 (JSC::JIT::canBeOptimizedOrInlined):
1883 * jit/JITArithmetic.cpp:
1884 (JSC::JIT::emit_op_post_inc):
1885 (JSC::JIT::emit_op_post_dec):
1886 * jit/JITArithmetic32_64.cpp:
1887 (JSC::JIT::emit_op_post_inc):
1888 (JSC::JIT::emit_op_post_dec):
1890 (JSC::JIT::emit_op_call_put_result):
1891 (JSC::JIT::compileOpCall):
1892 * jit/JITCall32_64.cpp:
1893 (JSC::JIT::compileOpCall):
1895 (JSC::JIT::emitArrayProfilingSite):
1897 * jit/JITOpcodes.cpp:
1898 (JSC::JIT::emit_op_mov):
1899 * jit/JITPropertyAccess.cpp:
1900 (JSC::JIT::compileGetByIdHotPath):
1901 (JSC::JIT::privateCompilePutByIdTransition):
1902 * jit/JITPropertyAccess32_64.cpp:
1903 (JSC::JIT::compileGetByIdHotPath):
1904 (JSC::JIT::privateCompilePutByIdTransition):
1906 2013-02-26 Roger Fong <roger_fong@apple.com>
1908 Unreviewed. AppleWin VS2010 build fix.
1910 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
1912 2013-02-25 Filip Pizlo <fpizlo@apple.com>
1914 The DFG backend's and OSR's decision to unbox a variable should be based on whether it's used in a typed context
1915 https://bugs.webkit.org/show_bug.cgi?id=110433
1917 Reviewed by Oliver Hunt and Mark Hahnenberg.
1919 This introduces the equivalent of a liveness analysis, except for type checking.
1920 A variable is said to be "profitable for unboxing" (i.e. live at a type check)
1921 if there exists a type check on a GetLocal of that variable, and the type check
1922 is consistent with the variable's prediction. Variables that are not profitable
1923 for unboxing aren't unboxed. Previously they would have been.
1925 This is a slight speed-up on some things but mostly neutral.
1927 * dfg/DFGArgumentPosition.h:
1928 (JSC::DFG::ArgumentPosition::ArgumentPosition):
1929 (JSC::DFG::ArgumentPosition::mergeShouldNeverUnbox):
1930 (JSC::DFG::ArgumentPosition::mergeArgumentPredictionAwareness):
1931 (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness):
1933 (JSC::DFG::ArgumentPosition::isProfitableToUnbox):
1934 (JSC::DFG::ArgumentPosition::shouldUseDoubleFormat):
1936 (JSC::DFG::checkAndSet):
1938 * dfg/DFGFixupPhase.cpp:
1939 (JSC::DFG::FixupPhase::run):
1940 (JSC::DFG::FixupPhase::fixupNode):
1941 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
1943 (JSC::DFG::FixupPhase::alwaysUnboxSimplePrimitives):
1944 (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
1945 * dfg/DFGPredictionPropagationPhase.cpp:
1946 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1947 * dfg/DFGSpeculativeJIT.cpp:
1948 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1949 * dfg/DFGVariableAccessData.h:
1950 (JSC::DFG::VariableAccessData::VariableAccessData):
1951 (JSC::DFG::VariableAccessData::mergeIsCaptured):
1952 (JSC::DFG::VariableAccessData::mergeIsProfitableToUnbox):
1953 (VariableAccessData):
1954 (JSC::DFG::VariableAccessData::isProfitableToUnbox):
1955 (JSC::DFG::VariableAccessData::shouldUnboxIfPossible):
1956 (JSC::DFG::VariableAccessData::mergeStructureCheckHoistingFailed):
1957 (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias):
1958 (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
1959 (JSC::DFG::VariableAccessData::mergeFlags):
1961 2013-02-26 Oliver Hunt <oliver@apple.com>
1965 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
1967 2013-02-26 Oliver Hunt <oliver@apple.com>
1969 Web Inspector: REGRESSION: [JSC] SourceProvider reuses IDs
1970 https://bugs.webkit.org/show_bug.cgi?id=99674
1972 Reviewed by Gavin Barraclough.
1974 Simple incrementing counter for SourceProvider IDs. Uses a
1975 lock when incrementing the counter so we don't reuse
1976 counter values or reassign the ID for a given SourceProvider.
1978 * parser/SourceProvider.cpp:
1979 (JSC::SourceProvider::SourceProvider):
1981 (JSC::SourceProvider::getID):
1982 * parser/SourceProvider.h:
1983 (JSC::SourceProvider::asID):
1986 2013-02-26 Sheriff Bot <webkit.review.bot@gmail.com>
1988 Unreviewed, rolling out r144074.
1989 http://trac.webkit.org/changeset/144074
1990 https://bugs.webkit.org/show_bug.cgi?id=110897
1992 Causing 20+ crashes on Mac (Requested by bradee-oh on
1996 * GNUmakefile.list.am:
1997 * JavaScriptCore.gypi:
1998 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1999 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2000 * JavaScriptCore.xcodeproj/project.pbxproj:
2002 * runtime/JSGlobalData.cpp:
2003 (JSC::JSGlobalData::JSGlobalData):
2004 * runtime/JSGlobalData.h:
2006 * runtime/PropertyMapHashTable.h:
2008 (JSC::PropertyTable::PropertyTable):
2010 (JSC::PropertyTable::~PropertyTable):
2011 (JSC::PropertyTable::copy):
2012 * runtime/PropertyTable.cpp: Removed.
2013 * runtime/Structure.cpp:
2014 (JSC::Structure::materializePropertyMap):
2015 (JSC::Structure::addPropertyTransition):
2016 (JSC::Structure::changePrototypeTransition):
2017 (JSC::Structure::despecifyFunctionTransition):
2018 (JSC::Structure::attributeChangeTransition):
2019 (JSC::Structure::toDictionaryTransition):
2020 (JSC::Structure::preventExtensionsTransition):
2021 (JSC::Structure::nonPropertyTransition):
2022 (JSC::Structure::copyPropertyTable):
2023 (JSC::Structure::copyPropertyTableForPinning):
2024 (JSC::Structure::putSpecificValue):
2025 (JSC::Structure::createPropertyMap):
2026 (JSC::Structure::visitChildren):
2027 * runtime/Structure.h:
2029 (JSC::Structure::putWillGrowOutOfLineStorage):
2030 (JSC::Structure::checkOffsetConsistency):
2032 * runtime/StructureInlines.h:
2034 2013-02-26 Roger Fong <roger_fong@apple.com>
2036 Unreviewed. AppleWin VS2010 build fix.
2038 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
2040 2013-02-26 Jer Noble <jer.noble@apple.com>
2042 Unreviewed build fix; use correct macro for platform name in FeatureDefines.xcconfig.
2044 * Configurations/FeatureDefines.xcconfig:
2046 2013-02-26 Michael Saboff <msaboff@apple.com>
2048 Potential crash in YARR JIT generated code when building 64 bit
2049 https://bugs.webkit.org/show_bug.cgi?id=110893
2051 Reviewed by Gavin Barraclough.
2053 The ABI doesn't define the behavior for the upper bits of a value that takes less than 64 bits.
2054 Therefore, we zero extend both the count and length registers to assure that these unsigned values
2055 don't have garbage upper bits.
2058 (JSC::Yarr::YarrGenerator::generateEnter):
2060 2013-02-26 Andreas Kling <akling@apple.com>
2062 Unused Structure property tables waste 14MB on Membuster.
2063 <http://webkit.org/b/110854>
2064 <rdar://problem/13292104>
2066 Reviewed by Filip Pizlo.
2068 Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
2069 14 MB progression on Membuster3.
2072 * GNUmakefile.list.am:
2073 * JavaScriptCore.gypi:
2074 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2075 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2076 * JavaScriptCore.xcodeproj/project.pbxproj:
2079 Added PropertyTable.cpp.
2081 * runtime/PropertyTable.cpp: Added.
2082 (JSC::PropertyTable::create):
2083 (JSC::PropertyTable::clone):
2084 (JSC::PropertyTable::PropertyTable):
2085 (JSC::PropertyTable::destroy):
2086 (JSC::PropertyTable::~PropertyTable):
2087 (JSC::PropertyTable::visitChildren):
2089 Moved marking of property table values here from Structure::visitChildren().
2091 * runtime/StructureInlines.h:
2092 (JSC::Structure::putWillGrowOutOfLineStorage):
2093 (JSC::Structure::checkOffsetConsistency):
2095 Moved these to StructureInlines.h to break header dependency cycle between Structure/PropertyTable.
2097 * runtime/Structure.cpp:
2098 (JSC::Structure::visitChildren):
2100 Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.
2102 (JSC::Structure::materializePropertyMap):
2103 (JSC::Structure::addPropertyTransition):
2104 (JSC::Structure::changePrototypeTransition):
2105 (JSC::Structure::despecifyFunctionTransition):
2106 (JSC::Structure::attributeChangeTransition):
2107 (JSC::Structure::toDictionaryTransition):
2108 (JSC::Structure::preventExtensionsTransition):
2109 (JSC::Structure::nonPropertyTransition):
2110 (JSC::Structure::copyPropertyTable):
2111 (JSC::Structure::copyPropertyTableForPinning):
2112 (JSC::Structure::putSpecificValue):
2113 (JSC::Structure::createPropertyMap):
2114 * runtime/Structure.h:
2116 * runtime/JSGlobalData.cpp:
2117 (JSC::JSGlobalData::JSGlobalData):
2118 * runtime/JSGlobalData.h:
2120 * runtime/PropertyMapHashTable.h:
2122 (JSC::PropertyTable::createStructure):
2123 (JSC::PropertyTable::copy):
2125 2013-02-26 Andreas Kling <akling@apple.com>
2127 Unreviewed, rolling out r144054.
2128 http://trac.webkit.org/changeset/144054
2129 https://bugs.webkit.org/show_bug.cgi?id=110854
2134 * GNUmakefile.list.am:
2135 * JavaScriptCore.gypi:
2136 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2137 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2138 * JavaScriptCore.xcodeproj/project.pbxproj:
2140 * runtime/JSGlobalData.cpp:
2141 (JSC::JSGlobalData::JSGlobalData):
2142 * runtime/JSGlobalData.h:
2144 * runtime/PropertyMapHashTable.h:
2146 (JSC::PropertyTable::PropertyTable):
2148 (JSC::PropertyTable::~PropertyTable):
2149 (JSC::PropertyTable::copy):
2150 * runtime/PropertyTable.cpp: Removed.
2151 * runtime/Structure.cpp:
2152 (JSC::Structure::materializePropertyMap):
2153 (JSC::Structure::addPropertyTransition):
2154 (JSC::Structure::changePrototypeTransition):
2155 (JSC::Structure::despecifyFunctionTransition):
2156 (JSC::Structure::attributeChangeTransition):
2157 (JSC::Structure::toDictionaryTransition):
2158 (JSC::Structure::preventExtensionsTransition):
2159 (JSC::Structure::nonPropertyTransition):
2160 (JSC::Structure::copyPropertyTable):
2161 (JSC::Structure::copyPropertyTableForPinning):
2162 (JSC::Structure::putSpecificValue):
2163 (JSC::Structure::createPropertyMap):
2164 (JSC::Structure::visitChildren):
2165 * runtime/Structure.h:
2167 (JSC::Structure::putWillGrowOutOfLineStorage):
2168 (JSC::Structure::checkOffsetConsistency):
2170 * runtime/StructureInlines.h:
2172 2013-02-26 Andreas Kling <akling@apple.com>
2174 Unused Structure property tables waste 14MB on Membuster.
2175 <http://webkit.org/b/110854>
2176 <rdar://problem/13292104>
2178 Reviewed by Filip Pizlo.
2180 Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
2181 14 MB progression on Membuster3.
2184 * GNUmakefile.list.am:
2185 * JavaScriptCore.gypi:
2186 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2187 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2188 * JavaScriptCore.xcodeproj/project.pbxproj:
2191 Added PropertyTable.cpp.
2193 * runtime/PropertyTable.cpp: Added.
2194 (JSC::PropertyTable::create):
2195 (JSC::PropertyTable::clone):
2196 (JSC::PropertyTable::PropertyTable):
2197 (JSC::PropertyTable::destroy):
2198 (JSC::PropertyTable::~PropertyTable):
2199 (JSC::PropertyTable::visitChildren):
2201 Moved marking of property table values here from Structure::visitChildren().
2203 * runtime/StructureInlines.h:
2204 (JSC::Structure::putWillGrowOutOfLineStorage):
2205 (JSC::Structure::checkOffsetConsistency):
2207 Moved these to StructureInlines.h to break header dependency cycle between Structure/PropertyTable.
2209 * runtime/Structure.cpp:
2210 (JSC::Structure::visitChildren):
2212 Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.
2214 (JSC::Structure::materializePropertyMap):
2215 (JSC::Structure::addPropertyTransition):
2216 (JSC::Structure::changePrototypeTransition):
2217 (JSC::Structure::despecifyFunctionTransition):
2218 (JSC::Structure::attributeChangeTransition):
2219 (JSC::Structure::toDictionaryTransition):
2220 (JSC::Structure::preventExtensionsTransition):
2221 (JSC::Structure::nonPropertyTransition):
2222 (JSC::Structure::copyPropertyTable):
2223 (JSC::Structure::copyPropertyTableForPinning):
2224 (JSC::Structure::putSpecificValue):
2225 (JSC::Structure::createPropertyMap):
2226 * runtime/Structure.h:
2228 * runtime/JSGlobalData.cpp:
2229 (JSC::JSGlobalData::JSGlobalData):
2230 * runtime/JSGlobalData.h:
2232 * runtime/PropertyMapHashTable.h:
2234 (JSC::PropertyTable::createStructure):
2235 (JSC::PropertyTable::copy):
2237 2013-02-26 Jocelyn Turcotte <jocelyn.turcotte@digia.com>
2239 Implement JIT on Windows 64 bits
2240 https://bugs.webkit.org/show_bug.cgi?id=107965
2242 Reviewed by Simon Hausmann.
2244 1. MSVC doesn't support inline assembly for 64 bits, so the trampoline is implemented in a separate ASM file.
2246 2. Windows 64 bits has a different calling convention than other OSes following the AMD64 ABI.
2247 Differences that we have to handle here:
2248 - Register-passed parameters are RCX, RDX, R8 and R9 instead of RDI, RSI, RDX, RCX, R8 and R9
2249 - RDI and RSI must be preserved by the callee
2250 - Only return values <= 8 bytes can be returned by register (RDX can't be used to return a second word)
2251 - There is no red-zone after RIP on the stack, but instead 4 reserved words before it
2258 (JSC::JITStackFrame::returnAddressSlot):
2259 * jit/JITStubsMSVC64.asm: Added.
2260 * jit/JSInterfaceJIT.h:
2262 * jit/ThunkGenerators.cpp:
2263 (JSC::nativeForGenerator):
2266 (JSC::Yarr::YarrGenerator::generateEnter):
2267 (JSC::Yarr::YarrGenerator::generateReturn):
2269 2013-02-26 Oliver Hunt <oliver@apple.com>
2271 Kill another analyzer warning in javascriptcore
2272 https://bugs.webkit.org/show_bug.cgi?id=110802
2274 Reviewed by Benjamin Poulain.
2278 * profiler/LegacyProfiler.cpp:
2279 (JSC::LegacyProfiler::startProfiling):
2280 (JSC::LegacyProfiler::stopProfiling):
2282 2013-02-26 Sheriff Bot <webkit.review.bot@gmail.com>
2284 Unreviewed, rolling out r144004.
2285 http://trac.webkit.org/changeset/144004
2286 https://bugs.webkit.org/show_bug.cgi?id=110858
2288 This iOS change is outdated (Requested by notbenjamin on
2291 * bytecompiler/BytecodeGenerator.cpp:
2292 (JSC::BytecodeGenerator::BytecodeGenerator):
2293 * bytecompiler/BytecodeGenerator.h:
2294 (JSC::BytecodeGenerator::emitNode):
2295 (JSC::BytecodeGenerator::emitNodeInConditionContext):
2296 (BytecodeGenerator):
2297 * parser/Parser.cpp:
2300 (JSC::Parser::canRecurse):
2303 2013-02-25 Filip Pizlo <fpizlo@apple.com>
2305 REGRESSION(r143654): some jquery test asserts on 32 bit debug build
2306 https://bugs.webkit.org/show_bug.cgi?id=110756
2308 Reviewed by Geoffrey Garen.
2310 TypeOf does speculations manually, so it should mark its JSValueOperand as doing ManualOperandSpeculation.
2312 * dfg/DFGSpeculativeJIT32_64.cpp:
2313 (JSC::DFG::SpeculativeJIT::compile):
2315 2013-02-25 Benjamin Poulain <bpoulain@apple.com>
2317 [JSC] Upstream iOS Stack bound checking
2318 https://bugs.webkit.org/show_bug.cgi?id=110813
2320 Reviewed by Filip Pizlo.
2322 On iOS, the StackBounds cannot be cached because the stack
2323 can be in one of two threads (the web thread or the UI thread).
2325 We simply always consider the current stack bound when testing
2328 * bytecompiler/BytecodeGenerator.cpp:
2329 (JSC::BytecodeGenerator::BytecodeGenerator):
2330 * bytecompiler/BytecodeGenerator.h:
2331 (JSC::BytecodeGenerator::emitNode):
2332 (JSC::BytecodeGenerator::emitNodeInConditionContext):
2333 (BytecodeGenerator):
2334 * parser/Parser.cpp:
2337 (JSC::Parser::canRecurse):
2340 2013-02-25 Michael Saboff <msaboff@apple.com>
2342 For JSVALUE32_64, maxOffsetRelativeToPatchedStorage() doesn't compute the maximum negative offset
2343 https://bugs.webkit.org/show_bug.cgi?id=110828
2345 Reviewed by Oliver Hunt.
2347 * runtime/JSObject.h:
2348 (JSC::maxOffsetRelativeToPatchedStorage): Only add the OBJECT_OFFSETOF(tag) for positive offsets.
2349 That way this function will return the offset farthest from 0 needed to access either the payload
2352 2013-02-25 Jeffrey Pfau <jpfau@apple.com>
2354 Optionally partition cache to prevent using cache for tracking
2355 https://bugs.webkit.org/show_bug.cgi?id=110269
2357 Reviewed by Maciej Stachowiak.
2359 * Configurations/FeatureDefines.xcconfig: Add defines for cache partitioning and public suffix list usage
2361 2013-02-25 Roger Fong <roger_fong@apple.com>
2363 Unreviewed. VS2010 solution build fix.
2365 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
2367 2013-02-24 Filip Pizlo <fpizlo@apple.com>
2369 DFG::Edge should have more bits for UseKind, and DFG::Allocator should be simpler
2370 https://bugs.webkit.org/show_bug.cgi?id=110722
2372 Reviewed by Oliver Hunt.
2374 This rolls out the DFG::Allocator part of http://trac.webkit.org/changeset/143654,
2375 and changes Edge to have more room for UseKinds and possibly other things.
2377 This is performance-neutral on both 32-bit and 64-bit. It reduces the size of
2378 DFG::Node on 64-bit (by virtue of getting rid of the 16-byte alignment of Node)
2379 and increases it slightly on 32-bit (by 4 bytes total - 16-byte alignment led to
2380 80 bytes, but the base size of Node plus the 12 bytes of new m_encodedWords in
2381 Edge gets 84 bytes). But, it will mean that we don't have to increase Node by
2382 another 16 bytes if we ever want to add more UseKinds or other things to Edge.
2384 * dfg/DFGAllocator.h:
2387 (JSC::DFG::Allocator::Region::headerSize):
2388 (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
2389 (JSC::DFG::Allocator::Region::data):
2390 (JSC::DFG::Allocator::Region::isInThisRegion):
2391 (JSC::DFG::::Allocator):
2392 (JSC::DFG::::~Allocator):
2393 (JSC::DFG::::allocate):
2395 (JSC::DFG::::freeAll):
2396 (JSC::DFG::::reset):
2397 (JSC::DFG::::indexOf):
2398 (JSC::DFG::::allocatorOf):
2399 (JSC::DFG::::bumpAllocate):
2400 (JSC::DFG::::freeListAllocate):
2401 (JSC::DFG::::allocateSlow):
2402 (JSC::DFG::::freeRegionsStartingAt):
2403 (JSC::DFG::::startBumpingIn):
2405 (JSC::DFG::Edge::Edge):
2407 (JSC::DFG::Edge::node):
2408 (JSC::DFG::Edge::setNode):
2409 (JSC::DFG::Edge::useKindUnchecked):
2410 (JSC::DFG::Edge::setUseKind):
2411 (JSC::DFG::Edge::operator==):
2412 (JSC::DFG::Edge::operator!=):
2413 (JSC::DFG::Edge::makeWord):
2414 * dfg/DFGNodeAllocator.h:
2417 2013-02-22 Filip Pizlo <fpizlo@apple.com>
2419 The DFG special case checks for isCreatedThisArgument are fragile
2420 https://bugs.webkit.org/show_bug.cgi?id=110535
2422 Reviewed by Oliver Hunt.
2424 There may be many situations in which we want to force a variable to never be
2425 unboxed. Capturing is one such case, and the created this argument is another.
2426 Previously all code that dealt with this issue had to query both scenarios.
2428 Now DFG::VariableAccessData knows these things. You just have to ask
2429 VariableAccessData for whether a variable should be unboxed. Anyone wishing to
2430 force a variable to never be unboxed just tells VariableAccessData.
2432 * dfg/DFGAbstractState.cpp:
2433 (JSC::DFG::AbstractState::initialize):
2434 * dfg/DFGByteCodeParser.cpp:
2435 (JSC::DFG::ByteCodeParser::parseBlock):
2437 * dfg/DFGCFGSimplificationPhase.cpp:
2438 (CFGSimplificationPhase):
2439 * dfg/DFGFixupPhase.cpp:
2440 (JSC::DFG::FixupPhase::fixupNode):
2443 * dfg/DFGPredictionPropagationPhase.cpp:
2444 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2445 * dfg/DFGSpeculativeJIT.cpp:
2446 (JSC::DFG::SpeculativeJIT::compile):
2447 * dfg/DFGSpeculativeJIT32_64.cpp:
2448 (JSC::DFG::SpeculativeJIT::compile):
2449 * dfg/DFGSpeculativeJIT64.cpp:
2450 (JSC::DFG::SpeculativeJIT::compile):
2451 * dfg/DFGUnificationPhase.cpp:
2452 (JSC::DFG::UnificationPhase::run):
2453 * dfg/DFGVariableAccessData.h:
2454 (JSC::DFG::VariableAccessData::VariableAccessData):
2455 (JSC::DFG::VariableAccessData::mergeIsCaptured):
2456 (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
2457 (VariableAccessData):
2458 (JSC::DFG::VariableAccessData::shouldNeverUnbox):
2459 (JSC::DFG::VariableAccessData::shouldUnboxIfPossible):
2460 (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
2461 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
2463 2013-02-25 Geoffrey Garen <ggaren@apple.com>
2465 Do one lookup per code cache insertion instead of two
2466 https://bugs.webkit.org/show_bug.cgi?id=110674
2468 Reviewed by Sam Weinig.
2470 Deployed the idiomatic "add null value" trick to avoid a second hash
2471 lookup when inserting an item.
2473 * runtime/CodeCache.cpp:
2474 (JSC::CodeCacheMap::pruneSlowCase): Factored this into a helper function
2475 to improve clarity and get some code off the hot path.
2477 (JSC::CodeCache::getCodeBlock):
2478 (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Use the add() API
2479 to avoid two hash lookups. Be sure to remove items if parsing fails,
2480 otherwise we'll leave nulls in the table. (I'm guessing that caching parse
2481 errors is not a win.)
2483 * runtime/CodeCache.h:
2484 (JSC::SourceCodeValue::SourceCodeValue):
2486 (JSC::CodeCacheMap::add): Combined find() and set() into add().
2488 (JSC::CodeCacheMap::remove):
2489 (JSC::CodeCacheMap::age):
2490 (JSC::CodeCacheMap::prune): Refactored to support above changes.
2492 2013-02-25 Carlos Garcia Campos <cgarcia@igalia.com>
2494 [BlackBerry][ARM] Fix cast-align warnings in JavaScriptCore
2495 https://bugs.webkit.org/show_bug.cgi?id=110738
2497 Reviewed by Rob Buis.
2499 Use reinterpret_cast_ptr instead of reinterpret_cast for
2502 * dfg/DFGOperations.cpp:
2503 * heap/CopiedBlock.h:
2504 (JSC::CopiedBlock::zeroFillWilderness):
2506 (JSC::WeakBlock::asWeakImpl):
2507 (JSC::WeakBlock::asFreeCell):
2508 (JSC::WeakBlock::weakImpls):
2510 (JSC::WeakImpl::asWeakImpl):
2511 * interpreter/JSStack.cpp:
2512 (JSC::JSStack::disableErrorStackReserve):
2513 * interpreter/JSStack.h:
2514 (JSC::JSStack::reservationEnd):
2515 * runtime/ArrayStorage.h:
2516 (JSC::ArrayStorage::from):
2517 * runtime/Butterfly.h:
2518 (JSC::Butterfly::indexingPayload):
2519 * runtime/IndexingHeader.h:
2520 (JSC::IndexingHeader::propertyStorage):
2521 * runtime/JSActivation.h:
2522 (JSC::JSActivation::tearOff):
        (JSC::JSActivation::isTornOff):
        (JSC::JSActivation::storage):

2013-02-22  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT::speculateNumber() should just use SpeculateDoubleOperand instead of doing its own thing
        https://bugs.webkit.org/show_bug.cgi?id=110659

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        This simplifies the code, and also has the effect that if speculateNumber() is called
        prior to someone actually using the number in a double context, then the number will
        already be up-converted to double and ready to go.

        Previously if this ever came up, the subsequent use would have to again branch to see
        if the value is tagged as int or tagged as double.

        On the other hand, if you ever did speculateNumber() and then used the value as a
        JSValue, this will be a slow down now.

        I suspect that the former (speculateNumber() and then use as number) is more likely
        than the latter (speculateNumber() and then use as JSValue).

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateNumber):

2013-02-22  Filip Pizlo  <fpizlo@apple.com>

        DFG FixupPhase should have one common hook for knowing if a node is ever being speculated a certain way
        https://bugs.webkit.org/show_bug.cgi?id=110650

        Reviewed by Mark Hahnenberg.

        Changes almost all calls to edge.setUseKind(kind) to be
        setUseKindAndUnboxIfProfitable<kind>(edge). This will allow us to use the latter
        as a hook for deciding which locals to unbox (webkit.org/b/110433).

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):

2013-02-22  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r143654): some fast/js test crashes on 32 bit build
        https://bugs.webkit.org/show_bug.cgi?id=110590

        Reviewed by Mark Hahnenberg.

        In compileValueToInt32, the refactoring in r143654 undid one of the fixes from
        r143314 due to a merge goof.

        In speculateNumber, we were simply forgetting to indicate that we need a
        ManualOperandSpeculation on a JSValueOperand. ManualOperandSpeculation should
        be passed whenever you will be performing the type checks yourself rather than
        using the operand class to do it for you.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::speculateNumber):

2013-02-22  Geoffrey Garen  <ggaren@apple.com>

        Fix the 32-bit build by using the right data type in more places.

        * runtime/CodeCache.h:

2013-02-22  Geoffrey Garen  <ggaren@apple.com>

        Fix the 32-bit build by using the right data type.

        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::find):
2013-02-21  Geoffrey Garen  <ggaren@apple.com>

        Code cache size should adapt to workload
        https://bugs.webkit.org/show_bug.cgi?id=110560

        Reviewed by Antti Koivisto.

        (*) 5% PLT arithmetic mean speedup
        (*) 10% PLT geometric mean speedup
        (*) 3.4X microbenchmark speedup
        (*) Reduces initial cache capacity by 16X

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::CodeCache): Updated for interface change.

        * runtime/CodeCache.h:
        (JSC::SourceCodeValue::SourceCodeValue):
        (SourceCodeValue): Turned the cache value into a struct so it can track its age.

        (JSC::CodeCacheMap::CodeCacheMap):
        (JSC::CodeCacheMap::find):
        (JSC::CodeCacheMap::set):
        (JSC::CodeCacheMap::clear):
        (JSC::CodeCacheMap::pruneIfNeeded):
        (CodeCache): Grow and shrink in response to usage.

2013-02-21  Jessie Berlin  <jberlin@apple.com>

        Fix a typo that broke the 32 bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-21  Michael Saboff  <msaboff@apple.com>

        25-30% regression in V8 RayTrace test in 32 bit builds with JIT disabled
        https://bugs.webkit.org/show_bug.cgi?id=110539

        Reviewed by Filip Pizlo.

        Change the scale used to look up pointers in JSGlobalObject::m_specialPointers to be 4 bytes for
        the 32 bit version of the interpreter.

        * llint/LowLevelInterpreter32_64.asm:

2013-02-21  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Add executable property to cmd file.
        Required for executable files to maintain their executable permissions over svn.

        * JavaScriptCore.vcxproj/copy-files.cmd: Added property svn:executable.

2013-02-21  Filip Pizlo  <fpizlo@apple.com>

        Object allocation profiling will refuse to create objects with more than JSFinalObject::maxInlineCapacity() inline slots, but JSFunction::allocationProfile() asserts that the number of inline slots is always what it asked for
        https://bugs.webkit.org/show_bug.cgi?id=110519
        <rdar://problem/13218566>

        Reviewed by Geoffrey Garen.

        * runtime/JSFunction.h:
        (JSC::JSFunction::allocationProfile):

2013-02-21  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Build fix for VS2010 WebKit solution.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
2013-02-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should not change its mind about what type speculations a node does, by encoding the checks in the NodeType, UseKind, and ArrayMode
        https://bugs.webkit.org/show_bug.cgi?id=109371

        Reviewed by Oliver Hunt.

        FixupPhase now locks in the speculations that each node will do. The DFG then
        remembers those speculations, and doesn't change its mind about them even if the
        graph is transformed - for example if a node's child is repointed to a different
        node as part of CSE, CFG simplification, or folding. Each node ensures that it
        executes the speculations promised by its edges. This is true even for Phantom

        This still leaves some craziness on the table for future work, like the
        elimination of speculating SetLocal's due to CFG simplification
        (webkit.org/b/109388) and elimination of nodes via DCE (webkit.org/b/109389).

        In all, this allows for a huge simplification of the DFG. Instead of having to
        execute the right speculation heuristic each time you want to decide what a node
        does (for example Node::shouldSpeculateInteger(child1, child2) &&
        node->canSpeculateInteger()), you just ask for the use kinds of its children
        (typically node->binaryUseKind() == Int32Use). Because the use kinds are
        discrete, you can often just switch over them. This makes many parts of the code
        more clear than they were before.

        Having UseKinds describe the speculations being performed also makes it far
        easier to perform analyses that need to know what speculations are done. This is
        so far only used to simplify large parts of the CFA.

        To have a larger vocabulary of UseKinds, this also changes the node allocator to
        be able to round up Node sizes to the nearest multiple of 16.

        This appears to be neutral on benchmarks, except for some goofy speed-ups, like

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::startExecuting):
        (JSC::DFG::AbstractState::executeEdges):
        (JSC::DFG::AbstractState::verifyEdge):
        (JSC::DFG::AbstractState::verifyEdges):
        (JSC::DFG::AbstractState::executeEffects):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::filterEdgeByUse):
        (JSC::DFG::AbstractState::filterByType):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::filter):
        * dfg/DFGAdjacencyList.h:
        (JSC::DFG::AdjacencyList::AdjacencyList):
        (JSC::DFG::AdjacencyList::child):
        (JSC::DFG::AdjacencyList::setChild):
        (JSC::DFG::AdjacencyList::reset):
        (JSC::DFG::AdjacencyList::firstChild):
        (JSC::DFG::AdjacencyList::setFirstChild):
        (JSC::DFG::AdjacencyList::numChildren):
        (JSC::DFG::AdjacencyList::setNumChildren):
        * dfg/DFGAllocator.h:
        (JSC::DFG::Allocator::cellSize):
        (JSC::DFG::Allocator::Region::headerSize):
        (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
        (JSC::DFG::Allocator::Region::payloadSize):
        (JSC::DFG::Allocator::Region::payloadBegin):
        (JSC::DFG::Allocator::Region::payloadEnd):
        (JSC::DFG::Allocator::Region::isInThisRegion):
        (JSC::DFG::::Allocator):
        (JSC::DFG::::~Allocator):
        (JSC::DFG::::allocate):
        (JSC::DFG::::freeAll):
        (JSC::DFG::::reset):
        (JSC::DFG::::indexOf):
        (JSC::DFG::::allocatorOf):
        (JSC::DFG::::bumpAllocate):
        (JSC::DFG::::freeListAllocate):
        (JSC::DFG::::allocateSlow):
        (JSC::DFG::::freeRegionsStartingAt):
        (JSC::DFG::::startBumpingIn):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::Edge::dump):
        (JSC::DFG::Edge::useKindUnchecked):
        (JSC::DFG::Edge::useKind):
        (JSC::DFG::Edge::shift):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        (JSC::DFG::FixupPhase::truncateConstantsIfNecessary):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::Graph::refChildren):
        (JSC::DFG::Graph::derefChildren):
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::performSubstitution):
        (JSC::DFG::Graph::isPredictedNumerical):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (JSC::DFG::Node::binaryUseKind):
        (JSC::DFG::Node::isBinaryUseKind):
        * dfg/DFGNodeAllocator.h:
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::SpeculativeJIT::typeCheck):
        (JSC::DFG::SpeculativeJIT::forwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::fillStorage):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateInt32):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateRealNumber):
        (JSC::DFG::SpeculativeJIT::speculateBoolean):
        (JSC::DFG::SpeculativeJIT::speculateCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateNotCell):
        (JSC::DFG::SpeculativeJIT::speculateOther):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::IntegerOperand::edge):
        (JSC::DFG::IntegerOperand::node):
        (JSC::DFG::IntegerOperand::gpr):
        (JSC::DFG::IntegerOperand::use):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::JSValueOperand::edge):
        (JSC::DFG::JSValueOperand::node):
        (JSC::DFG::JSValueOperand::gpr):
        (JSC::DFG::JSValueOperand::fill):
        (JSC::DFG::JSValueOperand::use):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::StorageOperand::edge):
        (JSC::DFG::StorageOperand::node):
        (JSC::DFG::StorageOperand::gpr):
        (JSC::DFG::StorageOperand::use):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (SpeculateIntegerOperand):
        (JSC::DFG::SpeculateIntegerOperand::edge):
        (JSC::DFG::SpeculateIntegerOperand::node):
        (JSC::DFG::SpeculateIntegerOperand::gpr):
        (JSC::DFG::SpeculateIntegerOperand::use):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateStrictInt32Operand::edge):
        (JSC::DFG::SpeculateStrictInt32Operand::node):
        (JSC::DFG::SpeculateStrictInt32Operand::gpr):
        (JSC::DFG::SpeculateStrictInt32Operand::use):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::edge):
        (JSC::DFG::SpeculateDoubleOperand::node):
        (JSC::DFG::SpeculateDoubleOperand::fpr):
        (JSC::DFG::SpeculateDoubleOperand::use):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (SpeculateCellOperand):
        (JSC::DFG::SpeculateCellOperand::edge):
        (JSC::DFG::SpeculateCellOperand::node):
        (JSC::DFG::SpeculateCellOperand::gpr):
        (JSC::DFG::SpeculateCellOperand::use):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::edge):
        (SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::node):
        (JSC::DFG::SpeculateBooleanOperand::gpr):
        (JSC::DFG::SpeculateBooleanOperand::use):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * dfg/DFGUseKind.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGUseKind.h: Added.
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isNumerical):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::reportValidationContext):
2013-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Need a way to use the Objective-C JavaScript API with WebKit
        https://bugs.webkit.org/show_bug.cgi?id=106059

        Reviewed by Geoffrey Garen.

        * API/JSBase.h: Renamed enable flag for API.
        * API/JSBlockAdaptor.h: Using new flag.
        * API/JSBlockAdaptor.mm: Ditto.
        * API/JSContext.h: Add convenience C API conversion function for JSGlobalContextRef.
        (-[JSContext JSGlobalContextRef]): Implementation of C API convenience function.
        (-[JSContext initWithVirtualMachine:]): We don't use the m_apiData field any more.
        (-[JSContext initWithGlobalContextRef:]): init method for allocating new JSContexts given a JSGlobalContextRef.
        (-[JSContext dealloc]): No more m_apiData.
        (-[JSContext wrapperForObjCObject:]): Renamed wrapperForObject.
        (-[JSContext wrapperForJSObject:]): Fetches or allocates the JSValue for the specified JSValueRef in this JSContext.
        (+[JSContext contextWithGlobalContextRef:]): Helper function to grab the lightweight JSContext wrapper for a given
        JSGlobalContextRef from the global wrapper cache or allocate a new one if there isn't already one.
        * API/JSContextInternal.h: New flag, new method declaration for initWithGlobalContextRef.
        * API/JSExport.h: New flag.
        * API/JSValue.h: New flag and new C API convenience method.
        (-[JSValue JSValueRef]): Implementation of the C API convenience method.
        (objectToValueWithoutCopy):
        (+[JSValue valueWithValue:inContext:]): We now ask the JSContext for an Objective-C JSValue wrapper, which it can cache
        in its internal JSWrapperMap.
        * API/JSValueInternal.h:
        * API/JSVirtualMachine.h:
        * API/JSVirtualMachine.mm: Added global cache that maps JSContextGroupRef -> JSVirtualMachine lightweight wrappers.
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
        (-[JSVirtualMachine init]):
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (-[JSVirtualMachine dealloc]):
        (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
        (-[JSVirtualMachine contextForGlobalContextRef:]):
        (-[JSVirtualMachine addContext:forGlobalContextRef:]):
        * API/JSVirtualMachineInternal.h:
        * API/JSWrapperMap.h:
        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We use the JSObjectSetPrototype C API call because
        setting the __proto__ property causes all sorts of bad things to happen behind the scenes, which can cause crashes based on
        when it gets called.
        (-[JSWrapperMap initWithContext:]):
        (-[JSWrapperMap jsWrapperForObject:]):
        (-[JSWrapperMap objcWrapperForJSValueRef:]):
        * API/JavaScriptCore.h:
        * API/ObjCCallbackFunction.h:
        * API/ObjCCallbackFunction.mm:
        (ObjCCallbackFunction::ObjCCallbackFunction): We never actually should have retained the target in the case that we had a
        block as a callback. Blocks are initially allocated on the stack and are only moved to the heap if we call their copy method.
        Retaining the block on the stack was a bad idea because if that stack frame ever went away and we called the block later,
        we'd crash and burn.
        (ObjCCallbackFunction::setContext): We need a new setter for when the weak reference to a JSContext inside an ObjCCallbackFunction
        disappears, so we can allocate a new one in its place.
        (ObjCCallbackFunction):
        (objCCallbackFunctionCallAsFunction): Reset the callback's context if it's ever destroyed.
        (objCCallbackFunctionForInvocation): Again, don't set the __proto__ property because it uses black magic that can cause us to crash
        depending on when this is called.
        (objCCallbackFunctionForBlock): Here is where we copy the block to the heap when we're first creating the callback object for it.
        * API/tests/testapi.c:
        * API/tests/testapi.mm: We're going to get rid of the automatic block conversion, since that is causing leaks. I changed it
        here in this test just so that it wouldn't mask any other potential leaks. Also modified some of the tests since JSContexts are
        just lightweight wrappers now, we're not guaranteed to get the same pointer back from the call to [JSValue context] as the one
        that the value was created in.
        (-[TestObject callback:]):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData): No more m_apiData.
        * runtime/JSGlobalData.h: Ditto.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject): Ditto.
        * runtime/JSGlobalObject.h:
2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT::compileInt32ToDouble() has an unnecessary case for constant operands
        https://bugs.webkit.org/show_bug.cgi?id=110309

        Reviewed by Sam Weinig.

        It used to be necessary, back when we didn't have constant folding. Now we have
        constant folding. So we don't need it.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):

2013-02-20  Filip Pizlo  <fpizlo@apple.com>

        DFG inlines Resolves that it doesn't know how to handle correctly
        https://bugs.webkit.org/show_bug.cgi?id=110405

        Reviewed by Geoffrey Garen.

        Don't try to be clever: if there's a failing resolve, we can't inline it, period.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineResolveOperations):
        (JSC::DFG::canInlineOpcode):

2013-02-20  Roger Fong  <roger_fong@apple.com>

        Get VS2010 Solution B&I ready.
        <rdar://problem/1322988>

        Rubberstamped by Timothy Horton.

        Add Production configuration.
        Add a JavaScriptCore submit solution with a DebugSuffix configuration.
        Modify JavaScriptCore.make as necessary.

        * JavaScriptCore.vcxproj/JavaScriptCore.make: Added.
        * JavaScriptCore.vcxproj/JavaScriptCore.sln: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.sln.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props: Added.
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props:
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
        * JavaScriptCore.vcxproj/jsc/jscCommon.props:
        * JavaScriptCore.vcxproj/jsc/jscProduction.props: Added.
        * JavaScriptCore.vcxproj/jsc/jscRelease.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props:
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapiCommon.props:
        * JavaScriptCore.vcxproj/testapi/testapiProduction.props: Added.
        * JavaScriptCore.vcxproj/testapi/testapiRelease.props:
2013-02-19  Jer Noble  <jer.noble@apple.com>

        EME: Enable both ENCRYPTED_MEDIA and ENCRYPTED_MEDIA_V2 until clients transition to the new API.
        https://bugs.webkit.org/show_bug.cgi?id=110284

        Reviewed by Eric Carlson.

        Re-enable the ENCRYPTED_MEDIA flag.

        * Configurations/FeatureDefines.xcconfig:

2013-02-20  Dirk Schulze  <krit@webkit.org>

        Enable CANVAS_PATH flag
        https://bugs.webkit.org/show_bug.cgi?id=108508

        Reviewed by Simon Fraser.

        Enable CANVAS_PATH flag on trunk.

        Existing tests cover the feature.

        * Configurations/FeatureDefines.xcconfig:

2013-02-19  Mark Rowe  <mrowe@apple.com>

        Unreviewed, uninteresting change to test a theory about bad dependency handling.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString): Remove an unnecessary else clause.

2013-02-19  Oliver Hunt  <oliver@apple.com>

        Silence some analyzer warnings
        https://bugs.webkit.org/show_bug.cgi?id=110281

        Reviewed by Mark Hahnenberg.

        The static analyzer believes that callerCodeBlock can be null,
        based on other code performing null tests. This should not
        ever be the case, but we'll add RELEASE_ASSERTs to make it
        obvious if we're ever wrong.

        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):

2013-02-19  Oliver Hunt  <oliver@apple.com>

        Don't force everything to be blinded in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=110279

        Reviewed by Mark Hahnenberg.

        Switch to an explicit flag for indicating that we want
        every constant to be blinded.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of Opcode.h

        Rubber stamped by Mark Hahnenberg.

        * bytecode/Opcode.h:

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        Moved PolymorphicAccessStructureList into its own file.

        Rubber stamped by Mark Hahnenberg.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Instruction.h:
        * bytecode/PolymorphicAccessStructureList.h: Added.
        (PolymorphicAccessStructureList):
        (PolymorphicStubInfo):
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        (JSC::PolymorphicAccessStructureList::visitWeak):
        * bytecode/StructureStubInfo.h:

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of Instruction.h

        Rubber stamped by Mark Hahnenberg.

        * bytecode/Instruction.h:

2013-02-18  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling in r143348.
        http://trac.webkit.org/changeset/143348
        https://bugs.webkit.org/show_bug.cgi?id=110242

        The bug was that isEmptyValue() was returning true for the deleted value.
        Fixed this and simplified things further by delegating to m_sourceCode
        for both isNull() and isHashTableDeletedValue(), so they can't be out of

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::isHashTableDeletedValue):
        (JSC::SourceCodeKey::hash):
        (JSC::SourceCodeKey::length):
        (JSC::SourceCodeKey::isNull):
        (JSC::SourceCodeKey::operator==):
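The sentinel confusion that entry describes, as an added example that is not WebKit's code: a toy open-addressing table whose key, like SourceCodeKey, has separate "empty" and "deleted" sentinels, run once with an empty-check that also answers true for the deleted value and once with the corrected check. The names Key, Table, buggyIsEmpty and fixedIsEmpty are hypothetical, and the length-based hash is a constructed stand-in chosen so the collision is predictable.

```cpp
// Added example (not WebKit code). WTF::HashTable-style open addressing
// ends a probe sequence at an empty slot but must walk past tombstones
// left by removals. If the key's "is empty" predicate also returns true
// for the deleted sentinel, a lookup stops at a tombstone and misses any
// key that was inserted past it, the bug the rolling-in entry describes.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

struct Key {
    enum class State { Empty, Deleted, Live };
    State state = State::Empty;
    std::string source;   // stands in for the cached source text
    unsigned hash = 0;    // cached hash, as the real key caches its hash

    static Key live(const std::string& s) {
        Key k;
        k.state = State::Live;
        k.source = s;
        // Toy hash (string length) so collisions are predictable here;
        // a real key hashes the full string.
        k.hash = static_cast<unsigned>(s.size());
        return k;
    }
    static Key deleted() { Key k; k.state = State::Deleted; return k; }
    bool isHashTableDeletedValue() const { return state == State::Deleted; }
    bool operator==(const Key& o) const { return state == o.state && source == o.source; }
};

using IsEmptyFn = bool (*)(const Key&);

// The bug: anything that is not live, including a tombstone, looks empty.
bool buggyIsEmpty(const Key& k) { return k.state != Key::State::Live; }
// The fix: only a never-used slot is empty; a tombstone still counts as
// occupied for the purpose of probing.
bool fixedIsEmpty(const Key& k) { return k.state == Key::State::Empty; }

class Table {
public:
    explicit Table(IsEmptyFn isEmpty, size_t capacity = 8)
        : m_isEmpty(isEmpty), m_slots(capacity) {}

    void add(const std::string& s) {
        Key k = Key::live(s);
        size_t i = k.hash % m_slots.size();
        for (size_t n = 0; n < m_slots.size(); ++n) {
            if (m_slots[i] == k) return;                 // already present
            if (m_slots[i].state != Key::State::Live) {  // empty or tombstone: reuse
                m_slots[i] = k;
                return;
            }
            i = (i + 1) % m_slots.size();                // linear probe
        }
    }

    void remove(const std::string& s) {
        Key k = Key::live(s);
        size_t i = k.hash % m_slots.size();
        for (size_t n = 0; n < m_slots.size(); ++n) {
            if (m_slots[i] == k) { m_slots[i] = Key::deleted(); return; }
            if (m_isEmpty(m_slots[i])) return;
            i = (i + 1) % m_slots.size();
        }
    }

    bool contains(const std::string& s) const {
        Key k = Key::live(s);
        size_t i = k.hash % m_slots.size();
        for (size_t n = 0; n < m_slots.size(); ++n) {
            if (m_slots[i] == k) return true;
            // The probe ends at an empty slot. With buggyIsEmpty a tombstone
            // also ends it, so keys that probed past that slot are lost.
            if (m_isEmpty(m_slots[i])) return false;
            i = (i + 1) % m_slots.size();
        }
        return false;
    }

private:
    IsEmptyFn m_isEmpty;
    std::vector<Key> m_slots;
};

// Insert two colliding keys, delete the first, then look up the second.
// Returns true only if the table still finds the surviving key.
bool lookupSurvivesDeletion(IsEmptyFn isEmpty) {
    Table t(isEmpty);
    t.add("ab");     // length 2 -> slot 2
    t.add("cd");     // also slot 2, probes on to slot 3
    t.remove("ab");  // slot 2 becomes a tombstone
    return t.contains("cd");
}

int main() {
    std::printf("buggy isEmpty finds survivor: %s\n",
                lookupSurvivesDeletion(buggyIsEmpty) ? "yes" : "no");
    std::printf("fixed isEmpty finds survivor: %s\n",
                lookupSurvivesDeletion(fixedIsEmpty) ? "yes" : "no");
    return 0;
}
```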
2013-02-15  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Improve gyp build JavaScriptCore code generation
        https://bugs.webkit.org/show_bug.cgi?id=109969

        Reviewed by Dirk Pranke.

        Switch away from using DerivedSources.make when building JavaScriptCore generated
        sources. This brings a couple of advantages, such as building the sources in parallel,
        but requires us to list the generated sources more than once.

        * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Add rules for generating JavaScriptCore sources.
        * JavaScriptCore.gyp/generate-derived-sources.sh: Added.
        * JavaScriptCore.gyp/redirect-stdout.sh: Added.

2013-02-19  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r143348.
        http://trac.webkit.org/changeset/143348
        https://bugs.webkit.org/show_bug.cgi?id=110242

        "Caused a deleted value sentinel crash on the layout tests"
        (Requested by ggaren on #webkit).

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::isHashTableDeletedValue):
        (JSC::SourceCodeKey::hash):
        (JSC::SourceCodeKey::length):
        (JSC::SourceCodeKey::isNull):
        (JSC::SourceCodeKey::operator==):

2013-02-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        HeapBlock::destroy should issue warning if result is unused
        https://bugs.webkit.org/show_bug.cgi?id=110233

        Reviewed by Oliver Hunt.

        To enforce the fact that we need to return blocks to the BlockAllocator after calling destroy,
        we should add WARN_UNUSED_RETURN to HeapBlock::destroy and any other destroy functions in its subclasses.

2013-02-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        WeakSet::removeAllocator leaks WeakBlocks
        https://bugs.webkit.org/show_bug.cgi?id=110228

        Reviewed by Geoffrey Garen.

        We need to return the WeakBlock to the BlockAllocator after the call to WeakBlock::destroy.

        (JSC::WeakSet::removeAllocator):

2013-02-18  Geoffrey Garen  <ggaren@apple.com>

        Save space on keys in the CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=110179

        Reviewed by Oliver Hunt.

        Share the SourceProvider's string instead of making our own copy. This
        chops off 16MB - 32MB from the CodeCache's memory footprint when full.
        (It's 16MB when the strings are LChar, and 32MB when they're UChar.)

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h: Removed a defunct enum value.
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::isHashTableDeletedValue):
        (JSC::SourceCodeKey::hash):
        (JSC::SourceCodeKey::length):
        (JSC::SourceCodeKey::isNull):
        (JSC::SourceCodeKey::string):
        (JSC::SourceCodeKey::operator==): Store a SourceCode instead of a String
        so we can share our string with our SourceProvider. Cache our hash so
        we don't have to re-decode our string just to re-hash the table.
2013-02-19  Zoltan Herczeg  <zherczeg@webkit.org>

        revertBranchPtrWithPatch is incorrect on ARM traditional
        https://bugs.webkit.org/show_bug.cgi?id=110201

        Reviewed by Oliver Hunt.

        Revert two instructions back to their original value.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::revertBranchPtrWithPatch):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=110184

        Reviewed by Zoltan Herczeg.

        The 32-bit backend was making all sorts of crazy assumptions, which happened to mostly
        not break things prior to http://trac.webkit.org/changeset/143241. This brings the
        32-bit backend's type speculation fully into compliance with what the 64-bit

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):

2013-02-18  Ilya Tikhonovsky  <loislo@chromium.org>

        Unreviewed build fix for Apple Windows. Second stage.
        Add missed export statement.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-02-18  Roger Fong  <roger_fong@apple.com>

        Unreviewed Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-02-18  Darin Adler  <darin@apple.com>

        Remove unneeded explicit function template arguments.
        https://bugs.webkit.org/show_bug.cgi?id=110043

        Reviewed by Ryosuke Niwa.

        * runtime/Identifier.cpp:
        (JSC::IdentifierASCIIStringTranslator::hash): Let the compiler deduce the type
        when calling computeHashAndMaskTop8Bits.
        (JSC::IdentifierLCharFromUCharTranslator::hash): Ditto.
        * runtime/Identifier.h:
        (JSC::IdentifierCharBufferTranslator::hash): Ditto.

2013-02-18  Geoffrey Garen  <ggaren@apple.com>

        Shrank the SourceProvider cache
        https://bugs.webkit.org/show_bug.cgi?id=110158

        Reviewed by Oliver Hunt.

        CodeCache is now our primary source cache, so a long-lived SourceProvider
        cache is a waste. I measured this as a 10MB Membuster win; with more
        precise instrumentation, Andreas estimated it as up to 30MB.

        I didn't eliminate the SourceProvider cache because it's still useful
        in speeding up uncached parsing of scripts with large nested functions
        (i.e., all scripts).

        (JSC::Heap::collect): Discard all source provider caches after GC. This
        is a convenient place to do so because it's reasonably soon after initial
        parsing without being immediate.

        * parser/Parser.cpp:
        (JSC::::Parser): Updated for interface change: The heap now owns the
        source provider cache, since most SourceProviders are not expected to
        have one by default, and the heap is responsible for throwing them away.

        (JSC::::parseInner): No need to update statistics on cache size, since
        we're going to throw it away no matter what.

        (JSC::::parseFunctionInfo): Reduced the minimum function size to 16. This
        is a 27% win on a new parsing micro-benchmark I've added. Now that the
        cache is temporary, we don't have to worry so much about its memory

        (Parser): Updated for interface changes.

        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::SourceProvider):
        (JSC::SourceProvider::~SourceProvider):
        * parser/SourceProvider.h:
3421 (SourceProvider): SourceProvider doesn't own its cache anymore because
3422 the cache is temporary.
3424 * parser/SourceProviderCache.cpp:
3425 (JSC::SourceProviderCache::clear):
3426 (JSC::SourceProviderCache::add):
3427 * parser/SourceProviderCache.h:
3428 (JSC::SourceProviderCache::SourceProviderCache):
3429 (SourceProviderCache):
3430 * parser/SourceProviderCacheItem.h:
3431 (SourceProviderCacheItem): No need to update statistics on cache size,
3432 since we're going to throw it away no matter what.
3434 * runtime/JSGlobalData.cpp:
3435 (JSC::JSGlobalData::addSourceProviderCache):
3437 (JSC::JSGlobalData::clearSourceProviderCaches):
3438 * runtime/JSGlobalData.h:
3440 (JSGlobalData): Moved the cache here so it's easier to throw away.
3442 2013-02-18 Filip Pizlo <fpizlo@apple.com>
3444 DFG backend Branch handling has duplicate code and dead code
3445 https://bugs.webkit.org/show_bug.cgi?id=110162
3447 Reviewed by Mark Hahnenberg.
3449 Streamline the code, and make the 64-bit backend's optimizations make more sense
3450 (i.e. not be dead code).
3452 * dfg/DFGSpeculativeJIT32_64.cpp:
3453 (JSC::DFG::SpeculativeJIT::compile):
3454 * dfg/DFGSpeculativeJIT64.cpp:
3455 (JSC::DFG::SpeculativeJIT::emitBranch):
3456 (JSC::DFG::SpeculativeJIT::compile):
3458 2013-02-18 Brent Fulgham <bfulgham@webkit.org>
3460 [Windows] Unreviewed VS2010 build correction after r143273.
3462 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing source
3463 file SourceProvider.cpp.
3464 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
3465 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Add missing exports.
3467 2013-02-18 Filip Pizlo <fpizlo@apple.com>
3469 Structure::flattenDictionaryStructure should compute max offset in a manner that soundly handles the case where the property list becomes empty
3470 https://bugs.webkit.org/show_bug.cgi?id=110155
3471 <rdar://problem/13233773>
3473 Reviewed by Mark Rowe.
3475 This was a rookie mistake. It was doing:
3478 m_offset = foo // foo monotonically increases in the loop
3481 as a way of computing max offset for all of the properties. Except what if the loop doesn't
3482 execute because there are no properties? Well, then, you're going to have a bogus m_offset.
3484 The solution is to initialize m_offset at the top of the loop.
3486 * runtime/Structure.cpp:
3487 (JSC::Structure::flattenDictionaryStructure):
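The bug described in the entry above, reduced to its shape as an added example (this is not JavaScriptCore's flattenDictionaryStructure; the Property struct, the invalidOffset sentinel and the two helper functions are assumptions of the example). The buggy form only assigns the running maximum inside the loop, so an empty property list leaves whatever stale value the field held before; the fixed form initializes it before the loop:

```cpp
#include <cassert>
#include <vector>

// Hypothetical property-table entry: each property occupies a slot offset,
// and the offsets are assigned in increasing order (as the entry states).
struct Property {
    int offset;
};

// Sentinel meaning "no properties at all". The real Structure uses its own
// invalid-offset constant; -1 is this example's stand-in for it.
constexpr int invalidOffset = -1;

// Buggy shape: m_offset is assigned only inside the loop, so if the loop body
// never runs the caller sees the stale value the field had before.
int maxOffsetBuggy(const std::vector<Property>& properties, int staleOffset)
{
    int m_offset = staleOffset; // models the field's previous contents
    for (const Property& p : properties)
        m_offset = p.offset; // offsets increase monotonically, so the last is the max
    return m_offset;
}

// Fixed shape: initialize m_offset before the loop, so an empty property list
// yields the sentinel instead of a leftover value.
int maxOffsetFixed(const std::vector<Property>& properties)
{
    int m_offset = invalidOffset;
    for (const Property& p : properties)
        m_offset = p.offset;
    return m_offset;
}
```

The stale value is the dangerous part: a bogus maximum offset is later used for sizing and bounds decisions, which is why a missing initialization in this kind of loop is worth a dedicated empty-input test.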
3489 2013-02-18 Balazs Kilvady <kilvadyb@homejinni.com>
3491 MIPS DFG implementation.
3492 https://bugs.webkit.org/show_bug.cgi?id=101328
3494 Reviewed by Oliver Hunt.
3496 DFG implementation for MIPS.
3498 * assembler/MIPSAssembler.h:
3499 (JSC::MIPSAssembler::MIPSAssembler):
3500 (JSC::MIPSAssembler::sllv):
3501 (JSC::MIPSAssembler::movd):
3503 (JSC::MIPSAssembler::negd):
3504 (JSC::MIPSAssembler::labelForWatchpoint):
3505 (JSC::MIPSAssembler::label):
3506 (JSC::MIPSAssembler::vmov):
3507 (JSC::MIPSAssembler::linkDirectJump):
3508 (JSC::MIPSAssembler::maxJumpReplacementSize):
3509 (JSC::MIPSAssembler::revertJumpToMove):
3510 (JSC::MIPSAssembler::replaceWithJump):
3511 * assembler/MacroAssembler.h:
3513 (JSC::MacroAssembler::poke):
3514 * assembler/MacroAssemblerMIPS.h:
3515 (JSC::MacroAssemblerMIPS::add32):
3516 (MacroAssemblerMIPS):
3517 (JSC::MacroAssemblerMIPS::and32):
3518 (JSC::MacroAssemblerMIPS::lshift32):
3519 (JSC::MacroAssemblerMIPS::mul32):
3520 (JSC::MacroAssemblerMIPS::or32):
3521 (JSC::MacroAssemblerMIPS::rshift32):
3522 (JSC::MacroAssemblerMIPS::urshift32):
3523 (JSC::MacroAssemblerMIPS::sub32):
3524 (JSC::MacroAssemblerMIPS::xor32):
3525 (JSC::MacroAssemblerMIPS::store32):
3526 (JSC::MacroAssemblerMIPS::jump):
3527 (JSC::MacroAssemblerMIPS::branchAdd32):
3528 (JSC::MacroAssemblerMIPS::branchMul32):
3529 (JSC::MacroAssemblerMIPS::branchSub32):
3530 (JSC::MacroAssemblerMIPS::branchNeg32):
3531 (JSC::MacroAssemblerMIPS::call):
3532 (JSC::MacroAssemblerMIPS::loadDouble):
3533 (JSC::MacroAssemblerMIPS::moveDouble):
3534 (JSC::MacroAssemblerMIPS::swapDouble):
3535 (JSC::MacroAssemblerMIPS::subDouble):
3536 (JSC::MacroAssemblerMIPS::mulDouble):
3537 (JSC::MacroAssemblerMIPS::divDouble):
3538 (JSC::MacroAssemblerMIPS::negateDouble):
3539 (JSC::MacroAssemblerMIPS::branchEqual):
3540 (JSC::MacroAssemblerMIPS::branchNotEqual):
3541 (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
3542 (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
3543 (JSC::MacroAssemblerMIPS::truncateDoubleToInt32):
3544 (JSC::MacroAssemblerMIPS::truncateDoubleToUint32):
3545 (JSC::MacroAssemblerMIPS::branchDoubleNonZero):
3546 (JSC::MacroAssemblerMIPS::branchDoubleZeroOrNaN):
3547 (JSC::MacroAssemblerMIPS::invert):
3548 (JSC::MacroAssemblerMIPS::replaceWithJump):
3549 (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
3550 * dfg/DFGAssemblyHelpers.h:
3552 (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
3553 (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
3554 (JSC::DFG::AssemblyHelpers::debugCall):
3555 * dfg/DFGCCallHelpers.h:
3557 (JSC::DFG::CCallHelpers::setupArguments):
3558 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
3562 (JSC::DFG::FPRInfo::toRegister):
3563 (JSC::DFG::FPRInfo::toIndex):
3564 (JSC::DFG::FPRInfo::debugName):
3568 (JSC::DFG::GPRInfo::toRegister):
3569 (JSC::DFG::GPRInfo::toIndex):
3570 (JSC::DFG::GPRInfo::debugName):
3571 * dfg/DFGSpeculativeJIT.h:
3573 * jit/JSInterfaceJIT.h:
3575 * runtime/JSGlobalData.h:
3576 (JSC::ScratchBuffer::allocationSize):
3579 2013-02-18 Filip Pizlo <fpizlo@apple.com>
3581 DFG::SpeculativeJIT::isKnownXYZ methods should use CFA rather than other things
3582 https://bugs.webkit.org/show_bug.cgi?id=110092
3584 Reviewed by Geoffrey Garen.
3586 These methods were previously using GenerationInfo and other things to try to
3587 gain information that the CFA could give away for free, if you asked kindly
3590 Also fixed CallLinkStatus's dump() method since it was making an invalid
3591 assertion: we most certainly can have a status where the structure is non-null
3592 and the executable is null, like if we're dealing with an InternalFunction.
3594 Also removed calls to isKnownNotXYZ from fillSpeculateABC methods in 32_64. I
3595 don't know why that was there. But it was causing asserts if the value was
3596 empty - i.e. we had already exited unconditionally but we didn't know it. I
3597 could have fixed this by introducing another form of isKnownNotXYZ which was
3598 tolerant of empty values, but I didn't feel like fixing code that I knew to be
3599 unnecessary. (More deeply, isKnownNotCell, for example, really asks: "do you
3600 know that this value can never be a cell?" while some of the previous uses
3601 wanted to ask: "do you know that this is a value that is not a cell?". The
3602 former is "true" if the value is a contradiction [i.e. BOTTOM], while the
3603 latter is "false" for contradictions, since contradictions are not values.)
3605 * bytecode/CallLinkStatus.cpp:
3606 (JSC::CallLinkStatus::dump):
3607 * bytecode/CallLinkStatus.h:
3608 (JSC::CallLinkStatus::CallLinkStatus):
3609 * dfg/DFGSpeculativeJIT.cpp:
3611 * dfg/DFGSpeculativeJIT.h:
3612 (JSC::DFG::SpeculativeJIT::isKnownInteger):
3613 (JSC::DFG::SpeculativeJIT::isKnownCell):
3614 (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
3615 (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
3616 (JSC::DFG::SpeculativeJIT::isKnownNotCell):
3617 * dfg/DFGSpeculativeJIT32_64.cpp:
3618 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3619 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3620 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3621 * dfg/DFGStructureAbstractValue.h:
3622 (JSC::DFG::StructureAbstractValue::dump):
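The distinction drawn in the entry above between "can never be a cell" and "is a value that is not a cell", as an added example that is not JavaScriptCore's AbstractValue or SpeculatedType code (the bit names, the intersect helper and the two predicates are assumptions of the example). An abstract value is modelled as a bitset of the concrete kinds it may take; the empty set is BOTTOM, the contradiction reached after an unconditional exit:

```cpp
#include <cstdint>

// Hypothetical kind bits; the empty set (SpecNone) is BOTTOM, meaning no value
// can reach this point at all.
enum SpeculatedType : uint32_t {
    SpecNone = 0,
    SpecInt32 = 1u << 0,
    SpecDouble = 1u << 1,
    SpecBoolean = 1u << 2,
    SpecCell = 1u << 3,
};

struct AbstractValue {
    uint32_t type;
};

// "Do you know this value can never be a cell?"
// Vacuously true for BOTTOM: there is no value, so in particular no cell.
bool isKnownNotCell(AbstractValue v)
{
    return !(v.type & SpecCell);
}

// "Do you know this is a value that is not a cell?"
// Requires that some value exists, so BOTTOM answers false.
bool isKnownNonCellValue(AbstractValue v)
{
    return v.type != SpecNone && !(v.type & SpecCell);
}

// Refining a value by a type check intersects the kind sets; two contradictory
// facts (e.g. "is an int32" and "is a cell") meet at BOTTOM.
AbstractValue intersect(AbstractValue a, AbstractValue b)
{
    return { a.type & b.type };
}
```

The practical consequence is the one the entry reports: code that asks the first question but means the second will happily proceed on BOTTOM and trip assertions on an empty value, so the predicate used must match the question actually being asked.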
3624 2013-02-17 Filip Pizlo <fpizlo@apple.com>
3626 Get rid of DFG::DoubleOperand and simplify ValueToInt32
3627 https://bugs.webkit.org/show_bug.cgi?id=110072
3629 Reviewed by Geoffrey Garen.
3631 ValueToInt32 had a side-effecting path, which was not OSR-friendly: an OSR after
3632 the side-effect would lead to the side-effect re-executing. I got rid of that path
3633 and replaced it with an optimization for the case where the input is speculated
3634 number-or-other. This makes idioms like null|0 and true|0 work as expected, and
3635 get optimized appropriately.
3637 Also got rid of DoubleOperand. Replaced all remaining uses of it with
3638 SpeculateDoubleOperand. Because the latter asserts that the Edge is a DoubleUse
3639 edge and the remaining uses of DoubleOperand are all for untyped uses, I worked
3640 around the assertion by setting the UseKind to DoubleUse by force. This is sound,
3641 since all existing assertions for DoubleUse are actually asserting that we're not
3642 converting a value to double unexpectedly. But all of these calls to
3643 SpeculateDoubleOperand are when the operand is already known to be represented as
3644 double, so there is no conversion.
3646 This is neutral on benchmarks, except stanford-crypto-ccm, which speeds up a
3647 little. Mostly, this is intended to delete a bunch of code. DoubleOperand was
3648 equivalent to the replace-edge-with-DoubleUse trick that I'm using now, except it
3649 involved a _lot_ more code.
3651 * dfg/DFGAbstractState.cpp:
3652 (JSC::DFG::AbstractState::execute):
3653 * dfg/DFGCSEPhase.cpp:
3654 (JSC::DFG::CSEPhase::performNodeCSE):
3655 * dfg/DFGFixupPhase.cpp:
3656 (JSC::DFG::FixupPhase::fixupNode):
3657 * dfg/DFGNodeType.h:
3659 * dfg/DFGSpeculativeJIT.cpp:
3661 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3662 * dfg/DFGSpeculativeJIT.h:
3666 * dfg/DFGSpeculativeJIT32_64.cpp:
3668 (JSC::DFG::SpeculativeJIT::compile):
3669 * dfg/DFGSpeculativeJIT64.cpp:
3672 2013-02-18 Ádám Kallai <kadam@inf.u-szeged.hu>
3674 [Qt] Mountain Lion buildfix after r143147.
3676 Reviewed by Csaba Osztrogonác.
3678 * runtime/DateConstructor.cpp:
3680 2013-02-18 Zan Dobersek <zdobersek@igalia.com>
3682 Stop placing std::isfinite and std::signbit inside the global scope
3683 https://bugs.webkit.org/show_bug.cgi?id=109817
3685 Reviewed by Darin Adler.
3687 Prefix calls to the isfinite and signbit methods with std:: as the two
3688 methods are no longer being imported into the global scope.
3690 * assembler/MacroAssembler.h:
3691 (JSC::MacroAssembler::shouldBlindDouble):
3692 * offlineasm/cloop.rb:
3693 * runtime/BigInteger.h:
3694 (JSC::BigInteger::BigInteger):
3695 * runtime/DateConstructor.cpp:
3696 (JSC::constructDate):
3697 * runtime/DatePrototype.cpp:
3698 (JSC::fillStructuresUsingTimeArgs):
3699 (JSC::fillStructuresUsingDateArgs):
3700 (JSC::dateProtoFuncToISOString):
3701 (JSC::dateProtoFuncSetYear):
3702 * runtime/JSCJSValueInlines.h:
3703 (JSC::JSValue::JSValue):
3704 * runtime/JSGlobalObjectFunctions.cpp:
3705 (JSC::globalFuncIsFinite):
3706 * runtime/JSONObject.cpp:
3707 (JSC::Stringifier::appendStringifiedValue):
3708 * runtime/MathObject.cpp:
3709 (JSC::mathProtoFuncMax): Also include an opportunistic style fix.
3710 (JSC::mathProtoFuncMin): Ditto.
3711 * runtime/NumberPrototype.cpp:
3712 (JSC::toStringWithRadix):
3713 (JSC::numberProtoFuncToExponential):
3714 (JSC::numberProtoFuncToFixed):
3715 (JSC::numberProtoFuncToPrecision):
3716 (JSC::numberProtoFuncToString):
3717 * runtime/Uint16WithFraction.h:
3718 (JSC::Uint16WithFraction::Uint16WithFraction):
3720 2013-02-18 Ádám Kallai <kadam@inf.u-szeged.hu>
3722 [Qt] Mountain Lion buildfix after r143147.
3724 Reviewed by Csaba Osztrogonác.
3726 * runtime/DateInstance.cpp:
3728 2013-02-18 Ilya Tikhonovsky <loislo@chromium.org>
3730 Unreviewed speculative build fix for Apple Win bots.
3732 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
3734 2013-02-18 Filip Pizlo <fpizlo@apple.com>
3736 Fix indentation of StructureStubInfo.h
3738 Rubber stamped by Mark Hahnenberg.
3740 * bytecode/StructureStubInfo.h:
3742 2013-02-18 Filip Pizlo <fpizlo@apple.com>
3744 Fix indentation of JSGlobalObject.h and JSGlobalObjectFunctions.h
3746 Rubber stamped by Mark Hahnenberg.
3748 * runtime/JSGlobalObject.h:
3749 * runtime/JSGlobalObjectFunctions.h:
3751 2013-02-18 Filip Pizlo <fpizlo@apple.com>
3753 Fix indentation of Operations.h
3755 Rubber stamped by Mark Hahnenberg.
3757 * runtime/Operations.h:
3759 2013-02-18 Filip Pizlo <fpizlo@apple.com>
3761 Remove DFG::SpeculativeJIT::isKnownNumeric(), since it's not called from anywhere.
3763 Rubber stamped by Andy Estes.
3765 * dfg/DFGSpeculativeJIT.cpp:
3767 * dfg/DFGSpeculativeJIT.h:
3770 2013-02-18 Filip Pizlo <fpizlo@apple.com>
3772 Remove DFG::SpeculativeJIT::isStrictInt32(), since it's not called from anywhere.
3774 Rubber stamped by Andy Estes.
3776 * dfg/DFGSpeculativeJIT.cpp:
3778 * dfg/DFGSpeculativeJIT.h:
3781 2013-02-18 Filip Pizlo <fpizlo@apple.com>
3783 Remove dead code for ValueToNumber from the DFG.
3785 Rubber stamped by Andy Estes.
3787 We killed ValueToNumber at some point, but forgot to kill all of the backend support
3790 * dfg/DFGByteCodeParser.cpp:
3791 (JSC::DFG::ByteCodeParser::handleMinMax):
3792 * dfg/DFGOperations.cpp:
3793 * dfg/DFGOperations.h:
3794 * dfg/DFGSpeculativeJIT.h:
3796 * dfg/DFGSpeculativeJIT32_64.cpp:
3797 * dfg/DFGSpeculativeJIT64.cpp:
3799 2013-02-17 Csaba Osztrogonác <ossy@webkit.org>
3801 Unreviewed buildfix for JSVALUE32_64 builds after r143147.
3805 2013-02-17 Filip Pizlo <fpizlo@apple.com>
3807 Move all Structure out-of-line inline methods to StructureInlines.h
3808 https://bugs.webkit.org/show_bug.cgi?id=110024
3810 Rubber stamped by Mark Hahnenberg and Sam Weinig.
3812 This was supposed to be easy.
3814 But, initially, there was a Structure inline method in CodeBlock.h, and moving that
3815 into StructureInlines.h meant that Operations.h included CodeBlock.h. This would
3816 cause WebCore build failures, because CodeBlock.h transitively included the JSC
3817 parser (via many, many paths), and the JSC parser defines tokens using enumeration
3818 elements that CSSGrammar.cpp (generated by bison) would #define. For example,
3819 bison would give CSSGrammar.cpp a #define FUNCTION 123, and would do so before
3820 including anything interesting. The JSC parser would have an enum that included
3821 FUNCTION as an element. Hence the JSC parser included into CSSGrammar.cpp would have
3822 a token element called FUNCTION declared in an enumeration, but FUNCTION was
3823 #define'd to 123, leading to a parser error.
3827 So I removed all transitive include paths from CodeBlock.h to the JSC Parser. I
3828 believe I was able to do so without out-of-lining anything interesting or performance
3829 critical. This is probably a purely good thing to have done: it will be nice to be
3830 able to make changes to the parser without having to compile the universe.
3832 Of course, doing this caused a bunch of other things to not compile, since a bunch of
3833 headers relied on things being implicitly included for them when they transitively
3834 included the parser. I fixed a lot of that.
3836 Finally, I ended up removing the method that depended on CodeBlock.h from
3837 StructureInlines.h, and putting it in Structure.cpp. That might seem like all of this
3838 was a waste of time, except that I suspect it was a worthwhile forcing function for
3839 cleaning up a bunch of cruft.
3841 * API/JSCallbackFunction.cpp:
3843 * GNUmakefile.list.am:
3844 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3845 * JavaScriptCore.xcodeproj/project.pbxproj:
3847 * bytecode/CodeBlock.h:
3849 * bytecode/EvalCodeCache.h:
3850 * bytecode/SamplingTool.h:
3851 * bytecode/UnlinkedCodeBlock.cpp:
3852 (JSC::UnlinkedFunctionExecutable::parameterCount):
3854 * bytecode/UnlinkedCodeBlock.h:
3855 (UnlinkedFunctionExecutable):
3856 * bytecompiler/BytecodeGenerator.h:
3857 * bytecompiler/Label.h:
3859 * dfg/DFGByteCodeParser.cpp:
3860 * dfg/DFGByteCodeParser.h:
3862 * dfg/DFGRegisterBank.h:
3863 * heap/HandleStack.cpp:
3864 * jit/JITWriteBarrier.h:
3868 * parser/ParserError.h: Added.
3870 (JSC::ParserError::ParserError):
3872 (JSC::ParserError::toErrorObject):
3873 * parser/ParserModes.h:
3874 * parser/SourceProvider.cpp: Added.
3876 (JSC::SourceProvider::SourceProvider):
3877 (JSC::SourceProvider::~SourceProvider):
3878 * parser/SourceProvider.h:
3881 * runtime/ArrayPrototype.cpp:
3882 * runtime/DatePrototype.cpp:
3883 * runtime/Executable.h:
3884 * runtime/JSGlobalObject.cpp:
3885 * runtime/JSGlobalObject.h:
3887 * runtime/Operations.h:
3888 * runtime/Structure.cpp:
3889 (JSC::Structure::prototypeForLookup):
3891 * runtime/Structure.h:
3893 * runtime/StructureInlines.h: Added.
3895 (JSC::Structure::create):
3896 (JSC::Structure::createStructure):
3897 (JSC::Structure::get):
3898 (JSC::Structure::masqueradesAsUndefined):
3899 (JSC::SlotVisitor::internalAppend):
3900 (JSC::Structure::transitivelyTransitionedFrom):
3901 (JSC::Structure::setEnumerationCache):
3902 (JSC::Structure::enumerationCache):
3903 (JSC::Structure::prototypeForLookup):
3904 (JSC::Structure::prototypeChain):
3905 (JSC::Structure::isValid):
3906 * runtime/StructureRareData.cpp:
3908 2013-02-17 Roger Fong <roger_fong@apple.com>
3910 Unreviewed. Windows build fix.
3912 * runtime/CodeCache.h:
3915 2013-02-16 Geoffrey Garen <ggaren@apple.com>
3917 Code cache should be explicit about what it caches
3918 https://bugs.webkit.org/show_bug.cgi?id=110039
3920 Reviewed by Oliver Hunt.
3922 This patch makes the code cache more explicit in two ways:
3924 (1) The cache caches top-level scripts. Any sub-functions executed as a
3925 part of a script are cached with it and evicted with it.
3927 This simplifies things by eliminating out-of-band sub-function tracking,
3928 and fixes pathological cases where functions for live scripts would be
3929 evicted in favor of functions for dead scripts, and/or high probability
3930 functions executed early in script lifetime would be evicted in favor of
3931 low probability functions executed late in script lifetime, due to LRU.
3933 Statistical data from general browsing and PLT confirms that caching
3934 functions independently of scripts is not profitable.
3936 (2) The cache tracks script size, not script count.
3938 This reduces the worst-case cache size by a factor of infinity.
3940 Script size is a reasonable first-order estimate of in-memory footprint
3941 for a cached script because there are no syntactic constructs that have