2014-08-08  Mark Lam  <mark.lam@apple.com>

        REGRESSION: Inspector crashes when debugger is paused and injected scripts access window.screen().
        <https://webkit.org/b/135656>

        Rolling out r170680 which was merged to ToT in r172129.

        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::evaluate):
        (JSC::DebuggerCallFrame::invalidate):
        * debugger/DebuggerCallFrame.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::DebuggerScope):
        (JSC::DebuggerScope::finishCreation):
        (JSC::DebuggerScope::visitChildren):
        (JSC::DebuggerScope::className):
        (JSC::DebuggerScope::getOwnPropertySlot):
        (JSC::DebuggerScope::put):
        (JSC::DebuggerScope::deleteProperty):
        (JSC::DebuggerScope::getOwnPropertyNames):
        (JSC::DebuggerScope::defineOwnProperty):
        (JSC::DebuggerScope::next): Deleted.
        (JSC::DebuggerScope::invalidateChain): Deleted.
        (JSC::DebuggerScope::isWithScope): Deleted.
        (JSC::DebuggerScope::isGlobalScope): Deleted.
        (JSC::DebuggerScope::isFunctionScope): Deleted.
        * debugger/DebuggerScope.h:
        (JSC::DebuggerScope::create):
        (JSC::DebuggerScope::Iterator::Iterator): Deleted.
        (JSC::DebuggerScope::Iterator::get): Deleted.
        (JSC::DebuggerScope::Iterator::operator++): Deleted.
        (JSC::DebuggerScope::Iterator::operator==): Deleted.
        (JSC::DebuggerScope::Iterator::operator!=): Deleted.
        (JSC::DebuggerScope::isValid): Deleted.
        (JSC::DebuggerScope::jsScope): Deleted.
        (JSC::DebuggerScope::begin): Deleted.
        (JSC::DebuggerScope::end): Deleted.
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::scopeType):
        (Inspector::JSJavaScriptCallFrame::scopeChain):
        * inspector/JavaScriptCallFrame.h:
        (Inspector::JavaScriptCallFrame::scopeChain):
        * inspector/ScriptDebugServer.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::debuggerScopeStructure): Deleted.
        (JSC::JSObject::isWithScope): Deleted.
2014-08-07  Saam Barati  <sbarati@apple.com>

        Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
        https://bugs.webkit.org/show_bug.cgi?id=135358

        Reviewed by Geoffrey Garen.

        When VMEntryScope is destroyed, and it has a flag set indicating that the
        Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions.
        This flag is only used by Debugger to have VMEntryScope notify it when the
        Debugger is safe to recompile all functions. This patch will substitute this
        Debugger-specific recompilation flag with a list of callbacks that are notified
        when the outermost VMEntryScope dies. This creates a general purpose interface
        for being notified when the VM stops executing code via the event of the outermost

        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::setEntryScopeDidPopListener):
        (JSC::VMEntryScope::~VMEntryScope):
        * runtime/VMEntryScope.h:
        (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
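The outermost-scope listener mechanism that the entry above describes, as an added C++ illustration (this is not JavaScriptCore's VMEntryScope or Debugger; ToyVM, EntryScope, runNestedAndRequestRecompile and runTwoSequentialOuterScopes are hypothetical names, and setEntryScopeDidPopListener is reused from the entry only as a label). The point it makes concrete is the deferral: a request to recompile all functions made while JS is executing must not run until the outermost scope pops, because an inner scope's destruction still leaves live frames in the outer one, so the listeners are collected on the VM and fired only when the nesting depth returns to zero.

```cpp
#include <cassert>
#include <functional>
#include <utility>
#include <vector>

// Hypothetical stand-in for the VM: tracks how deeply entry scopes are nested
// and the callbacks that want to run once the VM stops executing code.
struct ToyVM {
    int depth = 0;          // 0 means no JS is executing
    int recompileCount = 0; // how many times "recompile all functions" ran
    std::vector<std::function<void(ToyVM&)>> didPopListeners;
};

// RAII scope, entered on every call into the VM (hypothetical type).
class EntryScope {
public:
    explicit EntryScope(ToyVM& vm) : m_vm(vm) { ++m_vm.depth; }
    ~EntryScope()
    {
        --m_vm.depth;
        if (m_vm.depth != 0)
            return; // An outer scope is still executing: not safe to notify yet.
        // Take the list first so a listener that registers another listener
        // cannot invalidate the iteration.
        auto listeners = std::move(m_vm.didPopListeners);
        m_vm.didPopListeners.clear();
        for (auto& listener : listeners)
            listener(m_vm);
    }
    // Registers a callback to run when the outermost scope is destroyed.
    void setEntryScopeDidPopListener(std::function<void(ToyVM&)> listener)
    {
        m_vm.didPopListeners.push_back(std::move(listener));
    }
    EntryScope(const EntryScope&) = delete;
    EntryScope& operator=(const EntryScope&) = delete;

private:
    ToyVM& m_vm;
};

// A "debugger" asks for a recompile from inside a nested scope; the request
// is only honoured when the outermost scope pops. Returns the recompile count.
int runNestedAndRequestRecompile()
{
    ToyVM vm;
    {
        EntryScope outer(vm);
        {
            EntryScope inner(vm);
            inner.setEntryScopeDidPopListener([](ToyVM& v) { ++v.recompileCount; });
        }
        assert(vm.recompileCount == 0); // inner pop must not fire: outer is still live
        assert(vm.depth == 1);
    }
    assert(vm.depth == 0);
    return vm.recompileCount; // 1
}

// Each outermost scope fires, and consumes, only the listeners registered
// during its own lifetime, so two sequential scopes yield two notifications.
int runTwoSequentialOuterScopes()
{
    ToyVM vm;
    for (int i = 0; i < 2; ++i) {
        EntryScope scope(vm);
        scope.setEntryScopeDidPopListener([](ToyVM& v) { ++v.recompileCount; });
    }
    return vm.recompileCount; // 2
}
```

Moving the listener list out before iterating is the detail worth keeping: a listener that itself enters the VM or registers a further listener would otherwise mutate the vector being walked.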
2014-08-07  Benjamin Poulain  <bpoulain@apple.com>

        Get rid of SCRIPTED_SPEECH
        https://bugs.webkit.org/show_bug.cgi?id=135729

        Reviewed by Brent Fulgham.

        * Configurations/FeatureDefines.xcconfig:

2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior
        https://bugs.webkit.org/show_bug.cgi?id=135722

        Reviewed by Filip Pizlo.

        We should be using SpeculateStrictInt32Operand instead.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-08-07  Benjamin Poulain  <bpoulain@apple.com>

        Get rid of INPUT_SPEECH
        https://bugs.webkit.org/show_bug.cgi?id=135672

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:
2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests
        https://bugs.webkit.org/show_bug.cgi?id=135681

        Reviewed by Filip Pizlo.

        * runtime/Structure.cpp:
        (JSC::Structure::canCacheGenericPropertyNameEnumerator): We were checking the entire
        prototype chain for overridesGetPropertyNames, but we were neglecting to check the
        base object's Structure. D'oh!
2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on EFL bots.

        * runtime/EnumerationMode.h:
        (JSC::shouldIncludeJSObjectPropertyNames):
        (JSC::modeThatSkipsJSObject):
        * runtime/JSCell.cpp:
        (JSC::JSCell::getEnumerableLength):

2014-08-06  Dean Jackson  <dino@apple.com>

        ENABLE_CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED is not used anywhere. Remove it.
        https://bugs.webkit.org/show_bug.cgi?id=135675

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2014-08-06  Wenson Hsieh  <wenson_hsieh@apple.com>

        Implement parsing for CSS scroll snap points
        https://bugs.webkit.org/show_bug.cgi?id=134301

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_CSS_SCROLL_SNAP

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on GTK bots.

        * runtime/FunctionHasExecutedCache.cpp:
        - #include <limits.h> for UINT_MAX's definition.

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on EFL bots.

        (JSC::JIT::emitLoadForArrayMode):

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from the FTLOPT merge at r172176.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt since r172184

        * CMakeLists.txt: Removed TypeLocation.cpp

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from r171510.
        <https://webkit.org/b/134860>

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from r170490.
        <https://webkit.org/b/133395>

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Silence a debug assertion.

        Reviewed by Mark Hahnenberg.

        * runtime/JSPropertyNameEnumerator.h:
        (JSC::JSPropertyNameEnumerator::cachedStructure):

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):
2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.

    2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>

            Support for-in in the FTL
            https://bugs.webkit.org/show_bug.cgi?id=134140

            Reviewed by Filip Pizlo.

            * dfg/DFGSSALoweringPhase.cpp:
            (JSC::DFG::SSALoweringPhase::handleNode):
            * ftl/FTLAbstractHeapRepository.cpp:
            * ftl/FTLAbstractHeapRepository.h:
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
            (JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
            (JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
            (JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
            (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
            (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
            (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
            (JSC::FTL::LowerDFGToLLVM::compileToIndexString):
    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>

            Remove JSPropertyNameIterator
            https://bugs.webkit.org/show_bug.cgi?id=135066

            Reviewed by Geoffrey Garen.

            It has been replaced by JSPropertyNameEnumerator.

            * JavaScriptCore.order:
            * bytecode/BytecodeBasicBlock.cpp:
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            * bytecode/PreciseJumpTargets.cpp:
            (JSC::getJumpTargetsForBytecodeOffset):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
            (JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
            * bytecompiler/BytecodeGenerator.h:
            * interpreter/Interpreter.cpp:
            * interpreter/Register.h:
            (JSC::JIT::privateCompileMainPass):
            (JSC::JIT::privateCompileSlowCases):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_get_pnames): Deleted.
            (JSC::JIT::emit_op_next_pname): Deleted.
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_get_pnames): Deleted.
            (JSC::JIT::emit_op_next_pname): Deleted.
            * jit/JITOperations.cpp:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emit_op_get_by_pname): Deleted.
            (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emit_op_get_by_pname): Deleted.
            (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
            * llint/LLIntOffsetsExtractor.cpp:
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CommonSlowPaths.cpp:
            * runtime/JSPropertyNameIterator.cpp:
            (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
            (JSC::JSPropertyNameIterator::create): Deleted.
            (JSC::JSPropertyNameIterator::destroy): Deleted.
            (JSC::JSPropertyNameIterator::get): Deleted.
            (JSC::JSPropertyNameIterator::visitChildren): Deleted.
            * runtime/JSPropertyNameIterator.h:
            (JSC::JSPropertyNameIterator::createStructure): Deleted.
            (JSC::JSPropertyNameIterator::size): Deleted.
            (JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
            (JSC::JSPropertyNameIterator::cachedStructure): Deleted.
            (JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
            (JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
            (JSC::JSPropertyNameIterator::finishCreation): Deleted.
            (JSC::Register::propertyNameIterator): Deleted.
            (JSC::StructureRareData::enumerationCache): Deleted.
            (JSC::StructureRareData::setEnumerationCache): Deleted.
            * runtime/Structure.cpp:
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::removePropertyWithoutTransition):
            * runtime/Structure.h:
            * runtime/StructureInlines.h:
            (JSC::Structure::setEnumerationCache): Deleted.
            (JSC::Structure::enumerationCache): Deleted.
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::visitChildren):
            * runtime/StructureRareData.h:
    2014-07-25  Saam Barati  <sbarati@apple.com>

            Fix 32-bit build breakage for type profiling
            https://bugs.webkit.org/process_bug.cgi

            Reviewed by Mark Hahnenberg.

            32-bit builds currently break because global variable IDs for high
            fidelity type profiling are int64_t. Change this to intptr_t so that
            it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/TypeLocation.h:
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTable::uniqueIDForVariable):
            (JSC::SymbolTable::uniqueIDForRegister):
            * runtime/SymbolTable.h:
            * runtime/TypeLocationCache.cpp:
            (JSC::TypeLocationCache::getTypeLocation):
            * runtime/TypeLocationCache.h:
            (JSC::VM::getNextUniqueVariableID):

    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>

            Reindent PropertyNameArray.h
            https://bugs.webkit.org/show_bug.cgi?id=135067

            Reviewed by Geoffrey Garen.

            * runtime/PropertyNameArray.h:
            (JSC::RefCountedIdentifierSet::contains):
            (JSC::RefCountedIdentifierSet::size):
            (JSC::RefCountedIdentifierSet::add):
            (JSC::PropertyNameArrayData::create):
            (JSC::PropertyNameArrayData::propertyNameVector):
            (JSC::PropertyNameArrayData::PropertyNameArrayData):
            (JSC::PropertyNameArray::PropertyNameArray):
            (JSC::PropertyNameArray::vm):
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::addKnownUnique):
            (JSC::PropertyNameArray::operator[]):
            (JSC::PropertyNameArray::setData):
            (JSC::PropertyNameArray::data):
            (JSC::PropertyNameArray::releaseData):
            (JSC::PropertyNameArray::identifierSet):
            (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
            (JSC::PropertyNameArray::size):
            (JSC::PropertyNameArray::begin):
            (JSC::PropertyNameArray::end):
            (JSC::PropertyNameArray::numCacheableSlots):
            (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
            (JSC::PropertyNameArray::setBaseObject):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
    2014-07-23  Mark Hahnenberg  <mhahnenberg@apple.com>

            Refactor our current implementation of for-in
            https://bugs.webkit.org/show_bug.cgi?id=134142

            Reviewed by Filip Pizlo.

            This patch splits for-in loops into three distinct parts:

            - Iterating over the indexed properties in the base object.
            - Iterating over the Structure properties in the base object.
            - Iterating over any other enumerable properties for that object and any objects in the prototype chain.

            It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
            support the various operations required for each loop.

            * API/JSCallbackObjectFunctions.h:
            (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::CodeBlock):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitGetByVal):
            (JSC::BytecodeGenerator::emitComplexPopScopes):
            (JSC::BytecodeGenerator::emitGetEnumerableLength):
            (JSC::BytecodeGenerator::emitHasGenericProperty):
            (JSC::BytecodeGenerator::emitHasIndexedProperty):
            (JSC::BytecodeGenerator::emitHasStructureProperty):
            (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
            (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
            (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
            (JSC::BytecodeGenerator::emitToIndexString):
            (JSC::BytecodeGenerator::pushIndexedForInScope):
            (JSC::BytecodeGenerator::popIndexedForInScope):
            (JSC::BytecodeGenerator::pushStructureForInScope):
            (JSC::BytecodeGenerator::popStructureForInScope):
            (JSC::BytecodeGenerator::invalidateForInContextForLocal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::ForInContext::ForInContext):
            (JSC::ForInContext::~ForInContext):
            (JSC::ForInContext::isValid):
            (JSC::ForInContext::invalidate):
            (JSC::ForInContext::local):
            (JSC::StructureForInContext::StructureForInContext):
            (JSC::StructureForInContext::type):
            (JSC::StructureForInContext::index):
            (JSC::StructureForInContext::property):
            (JSC::StructureForInContext::enumerator):
            (JSC::IndexedForInContext::IndexedForInContext):
            (JSC::IndexedForInContext::type):
            (JSC::IndexedForInContext::index):
            (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
            (JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
            * bytecompiler/NodesCodegen.cpp:
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::ForInNode::tryGetBoundLocal):
            (JSC::ForInNode::emitLoopHeader):
            (JSC::ForInNode::emitMultiLoopBytecode):
            (JSC::ForInNode::emitBytecode):
            * debugger/DebuggerScope.h:
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGCapabilities.cpp:
            (JSC::DFG::capabilityLevel):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGHeapLocation.cpp:
            (WTF::printInternal):
            * dfg/DFGHeapLocation.h:
            (JSC::DFG::Node::hasHeapPrediction):
            (JSC::DFG::Node::hasArrayMode):
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::callOperation):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            (JSC::JIT::privateCompileMainPass):
            (JSC::JIT::privateCompileSlowCases):
            (JSC::JIT::compileHasIndexedProperty):
            (JSC::JIT::emitInt32Load):
            (JSC::JIT::emitDoubleGetByVal):
            (JSC::JIT::emitLoadForArrayMode):
            (JSC::JIT::emitContiguousGetByVal):
            (JSC::JIT::emitArrayStorageGetByVal):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_get_enumerable_length):
            (JSC::JIT::emit_op_has_structure_property):
            (JSC::JIT::emitSlow_op_has_structure_property):
            (JSC::JIT::emit_op_has_generic_property):
            (JSC::JIT::privateCompileHasIndexedProperty):
            (JSC::JIT::emit_op_has_indexed_property):
            (JSC::JIT::emitSlow_op_has_indexed_property):
            (JSC::JIT::emit_op_get_direct_pname):
            (JSC::JIT::emitSlow_op_get_direct_pname):
            (JSC::JIT::emit_op_get_structure_property_enumerator):
            (JSC::JIT::emit_op_get_generic_property_enumerator):
            (JSC::JIT::emit_op_next_enumerator_pname):
            (JSC::JIT::emit_op_to_index_string):
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_get_enumerable_length):
            (JSC::JIT::emit_op_has_structure_property):
            (JSC::JIT::emitSlow_op_has_structure_property):
            (JSC::JIT::emit_op_has_generic_property):
            (JSC::JIT::privateCompileHasIndexedProperty):
            (JSC::JIT::emit_op_has_indexed_property):
            (JSC::JIT::emitSlow_op_has_indexed_property):
            (JSC::JIT::emit_op_get_direct_pname):
            (JSC::JIT::emitSlow_op_get_direct_pname):
            (JSC::JIT::emit_op_get_structure_property_enumerator):
            (JSC::JIT::emit_op_get_generic_property_enumerator):
            (JSC::JIT::emit_op_next_enumerator_pname):
            (JSC::JIT::emit_op_to_index_string):
            * jit/JITOperations.cpp:
            * jit/JITOperations.h:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emitDoubleLoad):
            (JSC::JIT::emitContiguousLoad):
            (JSC::JIT::emitArrayStorageLoad):
            (JSC::JIT::emitDoubleGetByVal): Deleted.
            (JSC::JIT::emitContiguousGetByVal): Deleted.
            (JSC::JIT::emitArrayStorageGetByVal): Deleted.
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emitContiguousLoad):
            (JSC::JIT::emitDoubleLoad):
            (JSC::JIT::emitArrayStorageLoad):
            (JSC::JIT::emitContiguousGetByVal): Deleted.
            (JSC::JIT::emitDoubleGetByVal): Deleted.
            (JSC::JIT::emitArrayStorageGetByVal): Deleted.
            * llint/LowLevelInterpreter.asm:
            * runtime/Arguments.cpp:
            (JSC::Arguments::getOwnPropertyNames):
            * runtime/ClassInfo.h:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
            * runtime/CommonSlowPaths.h:
            * runtime/EnumerationMode.h: Added.
            (JSC::shouldIncludeDontEnumProperties):
            (JSC::shouldExcludeDontEnumProperties):
            (JSC::shouldIncludeJSObjectPropertyNames):
            (JSC::modeThatSkipsJSObject):
            * runtime/JSActivation.cpp:
            (JSC::JSActivation::getOwnNonIndexPropertyNames):
            * runtime/JSArray.cpp:
            (JSC::JSArray::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBuffer.cpp:
            (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBufferView.cpp:
            (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
            * runtime/JSCell.cpp:
            (JSC::JSCell::getEnumerableLength):
            (JSC::JSCell::getStructurePropertyNames):
            (JSC::JSCell::getGenericPropertyNames):
            * runtime/JSFunction.cpp:
            (JSC::JSFunction::getOwnNonIndexPropertyNames):
            * runtime/JSGenericTypedArrayViewInlines.h:
            (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
            * runtime/JSObject.cpp:
            (JSC::getClassPropertyNames):
            (JSC::JSObject::hasOwnProperty):
            (JSC::JSObject::getOwnPropertyNames):
            (JSC::JSObject::getOwnNonIndexPropertyNames):
            (JSC::JSObject::getEnumerableLength):
            (JSC::JSObject::getStructurePropertyNames):
            (JSC::JSObject::getGenericPropertyNames):
            * runtime/JSObject.h:
            * runtime/JSPropertyNameEnumerator.cpp: Added.
            (JSC::JSPropertyNameEnumerator::create):
            (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
            (JSC::JSPropertyNameEnumerator::finishCreation):
            (JSC::JSPropertyNameEnumerator::destroy):
            (JSC::JSPropertyNameEnumerator::visitChildren):
            * runtime/JSPropertyNameEnumerator.h: Added.
            (JSC::JSPropertyNameEnumerator::createStructure):
            (JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
            (JSC::JSPropertyNameEnumerator::identifierSet):
            (JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
            (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
            (JSC::JSPropertyNameEnumerator::cachedStructure):
            (JSC::JSPropertyNameEnumerator::cachedStructureID):
            (JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
            (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
            (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
            (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
            (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
            (JSC::structurePropertyNameEnumerator):
            (JSC::genericPropertyNameEnumerator):
            * runtime/JSProxy.cpp:
            (JSC::JSProxy::getEnumerableLength):
            (JSC::JSProxy::getStructurePropertyNames):
            (JSC::JSProxy::getGenericPropertyNames):
            * runtime/JSSymbolTableObject.cpp:
            (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
            * runtime/PropertyNameArray.cpp:
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
            * runtime/PropertyNameArray.h:
            (JSC::RefCountedIdentifierSet::contains):
            (JSC::RefCountedIdentifierSet::size):
            (JSC::RefCountedIdentifierSet::add):
            (JSC::PropertyNameArray::PropertyNameArray):
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::addKnownUnique):
            (JSC::PropertyNameArray::identifierSet):
            (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
            * runtime/RegExpObject.cpp:
            (JSC::RegExpObject::getOwnNonIndexPropertyNames):
            (JSC::RegExpObject::getPropertyNames):
            (JSC::RegExpObject::getGenericPropertyNames):
            * runtime/RegExpObject.h:
            * runtime/StringObject.cpp:
            (JSC::StringObject::getOwnPropertyNames):
            * runtime/Structure.cpp:
            (JSC::Structure::getPropertyNamesFromStructure):
            (JSC::Structure::setCachedStructurePropertyNameEnumerator):
            (JSC::Structure::cachedStructurePropertyNameEnumerator):
            (JSC::Structure::setCachedGenericPropertyNameEnumerator):
            (JSC::Structure::cachedGenericPropertyNameEnumerator):
            (JSC::Structure::canCacheStructurePropertyNameEnumerator):
            (JSC::Structure::canCacheGenericPropertyNameEnumerator):
            (JSC::Structure::canAccessPropertiesQuickly):
            * runtime/Structure.h:
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::visitChildren):
            (JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
            (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
            (JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
            (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
            * runtime/StructureRareData.h:
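The three-loop split described in the entry above, as an added C++ model (this is not JavaScriptCore's object model or bytecode; ToyObject, visit, forInKeys and exampleForInKeys are hypothetical, the sample objects are constructed for the example, and "Structure properties" are represented as an ordered list of own names rather than a real Structure). What the split must preserve is the single-loop semantics: a name produced by an earlier loop shadows the same name in a later one, and a DontEnum own property still shadows the prototype's property without being produced itself. The example generalizes slightly beyond the entry by applying that rule across a whole prototype chain.

```cpp
#include <set>
#include <string>
#include <vector>

// One object in a toy object model (hypothetical type, not a JSC class).
struct ToyObject {
    std::vector<int> indexedKeys;            // populated array indices, ascending
    std::vector<std::string> structureKeys;  // own named properties the Structure records
    std::vector<std::string> otherOwnKeys;   // own properties the Structure does not describe
    std::set<std::string> dontEnum;          // own property names flagged DontEnum
    const ToyObject* prototype = nullptr;
};

// Visit one own key of `owner`: a name already seen is shadowed and skipped;
// a DontEnum name is recorded as seen (so it shadows) but not produced.
static void visit(const std::string& key, const ToyObject& owner,
                  std::set<std::string>& seen, std::vector<std::string>& out)
{
    if (!seen.insert(key).second)
        return;
    if (!owner.dontEnum.count(key))
        out.push_back(key);
}

// Enumerates `base` the way the entry splits for-in: three explicit loops
// sharing one "already enumerated" set.
std::vector<std::string> forInKeys(const ToyObject& base)
{
    std::set<std::string> seen;
    std::vector<std::string> out;
    // Loop 1: indexed properties of the base object.
    for (int i : base.indexedKeys)
        visit(std::to_string(i), base, seen, out);
    // Loop 2: Structure properties of the base object (the cacheable part).
    for (const auto& k : base.structureKeys)
        visit(k, base, seen, out);
    // Loop 3: every other enumerable property: the base's remaining own keys,
    // then each prototype's keys of every kind, with the same shadowing rule.
    for (const auto& k : base.otherOwnKeys)
        visit(k, base, seen, out);
    for (const ToyObject* p = base.prototype; p; p = p->prototype) {
        for (int i : p->indexedKeys)
            visit(std::to_string(i), *p, seen, out);
        for (const auto& k : p->structureKeys)
            visit(k, *p, seen, out);
        for (const auto& k : p->otherOwnKeys)
            visit(k, *p, seen, out);
    }
    return out;
}

// Constructed sample: the base's own "id" is DontEnum, the prototype
// redefines "name" (shadowed) and carries a DontEnum "hidden".
std::vector<std::string> exampleForInKeys()
{
    ToyObject proto;
    proto.indexedKeys = { 0, 5 };
    proto.structureKeys = { "name", "shared", "hidden" };
    proto.dontEnum = { "hidden" };

    ToyObject base;
    base.indexedKeys = { 0, 2 };
    base.structureKeys = { "name", "id" };
    base.otherOwnKeys = { "dyn" };
    base.dontEnum = { "id" };
    base.prototype = &proto;

    return forInKeys(base); // "0", "2", "name", "dyn", "5", "shared"
}
```

The dedupe set is what lets the second loop be served from a per-Structure cache without changing observable results: whatever loop 2 produced or shadowed is exactly what loop 3 must skip.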
    2014-07-23  Saam Barati  <sbarati@apple.com>

            Make improvements to Type Profiling
            https://bugs.webkit.org/show_bug.cgi?id=134860

            Reviewed by Filip Pizlo.

            I improved the API between the inspector and JSC. We no longer send one huge
            string to the inspector. We now send structured data that represents the type
            information that JSC has collected. I've also created a beginning implementation
            of a type lattice that allows us to resolve a display name for a type that
            consists of a single word.

            I created a data structure that knows which functions have executed. This
            solves the bug where types inside an un-executed function will resolve
            to the type of the enclosing expression of that function. This data
            structure may also be useful later if the inspector chooses to create a UI
            around showing which functions have executed.

            Better type information is gathered for objects. StructureShape now
            represents an object's prototype chain. StructureShape also collects
            the constructor name for an object.

            Expression ranges are now zero indexed.

            Removed some extraneous methods.

            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/CodeBlock.h:
            * bytecode/TypeLocation.h:
            (JSC::TypeLocation::TypeLocation):
            * bytecode/UnlinkedCodeBlock.cpp:
            (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
            * bytecode/UnlinkedCodeBlock.h:
            (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
            (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
            (JSC::Heap::collect):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * runtime/Executable.cpp:
            (JSC::ScriptExecutable::ScriptExecutable):
            (JSC::ProgramExecutable::ProgramExecutable):
            (JSC::FunctionExecutable::FunctionExecutable):
            (JSC::ProgramExecutable::initializeGlobalProperties):
            * runtime/Executable.h:
            (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
            (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
            * runtime/FunctionHasExecutedCache.cpp: Added.
            (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
            (JSC::FunctionHasExecutedCache::insertUnexecutedRange):
            (JSC::FunctionHasExecutedCache::removeUnexecutedRange):
            * runtime/FunctionHasExecutedCache.h: Added.
            (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
            (JSC::FunctionHasExecutedCache::FunctionRange::operator==):
            (JSC::FunctionHasExecutedCache::FunctionRange::hash):
            * runtime/HighFidelityLog.cpp:
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
            * runtime/HighFidelityLog.h:
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            * runtime/HighFidelityTypeProfiler.cpp:
            (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
            (JSC::descriptorMatchesTypeLocation):
            (JSC::HighFidelityTypeProfiler::findLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
            * runtime/HighFidelityTypeProfiler.h:
            (JSC::QueryKey::QueryKey):
            (JSC::QueryKey::isHashTableDeletedValue):
            (JSC::QueryKey::operator==):
            (JSC::QueryKey::hash):
            (JSC::QueryKeyHash::hash):
            (JSC::QueryKeyHash::equal):
            (JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
            (JSC::HighFidelityTypeProfiler::typeLocationCache):
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/TypeLocationCache.cpp: Added.
            (JSC::TypeLocationCache::getTypeLocation):
            * runtime/TypeLocationCache.h: Added.
            (JSC::TypeLocationCache::LocationKey::LocationKey):
            (JSC::TypeLocationCache::LocationKey::operator==):
            (JSC::TypeLocationCache::LocationKey::hash):
            * runtime/TypeSet.cpp:
            (JSC::TypeSet::getRuntimeTypeForValue):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::doesTypeConformTo):
            (JSC::TypeSet::displayName):
            (JSC::TypeSet::allPrimitiveTypeNames):
            (JSC::TypeSet::allStructureRepresentations):
            (JSC::TypeSet::leastCommonAncestor):
            (JSC::StructureShape::StructureShape):
            (JSC::StructureShape::addProperty):
            (JSC::StructureShape::propertyHash):
            (JSC::StructureShape::leastCommonAncestor):
            (JSC::StructureShape::stringRepresentation):
            (JSC::StructureShape::inspectorRepresentation):
            (JSC::StructureShape::leastUpperBound): Deleted.
            (JSC::StructureShape::setConstructorName):
            (JSC::StructureShape::constructorName):
            (JSC::StructureShape::setProto):
            (JSC::VM::dumpHighFidelityProfilingTypes):
            (JSC::VM::getTypesForVariableAtOffset): Deleted.
            (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
            (JSC::VM::isProfilingTypesWithHighFidelity):
            (JSC::VM::highFidelityTypeProfiler):
    2014-07-23  Filip Pizlo  <fpizlo@apple.com>

            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):

    2014-07-20  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Phantoms in SSA form should be aggressively hoisted
            https://bugs.webkit.org/show_bug.cgi?id=135111

            Reviewed by Oliver Hunt.

            In CPS form, Phantom means three things: (1) that the children should be kept alive so long
            as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
            at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
            second meaning is not used but the other two stay.

            The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
            even in a totally different basic block, complicates some SSA transformations. It's not
            possible to just jettison some successor, since that successor could have a Phantom that we

            This change rationalizes how Phantoms work so that:

            1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
               in both CPS and SSA. This was true before and it's true now.

            2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
               now, except that now we also don't bother preserving the live-in-bytecode information
               that Phantoms convey, when we are in SSA.

            3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
               use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not

            The biggest part of this change is that in SSA, we canonicalize Phantoms:

            - All Phantoms are replaced with Check nodes that include only those edges that have

            - Nodes that were the children of any Phantoms have a Phantom right after them.

            For example, the following code:

            would be turned into the following:

            8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
                           // @5. This is the only Phantom we will have for @5.

            7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
                               // a checking edge, we leave it.

            This is a slight speed-up across the board, presumably because we now do a better job of
            reducing the size of the graph during compilation. It could also be a fluke, though. The
            main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
            become a requirement to run phantom canonicalization prior to some SSA phases. None of the
            current phases need it, but future phases probably will.

            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            * dfg/DFGDCEPhase.cpp:
            (JSC::DFG::DCEPhase::run):
            (JSC::DFG::DCEPhase::findTypeCheckRoot):
            (JSC::DFG::DCEPhase::countEdge):
            (JSC::DFG::DCEPhase::fixupBlock):
            (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
            (JSC::DFG::Edge::dump):
            (JSC::DFG::Edge::isProved):
            (JSC::DFG::Edge::needsCheck): Deleted.
            * dfg/DFGNodeFlags.h:
            * dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
            (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
            (JSC::DFG::PhantomCanonicalizationPhase::run):
            (JSC::DFG::performPhantomCanonicalization):
            * dfg/DFGPhantomCanonicalizationPhase.h: Added.
            * dfg/DFGPhantomRemovalPhase.cpp:
            (JSC::DFG::PhantomRemovalPhase::run):
            * dfg/DFGPhantomRemovalPhase.h:
            (JSC::DFG::Plan::compileInThreadImpl):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::lowJSValue):
            (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
883 2014-07-22 Filip Pizlo <fpizlo@apple.com>
885 [ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
886 https://bugs.webkit.org/show_bug.cgi?id=135146
888 Reviewed by Oliver Hunt.
890 This greatly simplifies our closure call optimizations by taking advantage of the type
891 bits available in the cell header.
893 * bytecode/CallLinkInfo.cpp:
894 (JSC::CallLinkInfo::visitWeak):
895 * bytecode/CallLinkStatus.cpp:
896 (JSC::CallLinkStatus::CallLinkStatus):
897 (JSC::CallLinkStatus::computeFor):
898 (JSC::CallLinkStatus::dump):
899 * bytecode/CallLinkStatus.h:
900 (JSC::CallLinkStatus::CallLinkStatus):
901 (JSC::CallLinkStatus::executable):
902 (JSC::CallLinkStatus::structure): Deleted.
903 * dfg/DFGByteCodeParser.cpp:
904 (JSC::DFG::ByteCodeParser::emitFunctionChecks):
905 * dfg/DFGFixupPhase.cpp:
906 (JSC::DFG::FixupPhase::fixupNode):
907 (JSC::DFG::FixupPhase::observeUseKindOnNode):
908 * dfg/DFGSafeToExecute.h:
909 (JSC::DFG::SafeToExecuteEdge::operator()):
910 * dfg/DFGSpeculativeJIT.cpp:
911 (JSC::DFG::SpeculativeJIT::checkArray):
912 (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
913 (JSC::DFG::SpeculativeJIT::speculateCellType):
914 (JSC::DFG::SpeculativeJIT::speculateFunction):
915 (JSC::DFG::SpeculativeJIT::speculateFinalObject):
916 (JSC::DFG::SpeculativeJIT::speculate):
917 * dfg/DFGSpeculativeJIT.h:
918 * dfg/DFGSpeculativeJIT32_64.cpp:
919 (JSC::DFG::SpeculativeJIT::compile):
920 * dfg/DFGSpeculativeJIT64.cpp:
921 (JSC::DFG::SpeculativeJIT::compile):
922 * dfg/DFGUseKind.cpp:
923 (WTF::printInternal):
925 (JSC::DFG::typeFilterFor):
927 * ftl/FTLCapabilities.cpp:
928 (JSC::FTL::canCompile):
929 * ftl/FTLLowerDFGToLLVM.cpp:
930 (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
931 (JSC::FTL::LowerDFGToLLVM::speculate):
932 (JSC::FTL::LowerDFGToLLVM::isFunction):
933 (JSC::FTL::LowerDFGToLLVM::isNotFunction):
934 (JSC::FTL::LowerDFGToLLVM::speculateFunction):
935 * jit/ClosureCallStubRoutine.cpp:
936 (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
937 (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
938 * jit/ClosureCallStubRoutine.h:
939 (JSC::ClosureCallStubRoutine::structure): Deleted.
941 (JSC::JIT::compileClosureCall): Deleted.
943 (JSC::JIT::privateCompileClosureCall): Deleted.
944 * jit/JITCall32_64.cpp:
945 (JSC::JIT::privateCompileClosureCall): Deleted.
946 * jit/JITOperations.cpp:
948 (JSC::linkClosureCall):
951 2014-08-06 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
953 [ARM] Incorrect handling of Unicode characters
954 https://bugs.webkit.org/show_bug.cgi?id=135380
956 Reviewed by Darin Adler.
958 Removed erroneous fast case from stringFromUTF(), since it assumed that
959 char is always implemented as signed.
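Illustration added here, not part of the WebKit change or its code, of the portability problem the entry describes: a non-ASCII scan written as "c < 0" on plain char only works where char is a signed type, and on ABIs where char is unsigned (as on ARM) it never fires, so the caller takes the ASCII fast path for UTF-8 input. stringFromUTF() itself is not reproduced; the template parameter stands in for the platform's char signedness so both behaviours can be observed on one host, and the sample strings are constructed.

```cpp
#include <limits>
#include <string>

// Constructed samples: one pure ASCII string, one UTF-8 string with a
// two-byte sequence ("caf\xC3\xA9" is "café" encoded as UTF-8).
const std::string kAsciiSample = "plain ascii";
const std::string kUtf8Sample = "caf\xC3\xA9";

// Emulates a fast-path scan of the form "if (c < 0)" under a chosen
// signedness for char. CharT = signed char reproduces what the check does
// on x86 ABIs; CharT = unsigned char reproduces it on ABIs where plain char
// is unsigned, where every byte compares >= 0 and non-ASCII input is missed.
template <typename CharT>
bool fastPathSeesNonAscii(const std::string& bytes)
{
    for (char c : bytes) {
        // Integer promotion happens before the comparison, exactly as it
        // would for "c < 0" on the platform's plain char.
        int asPlatformChar = static_cast<CharT>(c);
        if (asPlatformChar < 0)
            return true;
    }
    return false;
}

// Portable form: reinterpret the byte as unsigned and test the high bit,
// which does not depend on how the ABI defines plain char.
bool hasNonAsciiByte(const std::string& bytes)
{
    for (char c : bytes) {
        if (static_cast<unsigned char>(c) & 0x80)
            return true;
    }
    return false;
}

// Lets a reader see which of the two emulations matches the host they build on.
constexpr bool hostCharIsSigned()
{
    return std::numeric_limits<char>::is_signed;
}
```

The unsigned emulation returning false for the UTF-8 sample is the failure mode the entry removes: the fast case concludes "all ASCII" and the slow, correct decoding path is skipped.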
964 2014-08-06 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
966 [JSC] Build fix for FTL on EFL after ftlopt merge
967 https://bugs.webkit.org/show_bug.cgi?id=135565
969 Reviewed by Mark Lam.
971 Adding an enable guard for native inlining, since it now requires the bitcode
972 emitted from Clang, and we don't have a good way of creating it from other compilers.
974 * dfg/DFGByteCodeParser.cpp:
975 (JSC::DFG::ByteCodeParser::handleCall):
976 * ftl/FTLLowerDFGToLLVM.cpp:
977 (JSC::FTL::LowerDFGToLLVM::compileNode):
979 (JSC::FTL::State::State):
982 2014-08-05 Csaba Osztrogonác <ossy@webkit.org>
984 URTBF after r172129. (ftlopt branch merge)
986 Remove the duplicated friend declaration to fix this build failure:
987 "error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]"
989 * runtime/StructureRareData.h:
991 2014-08-05 Filip Pizlo <fpizlo@apple.com>
993 Attempt to fix CMake-based builds, part 3.
997 2014-08-05 Filip Pizlo <fpizlo@apple.com>
999 Attempt to fix CMake-based builds, part 2.
1003 2014-08-05 Filip Pizlo <fpizlo@apple.com>
1005 Attempt to fix Windows build, part 2.
1007 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1009 2014-08-05 Filip Pizlo <fpizlo@apple.com>
1011 Attempt to fix CMake-based builds.
1015 2014-08-05 Filip Pizlo <fpizlo@apple.com>
1017 Attempt to fix Windows build.
1019 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1021 2014-08-05 Filip Pizlo <fpizlo@apple.com>
1025 * bytecode/CodeBlock.cpp:
1026 (JSC::CodeBlock::jettison):
1028 2014-07-29 Filip Pizlo <fpizlo@apple.com>
1030 Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt.
1032 This part of the merge delivers roughly a 2% across-the-board performance
1033 improvement, mostly due to immutable property inference and DFG-side GCSE. It also
1034 almost completely resolves accessor performance issues; in the common case the DFG
1035 will compile a getter/setter access into code that is just as efficient as a normal
1038 Another major highlight of this part of the merge is the work to add a type profiler
1039 to the inspector. This work is still on-going but this greatly increases coverage.
1041 Note that this merge fixes a minor bug in the GetterSetter refactoring from
1042 http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518).
1043 It also adds new tests to tests/stress to cover that bug. That bug was previously only
1044 covered by layout tests.
1046 2014-07-17 Filip Pizlo <fpizlo@apple.com>
1048 [ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190)
1049 https://bugs.webkit.org/show_bug.cgi?id=135019
1051 Reviewed by Oliver Hunt.
1053 Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality
1054 has moved to StrengthReductionPhase and is written in a different style. Same algorithm,
1057 * dfg/DFGNodeType.h:
1058 * dfg/DFGStrengthReductionPhase.cpp:
1059 (JSC::DFG::StrengthReductionPhase::handleNode):
1060 * tests/stress/capture-escape-and-throw.js: Added.
1063 * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
1067 2014-07-15 Filip Pizlo <fpizlo@apple.com>
1069 [ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant
1070 https://bugs.webkit.org/show_bug.cgi?id=134962
1072 Reviewed by Oliver Hunt.
1074 This removes yet another steady-state-throughput implication of using getters and setters:
1075 if your accessor call is monomorphic then you'll just get a structure check, nothing more.
1076 No more loads to get to the GetterSetter object or the accessor function object.
1078 * dfg/DFGAbstractInterpreterInlines.h:
1079 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1080 * runtime/GetterSetter.h:
1081 (JSC::GetterSetter::getterConcurrently):
1082 (JSC::GetterSetter::setGetter):
1083 (JSC::GetterSetter::setterConcurrently):
1084 (JSC::GetterSetter::setSetter):
1086 2014-07-15 Filip Pizlo <fpizlo@apple.com>
1088 [ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children
1089 https://bugs.webkit.org/show_bug.cgi?id=134893
1091 Reviewed by Oliver Hunt.
1093 Replace Identity with Check instead of Phantom. Phantom means that the child of the
1094 Identity should be unconditionally live. The liveness semantics of Identity are such that
1095 if the parents of Identity are live then the child is live. Removing the Identity entirely
1096 preserves such liveness semantics. So, the only thing that should be left behind is the
1097 type check on the child, which is what Check means: do the check but don't keep the child
1098 alive if the check isn't needed.
1100 * dfg/DFGCSEPhase.cpp:
1102 (JSC::DFG::Node::convertToCheck):
1104 2014-07-13 Filip Pizlo <fpizlo@apple.com>
1106 [ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
1107 https://bugs.webkit.org/show_bug.cgi?id=134677
1109 Reviewed by Sam Weinig.
1111 This removes the old local CSE phase, which was based on manually written backward-search
1112 rules for all of the different kinds of things we cared about, and adds a new local/global
1113 CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to
1114 clobberize(). Thus, the CSE phase itself just worries about the algorithms and data
1115 structures used for storing sets of available values. This results in a large reduction in
1116 code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does
1117 global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data
1118 structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means
1119 that this is a significant (~0.7%) throughput improvement.
1121 This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it
1122 means that the node being analyzed makes available some value in some DFG node, and that
1123 future attempts to compute that value can simply use that node. In other words, it
1124 establishes an available value mapping of the form value=>node. There are two kinds of
1125 values that can be passed to def():
1127 PureValue. This captures everything needed to determine whether two pure nodes - nodes that
1128 neither read nor write, and produce a value that is a CSE candidate - are identical. It
1129 carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is
1130 usually used for things like the arithmetic mode or constant pointer. Passing a
1131 PureValue to def() means that the node produces a value that is valid anywhere that the
1134 HeapLocation. This describes a location in the heap that could be written to or read from.
1135 Both stores and loads can def() a HeapLocation. HeapLocation carries around an abstract
1136 heap that both serves as part of the "name" of the heap location (together with the
1137 other fields of HeapLocation) and also tells us what write()'s to watch for. If someone
1138 write()'s to an abstract heap that overlaps the heap associated with the HeapLocation,
1139 then it means that the values for that location are no longer available.
1141 This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of
1142 tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about
1143 interpreting the semantics of different DFG node types - that is now almost entirely in
1144 clobberize(). The only things we special-case inside CSEPhase are the Identity node, which
1145 CSE is traditionally responsible for eliminating even though it has nothing to do with CSE,
1146 and the LocalCSE rule for turning PutByVal into PutByValAlias.
1148 This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere around 0.7%. It's
1149 not a bigger win because LLVM was already giving us most of what we needed in its GVN.
1150 Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that
1151 is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we
1152 generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and
1153 it improves both the quality of the code we generate and the speed with which we generate
1154 it. Also, any future optimizations that depend on GCSE will now be easier to implement.
1156 During the development of this patch I also rationalized some other stuff, like Graph's
1157 ordered traversals - we now have preorder and postorder rather than just "depth first".
1160 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1161 * JavaScriptCore.xcodeproj/project.pbxproj:
1162 * dfg/DFGAbstractHeap.h:
1163 * dfg/DFGAdjacencyList.h:
1164 (JSC::DFG::AdjacencyList::hash):
1165 (JSC::DFG::AdjacencyList::operator==):
1166 * dfg/DFGBasicBlock.h:
1167 * dfg/DFGCSEPhase.cpp:
1168 (JSC::DFG::performLocalCSE):
1169 (JSC::DFG::performGlobalCSE):
1170 (JSC::DFG::CSEPhase::CSEPhase): Deleted.
1171 (JSC::DFG::CSEPhase::run): Deleted.
1172 (JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted.
1173 (JSC::DFG::CSEPhase::pureCSE): Deleted.
1174 (JSC::DFG::CSEPhase::constantCSE): Deleted.
1175 (JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted.
1176 (JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted.
1177 (JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted.
1178 (JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted.
1179 (JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted.
1180 (JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted.
1181 (JSC::DFG::CSEPhase::getByValLoadElimination): Deleted.
1182 (JSC::DFG::CSEPhase::checkFunctionElimination): Deleted.
1183 (JSC::DFG::CSEPhase::checkExecutableElimination): Deleted.
1184 (JSC::DFG::CSEPhase::checkStructureElimination): Deleted.
1185 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted.
1186 (JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted.
1187 (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted.
1188 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted.
1189 (JSC::DFG::CSEPhase::checkArrayElimination): Deleted.
1190 (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted.
1191 (JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted.
1192 (JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted.
1193 (JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted.
1194 (JSC::DFG::CSEPhase::invalidationPointElimination): Deleted.
1195 (JSC::DFG::CSEPhase::setReplacement): Deleted.
1196 (JSC::DFG::CSEPhase::eliminate): Deleted.
1197 (JSC::DFG::CSEPhase::performNodeCSE): Deleted.
1198 (JSC::DFG::CSEPhase::performBlockCSE): Deleted.
1199 (JSC::DFG::performCSE): Deleted.
1200 * dfg/DFGCSEPhase.h:
1201 * dfg/DFGClobberSet.cpp:
1202 (JSC::DFG::addReads):
1203 (JSC::DFG::addWrites):
1204 (JSC::DFG::addReadsAndWrites):
1205 (JSC::DFG::readsOverlap):
1206 (JSC::DFG::writesOverlap):
1207 * dfg/DFGClobberize.cpp:
1208 (JSC::DFG::doesWrites):
1209 (JSC::DFG::accessesOverlap):
1210 (JSC::DFG::writesOverlap):
1211 * dfg/DFGClobberize.h:
1212 (JSC::DFG::clobberize):
1213 (JSC::DFG::NoOpClobberize::operator()):
1214 (JSC::DFG::CheckClobberize::operator()):
1215 (JSC::DFG::ReadMethodClobberize::ReadMethodClobberize):
1216 (JSC::DFG::ReadMethodClobberize::operator()):
1217 (JSC::DFG::WriteMethodClobberize::WriteMethodClobberize):
1218 (JSC::DFG::WriteMethodClobberize::operator()):
1219 (JSC::DFG::DefMethodClobberize::DefMethodClobberize):
1220 (JSC::DFG::DefMethodClobberize::operator()):
1221 * dfg/DFGDCEPhase.cpp:
1222 (JSC::DFG::DCEPhase::run):
1223 (JSC::DFG::DCEPhase::fixupBlock):
1225 (JSC::DFG::Graph::getBlocksInPreOrder):
1226 (JSC::DFG::Graph::getBlocksInPostOrder):
1227 (JSC::DFG::Graph::addForDepthFirstSort): Deleted.
1228 (JSC::DFG::Graph::getBlocksInDepthFirstOrder): Deleted.
1230 * dfg/DFGHeapLocation.cpp: Added.
1231 (JSC::DFG::HeapLocation::dump):
1232 (WTF::printInternal):
1233 * dfg/DFGHeapLocation.h: Added.
1234 (JSC::DFG::HeapLocation::HeapLocation):
1235 (JSC::DFG::HeapLocation::operator!):
1236 (JSC::DFG::HeapLocation::kind):
1237 (JSC::DFG::HeapLocation::heap):
1238 (JSC::DFG::HeapLocation::base):
1239 (JSC::DFG::HeapLocation::index):
1240 (JSC::DFG::HeapLocation::hash):
1241 (JSC::DFG::HeapLocation::operator==):
1242 (JSC::DFG::HeapLocation::isHashTableDeletedValue):
1243 (JSC::DFG::HeapLocationHash::hash):
1244 (JSC::DFG::HeapLocationHash::equal):
1245 * dfg/DFGLICMPhase.cpp:
1246 (JSC::DFG::LICMPhase::run):
1248 (JSC::DFG::Node::replaceWith):
1249 (JSC::DFG::Node::convertToPhantomUnchecked): Deleted.
1251 (JSC::DFG::Plan::compileInThreadImpl):
1252 * dfg/DFGPureValue.cpp: Added.
1253 (JSC::DFG::PureValue::dump):
1254 * dfg/DFGPureValue.h: Added.
1255 (JSC::DFG::PureValue::PureValue):
1256 (JSC::DFG::PureValue::operator!):
1257 (JSC::DFG::PureValue::op):
1258 (JSC::DFG::PureValue::children):
1259 (JSC::DFG::PureValue::info):
1260 (JSC::DFG::PureValue::hash):
1261 (JSC::DFG::PureValue::operator==):
1262 (JSC::DFG::PureValue::isHashTableDeletedValue):
1263 (JSC::DFG::PureValueHash::hash):
1264 (JSC::DFG::PureValueHash::equal):
1265 * dfg/DFGSSAConversionPhase.cpp:
1266 (JSC::DFG::SSAConversionPhase::run):
1267 * ftl/FTLLowerDFGToLLVM.cpp:
1268 (JSC::FTL::LowerDFGToLLVM::lower):
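Toy model added here, not JavaScriptCore code, of the def()/write() contract the entry describes: the per-node semantics live in a clobberize()-style describeEffects(), and the CSE routine itself only maintains a PureValue=>node map and a HeapLocation=>node map, dropping heap entries whenever a write() overlaps their abstract heap. The four-op IR, the Op and Heap enums, and the single coarse "Fields" abstract heap are assumptions of the model (the real phase works over a much richer set of abstract heaps); the sample block is constructed.

```cpp
#include <cstdint>
#include <functional>
#include <map>
#include <tuple>
#include <utility>
#include <vector>

// Toy IR. Node ids equal their index in the block.
enum class Op { Const, Add, LoadField, StoreField };
enum class Heap { Fields };  // one coarse abstract heap (assumption of the model)

struct Node {
    Node(int id, Op op, std::vector<int> children, int64_t info)
        : id(id), op(op), children(std::move(children)), info(info) {}
    int id;
    Op op;
    std::vector<int> children;
    int64_t info;          // constant value, or field index for loads/stores
    int replacement = -1;  // node this one was CSE'd into, or -1
};

// PureValue: everything needed to decide that two pure nodes are identical.
using PureValue = std::tuple<Op, std::vector<int>, int64_t>;
// HeapLocation: abstract heap plus base node plus index names a location.
using HeapLocation = std::tuple<Heap, int, int64_t>;

struct Effects {
    std::function<void(const PureValue&)> defPure;
    std::function<void(const HeapLocation&, int)> defHeap;  // location -> value node
    std::function<void(Heap)> write;
};

// Stand-in for clobberize(): the only place that knows what each op means.
void describeEffects(const Node& n, const Effects& e)
{
    switch (n.op) {
    case Op::Const:
    case Op::Add:
        e.defPure(PureValue{n.op, n.children, n.info});
        break;
    case Op::LoadField:
        // The load makes (Fields, base, index) available as this very node.
        e.defHeap(HeapLocation{Heap::Fields, n.children[0], n.info}, n.id);
        break;
    case Op::StoreField:
        // Clobber the heap first, then publish the stored value at the location.
        e.write(Heap::Fields);
        e.defHeap(HeapLocation{Heap::Fields, n.children[0], n.info}, n.children[1]);
        break;
    }
}

// Local CSE over one block. Knows nothing about ops beyond what def()/write() report.
// Returns the number of nodes eliminated.
int performLocalCSE(std::vector<Node>& block)
{
    std::map<PureValue, int> pureValues;
    std::map<HeapLocation, int> heapValues;
    int eliminated = 0;
    for (Node& n : block) {
        // Forward edges to earlier replacements so later lookups match.
        for (int& c : n.children)
            while (block[c].replacement != -1)
                c = block[c].replacement;
        Effects e;
        e.defPure = [&](const PureValue& v) {
            auto it = pureValues.find(v);
            if (it != pureValues.end()) { n.replacement = it->second; ++eliminated; }
            else pureValues[v] = n.id;
        };
        e.defHeap = [&](const HeapLocation& loc, int value) {
            auto it = heapValues.find(loc);
            if (it != heapValues.end() && value == n.id) { n.replacement = it->second; ++eliminated; }
            else heapValues[loc] = value;  // record a load, or forward a store's value
        };
        e.write = [&](Heap h) {
            for (auto it = heapValues.begin(); it != heapValues.end();) {
                if (std::get<0>(it->first) == h) it = heapValues.erase(it);
                else ++it;
            }
        };
        describeEffects(n, e);
    }
    return eliminated;
}

// Constructed sample block: repeated loads, a dependent pure op, a store, then a clobber.
std::vector<Node> buildSampleBlock()
{
    std::vector<Node> b;
    b.emplace_back(0, Op::Const, std::vector<int>{}, 100);        // o (constant object pointer)
    b.emplace_back(1, Op::Const, std::vector<int>{}, 7);
    b.emplace_back(2, Op::LoadField, std::vector<int>{0}, 0);     // o.f
    b.emplace_back(3, Op::Add, std::vector<int>{2, 1}, 0);        // o.f + 7
    b.emplace_back(4, Op::LoadField, std::vector<int>{0}, 0);     // o.f again -> @2
    b.emplace_back(5, Op::Add, std::vector<int>{4, 1}, 0);        // becomes Add(@2, @1) -> @3
    b.emplace_back(6, Op::StoreField, std::vector<int>{0, 1}, 0); // o.f = 7
    b.emplace_back(7, Op::LoadField, std::vector<int>{0}, 0);     // o.f -> @1 (store forwarded)
    b.emplace_back(8, Op::StoreField, std::vector<int>{0, 3}, 1); // o.g = ...; clobbers Fields
    b.emplace_back(9, Op::LoadField, std::vector<int>{0}, 0);     // stays: location was killed
    return b;
}
```

Running performLocalCSE over the sample eliminates @4, @5 and @7 and keeps @9, because the coarse write() from @8 discards every Fields location; a finer abstract heap per property name would let @9 be forwarded from @6 as well, which is the precision the real abstract heaps buy.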
1270 2014-07-13 Filip Pizlo <fpizlo@apple.com>
1272 Unreviewed, revert unintended change in r171051.
1274 * dfg/DFGCSEPhase.cpp:
1276 2014-07-08 Filip Pizlo <fpizlo@apple.com>
1278 [ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase
1279 https://bugs.webkit.org/show_bug.cgi?id=134739
1281 Reviewed by Mark Hahnenberg.
1283 I'm going to streamline CSE around clobberize() as part of
1284 https://bugs.webkit.org/show_bug.cgi?id=134677, and so Flush(SetLocal) store
1285 elimination wouldn't belong in CSE anymore. It doesn't quite belong anywhere, which
1286 means that it belongs in StrengthReductionPhase, since that's intended to be our
1289 To do this I had to add some missing smarts to clobberize(). Previously clobberize()
1290 could play a bit loose with reads of Variables because it wasn't used for store
1291 elimination. The main client of read() was LICM, but it would only use it to
1292 determine hoistability and anything that did a write() was not hoistable - so, we had
1293 benign (but still wrong) missing read() calls in places that did write()s. This fixes
1294 a bunch of those cases.
1296 * dfg/DFGCSEPhase.cpp:
1297 (JSC::DFG::CSEPhase::performNodeCSE):
1298 (JSC::DFG::CSEPhase::setLocalStoreElimination): Deleted.
1299 * dfg/DFGClobberize.cpp:
1300 (JSC::DFG::accessesOverlap):
1301 * dfg/DFGClobberize.h:
1302 (JSC::DFG::clobberize): Make clobberize() smart enough for detecting when this store elimination would be sound.
1303 * dfg/DFGStrengthReductionPhase.cpp:
1304 (JSC::DFG::StrengthReductionPhase::handleNode): Implement the store elimination in terms of clobberize().
1306 2014-07-08 Filip Pizlo <fpizlo@apple.com>
1308 [ftlopt] Phantom simplification should be in its own phase
1309 https://bugs.webkit.org/show_bug.cgi?id=134742
1311 Reviewed by Geoffrey Garen.
1313 This moves Phantom simplification out of CSE, which greatly simplifies CSE and gives it
1314 more focus. Also this finally adds a phase that removes empty Phantoms. We sort of had
1315 this in CPSRethreading, but that phase runs too infrequently and doesn't run at all for
1319 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1320 * JavaScriptCore.xcodeproj/project.pbxproj:
1321 * dfg/DFGAdjacencyList.h:
1322 * dfg/DFGCSEPhase.cpp:
1323 (JSC::DFG::CSEPhase::run):
1324 (JSC::DFG::CSEPhase::setReplacement):
1325 (JSC::DFG::CSEPhase::eliminate):
1326 (JSC::DFG::CSEPhase::performNodeCSE):
1327 (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): Deleted.
1328 * dfg/DFGPhantomRemovalPhase.cpp: Added.
1329 (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase):
1330 (JSC::DFG::PhantomRemovalPhase::run):
1331 (JSC::DFG::performCleanUp):
1332 * dfg/DFGPhantomRemovalPhase.h: Added.
1334 (JSC::DFG::Plan::compileInThreadImpl):
1336 2014-07-08 Filip Pizlo <fpizlo@apple.com>
1338 [ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously
1339 https://bugs.webkit.org/show_bug.cgi?id=134730
1341 Reviewed by Mark Lam.
1343 This will allow for a better GCSE implementation.
1345 * dfg/DFGCPSRethreadingPhase.cpp:
1346 (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1347 * dfg/DFGCSEPhase.cpp:
1348 (JSC::DFG::CSEPhase::setReplacement):
1349 * dfg/DFGEdgeDominates.h:
1350 (JSC::DFG::EdgeDominates::operator()):
1352 (JSC::DFG::Graph::clearReplacements):
1353 (JSC::DFG::Graph::initializeNodeOwners):
1355 (JSC::DFG::Graph::performSubstitutionForEdge):
1356 * dfg/DFGLICMPhase.cpp:
1357 (JSC::DFG::LICMPhase::attemptHoist):
1359 (JSC::DFG::Node::Node):
1360 * dfg/DFGSSAConversionPhase.cpp:
1361 (JSC::DFG::SSAConversionPhase::run):
1363 2014-07-04 Filip Pizlo <fpizlo@apple.com>
1365 [ftlopt] Infer immutable object properties
1366 https://bugs.webkit.org/show_bug.cgi?id=134567
1368 Reviewed by Mark Hahnenberg.
1370 This introduces a new way of inferring immutable object properties. A property is said to
1371 be immutable if after its creation (i.e. the transition that creates it), we never
1372 overwrite it (i.e. replace it) or delete it. Immutability is a property of an "own
1373 property" - so if we say that "f" is immutable at "o" then we are implying that "o" has "f"
1374 directly and not on a prototype. More specifically, the immutability inference will prove
1375 that a property on some structure is immutable. This means that, for example, we may have a
1376 structure S1 with property "f" where we claim that "f" at S1 is immutable, but S1 has a
1377 transition to S2 that adds a new property "g" and we may claim that "f" at S2 is actually
1378 mutable. This is mainly for convenience; it allows us to decouple immutability logic from
1379 transition logic. Immutability can be used to constant-fold accesses to objects at
1380 DFG-time. The DFG needs to prove the following to constant-fold the access:
1382 - The base of the access must be a constant object pointer. We prove that a property at a
1383 structure is immutable, but that says nothing of its value; each actual instance of that
1384 property may have a different value. So, a constant object pointer is needed to get an
1385 actual constant instance of the immutable value.
1387 - A check (or watchpoint) must have been emitted proving that the object has a structure
1388 that allows loading the property in question.
1390 - The replacement watchpoint set of the property in the structure that we've proven the
1391 object to have is still valid and we add a watchpoint to it lazily. The replacement
1392 watchpoint set is the key new mechanism that this change adds. It's possible that we have
1393 proven that the object has one of many structures, in which case each of those structures
1394 needs a valid replacement watchpoint set.
1396 The replacement watchpoint set is created the first time that any access to the property is
1397 cached. A put replace cache will create, and immediately invalidate, the watchpoint set. A
1398 get cache will create the watchpoint set and make it start watching. Any non-cached put
1399 access will invalidate the watchpoint set if one had been created; the underlying algorithm
1400 ensures that checking for the existence of a replacement watchpoint set is very fast in the
1401 common case. This algorithm ensures that no cached access needs to ever do any work to
1402 invalidate, or check the validity of, any replacement watchpoint sets. It also has some
1403 other nice properties:
1405 - It's very robust in its definition of immutability. The strictest that it will ever be is
1406 that for any instance of the object, the property must be written to only once,
1407 specifically at the time that the property is created. But it's looser than this in
1408 practice. For example, the property may be written to any number of times before we add
1409 the final property that the object will have before anyone reads the property; this works
1410 since for optimization purposes we only care if we detect immutability on the structure
1411 that the object will have when it is most frequently read from, not any previous
1412 structure that the object had. Also, we may write to the property any number of times
1413 before anyone caches accesses to it.
1415 - It is mostly orthogonal to structure transitions. No new structures need to be created to
1416 track the immutability of a property. Hence, there is no risk from this feature causing
1417 more polymorphism. This is different from the previous "specificValue" constant
1418 inference, which did cause additional structures to be created and sometimes those
1419 structures led to fake polymorphism. This feature does leverage existing transitions to
1420 do some of the watchpointing: property deletions don't fire the replacement watchpoint
1421 set because that would cause a new structure and so the mandatory structure check would
1422 fail. Also, this feature is guaranteed to never kick in for uncacheable dictionaries
1423 because those wouldn't allow for cacheable accesses - and it takes a cacheable access for
1424 this feature to be enabled.
1426 - No memory overhead is incurred except when accesses to the property are cached.
1427 Dictionary properties will typically have no meta-data for immutability. The number of
1428 replacement watchpoint sets we allocate is proportional to the number of inline caches in
1429 the program, which is typically much smaller than the number of structures or even the
1432 This inference is far more powerful than the previous "specificValue" inference, so this
1433 change also removes all of that code. It's interesting that the amount of code that is
1434 changed to remove that feature is almost as big as the amount of code added to support the
1435 new inference - and that's if you include the new tests in the tally. Without new tests,
1436 it appears that the new feature actually touches less code!
1438 There is one corner case where the previous "specificValue" inference was more powerful.
1439 You can imagine someone creating objects with functions as self properties on those
1440 objects, such that each object instance had the same function pointers - essentially,
1441 someone might be trying to create a vtable but failing at the whole "one vtable for many
1442 instances" concept. The "specificValue" inference would do very well for such programs,
1443 because a structure check would be sufficient to prove a constant value for all of the
1444 function properties. This new inference will fail because it doesn't track the constant
1445 values of constant properties; instead it detects the immutability of otherwise variable
1446 properties (in the sense that each instance of the property may have a different value).
1447 So, the new inference requires having a particular object instance to actually get the
1448 constant value. I think it's OK to lose this antifeature. It took a lot of code to support
1449 and was a constant source of grief in our transition logic, and there doesn't appear to be
1450 any real evidence that programs benefited from that particular kind of inference since
1451 usually it's the singleton prototype instance that has all of the functions.
1453 This change is a speed-up on everything. date-format-xparb and both SunSpider/raytrace and
1454 V8/raytrace seem to be the biggest winners among the macrobenchmarks; they see >5%
1455 speed-ups. Many of our microbenchmarks see very large performance improvements, even 80% in
1458 * bytecode/ComplexGetStatus.cpp:
1459 (JSC::ComplexGetStatus::computeFor):
1460 * bytecode/GetByIdStatus.cpp:
1461 (JSC::GetByIdStatus::computeFromLLInt):
1462 (JSC::GetByIdStatus::computeForStubInfo):
1463 (JSC::GetByIdStatus::computeFor):
1464 * bytecode/GetByIdVariant.cpp:
1465 (JSC::GetByIdVariant::GetByIdVariant):
1466 (JSC::GetByIdVariant::operator=):
1467 (JSC::GetByIdVariant::attemptToMerge):
1468 (JSC::GetByIdVariant::dumpInContext):
1469 * bytecode/GetByIdVariant.h:
1470 (JSC::GetByIdVariant::alternateBase):
1471 (JSC::GetByIdVariant::specificValue): Deleted.
1472 * bytecode/PutByIdStatus.cpp:
1473 (JSC::PutByIdStatus::computeForStubInfo):
1474 (JSC::PutByIdStatus::computeFor):
1475 * bytecode/PutByIdVariant.cpp:
1476 (JSC::PutByIdVariant::operator=):
1477 (JSC::PutByIdVariant::setter):
1478 (JSC::PutByIdVariant::dumpInContext):
1479 * bytecode/PutByIdVariant.h:
1480 (JSC::PutByIdVariant::specificValue): Deleted.
1481 * bytecode/Watchpoint.cpp:
1482 (JSC::WatchpointSet::fireAllSlow):
1483 (JSC::WatchpointSet::fireAll): Deleted.
1484 * bytecode/Watchpoint.h:
1485 (JSC::WatchpointSet::fireAll):
1486 * dfg/DFGAbstractInterpreterInlines.h:
1487 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1488 * dfg/DFGByteCodeParser.cpp:
1489 (JSC::DFG::ByteCodeParser::handleGetByOffset):
1490 (JSC::DFG::ByteCodeParser::handleGetById):
1491 (JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
(JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
(JSC::DFG::Graph::tryGetConstantProperty):
(JSC::DFG::Graph::visitChildren):
* dfg/DFGWatchableStructureWatchingPhase.cpp:
(JSC::DFG::WatchableStructureWatchingPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
* jit/JITOperations.cpp:
(JSC::repatchByIdSelfAccess):
(JSC::generateByIdStub):
(JSC::tryCacheGetByID):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::putToScopeCommon):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::mayInterceptStoreTo):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSObject.cpp:
(JSC::JSObject::put):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::defaultValue):
(JSC::getCallableObjectSlow): Deleted.
(JSC::JSObject::getPropertySpecificValue): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::getDirect):
(JSC::JSObject::getDirectOffset):
(JSC::JSObject::inlineGetOwnPropertySlot):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::putOwnDataProperty):
(JSC::JSObject::putDirect):
(JSC::JSObject::putDirectWithoutTransition):
(JSC::getCallableObject): Deleted.
* runtime/JSScope.cpp:
(JSC::abstractAccess):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyMapEntry::PropertyMapEntry):
(JSC::PropertyTable::copy):
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::clone):
(JSC::PropertyTable::PropertyTable):
(JSC::PropertyTable::visitChildren): Deleted.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransitionToExistingStructureImpl):
(JSC::Structure::addPropertyTransitionToExistingStructure):
(JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::allocateRareData):
(JSC::Structure::ensurePropertyReplacementWatchpointSet):
(JSC::Structure::startWatchingPropertyForReplacements):
(JSC::Structure::didCachePropertyReplacement):
(JSC::Structure::startWatchingInternalProperties):
(JSC::Structure::copyPropertyTable):
(JSC::Structure::copyPropertyTableForPinning):
(JSC::Structure::getConcurrently):
(JSC::Structure::get):
(JSC::Structure::add):
(JSC::Structure::visitChildren):
(JSC::Structure::prototypeChainMayInterceptStoreTo):
(JSC::Structure::dump):
(JSC::Structure::despecifyDictionaryFunction): Deleted.
(JSC::Structure::despecifyFunctionTransition): Deleted.
(JSC::Structure::despecifyFunction): Deleted.
(JSC::Structure::despecifyAllFunctions): Deleted.
(JSC::Structure::putSpecificValue): Deleted.
* runtime/Structure.h:
(JSC::Structure::startWatchingPropertyForReplacements):
(JSC::Structure::startWatchingInternalPropertiesIfNecessary):
(JSC::Structure::startWatchingInternalPropertiesIfNecessaryForEntireChain):
(JSC::Structure::transitionDidInvolveSpecificValue): Deleted.
(JSC::Structure::disableSpecificFunctionTracking): Deleted.
* runtime/StructureInlines.h:
(JSC::Structure::getConcurrently):
(JSC::Structure::didReplaceProperty):
(JSC::Structure::propertyReplacementWatchpointSet):
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::destroy):
* runtime/StructureRareData.h:
* tests/stress/infer-constant-global-property.js: Added.
* tests/stress/infer-constant-property.js: Added.
* tests/stress/jit-cache-poly-replace-then-cache-get-and-fold-then-invalidate.js: Added.
* tests/stress/jit-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
* tests/stress/jit-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
* tests/stress/llint-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
* tests/stress/llint-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
* tests/stress/repeat-put-to-scope-global-with-same-value-watchpoint-invalidate.js: Added.

2014-07-03 Saam Barati <sbarati@apple.com>

Add more coverage for the profile_types_with_high_fidelity op code.
https://bugs.webkit.org/show_bug.cgi?id=134616

Reviewed by Filip Pizlo.

More operations are now being recorded by the profile_types_with_high_fidelity
opcode. Specifically: function parameters, function return values,
function 'this' value, get_by_id, get_by_value, resolve nodes, function return
values at the call site. Added more flags to the profile_types_with_high_fidelity
opcode so more focused tasks can take place when the instruction is
being linked in CodeBlock. Re-worked the type profiler to search
through character offset ranges when asked for the type of an expression
at a given offset. Removed redundant calls to Structure::toStructureShape
in HighFidelityLog and TypeSet by caching calls based on StructureID.

* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::scopeDependentProfile):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::returnStatementTypeSet):
* bytecode/TypeLocation.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset):
(JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo):
* bytecode/UnlinkedCodeBlock.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
(JSC::BytecodeGenerator::emitGetFromScopeWithProfile):
(JSC::BytecodeGenerator::emitPutToScope):
(JSC::BytecodeGenerator::emitPutToScopeWithProfile):
(JSC::BytecodeGenerator::emitPutById):
(JSC::BytecodeGenerator::emitPutByVal):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
* bytecompiler/NodesCodegen.cpp:
(JSC::ResolveNode::emitBytecode):
(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::FunctionCallValueNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::FunctionCallBracketNode::emitBytecode):
(JSC::FunctionCallDotNode::emitBytecode):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::PostfixNode::emitResolve):
(JSC::PostfixNode::emitBracket):
(JSC::PostfixNode::emitDot):
(JSC::PrefixNode::emitResolve):
(JSC::PrefixNode::emitBracket):
(JSC::PrefixNode::emitDot):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::AssignDotNode::emitBytecode):
(JSC::ReadModifyDotNode::emitBytecode):
(JSC::AssignBracketNode::emitBytecode):
(JSC::ReadModifyBracketNode::emitBytecode):
(JSC::ReturnNode::emitBytecode):
(JSC::FunctionBodyNode::emitBytecode):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset):
(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/protocol/Runtime.json:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getFromScopeCommon):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/HighFidelityLog.cpp:
(JSC::HighFidelityLog::processHighFidelityLog):
(JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
(JSC::HighFidelityLog::recordTypeInformationForLocation): Deleted.
* runtime/HighFidelityLog.h:
(JSC::HighFidelityLog::recordTypeInformationForLocation):
* runtime/HighFidelityTypeProfiler.cpp:
(JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset):
(JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset):
(JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset):
(JSC::HighFidelityTypeProfiler::insertNewLocation):
(JSC::HighFidelityTypeProfiler::findLocation):
(JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): Deleted.
(JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): Deleted.
(JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): Deleted.
(JSC::HighFidelityTypeProfiler::getLocationBasedHash): Deleted.
* runtime/HighFidelityTypeProfiler.h:
(JSC::LocationKey::LocationKey): Deleted.
(JSC::LocationKey::hash): Deleted.
(JSC::LocationKey::operator==): Deleted.
* runtime/Structure.cpp:
(JSC::Structure::toStructureShape):
* runtime/Structure.h:
* runtime/TypeSet.cpp:
(JSC::TypeSet::TypeSet):
(JSC::TypeSet::addTypeForValue):
(JSC::TypeSet::seenTypes):
(JSC::TypeSet::removeDuplicatesInStructureHistory): Deleted.
* runtime/TypeSet.h:
(JSC::StructureShape::setConstructorName):
(JSC::VM::getTypesForVariableAtOffset):
(JSC::VM::dumpHighFidelityProfilingTypes):
(JSC::VM::getTypesForVariableInRange): Deleted.

2014-07-04 Filip Pizlo <fpizlo@apple.com>

[ftlopt][REGRESSION] debug tests fail because PutByIdDirect is now implemented in terms of In
https://bugs.webkit.org/show_bug.cgi?id=134642

Rubber stamped by Andreas Kling.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):

2014-07-01 Filip Pizlo <fpizlo@apple.com>

[ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null, so that if we constant-infer an accessor slot then we immediately get the function constant for free
https://bugs.webkit.org/show_bug.cgi?id=134518

Reviewed by Mark Hahnenberg.

This has no real effect right now, particularly since almost all uses of
setSetter/setGetter were already allocating a brand new GetterSetter. But once we start
doing more aggressive constant property inference, this change will allow us to remove
all runtime checks from getter/setter calls.

* runtime/GetterSetter.cpp:
(JSC::GetterSetter::withGetter):
(JSC::GetterSetter::withSetter):
* runtime/GetterSetter.h:
(JSC::GetterSetter::setGetter):
(JSC::GetterSetter::setSetter):
* runtime/JSObject.cpp:
(JSC::JSObject::defineOwnNonIndexProperty):

2014-07-02 Filip Pizlo <fpizlo@apple.com>

[ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure

Rubber stamped by Mark Hahnenberg.

* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::didTransitionFromThisStructure):
(JSC::Structure::notifyTransitionFromThisStructure): Deleted.
* runtime/Structure.h:

2014-07-02 Filip Pizlo <fpizlo@apple.com>

[ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore.

Rubber stamped by Mark Hahnenberg.

* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::cloneRareDataFrom): Deleted.
* runtime/Structure.h:
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::clone): Deleted.
(JSC::StructureRareData::StructureRareData): Deleted.
* runtime/StructureRareData.h:
(JSC::StructureRareData::needsCloning): Deleted.

2014-07-01 Mark Lam <mark.lam@apple.com>

[ftlopt] DebuggerCallFrame::scope() should return a DebuggerScope.
<https://webkit.org/b/134420>

Reviewed by Geoffrey Garen.

Previously, DebuggerCallFrame::scope() returns a JSActivation (and relevant
peers) which the WebInspector will use to introspect CallFrame variables.
Instead, we should be returning a DebuggerScope as an abstraction layer that
provides the introspection functionality that the WebInspector needs. This
is the first step towards not forcing every frame to have a JSActivation
object just because the debugger is enabled.

1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
instead of the VM. This allows JSObject::globalObject() to be able to
return the global object for the DebuggerScope.

2. On the DebuggerScope's life-cycle management:

The DebuggerCallFrame is designed to be "valid" only during a debugging session
(while the debugger is broken) through the use of a DebuggerCallFrameScope in
Debugger::pauseIfNeeded(). Once the debugger resumes from the break, the
DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
We can't guarantee (from this code alone) that the Inspector code isn't still
holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
the frame will be invalidated, and any attempt to query it will return null values.
This is pre-existing behavior.

Now, we're adding the DebuggerScope into the picture. While a single debugger
pause session is in progress, the Inspector may request the scope from the
DebuggerCallFrame. While the DebuggerCallFrame is still valid, we want
DebuggerCallFrame::scope() to always return the same DebuggerScope object.
This is why we hold on to the DebuggerScope with a strong ref.

If we use a weak ref instead, the following kooky behavior can manifest:
1. The Inspector calls Debugger::scope() to get the top scope.
2. The Inspector iterates down the scope chain and is now only holding a
reference to a parent scope. It is no longer referencing the top scope.
3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
a different DebuggerScope instance.
5. The Inspector iterates down the scope chain but never sees the parent scope
instance that retained a ref to in step 2 above. This is because when iterating
this new DebuggerScope instance (which has no knowledge of the previous parent
DebuggerScope instance), a new DebuggerScope instance will get created for the

Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
instantiated) will also get invalidated. This is why we need the
DebuggerScope::invalidateChain() method. The Inspector should not be using the
DebuggerScope instance after its owner DebuggerCallFrame is invalidated. If it does,
those methods will do nothing or return a failed status.

* debugger/Debugger.h:
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::scope):
(JSC::DebuggerCallFrame::evaluate):
(JSC::DebuggerCallFrame::invalidate):
(JSC::DebuggerCallFrame::vm):
(JSC::DebuggerCallFrame::lexicalGlobalObject):
* debugger/DebuggerCallFrame.h:
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::DebuggerScope):
(JSC::DebuggerScope::finishCreation):
(JSC::DebuggerScope::visitChildren):
(JSC::DebuggerScope::className):
(JSC::DebuggerScope::getOwnPropertySlot):
(JSC::DebuggerScope::put):
(JSC::DebuggerScope::deleteProperty):
(JSC::DebuggerScope::getOwnPropertyNames):
(JSC::DebuggerScope::defineOwnProperty):
(JSC::DebuggerScope::next):
(JSC::DebuggerScope::invalidateChain):
(JSC::DebuggerScope::isWithScope):
(JSC::DebuggerScope::isGlobalScope):
(JSC::DebuggerScope::isFunctionScope):
* debugger/DebuggerScope.h:
(JSC::DebuggerScope::create):
(JSC::DebuggerScope::Iterator::Iterator):
(JSC::DebuggerScope::Iterator::get):
(JSC::DebuggerScope::Iterator::operator++):
(JSC::DebuggerScope::Iterator::operator==):
(JSC::DebuggerScope::Iterator::operator!=):
(JSC::DebuggerScope::isValid):
(JSC::DebuggerScope::jsScope):
(JSC::DebuggerScope::begin):
(JSC::DebuggerScope::end):
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::scopeType):
(Inspector::JSJavaScriptCallFrame::scopeChain):
* inspector/JavaScriptCallFrame.h:
(Inspector::JavaScriptCallFrame::scopeChain):
* inspector/ScriptDebugServer.cpp:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::debuggerScopeStructure):
* runtime/JSObject.h:
(JSC::JSObject::isWithScope):
* runtime/JSScope.h:

2014-07-01 Filip Pizlo <fpizlo@apple.com>

[ftlopt] DFG bytecode parser should turn PutById with nothing but a Setter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
https://bugs.webkit.org/show_bug.cgi?id=130756

Reviewed by Oliver Hunt.

This enables exposing the call to setters in the DFG, and then inlining it. Previously we
already supported inlined-cached calls to setters from within put_by_id inline caches,
and the DFG could certainly emit such IC's. Now, if an IC had a setter call, then the DFG
will either emit the GetGetterSetterByOffset/GetSetter/Call combo, or it will do one
better and inline the call.

A lot of the core functionality was already available from the previous work to inline
getters. So, there are some refactorings in this patch that move preexisting
functionality around. For example, the work to figure out how the DFG should go about
getting to what we call the "loaded value" - i.e. the GetterSetter object reference in
the case of accessors - is now shared in ComplexGetStatus, and both GetByIdStatus and
PutByIdStatus use it. This means that we can keep the safety checks common. This patch
also does additional refactorings in DFG::ByteCodeParser so that we can continue to reuse
handleCall() for all of the various kinds of calls we can now emit.

83% speed-up on getter-richards, 2% speed-up on box2d.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/ComplexGetStatus.cpp: Added.
(JSC::ComplexGetStatus::computeFor):
* bytecode/ComplexGetStatus.h: Added.
(JSC::ComplexGetStatus::ComplexGetStatus):
(JSC::ComplexGetStatus::skip):
(JSC::ComplexGetStatus::takesSlowPath):
(JSC::ComplexGetStatus::kind):
(JSC::ComplexGetStatus::attributes):
(JSC::ComplexGetStatus::specificValue):
(JSC::ComplexGetStatus::offset):
(JSC::ComplexGetStatus::chain):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::GetByIdVariant):
* bytecode/PolymorphicPutByIdList.h:
(JSC::PutByIdAccess::PutByIdAccess):
(JSC::PutByIdAccess::setter):
(JSC::PutByIdAccess::structure):
(JSC::PutByIdAccess::chainCount):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::makesCalls):
* bytecode/PutByIdStatus.h:
(JSC::PutByIdStatus::makesCalls): Deleted.
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::PutByIdVariant):
(JSC::PutByIdVariant::operator=):
(JSC::PutByIdVariant::replace):
(JSC::PutByIdVariant::transition):
(JSC::PutByIdVariant::setter):
(JSC::PutByIdVariant::writesStructures):
(JSC::PutByIdVariant::reallocatesStorage):
(JSC::PutByIdVariant::makesCalls):
(JSC::PutByIdVariant::dumpInContext):
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::PutByIdVariant):
(JSC::PutByIdVariant::structure):
(JSC::PutByIdVariant::oldStructure):
(JSC::PutByIdVariant::alternateBase):
(JSC::PutByIdVariant::specificValue):
(JSC::PutByIdVariant::callLinkStatus):
(JSC::PutByIdVariant::replace): Deleted.
(JSC::PutByIdVariant::transition): Deleted.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::takesSlowPathInDFGForImpureProperty):
* runtime/IntendedStructureChain.h:
* tests/stress/exit-from-setter.js: Added.
* tests/stress/poly-chain-setter.js: Added.
* tests/stress/poly-chain-then-setter.js: Added.
* tests/stress/poly-setter-combo.js: Added.
* tests/stress/poly-setter-then-self.js: Added.
* tests/stress/weird-setter-counter.js: Added.
* tests/stress/weird-setter-counter-syntactic.js: Added.

2014-07-01 Matthew Mirman <mmirman@apple.com>

Added an implementation of the "in" check to FTL.
https://bugs.webkit.org/show_bug.cgi?id=134508

Reviewed by Filip Pizlo.

* ftl/FTLCapabilities.cpp: enabled compilation for "in"
(JSC::FTL::canCompile): ditto
* ftl/FTLCompile.cpp:
(JSC::FTL::generateCheckInICFastPath): added.
(JSC::FTL::fixFunctionBasedOnStackMaps): added case for CheckIn descriptors.
* ftl/FTLInlineCacheDescriptor.h:
(JSC::FTL::CheckInGenerator::CheckInGenerator): added.
(JSC::FTL::CheckInDescriptor::CheckInDescriptor): added.
* ftl/FTLInlineCacheSize.cpp:
(JSC::FTL::sizeOfCheckIn): added. Currently larger than necessary.
* ftl/FTLInlineCacheSize.h: ditto
* ftl/FTLIntrinsicRepository.h: Added function type for operationInGeneric
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode): added case for In.
(JSC::FTL::LowerDFGToLLVM::compileIn): added.
* ftl/FTLSlowPathCall.cpp: Added a callOperation for operationIn
(JSC::FTL::callOperation): ditto
* ftl/FTLSlowPathCall.h: ditto
* ftl/FTLState.h: Added a vector to hold CheckIn descriptors.
* jit/JITOperations.h: made operationIns internal.
* tests/stress/ftl-checkin.js: Added.
* tests/stress/ftl-checkin-variable.js: Added.

2014-06-30 Mark Hahnenberg <mhahnenberg@apple.com>

CodeBlock::stronglyVisitWeakReferences should mark DFG::CommonData::weakStructureReferences
https://bugs.webkit.org/show_bug.cgi?id=134455

Reviewed by Geoffrey Garen.

Otherwise we get hanging pointers which can cause us to die later.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::stronglyVisitWeakReferences):

2014-06-27 Filip Pizlo <fpizlo@apple.com>

[ftlopt] Reduce the GC's influence on optimization decisions
https://bugs.webkit.org/show_bug.cgi?id=134427

Reviewed by Oliver Hunt.

This is a slight speed-up on some platforms, that arises from a bunch of fixes that I made
while trying to make the GC keep more structures alive
(https://bugs.webkit.org/show_bug.cgi?id=128072).

The fixes are, roughly:

- If the GC clears an inline cache, then this no longer causes the IC to be forever

- If we exit in inlined code into a function that tries to OSR enter, then we jettison

- Some variables being uninitialized led to rage-recompilations.

This is a pretty strong step in the direction of keeping more Structures alive and not
blowing away code just because a Structure died. But, it seems like there is still a slight
speed-up to be had from blowing away code that references dead Structures.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpAssumingJITType):
(JSC::shouldMarkTransition):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::determineLiveness):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::isSupportedForInlining):
(JSC::DFG::mightInlineFunctionForCall):
(JSC::DFG::mightInlineFunctionForClosureCall):
(JSC::DFG::mightInlineFunctionForConstruct):
* dfg/DFGCapabilities.h:
* dfg/DFGCommonData.h:
* dfg/DFGDesiredWeakReferences.cpp:
(JSC::DFG::DesiredWeakReferences::reallyAdd):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* ftl/FTLForOSREntryJITCode.cpp:
(JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): These variables being uninitialized is benign in terms of correctness but can sometimes cause rage-recompilations. For some reason it took this patch to reveal this.
* ftl/FTLOSREntry.cpp:
(JSC::FTL::prepareOSREntry):
* runtime/Executable.cpp:
(JSC::ExecutableBase::destroy):
(JSC::NativeExecutable::destroy):
(JSC::ScriptExecutable::ScriptExecutable):
(JSC::ScriptExecutable::destroy):
(JSC::ScriptExecutable::installCode):
(JSC::EvalExecutable::EvalExecutable):
(JSC::ProgramExecutable::ProgramExecutable):
* runtime/Executable.h:
(JSC::ScriptExecutable::setDidTryToEnterInLoop):
(JSC::ScriptExecutable::didTryToEnterInLoop):
(JSC::ScriptExecutable::addressOfDidTryToEnterInLoop):
(JSC::ScriptExecutable::ScriptExecutable): Deleted.
* runtime/StructureInlines.h:
(JSC::Structure::storedPrototypeObject):
(JSC::Structure::storedPrototypeStructure):

2014-06-25 Filip Pizlo <fpizlo@apple.com>

[ftlopt] If a CodeBlock is jettisoned due to a watchpoint then it should be possible to figure out something about that watchpoint
https://bugs.webkit.org/show_bug.cgi?id=134333

Reviewed by Geoffrey Garen.

This is engineered to provide loads of information to the profiler without incurring any
costs when the profiler is disabled. It's the oldest trick in the book: the thing that
fires the watchpoint doesn't actually create anything to describe the reason why it was
fired; instead it creates a stack-allocated FireDetail subclass instance. Only if the
FireDetail::dump() virtual method is called does anything happen.

Currently we use this to produce very fine-grained data for Structure watchpoints and
some cases of variable watchpoints. For all other situations, the given reason is just a
string constant, by using StringFireDetail. If we find a situation where that string
constant is insufficient to diagnose an issue then we can change it to provide more
fine-grained information.

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::jettison):
* bytecode/CodeBlock.h:
* bytecode/CodeBlockJettisoningWatchpoint.cpp:
(JSC::CodeBlockJettisoningWatchpoint::fireInternal):
* bytecode/CodeBlockJettisoningWatchpoint.h:
* bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Removed.
* bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Removed.
* bytecode/StructureStubClearingWatchpoint.cpp:
(JSC::StructureStubClearingWatchpoint::fireInternal):
* bytecode/StructureStubClearingWatchpoint.h:
* bytecode/VariableWatchpointSet.h:
(JSC::VariableWatchpointSet::invalidate):
(JSC::VariableWatchpointSet::finalizeUnconditionally):
* bytecode/VariableWatchpointSetInlines.h:
(JSC::VariableWatchpointSet::notifyWrite):
* bytecode/Watchpoint.cpp:
(JSC::StringFireDetail::dump):
(JSC::WatchpointSet::fireAll):
(JSC::WatchpointSet::fireAllSlow):
(JSC::WatchpointSet::fireAllWatchpoints):
(JSC::InlineWatchpointSet::fireAll):
* bytecode/Watchpoint.h:
(JSC::FireDetail::FireDetail):
(JSC::FireDetail::~FireDetail):
(JSC::StringFireDetail::StringFireDetail):
(JSC::Watchpoint::fire):
(JSC::WatchpointSet::fireAll):
(JSC::WatchpointSet::touch):
(JSC::WatchpointSet::invalidate):
(JSC::InlineWatchpointSet::fireAll):
(JSC::InlineWatchpointSet::touch):
* dfg/DFGCommonData.h:
* dfg/DFGOperations.cpp:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
(WTF::Masquerader::create):
* profiler/ProfilerCompilation.cpp:
(JSC::Profiler::Compilation::setJettisonReason):
(JSC::Profiler::Compilation::toJS):
* profiler/ProfilerCompilation.h:
(JSC::Profiler::Compilation::setJettisonReason): Deleted.
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBuffer::transfer):
* runtime/ArrayBufferNeuteringWatchpoint.cpp:
(JSC::ArrayBufferNeuteringWatchpoint::fireAll):
* runtime/ArrayBufferNeuteringWatchpoint.h:
* runtime/CommonIdentifiers.h:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/Identifier.cpp:
(JSC::Identifier::dump):
* runtime/Identifier.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::addFunction):
(JSC::JSGlobalObject::haveABadTime):
* runtime/JSSymbolTableObject.cpp:
(JSC::VariableWriteFireDetail::dump):
* runtime/JSSymbolTableObject.h:
(JSC::VariableWriteFireDetail::VariableWriteFireDetail):
(JSC::symbolTablePut):
(JSC::symbolTablePutWithAttributes):
* runtime/PropertyName.h:
(JSC::PropertyName::dump):
* runtime/Structure.cpp:
(JSC::Structure::notifyTransitionFromThisStructure):
* runtime/Structure.h:
(JSC::Structure::notifyTransitionFromThisStructure): Deleted.
* runtime/SymbolTable.cpp:
(JSC::SymbolTableEntry::notifyWriteSlow):
(JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
* runtime/SymbolTable.h:
(JSC::SymbolTableEntry::notifyWrite):
(JSC::VM::addImpureProperty):

2014-08-05 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r172099.
https://bugs.webkit.org/show_bug.cgi?id=135635

Needs a do-over. (Requested by kling on #webkit).

"The JIT should cache property lookup misses."
https://bugs.webkit.org/show_bug.cgi?id=135578
http://trac.webkit.org/changeset/172099

2014-08-05 Przemyslaw Kuczynski <p.kuczynski@samsung.com>

Fix resource leak of unclosed file descriptor.
https://bugs.webkit.org/show_bug.cgi?id=135417

Reviewed by Darin Adler.

When open returns zero, fd handle leaks. Checking (fd > 0) needs to be replaced

* assembler/MacroAssemblerARM.cpp:
(JSC::isVFPPresent):

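The descriptor-zero pitfall this entry fixes, shown as an added example rather than the WebKit change itself (the real fix lives in JSC::isVFPPresent, which the entry does not quote): open(2) returns the lowest free descriptor, and that can legitimately be 0 once stdin has been closed, so a `fd > 0` success test mistakes a valid descriptor for a failure and never closes it. The helper names, the use of /dev/null as input and the small harness that frees descriptor 0 to provoke the case are all constructed for this illustration.

```c
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed "before" version: reads up to len bytes from path and returns
 * the byte count, or -1 on failure. Because it tests fd > 0, a descriptor of
 * 0 is treated as an error and the open file is never closed. */
static int read_head_leaky(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd > 0) {                    /* BUG: fd == 0 is a valid descriptor */
        ssize_t n = read(fd, buf, len);
        close(fd);
        return (int)n;
    }
    return -1;                       /* when fd == 0 we leak it here */
}

/* Constructed "after" version: only -1 signals failure, so every descriptor
 * that open() hands back is closed on every path. */
static int read_head_fixed(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len);
    close(fd);
    return (int)n;
}

typedef int (*reader_fn)(const char *, char *, size_t);

/* Test harness: make descriptor 0 the lowest free one, run the reader, and
 * report whether descriptor 0 is still open afterwards (1 = leaked, 0 = not).
 * stdin is saved with dup() and restored so the caller is unaffected. */
static int leaks_fd0(reader_fn fn)
{
    int saved = dup(0);              /* -1 if fd 0 was already closed */
    if (saved >= 0)
        close(0);                    /* now open() will return 0 */

    char buf[16];
    (void)fn("/dev/null", buf, sizeof buf);

    int still_open = fcntl(0, F_GETFD) != -1;
    if (still_open)
        close(0);                    /* clean up whatever the reader left */
    if (saved >= 0) {
        dup2(saved, 0);              /* put stdin back */
        close(saved);
    }
    return still_open;
}

int main(void)
{
    printf("fd > 0 check leaks descriptor 0: %d\n", leaks_fd0(read_head_leaky));
    printf("fd < 0 check leaks descriptor 0: %d\n", leaks_fd0(read_head_fixed));
    return 0;
}
```

The leak only shows when descriptor 0 is free, which is exactly the situation in a daemon that closes its standard streams at startup; there, the `fd > 0` form loses one descriptor per call until the process reaches its descriptor limit, so the correct test is against -1 (equivalently `fd < 0`), never against 0.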
2014-08-05 Andreas Kling <akling@apple.com>

The JIT should cache property lookup misses.
<https://webkit.org/b/135578>

Add support for inline caching of object properties that don't exist.
Previously we'd fall back to the C++ slow-path whenever a property was missing.

It's implemented as a simple GetById-style stub that returns jsUndefined() as
long as the Structure chain check passes.

10x speedup on the included microbenchmark.

Reviewed by Geoffrey Garen.

(JSC::generateByIdStub):
(JSC::tryCacheGetByID):
(JSC::patchJumpToGetByIdStub):
* runtime/PropertySlot.h:
(JSC::PropertySlot::isUnset):

2014-08-05 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r172009.
https://bugs.webkit.org/show_bug.cgi?id=135627

"Commit landed on trunk instead of ftlopt branch." (Requested
by saamyjoon on #webkit).

"Create a more generic way for VMEntryScope to notify those
interested that it will be destroyed"
https://bugs.webkit.org/show_bug.cgi?id=135358
http://trac.webkit.org/changeset/172009

2014-08-05 Alex Christensen <achristensen@webkit.org>

https://bugs.webkit.org/show_bug.cgi?id=135620

Reviewed by Laszlo Gombos.

Added missing source files.
* PlatformEfl.cmake:
* PlatformGTK.cmake:
Include glib directories and libraries to find glib.h in EventLoop.cpp.
* PlatformMac.cmake:
Moved STATICALLY_LINKED_WITH_WTF definition away from the common CMakeLists
because it should not be defined on Windows.
Added remote inspector source files.

2014-08-05 Peyton Randolph <prandolph@apple.com>

Rename MAC_LONG_PRESS feature flag to LONG_MOUSE_PRESS.
https://bugs.webkit.org/show_bug.cgi?id=135276

Reviewed by Beth Dakin.

* Configurations/FeatureDefines.xcconfig:

2014-08-04 Benjamin Poulain <benjamin@webkit.org>

Add a flag for the CSS Selectors level 4 implementation
https://bugs.webkit.org/show_bug.cgi?id=135535

Reviewed by Andreas Kling.

* Configurations/FeatureDefines.xcconfig:

2326 2014-08-04 Alex Christensen <achristensen@webkit.org>
2328 Progress towards CMake on Mac.
2329 https://bugs.webkit.org/show_bug.cgi?id=135528
2331 Reviewed by Gyuyoung Kim.
2334 Include necessary directories and copy all necessary forwarding headers.
2335 Only compile UDis86Disassembler.cpp if we're using UDIS86.
2336 * PlatformMac.cmake: Added.
2337 * tools/CodeProfiling.cpp:
2338 Compile fix. Include sys/time.h on darwin, too.
2340 2014-08-04 Saam Barati <sbarati@apple.com>
2342 Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
2343 https://bugs.webkit.org/show_bug.cgi?id=135358
2345 Reviewed by Geoffrey Garen.
2347 When VMEntryScope is destroyed, and it has a flag set indicating that the
2348 Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions.
2349 This flag is only used by Debugger to have VMEntryScope notify it when the
2350 Debugger is safe to recompile all functions. This patch will substitute this
2351 Debugger-specific recompilation flag with a list of callbacks that are notified
2352 when the outermost VMEntryScope dies. This creates a general purpose interface
2353 for being notified when the VM stops executing code via the event of the outermost
2356 * debugger/Debugger.cpp:
2357 (JSC::Debugger::recompileAllJSFunctions):
2358 * runtime/VMEntryScope.cpp:
2359 (JSC::VMEntryScope::VMEntryScope):
2360 (JSC::VMEntryScope::addEntryScopeDidPopListener):
2361 (JSC::VMEntryScope::~VMEntryScope):
2362 * runtime/VMEntryScope.h:
2363 (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
2365 2014-08-01 Carlos Alberto Lopez Perez <clopez@igalia.com>
2367 REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
2368 https://bugs.webkit.org/show_bug.cgi?id=135522
2370 Reviewed by Martin Robinson.
2372 * CMakeLists.txt: Output the inspector headers inside inspector
2375 2014-08-01 Mark Lam <mark.lam@apple.com>
2377 Add some structure related assertions.
2378 <https://webkit.org/b/135523>
2380 Reviewed by Geoffrey Garen.
2382 Adding 2 assertions:
2383 1. assert that we don't index past the end of the StructureIDTable.
2384 This should never happen, but this assertion will help catch bugs
2385 where a bad structureID gets passed in.
2386 2. assert that cells in MarkedBlock::callDestructor() that are not
2387 zapped should have a non-null StructureID. This will help us catch
2388 bugs where the other cell header flag bits get set after the cell is
2389 zapped, thereby making the cell look like an unzapped cell but has a
2392 * heap/MarkedBlock.cpp:
2393 (JSC::MarkedBlock::callDestructor):
2394 * runtime/StructureIDTable.h:
2395 (JSC::StructureIDTable::get):
2397 2014-08-01 Csaba Osztrogonác <ossy@webkit.org>
2399 URTBF after r171946 to fix non-Apple builds.
2401 * bytecode/InlineCallFrameSet.cpp:
2403 2014-08-01 Mark Hahnenberg <mhahnenberg@apple.com>
2405 CodeBlock fails to visit the Executables of its InlineCallFrames
2406 https://bugs.webkit.org/show_bug.cgi?id=135471
2408 Reviewed by Geoffrey Garen.
2410 CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they
2411 can be prematurely collected and cause crashes.
2413 * bytecode/CodeBlock.cpp:
2414 (JSC::CodeBlock::stronglyVisitStrongReferences):
2415 * bytecode/CodeOrigin.h:
2416 (JSC::InlineCallFrame::visitAggregate):
2417 * bytecode/InlineCallFrameSet.cpp:
2418 (JSC::InlineCallFrameSet::visitAggregate):
2419 * bytecode/InlineCallFrameSet.h:
2421 2014-08-01 Alex Christensen <achristensen@webkit.org>
2423 Progress towards cmake on Windows.
2424 https://bugs.webkit.org/show_bug.cgi?id=135484
2426 Reviewed by Martin Robinson.
2429 Generate code directly to inspector directory to avoid using the cp command
2430 which is not available on Windows.
2431 * PlatformWin.cmake: Added.
2433 2014-07-31 Andreas Kling <akling@apple.com>
2435 Remove the JSC::OverridesVisitChildren flag.
2436 <https://webkit.org/b/135489>
2438 Except for 3 special classes, the visitChildren() call is always
2439 dispatched through the method table (see SlotVisitor.cpp.)
2441 The OverridesVisitChildren flag doesn't actually do anything.
2442 It could be used to implement a non-virtual direct call to
2443 JSCell::visitChildren, bypassing the method table for some objects,
2444 but such a micro-optimization seems like a weak trade for all this
2445 code complexity. Instead, just remove the flag.
2447 This change frees up an inline flag bit in JSCell.
2449 Reviewed by Geoffrey Garen.
2451 * API/JSAPIWrapperObject.h:
2452 * API/JSAPIWrapperObject.mm:
2453 (JSC::JSAPIWrapperObject::visitChildren):
2454 * API/JSCallbackObject.h:
2455 (JSC::JSCallbackObject::visitChildren):
2456 * bytecode/UnlinkedCodeBlock.cpp:
2457 (JSC::UnlinkedFunctionExecutable::visitChildren):
2458 (JSC::UnlinkedCodeBlock::visitChildren):
2459 (JSC::UnlinkedProgramCodeBlock::visitChildren):
2460 * bytecode/UnlinkedCodeBlock.h:
2461 * debugger/DebuggerScope.cpp:
2462 (JSC::DebuggerScope::visitChildren):
2463 * debugger/DebuggerScope.h:
2465 * runtime/Arguments.cpp:
2466 (JSC::Arguments::visitChildren):
2467 * runtime/Arguments.h:
2468 * runtime/Executable.cpp:
2469 (JSC::EvalExecutable::visitChildren):
2470 (JSC::ProgramExecutable::visitChildren):
2471 (JSC::FunctionExecutable::visitChildren):
2472 * runtime/Executable.h:
2473 * runtime/GetterSetter.cpp:
2474 (JSC::GetterSetter::visitChildren):
2475 * runtime/GetterSetter.h:
2476 (JSC::GetterSetter::createStructure):
2477 * runtime/JSAPIValueWrapper.h:
2478 (JSC::JSAPIValueWrapper::createStructure):
2479 * runtime/JSActivation.cpp:
2480 (JSC::JSActivation::visitChildren):
2481 * runtime/JSActivation.h:
2482 * runtime/JSArrayIterator.cpp:
2483 (JSC::JSArrayIterator::visitChildren):
2484 * runtime/JSArrayIterator.h:
2485 * runtime/JSBoundFunction.cpp:
2486 (JSC::JSBoundFunction::visitChildren):
2487 * runtime/JSBoundFunction.h:
2488 * runtime/JSCellInlines.h:
2489 (JSC::JSCell::setStructure):
2490 * runtime/JSFunction.cpp:
2491 (JSC::JSFunction::visitChildren):
2492 * runtime/JSFunction.h:
2493 * runtime/JSGlobalObject.cpp:
2494 (JSC::JSGlobalObject::visitChildren):
2495 * runtime/JSGlobalObject.h:
2497 * runtime/JSMapIterator.cpp:
2498 (JSC::JSMapIterator::visitChildren):
2499 * runtime/JSMapIterator.h:
2500 * runtime/JSNameScope.cpp:
2501 (JSC::JSNameScope::visitChildren):
2502 * runtime/JSNameScope.h:
2503 * runtime/JSPromise.cpp:
2504 (JSC::JSPromise::visitChildren):
2505 * runtime/JSPromise.h:
2506 * runtime/JSPromiseDeferred.cpp:
2507 (JSC::JSPromiseDeferred::visitChildren):
2508 * runtime/JSPromiseDeferred.h:
2509 * runtime/JSPromiseReaction.cpp:
2510 (JSC::JSPromiseReaction::visitChildren):
2511 * runtime/JSPromiseReaction.h:
2512 * runtime/JSPropertyNameIterator.cpp:
2513 (JSC::JSPropertyNameIterator::visitChildren):
2514 * runtime/JSPropertyNameIterator.h:
2515 * runtime/JSProxy.cpp:
2516 (JSC::JSProxy::visitChildren):
2517 * runtime/JSProxy.h:
2518 * runtime/JSScope.cpp:
2519 (JSC::JSScope::visitChildren):
2520 * runtime/JSScope.h:
2521 * runtime/JSSegmentedVariableObject.cpp:
2522 (JSC::JSSegmentedVariableObject::visitChildren):
2523 * runtime/JSSegmentedVariableObject.h:
2525 * runtime/JSSetIterator.cpp:
2526 (JSC::JSSetIterator::visitChildren):
2527 * runtime/JSSetIterator.h:
2528 * runtime/JSSymbolTableObject.cpp:
2529 (JSC::JSSymbolTableObject::visitChildren):
2530 * runtime/JSSymbolTableObject.h:
2531 * runtime/JSTypeInfo.h:
2532 (JSC::TypeInfo::overridesVisitChildren): Deleted.
2533 * runtime/JSWeakMap.h:
2534 * runtime/JSWithScope.cpp:
2535 (JSC::JSWithScope::visitChildren):
2536 * runtime/JSWithScope.h:
2537 * runtime/JSWrapperObject.cpp:
2538 (JSC::JSWrapperObject::visitChildren):
2539 * runtime/JSWrapperObject.h:
2540 * runtime/MapData.h:
2541 * runtime/NativeErrorConstructor.cpp:
2542 (JSC::NativeErrorConstructor::visitChildren):
2543 * runtime/NativeErrorConstructor.h:
2544 * runtime/PropertyMapHashTable.h:
2545 * runtime/PropertyTable.cpp:
2546 (JSC::PropertyTable::visitChildren):
2547 * runtime/RegExpConstructor.cpp:
2548 (JSC::RegExpConstructor::visitChildren):
2549 * runtime/RegExpConstructor.h:
2550 * runtime/RegExpMatchesArray.cpp:
2551 (JSC::RegExpMatchesArray::visitChildren):
2552 * runtime/RegExpMatchesArray.h:
2553 * runtime/RegExpObject.cpp:
2554 (JSC::RegExpObject::visitChildren):
2555 * runtime/RegExpObject.h:
2556 * runtime/SparseArrayValueMap.h:
2557 * runtime/Structure.cpp:
2558 (JSC::Structure::Structure):
2559 (JSC::Structure::visitChildren):
2560 * runtime/StructureChain.cpp:
2561 (JSC::StructureChain::visitChildren):
2562 * runtime/StructureChain.h:
2563 * runtime/StructureRareData.cpp:
2564 (JSC::StructureRareData::visitChildren):
2565 * runtime/StructureRareData.h:
2566 * runtime/WeakMapData.h:
2568 2014-07-31 Mark Lam <mark.lam@apple.com>
2570 JSCell::classInfo() belongs in JSCellInlines.h.
2571 <https://webkit.org/b/135475>
2573 Reviewed by Mark Hahnenberg.
2575 * runtime/JSCellInlines.h:
2576 (JSC::JSCell::classInfo):
2577 * runtime/JSDestructibleObject.h:
2578 (JSC::JSCell::classInfo): Deleted.
2580 2014-07-31 Tanay C <tanay.c@samsung.com>
2582 Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
2583 https://bugs.webkit.org/show_bug.cgi?id=135414
2585 Reviewed by Csaba Osztrogonác.
2587 * llint/LLIntSlowPaths.cpp:
2588 (JSC::LLInt::putToScopeCommon): Removed unused parameter from function definition.
2590 2014-07-30 Filip Pizlo <fpizlo@apple.com>
2592 NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
2593 https://bugs.webkit.org/show_bug.cgi?id=135430
2595 Reviewed by Mark Hahnenberg.
2597 We already handled this correctly after the ftlopt merge, but it's useful to have the test.
2599 * tests/stress/new-function-expression-has-structures.js: Added.
2601 (foo.f.prototype.f):
2604 2014-07-30 Andreas Kling <akling@apple.com>
2606 Speculative Windows build fix.
2608 Try to dllimport the dllexported global object HashTable.
2613 2014-07-30 Andreas Kling <akling@apple.com>
2615 PropertyName's internal string is always atomic.
2616 <https://webkit.org/b/135451>
2618 Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
2619 we know that any string that's an Identifier is guaranteed to be atomic.
2621 A PropertyName can be either an Identifier or a PrivateName, and the
2622 private names are also guaranteed to be atomic internally.
2624 Make PropertyName vend AtomicStringImpl* instead of StringImpl*.
2626 Reviewed by Benjamin Poulain.
2628 * runtime/PropertyName.h:
2629 (JSC::PropertyName::PropertyName):
2630 (JSC::PropertyName::uid):
2631 (JSC::PropertyName::publicName):
2633 2014-07-30 Andy Estes <aestes@apple.com>
2635 USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
2636 https://bugs.webkit.org/show_bug.cgi?id=135439
2638 Reviewed by Tim Horton.
2640 We now support two different platform content filters, and will soon support a mock content filter (as part of
2641 webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
2642 library. ENABLE() is the correct macro to use for such a feature.
2644 * Configurations/FeatureDefines.xcconfig:
2646 2014-07-30 Andreas Kling <akling@apple.com>
2648 Static hash tables no longer need to be coupled with a VM.
2649 <https://webkit.org/b/135421>
2651 Now that the static hash tables are using char** instead of StringImpl**,
2652 it's no longer necessary to make them per-VM.
2654 This patch removes the hook in ClassInfo for providing your own static
2655 hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
2656 Most of this patch is tweaking ClassInfo construction sites to pass one
2659 Also simplified Lookup.h to stop requiring ExecState/VM to access the
2662 Reviewed by Geoffrey Garen.
2664 * API/JSAPIWrapperObject.mm:
2665 * API/JSCallbackConstructor.cpp:
2666 * API/JSCallbackFunction.cpp:
2667 * API/JSCallbackObject.cpp:
2668 * API/ObjCCallbackFunction.mm:
2669 * bytecode/UnlinkedCodeBlock.cpp:
2670 * create_hash_table:
2671 * debugger/DebuggerScope.cpp:
2672 * inspector/JSInjectedScriptHost.cpp:
2673 * inspector/JSInjectedScriptHostPrototype.cpp:
2674 * inspector/JSJavaScriptCallFrame.cpp:
2675 * inspector/JSJavaScriptCallFramePrototype.cpp:
2676 * interpreter/CallFrame.h:
2677 (JSC::ExecState::arrayConstructorTable): Deleted.
2678 (JSC::ExecState::arrayPrototypeTable): Deleted.
2679 (JSC::ExecState::booleanPrototypeTable): Deleted.
2680 (JSC::ExecState::dataViewTable): Deleted.
2681 (JSC::ExecState::dateTable): Deleted.
2682 (JSC::ExecState::dateConstructorTable): Deleted.
2683 (JSC::ExecState::errorPrototypeTable): Deleted.
2684 (JSC::ExecState::globalObjectTable): Deleted.
2685 (JSC::ExecState::jsonTable): Deleted.
2686 (JSC::ExecState::numberConstructorTable): Deleted.
2687 (JSC::ExecState::numberPrototypeTable): Deleted.
2688 (JSC::ExecState::objectConstructorTable): Deleted.
2689 (JSC::ExecState::privateNamePrototypeTable): Deleted.
2690 (JSC::ExecState::regExpTable): Deleted.
2691 (JSC::ExecState::regExpConstructorTable): Deleted.
2692 (JSC::ExecState::regExpPrototypeTable): Deleted.
2693 (JSC::ExecState::stringConstructorTable): Deleted.
2694 (JSC::ExecState::promisePrototypeTable): Deleted.
2695 (JSC::ExecState::promiseConstructorTable): Deleted.
2698 (JSC::Keywords::isKeyword):
2699 (JSC::Keywords::getKeyword):
2700 * runtime/Arguments.cpp:
2701 * runtime/ArgumentsIteratorConstructor.cpp:
2702 * runtime/ArgumentsIteratorPrototype.cpp:
2703 * runtime/ArrayBufferNeuteringWatchpoint.cpp:
2704 * runtime/ArrayConstructor.cpp:
2705 (JSC::ArrayConstructor::getOwnPropertySlot):
2706 * runtime/ArrayIteratorConstructor.cpp:
2707 * runtime/ArrayIteratorPrototype.cpp:
2708 * runtime/ArrayPrototype.cpp:
2709 (JSC::ArrayPrototype::getOwnPropertySlot):
2710 * runtime/BooleanConstructor.cpp:
2711 * runtime/BooleanObject.cpp:
2712 * runtime/BooleanPrototype.cpp:
2713 (JSC::BooleanPrototype::getOwnPropertySlot):
2714 * runtime/ClassInfo.h:
2715 (JSC::ClassInfo::hasStaticProperties):
2716 (JSC::ClassInfo::propHashTable): Deleted.
2717 * runtime/ConsolePrototype.cpp:
2718 * runtime/CustomGetterSetter.cpp:
2719 * runtime/DateConstructor.cpp:
2720 (JSC::DateConstructor::getOwnPropertySlot):
2721 * runtime/DateInstance.cpp:
2722 * runtime/DatePrototype.cpp:
2723 (JSC::DatePrototype::getOwnPropertySlot):
2724 * runtime/Error.cpp:
2725 * runtime/ErrorConstructor.cpp:
2726 * runtime/ErrorInstance.cpp:
2727 * runtime/ErrorPrototype.cpp:
2728 (JSC::ErrorPrototype::getOwnPropertySlot):
2729 * runtime/ExceptionHelpers.cpp:
2730 * runtime/Executable.cpp:
2731 * runtime/FunctionConstructor.cpp:
2732 * runtime/FunctionPrototype.cpp:
2733 * runtime/GetterSetter.cpp:
2734 * runtime/InternalFunction.cpp:
2735 * runtime/JSAPIValueWrapper.cpp:
2736 * runtime/JSActivation.cpp:
2737 * runtime/JSArgumentsIterator.cpp:
2738 * runtime/JSArray.cpp:
2739 * runtime/JSArrayBuffer.cpp:
2740 * runtime/JSArrayBufferConstructor.cpp:
2741 * runtime/JSArrayBufferPrototype.cpp:
2742 * runtime/JSArrayBufferView.cpp:
2743 * runtime/JSArrayIterator.cpp:
2744 * runtime/JSBoundFunction.cpp:
2745 * runtime/JSConsole.cpp:
2746 * runtime/JSDataView.cpp:
2747 * runtime/JSDataViewPrototype.cpp:
2748 (JSC::JSDataViewPrototype::getOwnPropertySlot):
2749 * runtime/JSFunction.cpp:
2750 * runtime/JSGlobalObject.cpp:
2751 (JSC::JSGlobalObject::getOwnPropertySlot):
2752 * runtime/JSMap.cpp:
2753 * runtime/JSMapIterator.cpp:
2754 * runtime/JSNameScope.cpp:
2755 * runtime/JSNotAnObject.cpp:
2756 * runtime/JSONObject.cpp:
2757 (JSC::JSONObject::getOwnPropertySlot):
2758 * runtime/JSObject.cpp:
2759 (JSC::getClassPropertyNames):
2760 (JSC::JSObject::put):
2761 (JSC::JSObject::deleteProperty):
2762 (JSC::JSObject::findPropertyHashEntry):
2763 (JSC::JSObject::reifyStaticFunctionsForDelete):
2764 * runtime/JSObject.h:
2765 * runtime/JSPromise.cpp:
2766 * runtime/JSPromiseConstructor.cpp:
2767 (JSC::JSPromiseConstructor::getOwnPropertySlot):
2768 * runtime/JSPromiseDeferred.cpp:
2769 * runtime/JSPromisePrototype.cpp:
2770 (JSC::JSPromisePrototype::getOwnPropertySlot):
2771 * runtime/JSPromiseReaction.cpp:
2772 * runtime/JSPropertyNameIterator.cpp:
2773 * runtime/JSProxy.cpp:
2774 * runtime/JSSet.cpp:
2775 * runtime/JSSetIterator.cpp:
2776 * runtime/JSString.cpp:
2777 * runtime/JSTypedArrayConstructors.cpp:
2778 * runtime/JSTypedArrayPrototypes.cpp:
2779 * runtime/JSTypedArrays.cpp:
2780 * runtime/JSVariableObject.cpp:
2781 * runtime/JSWeakMap.cpp:
2782 * runtime/JSWithScope.cpp:
2783 * runtime/Lookup.cpp:
2784 (JSC::HashTable::createTable):
2786 (JSC::HashTable::initializeIfNeeded):
2787 (JSC::HashTable::entry):
2788 (JSC::HashTable::begin):
2789 (JSC::HashTable::end):
2790 (JSC::getStaticPropertySlot):
2791 (JSC::getStaticFunctionSlot):
2792 (JSC::getStaticValueSlot):
2794 * runtime/MapConstructor.cpp:
2795 * runtime/MapData.cpp:
2796 * runtime/MapIteratorConstructor.cpp:
2797 * runtime/MapIteratorPrototype.cpp:
2798 * runtime/MapPrototype.cpp:
2799 * runtime/MathObject.cpp:
2800 * runtime/NameConstructor.cpp:
2801 * runtime/NameInstance.cpp:
2802 * runtime/NamePrototype.cpp:
2803 (JSC::NamePrototype::getOwnPropertySlot):
2804 * runtime/NativeErrorConstructor.cpp:
2805 * runtime/NumberConstructor.cpp:
2806 (JSC::NumberConstructor::getOwnPropertySlot):
2807 * runtime/NumberObject.cpp:
2808 * runtime/NumberPrototype.cpp:
2809 (JSC::NumberPrototype::getOwnPropertySlot):
2810 * runtime/ObjectConstructor.cpp:
2811 (JSC::ObjectConstructor::getOwnPropertySlot):
2812 * runtime/ObjectPrototype.cpp:
2813 * runtime/PropertyTable.cpp:
2814 * runtime/RegExp.cpp:
2815 * runtime/RegExpConstructor.cpp:
2816 (JSC::RegExpConstructor::getOwnPropertySlot):
2817 * runtime/RegExpMatchesArray.cpp:
2818 * runtime/RegExpObject.cpp:
2819 (JSC::RegExpObject::getOwnPropertySlot):
2820 * runtime/RegExpPrototype.cpp:
2821 (JSC::RegExpPrototype::getOwnPropertySlot):
2822 * runtime/SetConstructor.cpp:
2823 * runtime/SetIteratorConstructor.cpp:
2824 * runtime/SetIteratorPrototype.cpp:
2825 * runtime/SetPrototype.cpp:
2826 * runtime/SparseArrayValueMap.cpp:
2827 * runtime/StrictEvalActivation.cpp:
2828 * runtime/StringConstructor.cpp:
2829 (JSC::StringConstructor::getOwnPropertySlot):
2830 * runtime/StringObject.cpp:
2831 * runtime/StringPrototype.cpp:
2832 * runtime/Structure.cpp:
2833 (JSC::Structure::Structure):
2834 (JSC::Structure::freezeTransition):
2835 (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
2836 * runtime/StructureChain.cpp:
2837 * runtime/StructureRareData.cpp:
2838 * runtime/SymbolTable.cpp:
2843 * runtime/WeakMapConstructor.cpp:
2844 * runtime/WeakMapData.cpp:
2845 * runtime/WeakMapPrototype.cpp:
2848 2014-07-29 Brent Fulgham <bfulgham@apple.com>
2850 [Win] Modify version numbering scheme to support 5-tuple versions
2851 https://bugs.webkit.org/show_bug.cgi?id=135400
2852 <rdar://problem/17849033>
2854 Reviewed by David Kilzer.
2856 * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
2857 new version-stamp.pl script to version JavaScriptCore.dll.
2859 2014-07-29 Daniel Bates <dabates@apple.com>
2861 Use WTF::move() instead of std::move() to help ensure move semantics
2862 https://bugs.webkit.org/show_bug.cgi?id=135351
2864 Reviewed by Alexey Proskuryakov.
2866 * bytecode/GetByIdStatus.cpp:
2867 (JSC::GetByIdStatus::computeForStubInfo):
2868 * bytecode/GetByIdVariant.cpp:
2869 (JSC::GetByIdVariant::GetByIdVariant):
2871 2014-07-28 Tamas Gergely <tgergely.u-szeged@partner.samsung.com>
2873 BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
2874 https://bugs.webkit.org/show_bug.cgi?id=135287
2876 Reviewed by Darin Adler.
2878 The set() method tries to use a part of the old value (the reservedFlag bit) which
2879 was not defined when the constructor is called. Initialize m_pointer to 0 explicitly.
2881 * bytecode/StructureSet.h:
2882 (JSC::StructureSet::StructureSet):
2884 2014-07-28 Benjamin Poulain <bpoulain@apple.com>
2886 [JSC] JIT::assertStackPointerOffset() crashes on ARM64
2887 https://bugs.webkit.org/show_bug.cgi?id=135316
2889 Reviewed by Geoffrey Garen.
2891 JIT::assertStackPointerOffset() does a compare between an arbitrary register
2892 and the stack pointer. This was not supported by the ARM64 assembler.
2894 There is no variation that can take a stack pointer for Xd. There is one version of subs
2895 that can take a stack pointer, but only for the Xn: the shift+extend one.
2896 To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
2897 the implementation of sub.
2899 * assembler/ARM64Assembler.h:
2900 (JSC::ARM64Assembler::sub):
2901 In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
2902 with either version of sub.
2904 In sub(with shift), I remove the weird special case for SP. First, it was quite misleading because
2905 the Rd case only works if "setflag == false". The other confusing part is that going to addSubtractShiftedRegister()
2906 gives you a reduced shift range, which could create subtle bugs that only appear when SP is used.
2908 Since I removed the weird case, I need to differentiate between the sub() that supports SP, and the one that does
2909 not, elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
2910 the shift value must be zero, it is safe to call either variant.
2912 * assembler/MacroAssemblerARM64.h:
2913 (JSC::MacroAssemblerARM64::branch64):
2914 With the changes described above, we can now use SP for the left register. What do we do if the rightmost
2917 For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
2918 we just switch the registers before generating the instruction.
2920 For the generic case, just move the value of SP to a GPR before doing the CMP.
2922 2014-07-28 Brian J. Burg <burg@cs.washington.edu>
2924 Unreviewed build fix after r171682.
2926 * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
2927 as an exported symbol.
2929 2014-07-28 Mark Hahnenberg <mhahnenberg@apple.com>
2931 REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
2932 https://bugs.webkit.org/show_bug.cgi?id=135322
2934 Reviewed by Oliver Hunt.
2936 The prototype chain of the JSProxy object should match that of the JSGlobalObject.
2938 This is a separate but related issue with JSObjectSetPrototype which doesn't correctly
2939 account for JSProxies. I also audited the rest of the C API to check that we correctly
2940 handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
2941 and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when
2944 I also added some new tests for these cases.
2946 * API/JSObjectRef.cpp:
2947 (JSObjectSetPrototype):
2948 (JSObjectGetPrivateProperty):
2949 (JSObjectSetPrivateProperty):
2950 (JSObjectDeletePrivateProperty):
2951 * API/JSWeakObjectMapRefPrivate.cpp:
2952 * API/tests/CustomGlobalObjectClassTest.c:
2953 (globalObjectSetPrototypeTest):
2954 (globalObjectPrivatePropertyTest):
2955 * API/tests/CustomGlobalObjectClassTest.h:
2956 * API/tests/testapi.c:
2959 2014-07-28 Filip Pizlo <fpizlo@apple.com>
2961 Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
2962 https://bugs.webkit.org/show_bug.cgi?id=135350
2963 <rdar://problem/17509889>
2965 Reviewed by Mark Hahnenberg and Oliver Hunt.
2967 If we have an exiting node that uses a conversion node, then that exiting node
2968 needs to have a Phantom after it for the original node. But we can't do that
2969 for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.
2971 * dfg/DFGFixupPhase.cpp:
2972 (JSC::DFG::FixupPhase::fixupNode):
2973 (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
2974 * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
2977 * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
2981 2014-07-28 Joseph Pecoraro <pecoraro@apple.com>
2983 JSContext Inspector: crash when using step-into
2984 https://bugs.webkit.org/show_bug.cgi?id=135345
2986 Reviewed by Timothy Hatcher.
2988 * inspector/agents/InspectorDebuggerAgent.cpp:
2989 (Inspector::InspectorDebuggerAgent::stepInto):
2990 Null check m_listener since it may not be set.
2992 2014-07-28 Brian J. Burg <burg@cs.washington.edu>
2994 Web Replay: auto-decoding of parameterized vector's elements is incorrect
2995 https://bugs.webkit.org/show_bug.cgi?id=135343
2997 Reviewed by Timothy Hatcher.
2999 Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
3000 that was using the element's decoded type as the type parameter to
3001 EncodedValue::append<T>. It should instead be the raw type T. This
3002 causes problems when encoding Vector<RefPtr<T>>, as it later tries to
3003 use encoding traits for RefPtr<T> rather than for T.
3005 Fix incorrect generated encoding traits argument for vectors of
3006 RefCounted objects. Updated test to cover this scenario.
3008 * replay/scripts/CodeGeneratorReplayInputs.py:
3009 (Type.encoding_type_argument):
3010 (VectorType.type_name):
3012 (VectorType.encoding_type_argument):
3013 (Generator.generate_input_encode_implementation):
3014 (Generator.generate_input_decode_implementation):
3015 * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
3016 * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
3017 * replay/scripts/tests/generate-input-with-vector-members.json: Updated.
3019 2014-07-28 Brian J. Burg <burg@cs.washington.edu>
3021 Web Replay: incorrect serialization code generated for enum classes inside class scope
3022 https://bugs.webkit.org/show_bug.cgi?id=135342
3024 Reviewed by Timothy Hatcher.
3026 If an enum class is defined inside of a class scope, then the enum class
3027 cannot be forward-declared and the relevant header should be included.
3028 Some generated code used incorrectly-scoped enum values in this situation.
3030 * replay/scripts/CodeGeneratorReplayInputs.py:
3031 (Generator.generate_includes.declaration.is):
3032 (Generator.generate_enum_trait_implementation.is):
3033 (Generator.generate_enum_trait_implementation):
3037 * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
3038 * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
3039 * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
3040 class types to this test case.
3042 2014-07-28 Brian J. Burg <burg@cs.washington.edu>
3044 Web Replay: vectors of characters should be base64-encoded
3045 https://bugs.webkit.org/show_bug.cgi?id=135341
3047 Reviewed by Timothy Hatcher.
3049 Without this specialization, encode/decode methods try to create an
3050 array of single characters in JSON, rather than treating the
3051 vector as a binary blob.
3053 * replay/EncodedValue.cpp:
3054 (JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
3055 (JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
3056 * replay/EncodedValue.h:
3058 2014-07-28 Brent Fulgham <bfulgham@apple.com>
3060 [Win] Unreviewed build fix.
3062 * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
3063 builds to the 'Build' target to avoid a spurious 'clean' in between build steps.
3065 2014-07-27 Ryuan Choi <ryuan.choi@samsung.com>
3067 Unreviewed build fix on the EFL port
3069 Build break because of -Werror=return-type
3071 * bytecode/PutByIdVariant.cpp:
3072 (JSC::PutByIdVariant::oldStructureForTransition):
3073 * dfg/DFGValueStrength.h:
3076 2014-07-27 Filip Pizlo <fpizlo@apple.com>
3078 [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
3079 https://bugs.webkit.org/show_bug.cgi?id=135323
3081 Reviewed by Oliver Hunt.
3083 SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
3084 then it's a constant that can be represented using that node's current DataFormat.
3085 This doesn't work if the constant had been filled as a JSValue, and then one of the
3086 fillSpeculateBlah() methods had speculated that it's of some type that the constant
3087 isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
3088 a constant that claims to have a contradictory data format.
3090 This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
3091 fillSpeculateCell() appears to not have this bug, but I added a similar defense
3092 mechanism anyway just in case, since this is one of those mistakes that keeps
3095 * dfg/DFGSpeculativeJIT.cpp:
3096 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3097 * dfg/DFGSpeculativeJIT32_64.cpp:
3098 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3099 * dfg/DFGSpeculativeJIT64.cpp:
3100 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3102 2014-07-27 Filip Pizlo <fpizlo@apple.com>
3104 Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
3106 This fixes the previous mismerge and adds test coverage for the thing that went wrong.
3108 Additional changes listed here:
3111 (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
3112 * runtime/Structure.cpp:
3113 (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
3114 * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.
3116 2014-06-27 Michael Saboff <msaboff@apple.com>
3118 Unreviewed build fix after r169795.
3120 Fixed ASSERT for 32 bit build.
3122 * dfg/DFGSpeculativeJIT.cpp:
3123 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
3125 2014-06-24 Saam Barati <sbarati@apple.com>
3127 Web Inspector: debugger should be able to show variable types
3128 https://bugs.webkit.org/show_bug.cgi?id=133395
3130 Reviewed by Filip Pizlo.
3132 Increase the amount of type information the VM gathers when directed
3133 to do so. This initial commit is working towards the goal of
3134 capturing, and then showing (via the Web Inspector) type information for all
3135 assignment and load operations. This patch doesn't have the feature fully
3136 implemented, but it ensures the VM has no performance regressions
3137 unless the feature is specifically turned on.
3139 * JavaScriptCore.xcodeproj/project.pbxproj:
3140 * bytecode/BytecodeList.json:
3141 * bytecode/BytecodeUseDef.h:
3142 (JSC::computeUsesForBytecodeOffset):
3143 (JSC::computeDefsForBytecodeOffset):
3144 * bytecode/CodeBlock.cpp:
3145 (JSC::CodeBlock::dumpBytecode):
3146 (JSC::CodeBlock::CodeBlock):
3147 (JSC::CodeBlock::finalizeUnconditionally):
3148 * bytecode/CodeBlock.h:
3149 * bytecode/Instruction.h:
3150 * bytecode/TypeLocation.h: Added.
3151 (JSC::TypeLocation::TypeLocation):
3152 * bytecompiler/BytecodeGenerator.cpp:
3153 (JSC::BytecodeGenerator::emitMove):
3154 (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
3155 (JSC::BytecodeGenerator::emitPutToScope):
3156 (JSC::BytecodeGenerator::emitPutById):
3157 (JSC::BytecodeGenerator::emitPutByVal):
3158 * bytecompiler/BytecodeGenerator.h:
3159 (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
3160 * bytecompiler/NodesCodegen.cpp:
3161 (JSC::PostfixNode::emitResolve):
3162 (JSC::PrefixNode::emitResolve):
3163 (JSC::ReadModifyResolveNode::emitBytecode):
3164 (JSC::AssignResolveNode::emitBytecode):
3165 (JSC::ConstDeclNode::emitCodeSingle):
3166 (JSC::ForInNode::emitBytecode):
3168 (JSC::Heap::collect):
3169 * inspector/agents/InspectorRuntimeAgent.cpp:
3170 (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
3171 * inspector/agents/InspectorRuntimeAgent.h:
3172 * inspector/protocol/Runtime.json:
3174 (GlobalObject::finishCreation):
3175 (functionDumpTypesForAllVariables):
3176 * llint/LLIntSlowPaths.cpp:
3177 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3178 (JSC::LLInt::putToScopeCommon):
3179 * llint/LLIntSlowPaths.h:
3180 * llint/LowLevelInterpreter.asm:
3181 * runtime/HighFidelityLog.cpp: Added.
3182 (JSC::HighFidelityLog::initializeHighFidelityLog):
3183 (JSC::HighFidelityLog::~HighFidelityLog):
3184 (JSC::HighFidelityLog::recordTypeInformationForLocation):