2014-07-30  Andreas Kling  <akling@apple.com>

        Speculative Windows build fix.

        Try to dllimport the dllexported global object HashTable.

2014-07-30  Andreas Kling  <akling@apple.com>

        PropertyName's internal string is always atomic.
        <https://webkit.org/b/135451>

        Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
        we know that any string that's an Identifier is guaranteed to be atomic.

        A PropertyName can be either an Identifier or a PrivateName, and the
        private names are also guaranteed to be atomic internally.

        Make PropertyName vend AtomicStringImpl* instead of StringImpl*.

        Reviewed by Benjamin Poulain.

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):

2014-07-30  Andy Estes  <aestes@apple.com>

        USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
        https://bugs.webkit.org/show_bug.cgi?id=135439

        Reviewed by Tim Horton.

        We now support two different platform content filters, and will soon support a mock content filter (as part of
        webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
        library. ENABLE() is the correct macro to use for such a feature.

        * Configurations/FeatureDefines.xcconfig:

2014-07-30  Andreas Kling  <akling@apple.com>

        Static hash tables no longer need to be coupled with a VM.
        <https://webkit.org/b/135421>

        Now that the static hash tables are using char** instead of StringImpl**,
        it's no longer necessary to make them per-VM.

        This patch removes the hook in ClassInfo for providing your own static
        hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
        Most of this patch is tweaking ClassInfo construction sites to pass one

        Also simplified Lookup.h to stop requiring ExecState/VM to access the

        Reviewed by Geoffrey Garen.

        * API/JSAPIWrapperObject.mm:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * API/ObjCCallbackFunction.mm:
        * bytecode/UnlinkedCodeBlock.cpp:
        * debugger/DebuggerScope.cpp:
        * inspector/JSInjectedScriptHost.cpp:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable): Deleted.
        (JSC::ExecState::arrayPrototypeTable): Deleted.
        (JSC::ExecState::booleanPrototypeTable): Deleted.
        (JSC::ExecState::dataViewTable): Deleted.
        (JSC::ExecState::dateTable): Deleted.
        (JSC::ExecState::dateConstructorTable): Deleted.
        (JSC::ExecState::errorPrototypeTable): Deleted.
        (JSC::ExecState::globalObjectTable): Deleted.
        (JSC::ExecState::jsonTable): Deleted.
        (JSC::ExecState::numberConstructorTable): Deleted.
        (JSC::ExecState::numberPrototypeTable): Deleted.
        (JSC::ExecState::objectConstructorTable): Deleted.
        (JSC::ExecState::privateNamePrototypeTable): Deleted.
        (JSC::ExecState::regExpTable): Deleted.
        (JSC::ExecState::regExpConstructorTable): Deleted.
        (JSC::ExecState::regExpPrototypeTable): Deleted.
        (JSC::ExecState::stringConstructorTable): Deleted.
        (JSC::ExecState::promisePrototypeTable): Deleted.
        (JSC::ExecState::promiseConstructorTable): Deleted.
        (JSC::Keywords::isKeyword):
        (JSC::Keywords::getKeyword):
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.cpp:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayIteratorConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::hasStaticProperties):
        (JSC::ClassInfo::propHashTable): Deleted.
        * runtime/ConsolePrototype.cpp:
        * runtime/CustomGetterSetter.cpp:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferConstructor.cpp:
        * runtime/JSArrayBufferPrototype.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSConsole.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSMapIterator.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSProxy.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSString.cpp:
        * runtime/JSTypedArrayConstructors.cpp:
        * runtime/JSTypedArrayPrototypes.cpp:
        * runtime/JSTypedArrays.cpp:
        * runtime/JSVariableObject.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::HashTable::initializeIfNeeded):
        (JSC::HashTable::entry):
        (JSC::HashTable::begin):
        (JSC::HashTable::end):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        * runtime/MapConstructor.cpp:
        * runtime/MapData.cpp:
        * runtime/MapIteratorConstructor.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NameInstance.cpp:
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/ObjectPrototype.cpp:
        * runtime/PropertyTable.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/SparseArrayValueMap.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
        (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
        * runtime/StructureChain.cpp:
        * runtime/StructureRareData.cpp:
        * runtime/SymbolTable.cpp:
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapData.cpp:
        * runtime/WeakMapPrototype.cpp:

2014-07-29  Brent Fulgham  <bfulgham@apple.com>

        [Win] Modify version numbering scheme to support 5-tuple versions
        https://bugs.webkit.org/show_bug.cgi?id=135400
        <rdar://problem/17849033>

        Reviewed by David Kilzer.

        * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
        new version-stamp.pl script to version JavaScriptCore.dll.

2014-07-29  Daniel Bates  <dabates@apple.com>

        Use WTF::move() instead of std::move() to help ensure move semantics
        https://bugs.webkit.org/show_bug.cgi?id=135351

        Reviewed by Alexey Proskuryakov.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):

2014-07-28  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
        https://bugs.webkit.org/show_bug.cgi?id=135287

        Reviewed by Darin Adler.

        The set() method tries to use a part of the old value (the reservedFlag bit) which
        was not defined when the constructor is called. Initialize m_pointer to 0 explicitly.

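An added illustration of the pattern behind this fix, constructed here rather than taken from JSC::StructureSet (the class name, accessor names and flag value are assumptions): a word that packs a pointer with a reserved low bit, where set() carries that bit over from the previous value, so the member needs a defined value before set() ever runs.

```cpp
#include <cassert>
#include <cstdint>

// Constructed illustration, not JSC::StructureSet itself: a single word holding a
// pointer whose lowest bit is reserved for a flag. Pointers to anything at least
// 2-byte aligned leave that bit free.
class TaggedPointerWord {
public:
    static constexpr uintptr_t reservedFlag = 1;

    // The fix described above: before it, m_pointer was left indeterminate here,
    // and set() then read the old reservedFlag bit out of it, which is undefined
    // behaviour (the compiler warning that prompted the change). Starting from 0
    // gives set() a defined bit to preserve.
    TaggedPointerWord()
        : m_pointer(0)
    {
    }

    explicit TaggedPointerWord(void* p)
        : m_pointer(0)
    {
        set(p);
    }

    // Replaces the pointer part but carries the reservedFlag bit over from the
    // old value. Any update of this shape depends on the old value being defined.
    void set(void* p)
    {
        uintptr_t bits = reinterpret_cast<uintptr_t>(p);
        assert(!(bits & reservedFlag)); // the pointer must not collide with the flag bit
        m_pointer = bits | (m_pointer & reservedFlag);
    }

    void setReserved(bool on)
    {
        if (on)
            m_pointer |= reservedFlag;
        else
            m_pointer &= ~reservedFlag;
    }

    bool isReserved() const { return (m_pointer & reservedFlag) != 0; }
    void* pointer() const { return reinterpret_cast<void*>(m_pointer & ~reservedFlag); }

private:
    uintptr_t m_pointer;
};

// A freshly constructed word has a defined, clear flag and a null pointer.
bool freshWordIsClear()
{
    TaggedPointerWord word;
    return !word.isReserved() && !word.pointer();
}

// The flag survives set() only because set() reuses the old value's bit: the exact
// dependency that made the explicit initialization necessary.
bool reservedBitSurvivesSet()
{
    static int first, second;
    TaggedPointerWord word(&first);
    word.setReserved(true);
    word.set(&second);
    return word.isReserved() && word.pointer() == &second;
}

// Clearing the flag and setting a new pointer yields a plain pointer again.
bool clearedBitStaysClear()
{
    static int target;
    TaggedPointerWord word;
    word.setReserved(true);
    word.setReserved(false);
    word.set(&target);
    return !word.isReserved() && word.pointer() == &target;
}
```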
        * bytecode/StructureSet.h:
        (JSC::StructureSet::StructureSet):

2014-07-28  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] JIT::assertStackPointerOffset() crashes on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=135316

        Reviewed by Geoffrey Garen.

        JIT::assertStackPointerOffset() does a compare between an arbitrary register
        and the stack pointer. This was not supported by the ARM64 assembler.

        There is no variation that can take a stack pointer for Xd. There is one version of subs
        that can take a stack pointer, but only for the Xn: the shift+extend one.
        To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
        the implementation of sub.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::sub):
        In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
        with either version of sub.

        In sub(with shift), I removed the weird special case for SP. First, it was quite misleading because
        the Rd case only works if "setflag == false". The other confusing part is that going to addSubtractShiftedRegister()
        gives you a reduced shift range, which could create subtle bugs that only appear when SP is used.

        Since I removed the weird case, I need to differentiate between the sub() that supports SP and the one that does
        not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
        the shift value must be zero, it is safe to call either variant.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch64):
        With the changes described above, we can now use SP for the left register. What do we do if the rightmost

        For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
        we just switch the registers before generating the instruction.

        For the generic case, just move the value of SP to a GPR before doing the CMP.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Unreviewed build fix after r171682.

        * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
        as an exported symbol.

2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
        https://bugs.webkit.org/show_bug.cgi?id=135322

        Reviewed by Oliver Hunt.

        The prototype chain of the JSProxy object should match that of the JSGlobalObject.

        This is a separate but related issue with JSObjectSetPrototype which doesn't correctly
        account for JSProxies. I also audited the rest of the C API to check that we correctly
        handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
        and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when

        I also added some new tests for these cases.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/tests/CustomGlobalObjectClassTest.c:
        (globalObjectSetPrototypeTest):
        (globalObjectPrivatePropertyTest):
        * API/tests/CustomGlobalObjectClassTest.h:
        * API/tests/testapi.c:

2014-07-28  Filip Pizlo  <fpizlo@apple.com>

        Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
        https://bugs.webkit.org/show_bug.cgi?id=135350
        <rdar://problem/17509889>

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        If we have an exiting node that uses a conversion node, then that exiting node
        needs to have a Phantom after it for the original node. But we can't do that
        for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
        * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.

2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: crash when using step-into
        https://bugs.webkit.org/show_bug.cgi?id=135345

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::stepInto):
        Null check m_listener since it may not be set.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: auto-decoding of parameterized vector's elements is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=135343

        Reviewed by Timothy Hatcher.

        Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
        that was using the element's decoded type as the type parameter to
        EncodedValue::append<T>. It should instead be the raw type T. This
        causes problems when encoding Vector<RefPtr<T>>, as it later tries to
        use encoding traits for RefPtr<T> rather than for T.

        Fix incorrect generated encoding traits argument for vectors of
        RefCounted objects. Updated test to cover this scenario.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.encoding_type_argument):
        (VectorType.type_name):
        (VectorType.encoding_type_argument):
        (Generator.generate_input_encode_implementation):
        (Generator.generate_input_decode_implementation):
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
        * replay/scripts/tests/generate-input-with-vector-members.json: Updated.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: incorrect serialization code generated for enum classes inside class scope
        https://bugs.webkit.org/show_bug.cgi?id=135342

        Reviewed by Timothy Hatcher.

        If an enum class is defined inside of a class scope, then the enum class
        cannot be forward-declared and the relevant header should be included.
        Some generated code used incorrectly-scoped enum values in this situation.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes.declaration.is):
        (Generator.generate_enum_trait_implementation.is):
        (Generator.generate_enum_trait_implementation):
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
        class types to this test case.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: vectors of characters should be base64-encoded
        https://bugs.webkit.org/show_bug.cgi?id=135341

        Reviewed by Timothy Hatcher.

        Without this specialization, encode/decode methods try to create an
        array of single characters in JSON, rather than treating the
        vector as a binary blob.

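An added, self-contained sketch of the specialization this entry describes, which also shows the generic vector path using the raw element type T that the "auto-decoding of parameterized vector's elements" entry above corrects; it is not the project's EncodedValue or EncodingTraits code, and representing an EncodedValue as a JSON string is an assumption made for the example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Constructed illustration, not JSC's replay code: an EncodedValue is just its
// JSON text here.
struct EncodedValue {
    std::string json;
};

// Generic traits: a scalar is encoded as a JSON number.
template<typename T>
struct EncodingTraits {
    static EncodedValue encodeValue(const T& value)
    {
        return { std::to_string(value) };
    }
};

// Generic vector: a JSON array built from each element's own encoding. The type
// argument handed to the element traits is the raw element type T, not some
// decoded wrapper type, which is what the vector-elements fix above is about.
template<typename T>
struct EncodingTraits<std::vector<T>> {
    static EncodedValue encodeValue(const std::vector<T>& values)
    {
        std::string out = "[";
        for (size_t i = 0; i < values.size(); ++i) {
            if (i)
                out += ",";
            out += EncodingTraits<T>::encodeValue(values[i]).json;
        }
        out += "]";
        return { out };
    }
};

// Standard base64 (RFC 4648 alphabet, '=' padding) over raw bytes.
static std::string base64Encode(const std::vector<char>& bytes)
{
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    size_t i = 0;
    for (; i + 2 < bytes.size(); i += 3) {
        uint32_t triple = (static_cast<uint8_t>(bytes[i]) << 16)
            | (static_cast<uint8_t>(bytes[i + 1]) << 8)
            | static_cast<uint8_t>(bytes[i + 2]);
        out += alphabet[(triple >> 18) & 0x3f];
        out += alphabet[(triple >> 12) & 0x3f];
        out += alphabet[(triple >> 6) & 0x3f];
        out += alphabet[triple & 0x3f];
    }
    size_t rest = bytes.size() - i; // 0, 1 or 2 trailing bytes
    if (rest) {
        uint32_t triple = static_cast<uint8_t>(bytes[i]) << 16;
        if (rest == 2)
            triple |= static_cast<uint8_t>(bytes[i + 1]) << 8;
        out += alphabet[(triple >> 18) & 0x3f];
        out += alphabet[(triple >> 12) & 0x3f];
        out += rest == 2 ? alphabet[(triple >> 6) & 0x3f] : '=';
        out += '=';
    }
    return out;
}

// The specialization this entry adds: a Vector<char> is a binary blob, so it
// becomes a single base64 string instead of an array of per-character values
// (which the generic vector path above would otherwise produce).
template<>
struct EncodingTraits<std::vector<char>> {
    static EncodedValue encodeValue(const std::vector<char>& bytes)
    {
        return { "\"" + base64Encode(bytes) + "\"" };
    }
};

// Entry points for callers: generic path versus the blob specialization.
std::string encodeInts(const std::vector<int>& values)
{
    return EncodingTraits<std::vector<int>>::encodeValue(values).json;
}

std::string encodeBytes(const std::vector<char>& bytes)
{
    return EncodingTraits<std::vector<char>>::encodeValue(bytes).json;
}
```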
        * replay/EncodedValue.cpp:
        (JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
        (JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
        * replay/EncodedValue.h:

2014-07-28  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
        builds to the 'Build' target to avoid a spurious 'clean' in between build steps.

2014-07-27  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix on the EFL port

        Build break because of -Werror=return-type

        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::oldStructureForTransition):
        * dfg/DFGValueStrength.h:

2014-07-27  Filip Pizlo  <fpizlo@apple.com>

        [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
        https://bugs.webkit.org/show_bug.cgi?id=135323

        Reviewed by Oliver Hunt.

        SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
        then it's a constant that can be represented using that node's current DataFormat.
        This doesn't work if the constant had been filled as a JSValue, and then one of the
        fillSpeculateBlah() methods had speculated that it's of some type that the constant
        isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
        a constant that claims to have a contradictory data format.

        This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
        fillSpeculateCell() appears to not have this bug, but I added a similar defense
        mechanism anyway just in case, since this is one of those mistakes that keeps

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):

2014-07-27  Filip Pizlo  <fpizlo@apple.com>

        Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.

        This fixes the previous mismerge and adds test coverage for the thing that went wrong.

        Additional changes listed here:

        (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
        * runtime/Structure.cpp:
        (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
        * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.

2014-06-27  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix after r169795.

        Fixed ASSERT for 32 bit build.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

2014-06-24  Saam Barati  <sbarati@apple.com>

        Web Inspector: debugger should be able to show variable types
        https://bugs.webkit.org/show_bug.cgi?id=133395

        Reviewed by Filip Pizlo.

        Increase the amount of type information the VM gathers when directed
        to do so. This initial commit is working towards the goal of
        capturing, and then showing (via the Web Inspector) type information for all
        assignment and load operations. This patch doesn't have the feature fully
        implemented, but it ensures the VM has no performance regressions
        unless the feature is specifically turned on.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/CodeBlock.h:
        * bytecode/Instruction.h:
        * bytecode/TypeLocation.h: Added.
        (JSC::TypeLocation::TypeLocation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitPutByVal):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode):
        (JSC::Heap::collect):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:
        (GlobalObject::finishCreation):
        (functionDumpTypesForAllVariables):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::putToScopeCommon):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/HighFidelityLog.cpp: Added.
        (JSC::HighFidelityLog::initializeHighFidelityLog):
        (JSC::HighFidelityLog::~HighFidelityLog):
        (JSC::HighFidelityLog::recordTypeInformationForLocation):
        (JSC::HighFidelityLog::processHighFidelityLog):
        (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
        * runtime/HighFidelityLog.h: Added.
        (JSC::HighFidelityLog::HighFidelityLog):
        * runtime/HighFidelityTypeProfiler.cpp: Added.
        (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
        (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
        (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
        (JSC::HighFidelityTypeProfiler::insertNewLocation):
        (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
        * runtime/HighFidelityTypeProfiler.h: Added.
        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        * runtime/Structure.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::cloneCapturedNames):
        (JSC::SymbolTable::uniqueIDForVariable):
        (JSC::SymbolTable::uniqueIDForRegister):
        (JSC::SymbolTable::globalTypeSetForRegister):
        (JSC::SymbolTable::globalTypeSetForVariable):
        * runtime/SymbolTable.h:
        (JSC::SymbolTable::add):
        (JSC::SymbolTable::set):
        * runtime/TypeSet.cpp: Added.
        (JSC::TypeSet::TypeSet):
        (JSC::TypeSet::getRuntimeTypeForValue):
        (JSC::TypeSet::addTypeForValue):
        (JSC::TypeSet::removeDuplicatesInStructureHistory):
        (JSC::TypeSet::seenTypes):
        (JSC::TypeSet::dumpSeenTypes):
        (JSC::StructureShape::StructureShape):
        (JSC::StructureShape::markAsFinal):
        (JSC::StructureShape::addProperty):
        (JSC::StructureShape::propertyHash):
        (JSC::StructureShape::leastUpperBound):
        (JSC::StructureShape::stringRepresentation):
        * runtime/TypeSet.h: Added.
        (JSC::StructureShape::create):
        (JSC::TypeSet::create):
        (JSC::VM::getTypesForVariableInRange):
        (JSC::VM::updateHighFidelityTypeProfileState):
        (JSC::VM::dumpHighFidelityProfilingTypes):
        (JSC::VM::isProfilingTypesWithHighFidelity):
        (JSC::VM::highFidelityLog):
        (JSC::VM::highFidelityTypeProfiler):
        (JSC::VM::nextLocation):
        (JSC::VM::getNextUniqueVariableID):

2014-06-26  Mark Lam  <mark.lam@apple.com>

        Remove unused instantiation of the WithScope structure.
        <https://webkit.org/b/134331>

        Reviewed by Oliver Hunt.

        The WithScope structure instance in the VM is unused, and is now removed.

2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure bit fields should have a consistent format
        https://bugs.webkit.org/show_bug.cgi?id=134307

        Reviewed by Filip Pizlo.

        Currently we use C-style bit fields for a number of member variables in Structure to save space.
        This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
        format to make it easy to load and test these variables in JIT code.

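An added illustration of the bitfield format argued for here, constructed for this page rather than copied from JSC::Structure (the field names, bit positions and dictionary kinds are assumptions): all flags in one uint32_t with fixed shifts and masks, and a flag test done the way JIT code would do it, by loading the word at a known offset and masking it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <type_traits>

// Constructed illustration, not the real JSC::Structure layout. Every flag lives in
// one uint32_t at a fixed offset, each with a shift and mask the JIT knows, instead
// of C++ ':1' bitfields whose placement is left to the compiler.
namespace StructureBits {
constexpr uint32_t dictionaryKindShift = 0; // two-bit field
constexpr uint32_t dictionaryKindMask = 0x3u << dictionaryKindShift;
constexpr uint32_t isExtensible = 1u << 2;
constexpr uint32_t didTransition = 1u << 3;
constexpr uint32_t hasGetterSetterProperties = 1u << 4;
constexpr uint32_t staticFunctionsReified = 1u << 5;
}

struct Structure {
    enum DictionaryKind : uint32_t {
        NoneDictionaryKind = 0,
        CachedDictionaryKind = 1,
        UncachedDictionaryKind = 2,
    };

    uint32_t m_bitField;

    Structure()
        : m_bitField(StructureBits::isExtensible) // new structures start out extensible
    {
    }

    bool hasFlag(uint32_t flag) const { return (m_bitField & flag) != 0; }
    void setFlag(uint32_t flag, bool on)
    {
        if (on)
            m_bitField |= flag;
        else
            m_bitField &= ~flag;
    }

    DictionaryKind dictionaryKind() const
    {
        return static_cast<DictionaryKind>(
            (m_bitField & StructureBits::dictionaryKindMask) >> StructureBits::dictionaryKindShift);
    }
    void setDictionaryKind(DictionaryKind kind)
    {
        m_bitField = (m_bitField & ~StructureBits::dictionaryKindMask)
            | (static_cast<uint32_t>(kind) << StructureBits::dictionaryKindShift);
    }

    bool isExtensible() const { return hasFlag(StructureBits::isExtensible); }
    bool isDictionary() const { return dictionaryKind() != NoneDictionaryKind; }
    bool isUncacheableDictionary() const { return dictionaryKind() == UncachedDictionaryKind; }
    // Property accesses stay cacheable unless the structure is an uncacheable dictionary.
    bool propertyAccessesAreCacheable() const { return !isUncacheableDictionary(); }
};

// The layout guarantee JIT code relies on: standard layout and a constant offset.
static_assert(std::is_standard_layout<Structure>::value, "JIT needs a fixed layout");
constexpr size_t bitFieldOffset = offsetof(Structure, m_bitField);

// Models what the JIT emits: load the 32-bit word at a constant offset from the
// structure pointer and AND it with a constant mask, with no C++ accessor involved.
bool jitStyleTestFlag(const Structure* structure, uint32_t mask)
{
    uint32_t word;
    std::memcpy(&word, reinterpret_cast<const unsigned char*>(structure) + bitFieldOffset, sizeof word);
    return (word & mask) != 0;
}

// Scenario: a structure that has transitioned, then become an uncacheable dictionary
// and lost extensibility. The C++ accessors and the JIT-style loads must agree.
bool dictionaryTransitionScenario()
{
    Structure s;
    s.setFlag(StructureBits::didTransition, true);
    s.setDictionaryKind(Structure::UncachedDictionaryKind);
    s.setFlag(StructureBits::isExtensible, false);
    return jitStyleTestFlag(&s, StructureBits::didTransition)
        && !jitStyleTestFlag(&s, StructureBits::isExtensible)
        && !jitStyleTestFlag(&s, StructureBits::hasGetterSetterProperties)
        && s.isDictionary()
        && s.isUncacheableDictionary()
        && !s.propertyAccessesAreCacheable()
        && !s.isExtensible();
}
```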
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::contains):
        (JSC::StructureTransitionTable::get):
        (JSC::StructureTransitionTable::add):
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::pin):
        (JSC::Structure::allocateRareData):
        (JSC::Structure::cloneRareDataFrom):
        (JSC::Structure::getConcurrently):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::visitChildren):
        (JSC::Structure::checkConsistency):
        * runtime/Structure.h:
        (JSC::Structure::isExtensible):
        (JSC::Structure::isDictionary):
        (JSC::Structure::isUncacheableDictionary):
        (JSC::Structure::propertyAccessesAreCacheable):
        (JSC::Structure::previousID):
        (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
        (JSC::Structure::setContainsReadOnlyProperties):
        (JSC::Structure::disableSpecificFunctionTracking):
        (JSC::Structure::objectToStringValue):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::setPreviousID):
        (JSC::Structure::clearPreviousID):
        (JSC::Structure::previous):
        (JSC::Structure::rareData):
        (JSC::Structure::didTransition): Deleted.
        (JSC::Structure::hasGetterSetterProperties): Deleted.
        (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
        (JSC::Structure::setHasGetterSetterProperties): Deleted.
        (JSC::Structure::hasNonEnumerableProperties): Deleted.
        (JSC::Structure::staticFunctionsReified): Deleted.
        (JSC::Structure::setStaticFunctionsReified): Deleted.
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::enumerationCache):
        (JSC::Structure::checkOffsetConsistency):

2014-06-24  Mark Lam  <mark.lam@apple.com>

        [ftlopt] Renamed DebuggerActivation to DebuggerScope.
        <https://webkit.org/b/134273>

        Reviewed by Michael Saboff.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerActivation.cpp: Removed.
        * debugger/DebuggerActivation.h: Removed.
        * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
        (JSC::DebuggerScope::DebuggerScope):
        (JSC::DebuggerScope::finishCreation):
        (JSC::DebuggerScope::visitChildren):
        (JSC::DebuggerScope::className):
        (JSC::DebuggerScope::getOwnPropertySlot):
        (JSC::DebuggerScope::put):
        (JSC::DebuggerScope::deleteProperty):
        (JSC::DebuggerScope::getOwnPropertyNames):
        (JSC::DebuggerScope::defineOwnProperty):
        (JSC::DebuggerActivation::DebuggerActivation): Deleted.
        (JSC::DebuggerActivation::finishCreation): Deleted.
        (JSC::DebuggerActivation::visitChildren): Deleted.
        (JSC::DebuggerActivation::className): Deleted.
        (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
        (JSC::DebuggerActivation::put): Deleted.
        (JSC::DebuggerActivation::deleteProperty): Deleted.
        (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
        (JSC::DebuggerActivation::defineOwnProperty): Deleted.
        * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
        (JSC::DebuggerScope::create):
        (JSC::DebuggerActivation::create): Deleted.

2014-06-24  Filip Pizlo  <fpizlo@apple.com>

        [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
        https://bugs.webkit.org/show_bug.cgi?id=134265

        Reviewed by Geoffrey Garen.

        More assertion fallout from the PutById folding work.

        (JSC::DFG::Node::convertToPutByOffset):

2014-06-24  Filip Pizlo  <fpizlo@apple.com>

        [ftlopt] GC should notify us if it resets to_this
        https://bugs.webkit.org/show_bug.cgi?id=128231

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/Instruction.h:
        * bytecode/ToThisStatus.cpp: Added.
        (WTF::printInternal):
        * bytecode/ToThisStatus.h: Added.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2014-06-24  Filip Pizlo  <fpizlo@apple.com>

        [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
        https://bugs.webkit.org/show_bug.cgi?id=134256

        Reviewed by Michael Saboff.

        This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
        point is to be able to precisely model what goes on in the snippets of code between a
        side-effect and an InvalidationPoint.

        This patch also cleans up onlyStructure() by delegating more work to
        StructureSet::onlyStructure().

        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::onlyStructure):

2014-06-24  Filip Pizlo  <fpizlo@apple.com>

        [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
        https://bugs.webkit.org/show_bug.cgi?id=134260

        Reviewed by Geoffrey Garen.

        This was causing loads of assertion failures in debug builds.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2014-06-21  Filip Pizlo  <fpizlo@apple.com>

        [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
        https://bugs.webkit.org/show_bug.cgi?id=134090

        Reviewed by Oliver Hunt.

        This pretty much finishes off the work to eliminate the special-casing of singleton
        structure sets by making it possible to fold GetById and PutById to various polymorphic
        forms of the ByOffset nodes.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * bytecode/PutByIdVariant.h:
        (JSC::PutByIdVariant::constantChecks):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        (JSC::DFG::ConstantFoldingPhase::addChecks):
        (JSC::DFG::Node::convertToMultiGetByOffset):
        (JSC::DFG::Node::convertToMultiPutByOffset):
        * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::set):

2014-06-19  Filip Pizlo  <fpizlo@apple.com>

        [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
        https://bugs.webkit.org/show_bug.cgi?id=134077

        Reviewed by Sam Weinig.

        This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
        in the abstract interpreter.

        * bytecode/StructureSet.h:
        (JSC::StructureSet::onlyStructure):

2014-06-18  Filip Pizlo  <fpizlo@apple.com>

        DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
        https://bugs.webkit.org/show_bug.cgi?id=133918

        Reviewed by Mark Hahnenberg.

        This also adds pruning of PutStructure, since I basically had no choice but
        to implement such logic within MultiPutByOffset.
890 Also adds a bunch of PutById cache status dumping to bytecode dumping.
892 * bytecode/GetByIdVariant.cpp:
893 (JSC::GetByIdVariant::dumpInContext):
894 * bytecode/GetByIdVariant.h:
895 (JSC::GetByIdVariant::structureSet):
896 * bytecode/PutByIdVariant.h:
897 (JSC::PutByIdVariant::oldStructure):
898 * bytecode/StructureSet.cpp:
899 (JSC::StructureSet::filter):
900 (JSC::StructureSet::filterArrayModes):
901 * bytecode/StructureSet.h:
902 * dfg/DFGAbstractInterpreterInlines.h:
903 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
904 * dfg/DFGAbstractValue.cpp:
905 (JSC::DFG::AbstractValue::changeStructure):
906 (JSC::DFG::AbstractValue::contains):
907 * dfg/DFGAbstractValue.h:
908 (JSC::DFG::AbstractValue::couldBeType):
909 (JSC::DFG::AbstractValue::isType):
910 * dfg/DFGConstantFoldingPhase.cpp:
911 (JSC::DFG::ConstantFoldingPhase::foldConstants):
912 (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
913 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
914 (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
916 (JSC::DFG::Graph::freezeStrong):
918 * dfg/DFGStructureAbstractValue.h:
919 (JSC::DFG::StructureAbstractValue::operator=):
920 * ftl/FTLLowerDFGToLLVM.cpp:
921 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
922 * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
929 * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
936 * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
944 2014-06-18 Mark Hahnenberg <mhahnenberg@apple.com>
946 Remove CompoundType and LeafType
947 https://bugs.webkit.org/show_bug.cgi?id=134037
949 Reviewed by Filip Pizlo.
951 We don't use them for anything. We'll replace them with a generic CellType type for all
952 the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
953 their JSType at runtime.
955 * llint/LLIntData.cpp:
956 (JSC::LLInt::Data::performAssertions):
957 * runtime/ArrayBufferNeuteringWatchpoint.cpp:
958 (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
959 * runtime/Executable.h:
960 (JSC::ExecutableBase::createStructure):
961 (JSC::NativeExecutable::createStructure):
962 * runtime/JSPromiseDeferred.h:
963 (JSC::JSPromiseDeferred::createStructure):
964 * runtime/JSPromiseReaction.h:
965 (JSC::JSPromiseReaction::createStructure):
966 * runtime/JSPropertyNameIterator.h:
967 (JSC::JSPropertyNameIterator::createStructure):
969 * runtime/JSTypeInfo.h:
970 (JSC::TypeInfo::TypeInfo):
972 (JSC::MapData::createStructure):
973 * runtime/PropertyMapHashTable.h:
974 (JSC::PropertyTable::createStructure):
976 (JSC::RegExp::createStructure):
977 * runtime/SparseArrayValueMap.cpp:
978 (JSC::SparseArrayValueMap::createStructure):
979 * runtime/Structure.cpp:
980 (JSC::Structure::Structure):
981 * runtime/StructureChain.h:
982 (JSC::StructureChain::createStructure):
983 * runtime/StructureRareData.cpp:
984 (JSC::StructureRareData::createStructure):
985 * runtime/SymbolTable.h:
986 (JSC::SymbolTable::createStructure):
987 * runtime/WeakMapData.h:
988 (JSC::WeakMapData::createStructure):
990 2014-06-17 Filip Pizlo <fpizlo@apple.com>
992 [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
993 https://bugs.webkit.org/show_bug.cgi?id=134002
995 Reviewed by Mark Hahnenberg.
997 The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
998 JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
999 of the structure if that structure was watchable.
1001 Also kill PhantomPutStructure.
1003 * dfg/DFGAbstractInterpreterInlines.h:
1004 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1005 (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
1006 (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
1007 * dfg/DFGClobberize.h:
1008 (JSC::DFG::clobberize):
1009 * dfg/DFGDoesGC.cpp:
1011 * dfg/DFGFixupPhase.cpp:
1012 (JSC::DFG::FixupPhase::fixupNode):
1014 (JSC::DFG::Graph::visitChildren):
1016 (JSC::DFG::Node::hasTransition):
1017 * dfg/DFGNodeType.h:
1018 * dfg/DFGPredictionPropagationPhase.cpp:
1019 (JSC::DFG::PredictionPropagationPhase::propagate):
1020 * dfg/DFGSafeToExecute.h:
1021 (JSC::DFG::safeToExecute):
1022 * dfg/DFGSpeculativeJIT32_64.cpp:
1023 (JSC::DFG::SpeculativeJIT::compile):
1024 * dfg/DFGSpeculativeJIT64.cpp:
1025 (JSC::DFG::SpeculativeJIT::compile):
1026 * dfg/DFGStructureAbstractValue.cpp:
1027 (JSC::DFG::StructureAbstractValue::observeTransition):
1028 (JSC::DFG::StructureAbstractValue::observeTransitions):
1029 * dfg/DFGValidate.cpp:
1030 (JSC::DFG::Validate::validate):
1031 * dfg/DFGWatchableStructureWatchingPhase.cpp:
1032 (JSC::DFG::WatchableStructureWatchingPhase::run):
1033 * ftl/FTLCapabilities.cpp:
1034 (JSC::FTL::canCompile):
1035 * ftl/FTLLowerDFGToLLVM.cpp:
1036 (JSC::FTL::LowerDFGToLLVM::compileNode):
1037 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
1039 2014-06-17 Filip Pizlo <fpizlo@apple.com>
1041 [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
1042 https://bugs.webkit.org/show_bug.cgi?id=133964
1044 Reviewed by Mark Hahnenberg.
1046 * bytecode/PutByIdStatus.cpp:
1047 (JSC::PutByIdStatus::appendVariant):
1048 (JSC::PutByIdStatus::computeForStubInfo):
1049 * bytecode/PutByIdVariant.cpp:
1050 (JSC::PutByIdVariant::oldStructureForTransition):
1051 (JSC::PutByIdVariant::writesStructures):
1052 (JSC::PutByIdVariant::reallocatesStorage):
1053 (JSC::PutByIdVariant::attemptToMerge):
1054 (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
1055 (JSC::PutByIdVariant::dumpInContext):
1056 * bytecode/PutByIdVariant.h:
1057 (JSC::PutByIdVariant::PutByIdVariant):
1058 (JSC::PutByIdVariant::replace):
1059 (JSC::PutByIdVariant::transition):
1060 (JSC::PutByIdVariant::structure):
1061 (JSC::PutByIdVariant::oldStructure):
1062 * dfg/DFGAbstractInterpreterInlines.h:
1063 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1064 * dfg/DFGByteCodeParser.cpp:
1065 (JSC::DFG::ByteCodeParser::handlePutById):
1066 (JSC::DFG::ByteCodeParser::parseBlock):
1067 * dfg/DFGConstantFoldingPhase.cpp:
1068 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1069 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1071 (JSC::DFG::Graph::visitChildren):
1073 (JSC::DFG::MultiPutByOffsetData::writesStructures):
1074 (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
1075 * ftl/FTLAbbreviations.h:
1076 (JSC::FTL::getLinkage):
1077 * ftl/FTLLowerDFGToLLVM.cpp:
1078 (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1079 (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
1081 2014-07-26 Filip Pizlo <fpizlo@apple.com>
1083 Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
1087 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1088 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1089 * JavaScriptCore.xcodeproj/project.pbxproj:
1090 * bytecode/BytecodeList.json:
1091 * bytecode/BytecodeUseDef.h:
1092 (JSC::computeUsesForBytecodeOffset):
1093 (JSC::computeDefsForBytecodeOffset):
1094 * bytecode/CodeBlock.cpp:
1095 (JSC::CodeBlock::dumpBytecode):
1096 (JSC::CodeBlock::CodeBlock):
1097 (JSC::CodeBlock::finalizeUnconditionally):
1098 (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
1099 * bytecode/CodeBlock.h:
1100 * bytecode/GetByIdStatus.cpp:
1101 (JSC::GetByIdStatus::computeForStubInfo):
1102 (JSC::GetByIdStatus::computeFor):
1103 * bytecode/GetByIdStatus.h:
1104 * bytecode/GetByIdVariant.cpp:
1105 (JSC::GetByIdVariant::dumpInContext):
1106 * bytecode/GetByIdVariant.h:
1107 (JSC::GetByIdVariant::structureSet):
1108 * bytecode/Instruction.h:
1109 * bytecode/PutByIdStatus.cpp:
1110 (JSC::PutByIdStatus::appendVariant):
1111 (JSC::PutByIdStatus::computeForStubInfo):
1112 (JSC::PutByIdStatus::computeFor):
1113 * bytecode/PutByIdStatus.h:
1114 * bytecode/PutByIdVariant.cpp:
1115 (JSC::PutByIdVariant::dumpInContext):
1116 (JSC::PutByIdVariant::oldStructureForTransition): Deleted.
1117 (JSC::PutByIdVariant::writesStructures): Deleted.
1118 (JSC::PutByIdVariant::reallocatesStorage): Deleted.
1119 (JSC::PutByIdVariant::attemptToMerge): Deleted.
1120 (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.
1121 * bytecode/PutByIdVariant.h:
1122 (JSC::PutByIdVariant::PutByIdVariant):
1123 (JSC::PutByIdVariant::replace):
1124 (JSC::PutByIdVariant::transition):
1125 (JSC::PutByIdVariant::structure):
1126 (JSC::PutByIdVariant::oldStructure):
1127 (JSC::PutByIdVariant::newStructure):
1128 (JSC::PutByIdVariant::constantChecks):
1129 * bytecode/StructureSet.cpp:
1130 (JSC::StructureSet::filter): Deleted.
1131 (JSC::StructureSet::filterArrayModes): Deleted.
1132 * bytecode/StructureSet.h:
1133 (JSC::StructureSet::onlyStructure):
1134 * bytecode/ToThisStatus.cpp: Removed.
1135 * bytecode/ToThisStatus.h: Removed.
1136 * bytecode/TypeLocation.h: Removed.
1137 * bytecompiler/BytecodeGenerator.cpp:
1138 (JSC::BytecodeGenerator::BytecodeGenerator):
1139 (JSC::BytecodeGenerator::emitMove):
1140 (JSC::BytecodeGenerator::emitPutToScope):
1141 (JSC::BytecodeGenerator::emitPutById):
1142 (JSC::BytecodeGenerator::emitPutByVal):
1143 (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
1144 * bytecompiler/BytecodeGenerator.h:
1145 (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
1146 * bytecompiler/NodesCodegen.cpp:
1147 (JSC::PostfixNode::emitResolve):
1148 (JSC::PrefixNode::emitResolve):
1149 (JSC::ReadModifyResolveNode::emitBytecode):
1150 (JSC::AssignResolveNode::emitBytecode):
1151 (JSC::ConstDeclNode::emitCodeSingle):
1152 (JSC::ForInNode::emitBytecode):
1153 * debugger/DebuggerActivation.cpp: Added.
1154 (JSC::DebuggerActivation::DebuggerActivation):
1155 (JSC::DebuggerActivation::finishCreation):
1156 (JSC::DebuggerActivation::visitChildren):
1157 (JSC::DebuggerActivation::className):
1158 (JSC::DebuggerActivation::getOwnPropertySlot):
1159 (JSC::DebuggerActivation::put):
1160 (JSC::DebuggerActivation::deleteProperty):
1161 (JSC::DebuggerActivation::getOwnPropertyNames):
1162 (JSC::DebuggerActivation::defineOwnProperty):
1163 * debugger/DebuggerActivation.h: Added.
1164 (JSC::DebuggerActivation::create):
1165 (JSC::DebuggerActivation::createStructure):
1166 * debugger/DebuggerScope.cpp: Removed.
1167 * debugger/DebuggerScope.h: Removed.
1168 * dfg/DFGAbstractInterpreterInlines.h:
1169 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1170 (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
1171 (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
1172 * dfg/DFGAbstractValue.cpp:
1173 (JSC::DFG::AbstractValue::changeStructure): Deleted.
1174 (JSC::DFG::AbstractValue::contains): Deleted.
1175 * dfg/DFGAbstractValue.h:
1176 (JSC::DFG::AbstractValue::couldBeType):
1177 (JSC::DFG::AbstractValue::isType):
1178 * dfg/DFGByteCodeParser.cpp:
1179 (JSC::DFG::ByteCodeParser::handlePutById):
1180 (JSC::DFG::ByteCodeParser::parseBlock):
1181 * dfg/DFGClobberize.h:
1182 (JSC::DFG::clobberize):
1183 * dfg/DFGConstantFoldingPhase.cpp:
1184 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1185 (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1186 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1187 (JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
1188 (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
1189 * dfg/DFGDoesGC.cpp:
1191 * dfg/DFGFixupPhase.cpp:
1192 (JSC::DFG::FixupPhase::fixupNode):
1194 (JSC::DFG::Graph::visitChildren):
1195 (JSC::DFG::Graph::freezeStrong):
1198 (JSC::DFG::MultiPutByOffsetData::writesStructures):
1199 (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
1201 (JSC::DFG::Node::convertToPutByOffset):
1202 (JSC::DFG::Node::hasTransition):
1203 (JSC::DFG::Node::convertToMultiGetByOffset): Deleted.
1204 (JSC::DFG::Node::convertToMultiPutByOffset): Deleted.
1205 * dfg/DFGNodeType.h:
1206 * dfg/DFGPredictionPropagationPhase.cpp:
1207 (JSC::DFG::PredictionPropagationPhase::propagate):
1208 * dfg/DFGSafeToExecute.h:
1209 (JSC::DFG::safeToExecute):
1210 * dfg/DFGSpeculativeJIT.cpp:
1211 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1212 * dfg/DFGSpeculativeJIT32_64.cpp:
1213 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1214 (JSC::DFG::SpeculativeJIT::compile):
1215 * dfg/DFGSpeculativeJIT64.cpp:
1216 (JSC::DFG::SpeculativeJIT::fillJSValue):
1217 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1218 (JSC::DFG::SpeculativeJIT::emitCall):
1219 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1220 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
1221 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1222 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1223 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1224 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1225 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1226 (JSC::DFG::SpeculativeJIT::emitBranch):
1227 (JSC::DFG::SpeculativeJIT::compile):
1228 * dfg/DFGStructureAbstractValue.cpp:
1229 (JSC::DFG::StructureAbstractValue::observeTransition):
1230 (JSC::DFG::StructureAbstractValue::observeTransitions):
1231 * dfg/DFGStructureAbstractValue.h:
1232 (JSC::DFG::StructureAbstractValue::onlyStructure):
1233 (JSC::DFG::StructureAbstractValue::operator=): Deleted.
1234 (JSC::DFG::StructureAbstractValue::set): Deleted.
1235 * dfg/DFGValidate.cpp:
1236 (JSC::DFG::Validate::validate):
1237 * dfg/DFGWatchableStructureWatchingPhase.cpp:
1238 (JSC::DFG::WatchableStructureWatchingPhase::run):
1239 * ftl/FTLAbbreviations.h:
1240 (JSC::FTL::getLinkage): Deleted.
1241 * ftl/FTLCapabilities.cpp:
1242 (JSC::FTL::canCompile):
1243 * ftl/FTLLowerDFGToLLVM.cpp:
1244 (JSC::FTL::LowerDFGToLLVM::compileNode):
1245 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
1246 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1247 (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1248 (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
1250 (JSC::Heap::collect):
1251 * inspector/agents/InspectorRuntimeAgent.cpp:
1252 (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
1253 * inspector/agents/InspectorRuntimeAgent.h:
1254 * inspector/protocol/Runtime.json:
1256 (GlobalObject::finishCreation):
1257 (functionDumpTypesForAllVariables): Deleted.
1258 * llint/LLIntData.cpp:
1259 (JSC::LLInt::Data::performAssertions):
1260 * llint/LLIntSlowPaths.cpp:
1261 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1262 (JSC::LLInt::putToScopeCommon): Deleted.
1263 * llint/LLIntSlowPaths.h:
1264 * llint/LowLevelInterpreter.asm:
1265 * llint/LowLevelInterpreter32_64.asm:
1266 * llint/LowLevelInterpreter64.asm:
1267 * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1268 (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
1269 * runtime/CommonSlowPaths.cpp:
1270 (JSC::SLOW_PATH_DECL):
1271 * runtime/Executable.h:
1272 (JSC::ExecutableBase::createStructure):
1273 (JSC::NativeExecutable::createStructure):
1274 * runtime/HighFidelityLog.cpp: Removed.
1275 * runtime/HighFidelityLog.h: Removed.
1276 * runtime/HighFidelityTypeProfiler.cpp: Removed.
1277 * runtime/HighFidelityTypeProfiler.h: Removed.
1278 * runtime/JSObject.cpp:
1279 (JSC::JSObject::putDirectCustomAccessor):
1280 (JSC::JSObject::putDirectNonIndexAccessor):
1281 (JSC::JSObject::reifyStaticFunctionsForDelete):
1282 * runtime/JSPromiseDeferred.h:
1283 (JSC::JSPromiseDeferred::createStructure):
1284 * runtime/JSPromiseReaction.h:
1285 (JSC::JSPromiseReaction::createStructure):
1286 * runtime/JSPropertyNameIterator.h:
1287 (JSC::JSPropertyNameIterator::createStructure):
1289 * runtime/JSTypeInfo.h:
1290 (JSC::TypeInfo::TypeInfo):
1291 * runtime/MapData.h:
1292 (JSC::MapData::createStructure):
1293 * runtime/Options.h:
1294 * runtime/PropertyMapHashTable.h:
1295 (JSC::PropertyTable::createStructure):
1297 (JSC::RegExp::createStructure):
1298 * runtime/SparseArrayValueMap.cpp:
1299 (JSC::SparseArrayValueMap::createStructure):
1300 * runtime/Structure.cpp:
1301 (JSC::StructureTransitionTable::contains):
1302 (JSC::StructureTransitionTable::get):
1303 (JSC::StructureTransitionTable::add):
1304 (JSC::Structure::Structure):
1305 (JSC::Structure::materializePropertyMap):
1306 (JSC::Structure::addPropertyTransition):
1307 (JSC::Structure::despecifyFunctionTransition):
1308 (JSC::Structure::toDictionaryTransition):
1309 (JSC::Structure::freezeTransition):
1310 (JSC::Structure::preventExtensionsTransition):
1311 (JSC::Structure::takePropertyTableOrCloneIfPinned):
1312 (JSC::Structure::nonPropertyTransition):
1313 (JSC::Structure::flattenDictionaryStructure):
1314 (JSC::Structure::addPropertyWithoutTransition):
1315 (JSC::Structure::pin):
1316 (JSC::Structure::allocateRareData):
1317 (JSC::Structure::cloneRareDataFrom):
1318 (JSC::Structure::getConcurrently):
1319 (JSC::Structure::putSpecificValue):
1320 (JSC::Structure::getPropertyNamesFromStructure):
1321 (JSC::Structure::visitChildren):
1322 (JSC::Structure::checkConsistency):
1323 (JSC::Structure::toStructureShape): Deleted.
1324 * runtime/Structure.h:
1325 (JSC::Structure::isExtensible):
1326 (JSC::Structure::didTransition):
1327 (JSC::Structure::isDictionary):
1328 (JSC::Structure::isUncacheableDictionary):
1329 (JSC::Structure::hasBeenFlattenedBefore):
1330 (JSC::Structure::propertyAccessesAreCacheable):
1331 (JSC::Structure::previousID):
1332 (JSC::Structure::hasGetterSetterProperties):
1333 (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
1334 (JSC::Structure::setHasGetterSetterProperties):
1335 (JSC::Structure::hasCustomGetterSetterProperties):
1336 (JSC::Structure::setHasCustomGetterSetterProperties):
1337 (JSC::Structure::setContainsReadOnlyProperties):
1338 (JSC::Structure::hasNonEnumerableProperties):
1339 (JSC::Structure::disableSpecificFunctionTracking):
1340 (JSC::Structure::objectToStringValue):
1341 (JSC::Structure::setObjectToStringValue):
1342 (JSC::Structure::staticFunctionsReified):
1343 (JSC::Structure::setStaticFunctionsReified):
1344 (JSC::Structure::transitionWatchpointSet):
1345 (JSC::Structure::setPreviousID):
1346 (JSC::Structure::clearPreviousID):
1347 (JSC::Structure::previous):
1348 (JSC::Structure::rareData):
1349 (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): Deleted.
1350 (JSC::Structure::setHasCustomGetterSetterPropertiesWithProtoCheck): Deleted.
1351 * runtime/StructureChain.h:
1352 (JSC::StructureChain::createStructure):
1353 * runtime/StructureInlines.h:
1354 (JSC::Structure::setEnumerationCache):
1355 (JSC::Structure::enumerationCache):
1356 (JSC::Structure::checkOffsetConsistency):
1357 * runtime/StructureRareData.cpp:
1358 (JSC::StructureRareData::createStructure):
1359 * runtime/SymbolTable.cpp:
1360 (JSC::SymbolTable::SymbolTable):
1361 (JSC::SymbolTable::cloneCapturedNames):
1362 (JSC::SymbolTable::uniqueIDForVariable): Deleted.
1363 (JSC::SymbolTable::uniqueIDForRegister): Deleted.
1364 (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
1365 (JSC::SymbolTable::globalTypeSetForVariable): Deleted.
1366 * runtime/SymbolTable.h:
1367 (JSC::SymbolTable::createStructure):
1368 (JSC::SymbolTable::add):
1369 (JSC::SymbolTable::set):
1370 * runtime/TypeSet.cpp: Removed.
1371 * runtime/TypeSet.h: Removed.
1374 (JSC::VM::getTypesForVariableInRange): Deleted.
1375 (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
1376 (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
1378 (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
1379 (JSC::VM::highFidelityLog): Deleted.
1380 (JSC::VM::highFidelityTypeProfiler): Deleted.
1381 (JSC::VM::nextLocation): Deleted.
1382 (JSC::VM::getNextUniqueVariableID): Deleted.
1383 * runtime/WeakMapData.h:
1384 (JSC::WeakMapData::createStructure):
1385 * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Removed.
1386 * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Removed.
1387 * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Removed.
1389 2014-07-25 Filip Pizlo <fpizlo@apple.com>
1391 Attempt to fix non-Xcode platforms.
1394 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1396 2014-07-25 Filip Pizlo <fpizlo@apple.com>
1400 * bytecode/CodeBlock.cpp:
1402 (JSC::CodeBlock::printPutByIdCacheStatus):
1403 * bytecode/StructureSet.cpp:
1404 * bytecode/StructureSet.h:
1406 2014-07-25 Filip Pizlo <fpizlo@apple.com>
1408 Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
1410 2014-06-27 Michael Saboff <msaboff@apple.com>
1412 Unreviewed build fix after r169795.
1414 Fixed ASSERT for 32 bit build.
1416 * dfg/DFGSpeculativeJIT.cpp:
1417 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
1419 2014-06-24 Saam Barati <sbarati@apple.com>
1421 Web Inspector: debugger should be able to show variable types
1422 https://bugs.webkit.org/show_bug.cgi?id=133395
1424 Reviewed by Filip Pizlo.
1426 Increase the amount of type information the VM gathers when directed
1427 to do so. This initial commit is working towards the goal of
1428 capturing, and then showing (via the Web Inspector) type information for all
1429 assignment and load operations. This patch doesn't have the feature fully
1430 implemented, but it ensures the VM has no performance regressions
1431 unless the feature is specifically turned on.
1433 * JavaScriptCore.xcodeproj/project.pbxproj:
1434 * bytecode/BytecodeList.json:
1435 * bytecode/BytecodeUseDef.h:
1436 (JSC::computeUsesForBytecodeOffset):
1437 (JSC::computeDefsForBytecodeOffset):
1438 * bytecode/CodeBlock.cpp:
1439 (JSC::CodeBlock::dumpBytecode):
1440 (JSC::CodeBlock::CodeBlock):
1441 (JSC::CodeBlock::finalizeUnconditionally):
1442 * bytecode/CodeBlock.h:
1443 * bytecode/Instruction.h:
1444 * bytecode/TypeLocation.h: Added.
1445 (JSC::TypeLocation::TypeLocation):
1446 * bytecompiler/BytecodeGenerator.cpp:
1447 (JSC::BytecodeGenerator::emitMove):
1448 (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
1449 (JSC::BytecodeGenerator::emitPutToScope):
1450 (JSC::BytecodeGenerator::emitPutById):
1451 (JSC::BytecodeGenerator::emitPutByVal):
1452 * bytecompiler/BytecodeGenerator.h:
1453 (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
1454 * bytecompiler/NodesCodegen.cpp:
1455 (JSC::PostfixNode::emitResolve):
1456 (JSC::PrefixNode::emitResolve):
1457 (JSC::ReadModifyResolveNode::emitBytecode):
1458 (JSC::AssignResolveNode::emitBytecode):
1459 (JSC::ConstDeclNode::emitCodeSingle):
1460 (JSC::ForInNode::emitBytecode):
1462 (JSC::Heap::collect):
1463 * inspector/agents/InspectorRuntimeAgent.cpp:
1464 (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
1465 * inspector/agents/InspectorRuntimeAgent.h:
1466 * inspector/protocol/Runtime.json:
1468 (GlobalObject::finishCreation):
1469 (functionDumpTypesForAllVariables):
1470 * llint/LLIntSlowPaths.cpp:
1471 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1472 (JSC::LLInt::putToScopeCommon):
1473 * llint/LLIntSlowPaths.h:
1474 * llint/LowLevelInterpreter.asm:
1475 * runtime/HighFidelityLog.cpp: Added.
1476 (JSC::HighFidelityLog::initializeHighFidelityLog):
1477 (JSC::HighFidelityLog::~HighFidelityLog):
1478 (JSC::HighFidelityLog::recordTypeInformationForLocation):
1479 (JSC::HighFidelityLog::processHighFidelityLog):
1480 (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
1481 * runtime/HighFidelityLog.h: Added.
1482 (JSC::HighFidelityLog::HighFidelityLog):
1483 * runtime/HighFidelityTypeProfiler.cpp: Added.
1484 (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
1485 (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
1486 (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
1487 (JSC::HighFidelityTypeProfiler::insertNewLocation):
1488 (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
1489 * runtime/HighFidelityTypeProfiler.h: Added.
1490 * runtime/Options.h:
1491 * runtime/Structure.cpp:
1492 (JSC::Structure::toStructureShape):
1493 * runtime/Structure.h:
1494 * runtime/SymbolTable.cpp:
1495 (JSC::SymbolTable::SymbolTable):
1496 (JSC::SymbolTable::cloneCapturedNames):
1497 (JSC::SymbolTable::uniqueIDForVariable):
1498 (JSC::SymbolTable::uniqueIDForRegister):
1499 (JSC::SymbolTable::globalTypeSetForRegister):
1500 (JSC::SymbolTable::globalTypeSetForVariable):
1501 * runtime/SymbolTable.h:
1502 (JSC::SymbolTable::add):
1503 (JSC::SymbolTable::set):
1504 * runtime/TypeSet.cpp: Added.
1505 (JSC::TypeSet::TypeSet):
1506 (JSC::TypeSet::getRuntimeTypeForValue):
1507 (JSC::TypeSet::addTypeForValue):
1508 (JSC::TypeSet::removeDuplicatesInStructureHistory):
1509 (JSC::TypeSet::seenTypes):
1510 (JSC::TypeSet::dumpSeenTypes):
1511 (JSC::StructureShape::StructureShape):
1512 (JSC::StructureShape::markAsFinal):
1513 (JSC::StructureShape::addProperty):
1514 (JSC::StructureShape::propertyHash):
1515 (JSC::StructureShape::leastUpperBound):
1516 (JSC::StructureShape::stringRepresentation):
1517 * runtime/TypeSet.h: Added.
1518 (JSC::StructureShape::create):
1519 (JSC::TypeSet::create):
1522 (JSC::VM::getTypesForVariableInRange):
1523 (JSC::VM::updateHighFidelityTypeProfileState):
1524 (JSC::VM::dumpHighFidelityProfilingTypes):
1526 (JSC::VM::isProfilingTypesWithHighFidelity):
1527 (JSC::VM::highFidelityLog):
1528 (JSC::VM::highFidelityTypeProfiler):
1529 (JSC::VM::nextLocation):
1530 (JSC::VM::getNextUniqueVariableID):
1532 2014-06-26 Mark Lam <mark.lam@apple.com>
1534 Remove unused instantiation of the WithScope structure.
1535 <https://webkit.org/b/134331>
1537 Reviewed by Oliver Hunt.
1539 The WithScope structure instance in the VM is unused, and is now removed.
1545 2014-06-25 Mark Hahnenberg <mhahnenberg@apple.com>
1547 Structure bit fields should have a consistent format
1548 https://bugs.webkit.org/show_bug.cgi?id=134307
1550 Reviewed by Filip Pizlo.
1552 Currently we use C-style bit fields for a number of member variables in Structure to save space.
1553 This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
1554 format to make it easy to load and test these variables in JIT code.
1556 * runtime/JSObject.cpp:
1557 (JSC::JSObject::putDirectNonIndexAccessor):
1558 (JSC::JSObject::reifyStaticFunctionsForDelete):
1559 * runtime/Structure.cpp:
1560 (JSC::StructureTransitionTable::contains):
1561 (JSC::StructureTransitionTable::get):
1562 (JSC::StructureTransitionTable::add):
1563 (JSC::Structure::Structure):
1564 (JSC::Structure::materializePropertyMap):
1565 (JSC::Structure::addPropertyTransition):
1566 (JSC::Structure::despecifyFunctionTransition):
1567 (JSC::Structure::toDictionaryTransition):
1568 (JSC::Structure::freezeTransition):
1569 (JSC::Structure::preventExtensionsTransition):
1570 (JSC::Structure::takePropertyTableOrCloneIfPinned):
1571 (JSC::Structure::nonPropertyTransition):
1572 (JSC::Structure::flattenDictionaryStructure):
1573 (JSC::Structure::addPropertyWithoutTransition):
1574 (JSC::Structure::pin):
1575 (JSC::Structure::allocateRareData):
1576 (JSC::Structure::cloneRareDataFrom):
1577 (JSC::Structure::getConcurrently):
1578 (JSC::Structure::putSpecificValue):
1579 (JSC::Structure::getPropertyNamesFromStructure):
1580 (JSC::Structure::visitChildren):
1581 (JSC::Structure::checkConsistency):
1582 * runtime/Structure.h:
1583 (JSC::Structure::isExtensible):
1584 (JSC::Structure::isDictionary):
1585 (JSC::Structure::isUncacheableDictionary):
1586 (JSC::Structure::propertyAccessesAreCacheable):
1587 (JSC::Structure::previousID):
1588 (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
1589 (JSC::Structure::setContainsReadOnlyProperties):
1590 (JSC::Structure::disableSpecificFunctionTracking):
1591 (JSC::Structure::objectToStringValue):
1592 (JSC::Structure::setObjectToStringValue):
1593 (JSC::Structure::setPreviousID):
1594 (JSC::Structure::clearPreviousID):
1595 (JSC::Structure::previous):
1596 (JSC::Structure::rareData):
1597 (JSC::Structure::didTransition): Deleted.
1598 (JSC::Structure::hasGetterSetterProperties): Deleted.
1599 (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
1600 (JSC::Structure::setHasGetterSetterProperties): Deleted.
1601 (JSC::Structure::hasNonEnumerableProperties): Deleted.
1602 (JSC::Structure::staticFunctionsReified): Deleted.
1603 (JSC::Structure::setStaticFunctionsReified): Deleted.
1604 * runtime/StructureInlines.h:
1605 (JSC::Structure::setEnumerationCache):
1606 (JSC::Structure::enumerationCache):
1607 (JSC::Structure::checkOffsetConsistency):
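The entry above argues that C-style bit fields are hard for a JIT to read because their in-memory layout is chosen by the compiler, and that an explicit shift-and-mask format fixes the layout in source so generated code and C++ accessors can share the same constants. The following is an added illustration of that contrast, not WebKit or JavaScriptCore code: the field names echo a few accessors listed in this entry (isDictionary, hasGetterSetterProperties, hasNonEnumerableProperties), while transitionCount, the shift/width constants and all function names are constructed for the example and do not reflect JSC's actual Structure layout.

```c
/*
 * Added example (not WebKit/JSC code). Variant A uses C-style bit fields,
 * whose bit order, padding and storage-unit placement are implementation-
 * defined. Variant B packs the same fields into one uint32_t at documented
 * shifts and widths, so a code generator can emit "load word; and mask"
 * using exactly the constants the C accessors use. All names, shifts and
 * widths here are constructed for the example.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Variant A: the compiler decides where each field lives. */
struct CStyleFlags {
    unsigned isDictionary : 1;
    unsigned hasGetterSetterProperties : 1;
    unsigned hasNonEnumerableProperties : 1;
    unsigned transitionCount : 8;
};

/* Variant B: explicit format in a single 32-bit word. */
typedef uint32_t ExplicitFlags;

enum {
    IsDictionaryShift = 0,     IsDictionaryBits = 1,
    HasGetterSetterShift = 1,  HasGetterSetterBits = 1,
    HasNonEnumerableShift = 2, HasNonEnumerableBits = 1,
    TransitionCountShift = 3,  TransitionCountBits = 8,
};

/* Mask covering `bits` bits starting at `shift`. */
#define FIELD_MASK(shift, bits) (((1u << (bits)) - 1u) << (shift))

static inline uint32_t getField(ExplicitFlags f, unsigned shift, unsigned bits)
{
    return (f & FIELD_MASK(shift, bits)) >> shift;
}

/* Clears the field, then stores `value` truncated to the field's width. */
static inline ExplicitFlags setField(ExplicitFlags f, unsigned shift, unsigned bits, uint32_t value)
{
    uint32_t mask = FIELD_MASK(shift, bits);
    return (f & ~mask) | ((value << shift) & mask);
}

/* The constant a code generator would bake into an emitted test instruction. */
uint32_t isDictionaryTestMask(void)
{
    return FIELD_MASK(IsDictionaryShift, IsDictionaryBits);
}

/* Set three fields, read all four back: neighbours must be untouched. */
bool explicitRoundTrip(void)
{
    ExplicitFlags f = 0;
    f = setField(f, IsDictionaryShift, IsDictionaryBits, 1);
    f = setField(f, TransitionCountShift, TransitionCountBits, 200);
    f = setField(f, HasNonEnumerableShift, HasNonEnumerableBits, 1);
    return getField(f, IsDictionaryShift, IsDictionaryBits) == 1
        && getField(f, HasGetterSetterShift, HasGetterSetterBits) == 0
        && getField(f, HasNonEnumerableShift, HasNonEnumerableBits) == 1
        && getField(f, TransitionCountShift, TransitionCountBits) == 200;
}

/* A value wider than its field is truncated, never spilled into a neighbour. */
bool explicitOverflowIsMasked(void)
{
    ExplicitFlags f = setField(0, IsDictionaryShift, IsDictionaryBits, 1);
    f = setField(f, TransitionCountShift, TransitionCountBits, 0x1FF); /* 9 bits into 8 */
    return getField(f, TransitionCountShift, TransitionCountBits) == 0xFF
        && getField(f, IsDictionaryShift, IsDictionaryBits) == 1
        && (f >> (TransitionCountShift + TransitionCountBits)) == 0;
}

/* Raw storage of Variant A with only isDictionary set. Which bit of this
 * word is set depends on the compiler and ABI, which is exactly why a JIT
 * cannot hard-code an offset and mask for a C-style bit field. */
uint32_t cStyleRawWord(void)
{
    struct CStyleFlags s;
    memset(&s, 0, sizeof s);
    s.isDictionary = 1;
    uint32_t raw = 0;
    memcpy(&raw, &s, sizeof raw < sizeof s ? sizeof raw : sizeof s);
    return raw;
}
```

The only thing portable C can say about `cStyleRawWord()` is that it is non-zero; with the explicit format, by contrast, both the interpreter and any generated code know that `isDictionaryTestMask()` is bit 0, and the overflow case shows the accessors cannot corrupt adjacent fields.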
1609 2014-06-24 Mark Lam <mark.lam@apple.com>
1611 [ftlopt] Renamed DebuggerActivation to DebuggerScope.
1612 <https://webkit.org/b/134273>
1614 Reviewed by Michael Saboff.
1617 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1618 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1619 * JavaScriptCore.xcodeproj/project.pbxproj:
1620 * debugger/DebuggerActivation.cpp: Removed.
1621 * debugger/DebuggerActivation.h: Removed.
1622 * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
1623 (JSC::DebuggerScope::DebuggerScope):
1624 (JSC::DebuggerScope::finishCreation):
1625 (JSC::DebuggerScope::visitChildren):
1626 (JSC::DebuggerScope::className):
1627 (JSC::DebuggerScope::getOwnPropertySlot):
1628 (JSC::DebuggerScope::put):
1629 (JSC::DebuggerScope::deleteProperty):
1630 (JSC::DebuggerScope::getOwnPropertyNames):
1631 (JSC::DebuggerScope::defineOwnProperty):
1632 (JSC::DebuggerActivation::DebuggerActivation): Deleted.
1633 (JSC::DebuggerActivation::finishCreation): Deleted.
1634 (JSC::DebuggerActivation::visitChildren): Deleted.
1635 (JSC::DebuggerActivation::className): Deleted.
1636 (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
1637 (JSC::DebuggerActivation::put): Deleted.
1638 (JSC::DebuggerActivation::deleteProperty): Deleted.
1639 (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
1640 (JSC::DebuggerActivation::defineOwnProperty): Deleted.
1641 * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
1642 (JSC::DebuggerScope::create):
1643 (JSC::DebuggerActivation::create): Deleted.
1648 2014-06-24 Filip Pizlo <fpizlo@apple.com>
1650 [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
1651 https://bugs.webkit.org/show_bug.cgi?id=134265
1653 Reviewed by Geoffrey Garen.
1655 More assertion fallout from the PutById folding work.
1658 (JSC::DFG::Node::convertToPutByOffset):
1660 2014-06-24 Filip Pizlo <fpizlo@apple.com>
1662 [ftlopt] GC should notify us if it resets to_this
1663 https://bugs.webkit.org/show_bug.cgi?id=128231
1665 Reviewed by Geoffrey Garen.
1668 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1669 * JavaScriptCore.xcodeproj/project.pbxproj:
1670 * bytecode/BytecodeList.json:
1671 * bytecode/CodeBlock.cpp:
1672 (JSC::CodeBlock::dumpBytecode):
1673 (JSC::CodeBlock::finalizeUnconditionally):
1674 * bytecode/Instruction.h:
1675 * bytecode/ToThisStatus.cpp: Added.
1677 (WTF::printInternal):
1678 * bytecode/ToThisStatus.h: Added.
1679 * bytecompiler/BytecodeGenerator.cpp:
1680 (JSC::BytecodeGenerator::BytecodeGenerator):
1681 * dfg/DFGByteCodeParser.cpp:
1682 (JSC::DFG::ByteCodeParser::parseBlock):
1683 * llint/LowLevelInterpreter32_64.asm:
1684 * llint/LowLevelInterpreter64.asm:
1685 * runtime/CommonSlowPaths.cpp:
1686 (JSC::SLOW_PATH_DECL):
1688 2014-06-24 Filip Pizlo <fpizlo@apple.com>
1690 [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
1691 https://bugs.webkit.org/show_bug.cgi?id=134256
1693 Reviewed by Michael Saboff.
1695 This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
1696 point is to be able to precisely model what goes on in the snippets of code between a
1697 side-effect and an InvalidationPoint.
1699 This patch also cleans up onlyStructure() by delegating more work to
1700 StructureSet::onlyStructure().
1702 * dfg/DFGStructureAbstractValue.h:
1703 (JSC::DFG::StructureAbstractValue::onlyStructure):
1705 2014-06-24 Filip Pizlo <fpizlo@apple.com>
1707 [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
1708 https://bugs.webkit.org/show_bug.cgi?id=134260
1710 Reviewed by Geoffrey Garen.
1712 This was causing loads of assertion failures in debug builds.
1714 * dfg/DFGAbstractInterpreterInlines.h:
1715 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1717 2014-06-21 Filip Pizlo <fpizlo@apple.com>
1719 [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
1720 https://bugs.webkit.org/show_bug.cgi?id=134090
1722 Reviewed by Oliver Hunt.
1724 This pretty much finishes off the work to eliminate the special-casing of singleton
1725 structure sets by making it possible to fold GetById and PutById to various polymorphic
1726 forms of the ByOffset nodes.
1728 * bytecode/GetByIdStatus.cpp:
1729 (JSC::GetByIdStatus::computeForStubInfo):
1730 (JSC::GetByIdStatus::computeFor):
1731 * bytecode/GetByIdStatus.h:
1732 * bytecode/PutByIdStatus.cpp:
1733 (JSC::PutByIdStatus::computeFor):
1734 * bytecode/PutByIdStatus.h:
1735 * bytecode/PutByIdVariant.h:
1736 (JSC::PutByIdVariant::constantChecks):
1737 * dfg/DFGAbstractInterpreterInlines.h:
1738 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1739 * dfg/DFGByteCodeParser.cpp:
1740 (JSC::DFG::ByteCodeParser::parseBlock):
1741 * dfg/DFGConstantFoldingPhase.cpp:
1742 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1743 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1744 (JSC::DFG::ConstantFoldingPhase::addChecks):
1746 (JSC::DFG::Node::convertToMultiGetByOffset):
1747 (JSC::DFG::Node::convertToMultiPutByOffset):
1748 * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
1749 (JSC::DFG::SpeculativeJIT::fillJSValue):
1750 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1751 (JSC::DFG::SpeculativeJIT::emitCall):
1752 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1753 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
1754 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1755 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1756 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1757 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1758 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
1759 (JSC::DFG::SpeculativeJIT::emitBranch):
1760 (JSC::DFG::SpeculativeJIT::compile):
1761 * dfg/DFGStructureAbstractValue.h:
1762 (JSC::DFG::StructureAbstractValue::set):
1764 2014-06-19 Filip Pizlo <fpizlo@apple.com>
1766 [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
1767 https://bugs.webkit.org/show_bug.cgi?id=134077
1769 Reviewed by Sam Weinig.
1771 This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
1772 in the abstract interpreter.
1774 * bytecode/StructureSet.h:
1775 (JSC::StructureSet::onlyStructure):
1777 2014-06-18 Filip Pizlo <fpizlo@apple.com>
1779 DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
1780 https://bugs.webkit.org/show_bug.cgi?id=133918
1782 Reviewed by Mark Hahnenberg.
1784 This also adds pruning of PutStructure, since I basically had no choice but
1785 to implement such logic within MultiPutByOffset.
1787 Also adds a bunch of PutById cache status dumping to bytecode dumping.
1789 * bytecode/GetByIdVariant.cpp:
1790 (JSC::GetByIdVariant::dumpInContext):
1791 * bytecode/GetByIdVariant.h:
1792 (JSC::GetByIdVariant::structureSet):
1793 * bytecode/PutByIdVariant.h:
1794 (JSC::PutByIdVariant::oldStructure):
1795 * bytecode/StructureSet.cpp:
1796 (JSC::StructureSet::filter):
1797 (JSC::StructureSet::filterArrayModes):
1798 * bytecode/StructureSet.h:
1799 * dfg/DFGAbstractInterpreterInlines.h:
1800 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1801 * dfg/DFGAbstractValue.cpp:
1802 (JSC::DFG::AbstractValue::changeStructure):
1803 (JSC::DFG::AbstractValue::contains):
1804 * dfg/DFGAbstractValue.h:
1805 (JSC::DFG::AbstractValue::couldBeType):
1806 (JSC::DFG::AbstractValue::isType):
1807 * dfg/DFGConstantFoldingPhase.cpp:
1808 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1809 (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
1810 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1811 (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
1813 (JSC::DFG::Graph::freezeStrong):
1815 * dfg/DFGStructureAbstractValue.h:
1816 (JSC::DFG::StructureAbstractValue::operator=):
1817 * ftl/FTLLowerDFGToLLVM.cpp:
1818 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1819 * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
1826 * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
1833 * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
1841 2014-06-18 Mark Hahnenberg <mhahnenberg@apple.com>
1843 Remove CompoundType and LeafType
1844 https://bugs.webkit.org/show_bug.cgi?id=134037
1846 Reviewed by Filip Pizlo.
1848 We don't use them for anything. We'll replace them with a generic CellType type for all
1849 the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
1850 their JSType at runtime.
1852 * llint/LLIntData.cpp:
1853 (JSC::LLInt::Data::performAssertions):
1854 * runtime/ArrayBufferNeuteringWatchpoint.cpp:
1855 (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
1856 * runtime/Executable.h:
1857 (JSC::ExecutableBase::createStructure):
1858 (JSC::NativeExecutable::createStructure):
1859 * runtime/JSPromiseDeferred.h:
1860 (JSC::JSPromiseDeferred::createStructure):
1861 * runtime/JSPromiseReaction.h:
1862 (JSC::JSPromiseReaction::createStructure):
1863 * runtime/JSPropertyNameIterator.h:
1864 (JSC::JSPropertyNameIterator::createStructure):
1866 * runtime/JSTypeInfo.h:
1867 (JSC::TypeInfo::TypeInfo):
1868 * runtime/MapData.h:
1869 (JSC::MapData::createStructure):
1870 * runtime/PropertyMapHashTable.h:
1871 (JSC::PropertyTable::createStructure):
1873 (JSC::RegExp::createStructure):
1874 * runtime/SparseArrayValueMap.cpp:
1875 (JSC::SparseArrayValueMap::createStructure):
1876 * runtime/Structure.cpp:
1877 (JSC::Structure::Structure):
1878 * runtime/StructureChain.h:
1879 (JSC::StructureChain::createStructure):
1880 * runtime/StructureRareData.cpp:
1881 (JSC::StructureRareData::createStructure):
1882 * runtime/SymbolTable.h:
1883 (JSC::SymbolTable::createStructure):
1884 * runtime/WeakMapData.h:
1885 (JSC::WeakMapData::createStructure):
1887 2014-06-17 Filip Pizlo <fpizlo@apple.com>
1889 [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
1890 https://bugs.webkit.org/show_bug.cgi?id=134002
1892 Reviewed by Mark Hahnenberg.
1894 The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
1895 JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
1896 of the structure if that structure was watchable.
1898 Also kill PhantomPutStructure.
1900 * dfg/DFGAbstractInterpreterInlines.h:
1901 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1902 (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
1903 (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
1904 * dfg/DFGClobberize.h:
1905 (JSC::DFG::clobberize):
1906 * dfg/DFGDoesGC.cpp:
1908 * dfg/DFGFixupPhase.cpp:
1909 (JSC::DFG::FixupPhase::fixupNode):
1911 (JSC::DFG::Graph::visitChildren):
1913 (JSC::DFG::Node::hasTransition):
1914 * dfg/DFGNodeType.h:
1915 * dfg/DFGPredictionPropagationPhase.cpp:
1916 (JSC::DFG::PredictionPropagationPhase::propagate):
1917 * dfg/DFGSafeToExecute.h:
1918 (JSC::DFG::safeToExecute):
1919 * dfg/DFGSpeculativeJIT32_64.cpp:
1920 (JSC::DFG::SpeculativeJIT::compile):
1921 * dfg/DFGSpeculativeJIT64.cpp:
1922 (JSC::DFG::SpeculativeJIT::compile):
1923 * dfg/DFGStructureAbstractValue.cpp:
1924 (JSC::DFG::StructureAbstractValue::observeTransition):
1925 (JSC::DFG::StructureAbstractValue::observeTransitions):
1926 * dfg/DFGValidate.cpp:
1927 (JSC::DFG::Validate::validate):
1928 * dfg/DFGWatchableStructureWatchingPhase.cpp:
1929 (JSC::DFG::WatchableStructureWatchingPhase::run):
1930 * ftl/FTLCapabilities.cpp:
1931 (JSC::FTL::canCompile):
1932 * ftl/FTLLowerDFGToLLVM.cpp:
1933 (JSC::FTL::LowerDFGToLLVM::compileNode):
1934 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
1936 2014-06-17 Filip Pizlo <fpizlo@apple.com>
1938 [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
1939 https://bugs.webkit.org/show_bug.cgi?id=133964
1941 Reviewed by Mark Hahnenberg.
1943 * bytecode/PutByIdStatus.cpp:
1944 (JSC::PutByIdStatus::appendVariant):
1945 (JSC::PutByIdStatus::computeForStubInfo):
1946 * bytecode/PutByIdVariant.cpp:
1947 (JSC::PutByIdVariant::oldStructureForTransition):
1948 (JSC::PutByIdVariant::writesStructures):
1949 (JSC::PutByIdVariant::reallocatesStorage):
1950 (JSC::PutByIdVariant::attemptToMerge):
1951 (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
1952 (JSC::PutByIdVariant::dumpInContext):
1953 * bytecode/PutByIdVariant.h:
1954 (JSC::PutByIdVariant::PutByIdVariant):
1955 (JSC::PutByIdVariant::replace):
1956 (JSC::PutByIdVariant::transition):
1957 (JSC::PutByIdVariant::structure):
1958 (JSC::PutByIdVariant::oldStructure):
1959 * dfg/DFGAbstractInterpreterInlines.h:
1960 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1961 * dfg/DFGByteCodeParser.cpp:
1962 (JSC::DFG::ByteCodeParser::handlePutById):
1963 (JSC::DFG::ByteCodeParser::parseBlock):
1964 * dfg/DFGConstantFoldingPhase.cpp:
1965 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1966 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
1968 (JSC::DFG::Graph::visitChildren):
1970 (JSC::DFG::MultiPutByOffsetData::writesStructures):
1971 (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
1972 * ftl/FTLAbbreviations.h:
1973 (JSC::FTL::getLinkage):
1974 * ftl/FTLLowerDFGToLLVM.cpp:
1975 (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1976 (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
1978 2014-07-25 Filip Pizlo <fpizlo@apple.com>
1980 Add an option to disable native call inlining. Disable it for now to see how it
1983 * dfg/DFGByteCodeParser.cpp:
1984 (JSC::DFG::ByteCodeParser::handleCall):
1985 * runtime/Options.h:
1987 2014-07-25 Filip Pizlo <fpizlo@apple.com>
1991 * dfg/DFGMayExit.cpp:
1993 2014-07-25 Filip Pizlo <fpizlo@apple.com>
1995 Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.
1997 2014-06-17 Filip Pizlo <fpizlo@apple.com>
1999 [ftlopt] Fold constant Phis
2000 https://bugs.webkit.org/show_bug.cgi?id=133967
2002 Reviewed by Mark Hahnenberg.
2004 It's surprising but we didn't really do this before. Or, rather, we only did it
2005 incidentally when we would likely crash if it ever happened.
2007 Making this work required cleaning up the validator a bit, so I did that too. I also added
2008 mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
2009 the Phi header of basic blocks). But this required beefing up mayExit() a bit.
2011 * dfg/DFGAbstractInterpreterInlines.h:
2012 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2013 * dfg/DFGAdjacencyList.h:
2014 (JSC::DFG::AdjacencyList::isEmpty):
2015 * dfg/DFGConstantFoldingPhase.cpp:
2016 (JSC::DFG::ConstantFoldingPhase::run):
2017 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2018 (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
2019 * dfg/DFGInPlaceAbstractState.h:
2020 * dfg/DFGLICMPhase.cpp:
2021 (JSC::DFG::LICMPhase::run):
2022 (JSC::DFG::LICMPhase::attemptHoist):
2023 * dfg/DFGMayExit.cpp:
2024 (JSC::DFG::mayExit):
2025 * dfg/DFGValidate.cpp:
2026 (JSC::DFG::Validate::validate):
2027 (JSC::DFG::Validate::validateSSA):
2029 2014-06-17 Filip Pizlo <fpizlo@apple.com>
2031 [ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
2032 https://bugs.webkit.org/show_bug.cgi?id=133985
2034 Reviewed by Michael Saboff and Mark Hahnenberg.
2036 Store elimination phase has never been very profitable, and now that LLVM can do dead
2037 store elimination for us, this phase is just completely pointless.
2039 This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
2040 computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
2043 This patch does introduce a new mayExit() calculator that is independent of the CFA and
2044 should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
2045 for assertions in the DFG backend, but we could use it if we ever brought back any of the
2046 other optimizations that previously relied upon NodeDoesNotExit.
2048 This is performance-neutral, except for SunSpider, where it's a speed-up.
2051 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2052 * JavaScriptCore.xcodeproj/project.pbxproj:
2053 * dfg/DFGAbstractInterpreter.h:
2054 (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
2055 (JSC::DFG::AbstractInterpreter::filterByType):
2056 * dfg/DFGAbstractInterpreterInlines.h:
2057 (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
2058 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2059 * dfg/DFGCSEPhase.cpp:
2060 (JSC::DFG::CSEPhase::CSEPhase):
2061 (JSC::DFG::CSEPhase::invalidationPointElimination):
2062 (JSC::DFG::CSEPhase::setLocalStoreElimination):
2063 (JSC::DFG::CSEPhase::performNodeCSE):
2064 (JSC::DFG::CSEPhase::performBlockCSE):
2065 (JSC::DFG::performCSE):
2066 (JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted.
2067 (JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted.
2068 (JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted.
2069 (JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted.
2070 (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
2071 (JSC::DFG::performStoreElimination): Deleted.
2072 * dfg/DFGCSEPhase.h:
2073 * dfg/DFGFixupPhase.cpp:
2074 (JSC::DFG::FixupPhase::fixupNode):
2076 (JSC::DFG::Graph::resetExitStates): Deleted.
2078 * dfg/DFGMayExit.cpp: Added.
2079 (JSC::DFG::mayExit):
2080 * dfg/DFGMayExit.h: Added.
2082 (JSC::DFG::Node::mergeFlags):
2083 (JSC::DFG::Node::filterFlags):
2084 (JSC::DFG::Node::setCanExit): Deleted.
2085 (JSC::DFG::Node::canExit): Deleted.
2086 * dfg/DFGNodeFlags.cpp:
2087 (JSC::DFG::dumpNodeFlags):
2088 * dfg/DFGNodeFlags.h:
2089 * dfg/DFGNodeType.h:
2091 (JSC::DFG::Plan::compileInThreadImpl):
2092 * dfg/DFGSpeculativeJIT.cpp:
2093 (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
2094 (JSC::DFG::SpeculativeJIT::bail):
2095 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2096 * dfg/DFGSpeculativeJIT32_64.cpp:
2097 (JSC::DFG::SpeculativeJIT::compile):
2098 * dfg/DFGSpeculativeJIT64.cpp:
2099 (JSC::DFG::SpeculativeJIT::compile):
2101 2014-06-15 Filip Pizlo <fpizlo@apple.com>
2103 [ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
2104 https://bugs.webkit.org/show_bug.cgi?id=133931
2106 Reviewed by Oliver Hunt.
2108 * dfg/DFGAbstractInterpreterInlines.h:
2109 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
2110 * dfg/DFGConstantFoldingPhase.cpp:
2111 (JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
2113 (JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.
2115 2014-06-15 Filip Pizlo <fpizlo@apple.com>
2117 [ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
2118 https://bugs.webkit.org/show_bug.cgi?id=133935
2120 Reviewed by Oliver Hunt.
2122 * bytecode/Operands.h:
2123 (JSC::Operands::Operands):
2124 (JSC::Operands::ensureLocals):
2125 * dfg/DFGAbstractValue.cpp:
2126 (JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
2127 * dfg/DFGAbstractValue.h:
2128 (JSC::DFG::AbstractValue::makeFullTop): Completeness.
2129 (JSC::DFG::AbstractValue::bytecodeTop): Completeness.
2130 (JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
2131 * dfg/DFGBasicBlock.cpp:
2132 (JSC::DFG::BasicBlock::BasicBlock):
2133 (JSC::DFG::BasicBlock::ensureLocals):
2134 * dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
2135 * dfg/DFGCFAPhase.cpp:
2136 (JSC::DFG::CFAPhase::run): Compute the intersection.
2137 * dfg/DFGConstantFoldingPhase.cpp:
2138 (JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
2140 (JSC::DFG::Graph::dumpBlockHeader): Better dumping.
2141 (JSC::DFG::Graph::dump): Better dumping.
2142 * dfg/DFGJITCompiler.h:
2143 (JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
2144 * dfg/DFGSpeculativeJIT.cpp:
2145 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.
2147 2014-06-12 Filip Pizlo <fpizlo@apple.com>
2149 [ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
2150 https://bugs.webkit.org/show_bug.cgi?id=133821
2152 Reviewed by Mark Hahnenberg.
2154 This allows us to efficiently cache accesses that differ only in the prototypes on the path
2155 from the base to the prototype that has the field.
2157 It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
2161 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2162 * JavaScriptCore.xcodeproj/project.pbxproj:
2163 * bytecode/ConstantStructureCheck.cpp: Added.
2164 (JSC::ConstantStructureCheck::dumpInContext):
2165 (JSC::ConstantStructureCheck::dump):
2166 (JSC::structureFor):
2167 (JSC::areCompatible):
2169 * bytecode/ConstantStructureCheck.h: Added.
2170 (JSC::ConstantStructureCheck::ConstantStructureCheck):
2171 (JSC::ConstantStructureCheck::operator!):
2172 (JSC::ConstantStructureCheck::constant):
2173 (JSC::ConstantStructureCheck::structure):
2174 * bytecode/GetByIdStatus.cpp:
2175 (JSC::GetByIdStatus::computeForStubInfo):
2176 * bytecode/GetByIdVariant.cpp:
2177 (JSC::GetByIdVariant::GetByIdVariant):
2178 (JSC::GetByIdVariant::operator=):
2179 (JSC::GetByIdVariant::attemptToMerge):
2180 (JSC::GetByIdVariant::dumpInContext):
2181 * bytecode/GetByIdVariant.h:
2182 (JSC::GetByIdVariant::constantChecks):
2183 (JSC::GetByIdVariant::alternateBase):
2184 (JSC::GetByIdVariant::GetByIdVariant): Deleted.
2185 (JSC::GetByIdVariant::chain): Deleted.
2186 * bytecode/PutByIdVariant.cpp:
2187 (JSC::PutByIdVariant::dumpInContext):
2188 * bytecode/PutByIdVariant.h:
2189 (JSC::PutByIdVariant::transition):
2190 (JSC::PutByIdVariant::constantChecks):
2191 (JSC::PutByIdVariant::structureChain): Deleted.
2192 * dfg/DFGAbstractInterpreterInlines.h:
2193 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2194 * dfg/DFGByteCodeParser.cpp:
2195 (JSC::DFG::ByteCodeParser::emitChecks):
2196 (JSC::DFG::ByteCodeParser::handleGetById):
2197 (JSC::DFG::ByteCodeParser::handlePutById):
2198 (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted.
2199 (JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted.
2200 (JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
2201 * dfg/DFGConstantFoldingPhase.cpp:
2202 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2203 (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2204 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2205 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2206 * dfg/DFGDesiredStructureChains.cpp: Removed.
2207 * dfg/DFGDesiredStructureChains.h: Removed.
2209 (JSC::DFG::Graph::watchpoints):
2210 (JSC::DFG::Graph::chains): Deleted.
2212 (JSC::DFG::Plan::isStillValid):
2213 (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2214 (JSC::DFG::Plan::cancel):
2216 * ftl/FTLLowerDFGToLLVM.cpp:
2217 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
2218 * runtime/IntendedStructureChain.cpp:
2219 (JSC::IntendedStructureChain::gatherChecks):
2220 * runtime/IntendedStructureChain.h:
2221 (JSC::IntendedStructureChain::at):
2222 (JSC::IntendedStructureChain::operator[]):
2224 2014-06-12 Filip Pizlo <fpizlo@apple.com>
2226 [ftlopt] Constant folding and strength reduction should work in SSA
2227 https://bugs.webkit.org/show_bug.cgi?id=133839
2229 Reviewed by Oliver Hunt.
2231 * dfg/DFGAtTailAbstractState.cpp:
2232 (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2233 (JSC::DFG::AtTailAbstractState::forNode):
2234 * dfg/DFGAtTailAbstractState.h:
2235 * dfg/DFGConstantFoldingPhase.cpp:
2236 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2238 (JSC::DFG::Graph::convertToConstant):
2239 * dfg/DFGIntegerCheckCombiningPhase.cpp:
2240 (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
2241 * dfg/DFGLICMPhase.cpp:
2242 (JSC::DFG::LICMPhase::LICMPhase):
2244 (JSC::DFG::Plan::compileInThreadImpl):
2246 2014-06-11 Filip Pizlo <fpizlo@apple.com>
2248 [ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
2249 https://bugs.webkit.org/show_bug.cgi?id=133751
2251 Reviewed by Mark Hahnenberg.
2253 * bytecode/GetByIdStatus.cpp:
2254 (JSC::GetByIdStatus::appendVariant):
2255 (JSC::GetByIdStatus::computeForStubInfo):
2256 * bytecode/GetByIdVariant.cpp:
2257 (JSC::GetByIdVariant::attemptToMerge):
2258 * bytecode/GetByIdVariant.h:
2259 * bytecode/PutByIdStatus.cpp:
2260 (JSC::PutByIdStatus::computeFor):
2261 * dfg/DFGByteCodeParser.cpp:
2262 (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
2263 (JSC::DFG::ByteCodeParser::handleGetById):
2264 (JSC::DFG::ByteCodeParser::handlePutById):
2265 * runtime/IntendedStructureChain.cpp:
2266 (JSC::IntendedStructureChain::IntendedStructureChain):
2267 (JSC::IntendedStructureChain::isStillValid):
2268 (JSC::IntendedStructureChain::isNormalized):
2269 (JSC::IntendedStructureChain::terminalPrototype):
2270 (JSC::IntendedStructureChain::operator==):
2271 (JSC::IntendedStructureChain::visitChildren):
2272 (JSC::IntendedStructureChain::dumpInContext):
2273 (JSC::IntendedStructureChain::chain): Deleted.
2274 * runtime/IntendedStructureChain.h:
2275 (JSC::IntendedStructureChain::prototype):
2276 (JSC::IntendedStructureChain::operator!=):
2277 (JSC::IntendedStructureChain::head): Deleted.
2279 2014-06-11 Matthew Mirman <mmirman@apple.com>
2281 Re-added native calling to the FTL and split the DFG nodes
2282 Call and Construct into NativeCall and NativeConstruct
2283 to better represent their semantics.
2284 https://bugs.webkit.org/show_bug.cgi?id=133660
2286 Reviewed by Filip Pizlo.
2288 * dfg/DFGAbstractInterpreterInlines.h:
2289 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2290 Added NativeCall and NativeConstruct case.
2291 * dfg/DFGByteCodeParser.cpp:
2292 (JSC::DFG::ByteCodeParser::addCall): added NativeCall case.
2293 (JSC::DFG::ByteCodeParser::handleCall):
2294 set to return NativeCall or NativeConstruct instead of Call or Construct
2295 in the presence of a native function.
2296 * dfg/DFGClobberize.h:
2297 (JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
2298 * dfg/DFGDoesGC.cpp:
2299 (JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
2300 * dfg/DFGFixupPhase.cpp:
2301 (JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
2303 (JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case.
2304 (JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct.
2305 (JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
2306 * dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
2307 * dfg/DFGPredictionPropagationPhase.cpp:
2308 (JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
2309 * dfg/DFGSafeToExecute.h:
2310 (JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
2311 * dfg/DFGSpeculativeJIT32_64.cpp:
2312 (JSC::DFG::SpeculativeJIT::emitCall): ditto.
2313 (JSC::DFG::SpeculativeJIT::compile): ditto.
2314 * dfg/DFGSpeculativeJIT64.cpp:
2315 (JSC::DFG::SpeculativeJIT::emitCall): ditto.
2316 (JSC::DFG::SpeculativeJIT::compile): ditto.
2317 * ftl/FTLCapabilities.cpp:
2318 (JSC::FTL::canCompile): ditto.
2319 * ftl/FTLLowerDFGToLLVM.cpp:
2320 (JSC::FTL::LowerDFGToLLVM::lower): ditto.
2321 (JSC::FTL::LowerDFGToLLVM::compileNode): ditto.
2322 (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added.
2323 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality.
2324 (JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
2325 * runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.
2327 2014-06-11 Matthew Mirman <mmirman@apple.com>
2329 Ensured Native Calls and Construct and associated checks
2330 are only emitted during ftl mode.
2331 https://bugs.webkit.org/show_bug.cgi?id=133718
2333 Reviewed by Filip Pizlo.
2335 * dfg/DFGByteCodeParser.cpp:
2336 (JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode
2337 before attaching the native function to Call or Construct.
2339 2014-06-10 Filip Pizlo <fpizlo@apple.com>
2341 [ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
2342 https://bugs.webkit.org/show_bug.cgi?id=133426
2344 Reviewed by Geoffrey Garen.
2346 The impetus for this was to provide some sense and reason to race conditions arising from
2347 cell constants having their structure changed on the main thread - this is harmless because
2348 we defend against it, but when it goes wrong, it can be difficult to reproduce because it
2349 requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.
2351 But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
2352 about constants. It no longer relies on the CodeBlock constant pool at all, which allows
2353 for a more object-oriented approach: for example a Node that has a constant can tell you
2354 what constant it has without needing a CodeBlock.
2357 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2358 * JavaScriptCore.xcodeproj/project.pbxproj:
2359 * bytecode/CallLinkStatus.cpp:
2360 (JSC::CallLinkStatus::computeExitSiteData):
2361 * bytecode/ExitKind.cpp:
2362 (JSC::exitKindToString):
2363 (JSC::exitKindIsCountable):
2364 * bytecode/ExitKind.h:
2365 (JSC::isWatchpoint): Deleted.
2366 * bytecode/GetByIdStatus.cpp:
2367 (JSC::GetByIdStatus::hasExitSite):
2368 * bytecode/PutByIdStatus.cpp:
2369 (JSC::PutByIdStatus::hasExitSite):
2370 * dfg/DFGAbstractInterpreter.h:
2371 (JSC::DFG::AbstractInterpreter::filterByValue):
2372 (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
2373 (JSC::DFG::AbstractInterpreter::setConstant):
2374 * dfg/DFGAbstractInterpreterInlines.h:
2375 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2376 (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
2377 * dfg/DFGAbstractValue.cpp:
2378 (JSC::DFG::AbstractValue::setOSREntryValue):
2379 (JSC::DFG::AbstractValue::set):
2380 (JSC::DFG::AbstractValue::filterByValue):
2381 (JSC::DFG::AbstractValue::setMostSpecific): Deleted.
2382 * dfg/DFGAbstractValue.h:
2383 * dfg/DFGArgumentsSimplificationPhase.cpp:
2384 (JSC::DFG::ArgumentsSimplificationPhase::run):
2385 * dfg/DFGBackwardsPropagationPhase.cpp:
2386 (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
2387 (JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
2388 (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
2389 (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
2390 * dfg/DFGByteCodeParser.cpp:
2391 (JSC::DFG::ByteCodeParser::ByteCodeParser):
2392 (JSC::DFG::ByteCodeParser::getDirect):
2393 (JSC::DFG::ByteCodeParser::get):
2394 (JSC::DFG::ByteCodeParser::getLocal):
2395 (JSC::DFG::ByteCodeParser::setLocal):
2396 (JSC::DFG::ByteCodeParser::setArgument):
2397 (JSC::DFG::ByteCodeParser::jsConstant):
2398 (JSC::DFG::ByteCodeParser::weakJSConstant):
2399 (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
2400 (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
2401 (JSC::DFG::ByteCodeParser::handleCall):
2402 (JSC::DFG::ByteCodeParser::emitFunctionChecks):
2403 (JSC::DFG::ByteCodeParser::handleInlining):
2404 (JSC::DFG::ByteCodeParser::handleMinMax):
2405 (JSC::DFG::ByteCodeParser::handleIntrinsic):
2406 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2407 (JSC::DFG::ByteCodeParser::handleGetById):
2408 (JSC::DFG::ByteCodeParser::prepareToParseBlock):
2409 (JSC::DFG::ByteCodeParser::parseBlock):
2410 (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
2411 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2412 (JSC::DFG::ByteCodeParser::parseCodeBlock):
2413 (JSC::DFG::ByteCodeParser::addConstant): Deleted.
2414 (JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted.
2415 (JSC::DFG::ByteCodeParser::getJSConstant): Deleted.
2416 (JSC::DFG::ByteCodeParser::isJSConstant): Deleted.
2417 (JSC::DFG::ByteCodeParser::isInt32Constant): Deleted.
2418 (JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted.
2419 (JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted.
2420 (JSC::DFG::ByteCodeParser::constantUndefined): Deleted.
2421 (JSC::DFG::ByteCodeParser::constantNull): Deleted.
2422 (JSC::DFG::ByteCodeParser::one): Deleted.
2423 (JSC::DFG::ByteCodeParser::constantNaN): Deleted.
2424 (JSC::DFG::ByteCodeParser::cellConstant): Deleted.
2425 (JSC::DFG::ByteCodeParser::inferredConstant): Deleted.
2426 (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
2427 * dfg/DFGCFGSimplificationPhase.cpp:
2428 (JSC::DFG::CFGSimplificationPhase::run):
2429 * dfg/DFGCSEPhase.cpp:
2430 (JSC::DFG::CSEPhase::constantCSE):
2431 (JSC::DFG::CSEPhase::checkFunctionElimination):
2432 (JSC::DFG::CSEPhase::performNodeCSE):
2433 (JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
2434 * dfg/DFGClobberize.h:
2435 (JSC::DFG::clobberize):
2437 * dfg/DFGConstantFoldingPhase.cpp:
2438 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2439 (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2440 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2441 * dfg/DFGDoesGC.cpp:
2443 * dfg/DFGFixupPhase.cpp:
2444 (JSC::DFG::FixupPhase::fixupNode):
2445 (JSC::DFG::FixupPhase::fixupMakeRope):
2446 (JSC::DFG::FixupPhase::truncateConstantToInt32):
2447 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
2448 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2449 * dfg/DFGFrozenValue.cpp: Added.
2450 (JSC::DFG::FrozenValue::emptySingleton):
2451 (JSC::DFG::FrozenValue::dumpInContext):
2452 (JSC::DFG::FrozenValue::dump):
2453 * dfg/DFGFrozenValue.h: Added.
2454 (JSC::DFG::FrozenValue::FrozenValue):
2455 (JSC::DFG::FrozenValue::operator!):
2456 (JSC::DFG::FrozenValue::value):
2457 (JSC::DFG::FrozenValue::structure):
2458 (JSC::DFG::FrozenValue::strengthenTo):
2459 (JSC::DFG::FrozenValue::strength):
2460 (JSC::DFG::FrozenValue::freeze):
2462 (JSC::DFG::Graph::Graph):
2463 (JSC::DFG::Graph::dump):
2464 (JSC::DFG::Graph::tryGetActivation):
2465 (JSC::DFG::Graph::tryGetFoldableView):
2466 (JSC::DFG::Graph::registerFrozenValues):
2467 (JSC::DFG::Graph::visitChildren):
2468 (JSC::DFG::Graph::freezeFragile):
2469 (JSC::DFG::Graph::freeze):
2470 (JSC::DFG::Graph::freezeStrong):
2471 (JSC::DFG::Graph::convertToConstant):
2472 (JSC::DFG::Graph::convertToStrongConstant):
2473 (JSC::DFG::Graph::assertIsWatched):
2475 (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
2476 (JSC::DFG::Graph::convertToConstant): Deleted.
2477 (JSC::DFG::Graph::constantRegisterForConstant): Deleted.
2478 (JSC::DFG::Graph::getJSConstantSpeculation): Deleted.
2479 (JSC::DFG::Graph::isConstant): Deleted.
2480 (JSC::DFG::Graph::isJSConstant): Deleted.
2481 (JSC::DFG::Graph::isInt32Constant): Deleted.
2482 (JSC::DFG::Graph::isDoubleConstant): Deleted.
2483 (JSC::DFG::Graph::isNumberConstant): Deleted.
2484 (JSC::DFG::Graph::isBooleanConstant): Deleted.
2485 (JSC::DFG::Graph::isCellConstant): Deleted.
2486 (JSC::DFG::Graph::isFunctionConstant): Deleted.
2487 (JSC::DFG::Graph::isInternalFunctionConstant): Deleted.
2488 (JSC::DFG::Graph::valueOfJSConstant): Deleted.
2489 (JSC::DFG::Graph::valueOfInt32Constant): Deleted.
2490 (JSC::DFG::Graph::valueOfNumberConstant): Deleted.
2491 (JSC::DFG::Graph::valueOfBooleanConstant): Deleted.
2492 (JSC::DFG::Graph::valueOfFunctionConstant): Deleted.
2493 (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
2494 * dfg/DFGInPlaceAbstractState.cpp:
2495 (JSC::DFG::InPlaceAbstractState::initialize):
2496 * dfg/DFGInsertionSet.h:
2497 (JSC::DFG::InsertionSet::insertConstant):
2498 (JSC::DFG::InsertionSet::insertConstantForUse):
2499 * dfg/DFGIntegerCheckCombiningPhase.cpp:
2500 (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
2501 * dfg/DFGJITCompiler.cpp:
2502 (JSC::DFG::JITCompiler::link):
2503 * dfg/DFGLazyJSValue.cpp:
2504 (JSC::DFG::LazyJSValue::getValue):
2505 (JSC::DFG::LazyJSValue::strictEqual):
2506 (JSC::DFG::LazyJSValue::dumpInContext):
2507 * dfg/DFGLazyJSValue.h:
2508 (JSC::DFG::LazyJSValue::LazyJSValue):
2509 (JSC::DFG::LazyJSValue::tryGetValue):
2510 (JSC::DFG::LazyJSValue::value):
2511 (JSC::DFG::LazyJSValue::switchLookupValue):
2512 * dfg/DFGMinifiedNode.cpp:
2513 (JSC::DFG::MinifiedNode::fromNode):
2514 * dfg/DFGMinifiedNode.h:
2515 (JSC::DFG::belongsInMinifiedGraph):
2516 (JSC::DFG::MinifiedNode::hasConstant):
2517 (JSC::DFG::MinifiedNode::constant):
2518 (JSC::DFG::MinifiedNode::hasConstantNumber): Deleted.
2519 (JSC::DFG::MinifiedNode::constantNumber): Deleted.
2520 (JSC::DFG::MinifiedNode::hasWeakConstant): Deleted.
2521 (JSC::DFG::MinifiedNode::weakConstant): Deleted.
2523 (JSC::DFG::Node::hasConstant):
2524 (JSC::DFG::Node::constant):
2525 (JSC::DFG::Node::convertToConstant):
2526 (JSC::DFG::Node::asJSValue):
2527 (JSC::DFG::Node::isInt32Constant):
2528 (JSC::DFG::Node::asInt32):
2529 (JSC::DFG::Node::asUInt32):
2530 (JSC::DFG::Node::isDoubleConstant):
2531 (JSC::DFG::Node::isNumberConstant):
2532 (JSC::DFG::Node::asNumber):
2533 (JSC::DFG::Node::isMachineIntConstant):
2534 (JSC::DFG::Node::asMachineInt):
2535 (JSC::DFG::Node::isBooleanConstant):
2536 (JSC::DFG::Node::asBoolean):
2537 (JSC::DFG::Node::isCellConstant):
2538 (JSC::DFG::Node::asCell):
2539 (JSC::DFG::Node::dynamicCastConstant):
2540 (JSC::DFG::Node::function):
2541 (JSC::DFG::Node::isWeakConstant): Deleted.
2542 (JSC::DFG::Node::constantNumber): Deleted.
2543 (JSC::DFG::Node::convertToWeakConstant): Deleted.
2544 (JSC::DFG::Node::weakConstant): Deleted.
2545 (JSC::DFG::Node::valueOfJSConstant): Deleted.
2546 * dfg/DFGNodeType.h:
2547 * dfg/DFGOSRExitCompiler.cpp:
2548 * dfg/DFGPredictionPropagationPhase.cpp:
2549 (JSC::DFG::PredictionPropagationPhase::propagate):
2550 * dfg/DFGSafeToExecute.h:
2551 (JSC::DFG::safeToExecute):
2552 * dfg/DFGSpeculativeJIT.cpp:
2553 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2554 (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
2555 (JSC::DFG::SpeculativeJIT::silentFill):
2556 (JSC::DFG::SpeculativeJIT::compileIn):
2557 (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
2558 (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
2559 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2560 (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2561 (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2562 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2563 (JSC::DFG::SpeculativeJIT::compileAdd):
2564 (JSC::DFG::SpeculativeJIT::compileArithSub):
2565 (JSC::DFG::SpeculativeJIT::compileArithMod):
2566 * dfg/DFGSpeculativeJIT.h:
2567 (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
2568 (JSC::DFG::SpeculativeJIT::initConstantInfo):
2569 (JSC::DFG::SpeculativeJIT::isConstant): Deleted.
2570 (JSC::DFG::SpeculativeJIT::isJSConstant): Deleted.
2571 (JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted.
2572 (JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted.
2573 (JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted.
2574 (JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted.
2575 (JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted.
2576 (JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted.
2577 (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted.
2578 (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted.
2579 (JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted.
2580 (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted.
2581 (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted.
2582 (JSC::DFG::SpeculativeJIT::isNullConstant): Deleted.
2583 (JSC::DFG::SpeculativeJIT::isInteger): Deleted.
2584 * dfg/DFGSpeculativeJIT32_64.cpp:
2585 (JSC::DFG::SpeculativeJIT::fillJSValue):
2586 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2587 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2588 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2589 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2590 (JSC::DFG::SpeculativeJIT::compile):
2591 * dfg/DFGSpeculativeJIT64.cpp:
2592 (JSC::DFG::SpeculativeJIT::fillJSValue):
2593 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2594 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
2595 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2596 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2597 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2598 (JSC::DFG::SpeculativeJIT::compile):
2599 * dfg/DFGStrengthReductionPhase.cpp:
2600 (JSC::DFG::StrengthReductionPhase::handleNode):
2601 * dfg/DFGValidate.cpp:
2602 (JSC::DFG::Validate::validate):
2603 * dfg/DFGValueStrength.cpp: Added.
2604 (WTF::printInternal):
2605 * dfg/DFGValueStrength.h: Added.
2607 * dfg/DFGVariableEventStream.cpp:
2608 (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2609 (JSC::DFG::VariableEventStream::reconstruct):
2610 * dfg/DFGVariableEventStream.h:
2611 * dfg/DFGWatchableStructureWatchingPhase.cpp:
2612 (JSC::DFG::WatchableStructureWatchingPhase::run):
2613 (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
2614 * dfg/DFGWatchpointCollectionPhase.cpp:
2615 (JSC::DFG::WatchpointCollectionPhase::handle):
2616 * ftl/FTLCapabilities.cpp:
2617 (JSC::FTL::canCompile):
2620 * ftl/FTLLowerDFGToLLVM.cpp:
2621 (JSC::FTL::LowerDFGToLLVM::compileNode):
2622 (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
2623 (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
2624 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
2625 (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
2626 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
2627 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
2628 (JSC::FTL::LowerDFGToLLVM::lowInt32):
2629 (JSC::FTL::LowerDFGToLLVM::lowCell):
2630 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
2631 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
2632 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
2633 (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
2634 * ftl/FTLOSRExitCompiler.cpp:
2635 (JSC::FTL::compileStub):
2636 * runtime/JSCJSValue.cpp:
2637 (JSC::JSValue::dumpInContext):
2638 (JSC::JSValue::dumpInContextAssumingStructure):
2639 * runtime/JSCJSValue.h:
2641 2014-07-24 Brent Fulgham <bfulgham@apple.com>
2643 [Win] Correct build order in JavaScriptCore.submit.sln
2644 https://bugs.webkit.org/show_bug.cgi?id=135282
2645 <rdar://problem/17805592>
2647 Unreviewed build fix.
2649 * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
2650 such that LLIntDesiredOffset is built prior to the rest of JSC.
2652 2014-07-24 Mark Lam <mark.lam@apple.com>
2654 JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
2655 <https://webkit.org/b/135258>
2657 Reviewed by Mark Hahnenberg.
2659 Where needed, we cache the prototype object pointer in a stack local var.
2660 This allows it to be scanned by the GC, and hence be kept alive until
2661 we use it. The constructor object will in turn be kept alive by the
2664 Also added some comments to warn against future code additions that could
2667 * API/JSWrapperMap.mm:
2668 (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
2669 (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
2670 (-[JSObjCClassInfo wrapperForObject:]):
2671 (-[JSObjCClassInfo constructor]):
2673 2014-07-24 Joseph Pecoraro <pecoraro@apple.com>
2675 JSLock release should only modify the AtomicStringTable if it modified in acquire
2676 https://bugs.webkit.org/show_bug.cgi?id=135143
2678 Reviewed by Darin Adler.
2680 * runtime/JSLock.cpp:
2681 (JSC::JSLock::JSLock):
2682 Initialize the member variable to nullptr.
2684 (JSC::JSLock::willDestroyVM):
2685 Update style to use nullptr instead of 0.
2687 (JSC::JSLock::willReleaseLock):
2688 We should only reset the thread data's atomic string table if
2689 didAcquireLock changed it. m_entryAtomicStringTable will have
2690 been set by didAcquireLock if it changed, or nullptr if it didn't.
2691 This way we are sure we are balanced, regardless of m_vm changes.
2693 2014-07-24 Peyton Randolph <prandolph@apple.com>
2695 Rename feature flag for long-press gesture on Mac.
2696 https://bugs.webkit.org/show_bug.cgi?id=135259
2698 Reviewed by Beth Dakin.
2700 * Configurations/FeatureDefines.xcconfig:
2701 Rename LINK_LONG_PRESS to MAC_LONG_PRESS.
2703 2014-07-24 Commit Queue <commit-queue@webkit.org>
2705 Unreviewed, rolling out r171527.
2706 https://bugs.webkit.org/show_bug.cgi?id=135265
2708 Breaks JSC API tests (Requested by mlam on #webkit).
2712 "JSWrapperMap's jsWrapperForObject() needs to defer GC."
2713 https://bugs.webkit.org/show_bug.cgi?id=135258
2714 http://trac.webkit.org/changeset/171527
2716 2014-07-24 Mark Hahnenberg <mhahnenberg@apple.com>
2718 Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
2719 https://bugs.webkit.org/show_bug.cgi?id=135250
2721 Reviewed by Geoffrey Garen.
2723 JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its
2724 JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype
2725 chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
2726 the JSProxy's prototype fixes the issue.
2728 * API/JSValueRef.cpp:
2729 (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
2730 would claim it wasn't of the specified class, even if the target was of the specified class.
2731 * API/tests/CustomGlobalObjectClassTest.c: Added.
2733 (customGlobalObjectClassTest):
2734 * API/tests/CustomGlobalObjectClassTest.h: Added.
2735 * API/tests/testapi.c:
2738 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
2739 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
2740 * JavaScriptCore.xcodeproj/project.pbxproj:
2741 * runtime/JSGlobalObject.cpp:
2742 (JSC::JSGlobalObject::resetPrototype):
2744 2014-07-24 Brian J. Burg <burg@cs.washington.edu>
2746 Web Replay: don't encode/decode primitive types that lack explicit sizes
2747 https://bugs.webkit.org/show_bug.cgi?id=133430
2749 Reviewed by Anders Carlsson.
2751 Don't support encode/decode of unsigned long, since its size is compiler-dependent.
2753 * replay/EncodedValue.cpp:
2754 (JSC::EncodedValue::convertTo<unsigned long>):
2755 (JSC::unsigned long>::encodeValue): Deleted.
2756 * replay/EncodedValue.h:
2758 2014-07-24 Mark Lam <mark.lam@apple.com>
2760 JSWrapperMap's jsWrapperForObject() needs to defer GC.
2761 <https://webkit.org/b/135258>
2763 Reviewed by Oliver Hunt.
2765 In the process of creating a JS wrapper, jsWrapperForObject() will create
2766 the prototype and constructor of the corresponding ObjC class, as well as
2767 for classes in its inheritance chain. These prototypes and constructors
2768 are stored in Weak references in the JSObjCClassInfo objects. During all
2769 the allocation that is being done to create all the prototypes and
2770 constructors as well as the wrapper objects, a GC may occur thereby
2771 collecting one or more of these newly created prototype and constructor
2774 One example of where this problem can manifest is in wrapperForObject()
2775 which is called from jsWrapperForObject(). In wrapperForObject(), we do
2776 the following steps:
2778 1. reallocateConstructorAndOrPrototype() which creates the prototype
2779 object and stores it in JSObjCClassInfo's m_prototype which is a Weak
2781 2. makeWrapper() to create the wrapper object, which may trigger a GC.
2782 GC will collect the prototype object and nullify the corresponding
2783 JSObjCClassInfo's m_prototype Weak ref.
2784 3. call JSObjectSetPrototype() to set the JSObjCClassInfo's m_prototype
2785 in the newly created wrapper. This results in the wrapper getting a
2786 jsNull as a prototype instead of the expected prototype object.
2788 To ensure that the prototype and constructor objects are retained until
2789 they can be referenced properly from the wrapper object,
2790 jsWrapperForObject() should defer GC until it's done with its work.
2792 * API/JSWrapperMap.mm:
2793 (-[JSWrapperMap jsWrapperForObject:]):
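The three-step sequence above, together with the two fixes the JSWrapperMap entries describe (deferring GC as in r171527, and the later change that caches the prototype in a stack local the GC scans), modelled as an added C++ example. This is a constructed toy heap, not JavaScriptCore's code: Heap, DeferGC, StackRoot, ClassInfo and the wrapperForObject* functions are hypothetical names, and the stack-local root is modelled as an explicit root rather than conservative stack scanning.

```cpp
#include <algorithm>
#include <memory>
#include <unordered_set>
#include <vector>

// Toy heap object: only a prototype link, standing in for a JS object's [[Prototype]].
struct Object { Object* prototype = nullptr; };

// Mark-and-sweep toy heap (constructed for this example, not JSC's Heap). Every
// allocation is a safepoint and, to make the hazard deterministic, always collects
// unless collection is deferred. Weak slots are Object* cells the collector nulls
// when their target dies, like JSC's Weak<T>.
class Heap {
public:
    Object* allocate() {
        if (deferCount_ == 0)
            collect();
        objects_.emplace_back(new Object);
        return objects_.back().get();
    }
    void addRoot(Object* o) { roots_.insert(o); }
    void removeRoot(Object* o) { roots_.erase(o); }
    void registerWeak(Object** slot) { weaks_.push_back(slot); }
    void deferGC() { ++deferCount_; }
    void undeferGC() { --deferCount_; }

    void collect() {
        std::unordered_set<Object*> marked;
        for (Object* root : roots_)             // mark: walk each root's prototype chain
            for (Object* o = root; o && marked.insert(o).second; o = o->prototype) { }
        for (Object** slot : weaks_)            // clear weak slots that point at dead objects
            if (*slot && !marked.count(*slot))
                *slot = nullptr;
        objects_.erase(std::remove_if(objects_.begin(), objects_.end(),
            [&](const std::unique_ptr<Object>& p) { return !marked.count(p.get()); }),
            objects_.end());                    // sweep everything unmarked
    }

private:
    std::vector<std::unique_ptr<Object>> objects_;
    std::unordered_set<Object*> roots_;
    std::vector<Object**> weaks_;
    int deferCount_ = 0;
};

// RAII stand-ins: DeferGC for JSC's DeferGC; StackRoot for a stack local that the
// conservative collector would scan, modelled here as an explicit root.
struct DeferGC {
    Heap& heap;
    explicit DeferGC(Heap& h) : heap(h) { heap.deferGC(); }
    ~DeferGC() { heap.undeferGC(); }
};
struct StackRoot {
    Heap& heap; Object* object;
    StackRoot(Heap& h, Object* o) : heap(h), object(o) { heap.addRoot(object); }
    ~StackRoot() { heap.removeRoot(object); }
};

// Per-class info whose only reference to its prototype is a weak slot, like
// JSObjCClassInfo's m_prototype.
struct ClassInfo { Object* prototype = nullptr; };

// Steps 1-3 from the change description: the weak slot is the sole reference to the
// prototype when the wrapper allocation triggers a collection.
Object* wrapperForObjectBuggy(Heap& heap, ClassInfo& info) {
    info.prototype = heap.allocate();            // 1. reallocateConstructorAndOrPrototype
    Object* wrapper = heap.allocate();           // 2. makeWrapper: GC nulls the weak slot
    wrapper->prototype = info.prototype;         // 3. JSObjectSetPrototype gets null
    return wrapper;
}

// Fix as in r171527: defer collection for the whole operation.
Object* wrapperForObjectDeferGC(Heap& heap, ClassInfo& info) {
    DeferGC defer(heap);
    info.prototype = heap.allocate();
    Object* wrapper = heap.allocate();           // no collection can run here
    wrapper->prototype = info.prototype;
    return wrapper;
}

// Fix as in the later change: cache the prototype in a stack local the GC scans.
Object* wrapperForObjectStackLocal(Heap& heap, ClassInfo& info) {
    Object* prototype = info.prototype = heap.allocate();
    StackRoot keepAlive(heap, prototype);
    Object* wrapper = heap.allocate();           // collection marks prototype via the root
    wrapper->prototype = prototype;
    return wrapper;
}

// Runs one variant on a fresh heap; true when the wrapper's prototype is the live
// object the class info still points at.
bool wrapperGetsPrototype(Object* (*variant)(Heap&, ClassInfo&)) {
    Heap heap;
    ClassInfo info;
    heap.registerWeak(&info.prototype);
    Object* wrapper = variant(heap, info);
    return wrapper->prototype && wrapper->prototype == info.prototype;
}
```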
2795 2014-07-23 Brent Fulgham <bfulgham@apple.com>
2797 Build fix after r171482.
2799 Rubberstamped by Joe Pecoraro.
2801 * runtime/Identifier.h: Make header declarations match
2802 implementation file.
2804 2014-07-23 Brent Fulgham <bfulgham@apple.com>
2806 [Win] Use NO_RETURN_DUE_TO_CRASH on Windows
2807 https://bugs.webkit.org/show_bug.cgi?id=135199
2809 Reviewed by Mark Lam.
2812 (WTF::RuntimeArray::deleteProperty): Stop using ugly
2813 compiler work-around on Windows; use NO_RETURN_DUE_TO_CRASH
2815 * runtime/Identifier.h: Add NO_RETURN_DUE_TO_CRASH
2816 to header so function declaration matches implementation.
2818 2014-07-23 Bem Jones-Bey <bjonesbe@adobe.com>
2820 Remove CSS_EXCLUSIONS compile flag and leftover code
2821 https://bugs.webkit.org/show_bug.cgi?id=135175
2823 Reviewed by Zoltan Horvath.
2825 At this point, the CSS_EXCLUSIONS flag guards nothing but some useless
2826 stubs. This removes the flag and the useless code.
2828 * Configurations/FeatureDefines.xcconfig:
2830 2014-07-23 Commit Queue <commit-queue@webkit.org>
2832 Unreviewed, rolling out r171367.
2833 https://bugs.webkit.org/show_bug.cgi?id=135192
2835 broke three API tests (Requested by thorton on #webkit).
2839 "JSLock release should only modify the AtomicStringTable if it
2840 modified in acquire"
2841 https://bugs.webkit.org/show_bug.cgi?id=135143
2842 http://trac.webkit.org/changeset/171367
2844 2014-07-22 László Langó <llango.u-szeged@partner.samsung.com>
2846 [EFL] Build fix after the [ftlopt] branch merge.
2848 Reviewed by Csaba Osztrogonác.
2850 * dfg/DFGBranchDirection.h:
2851 (JSC::DFG::branchDirectionToString):
2852 * dfg/DFGStructureClobberState.h:
2855 2014-07-22 Brent Fulgham <bfulgham@apple.com>
2857 Build fix for non-clang compile.
2860 (WTF::RuntimeArray::put): Remove incorrect return statement
2863 2014-07-22 Brent Fulgham <bfulgham@apple.com>
2865 Build fix for non-clang compile.
2868 (WTF::RuntimeArray::deleteProperty): Need (fake) return
2869 value when NO_RETURN_DUE_TO_CRASH is not defined.
2871 2014-07-22 Filip Pizlo <fpizlo@apple.com>
2873 Merge r169628 from ftlopt.
2875 2014-06-04 Matthew Mirman <mmirman@apple.com>
2877 Added system for inlining native functions via the FTL.
2878 https://bugs.webkit.org/show_bug.cgi?id=131515
2880 Reviewed by Filip Pizlo.
2882 Also fixed the build to not compress the bitcode and to
2883 include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO,
2884 the produced bitcode files are a 100th the size they were before.
2885 Now we can include all of the relevant runtime files with only a 3mb overhead.
2886 This is the same overhead as for two compressed files before,
2887 but done more efficiently (on both ends) and with less code.
2889 Deciding whether to inline native functions is left up to LLVM.
2890 The entire module containing the function is linked into the current
2891 compiled JS so that inlining the native functions shouldn't make them smaller.
2893 Rather than loading Runtime.symtbl at runtime FTLState.cpp now generates a file
2894 InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.
2896 * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
2897 * build-symbol-table-index.py: Changed bitcode suffix.
2898 Added inclusion of only tested symbols.
2899 Added output to InlineRuntimeSymbolTable.h.
2900 * build-symbol-table-index.sh: Changed bitcode suffix.
2901 * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
2902 * tested-symbols.symlst: Added.
2903 * dfg/DFGByteCodeParser.cpp:
2904 (JSC::DFG::ByteCodeParser::handleCall):
2905 Now sets the knownFunction of the call node if such a function exists
2906 and emits a check that during runtime the callee is in fact known.
2908 Added functions to set the known function of a call node.
2909 (JSC::DFG::Node::canBeKnownFunction): Added.
2910 (JSC::DFG::Node::hasKnownFunction): Added.
2911 (JSC::DFG::Node::knownFunction): Added.
2912 (JSC::DFG::Node::giveKnownFunction): Added.
2913 * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
2914 * ftl/FTLAbbreviations.h: Added some abbreviations.
2915 * ftl/FTLLowerDFGToLLVM.cpp:
2916 (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
2917 (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
2918 (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
2919 (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
2920 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
2921 Added call to possiblyCompileInlineableNativeCall
2923 (JSC::FTL::Output::allocaName): Added. Useful for debugging.
2925 (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
2926 * ftl/FTLState.h: Added symbol table hash table.
2927 * ftl/FTLCompile.cpp:
2928 (JSC::FTL::compile): Added inlining and dead function elimination passes.
2929 * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
2930 * llvm/InitializeLLVMMac.mm: Deleted.
2931 * llvm/InitializeLLVMMac.cpp: Added.
2932 * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
2933 * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
2934 * runtime/BundlePath.h: Added.
2935 * runtime/BundlePath.mm: Added.
2936 * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
2937 * runtime/DateInstance.h: ditto.
2938 * runtime/DateConversion.h: ditto.
2939 * runtime/ExceptionHelpers.h: ditto.
2940 * runtime/JSCJSValue.h: ditto.
2941 * runtime/JSArray.h: ditto.
2942 * runtime/JSDateMath.h: ditto.
2943 * runtime/JSObject.h: ditto.
2944 * runtime/JSObject.h: ditto.
2945 * runtime/RegExp.h: ditto.
2946 * runtime/Structure.h: ditto.
2947 * runtime/Options.h: Added maximumLLVMInstructionCountForNativeInlining.
2949 2014-07-22 Mark Lam <mark.lam@apple.com>
2951 Array.concat() should work on runtime arrays too.
2952 <https://webkit.org/b/135179>
2954 Reviewed by Geoffrey Garen.
2957 (WTF::RuntimeArray::create):
2958 (WTF::RuntimeArray::~RuntimeArray):
2959 (WTF::RuntimeArray::destroy):
2960 (WTF::RuntimeArray::getOwnPropertySlot):
2961 (WTF::RuntimeArray::getOwnPropertySlotByIndex):
2962 (WTF::RuntimeArray::put):
2963 (WTF::RuntimeArray::deleteProperty):
2964 (WTF::RuntimeArray::getLength):
2965 (WTF::RuntimeArray::createPrototype):
2966 (WTF::RuntimeArray::createStructure):
2967 (WTF::RuntimeArray::finishCreation):
2968 (WTF::RuntimeArray::RuntimeArray):
2969 (WTF::RuntimeArray::lengthGetter):
2970 (GlobalObject::finishCreation):
2971 (functionCreateRuntimeArray):
2972 - Added support to create a runtime array for testing purposes.
2973 * runtime/ArrayPrototype.cpp:
2975 - Added fast case for when the array object is a JSArray.
2976 (JSC::arrayProtoFuncJoin):
2977 - Added a needed but missing exception check.
2978 (JSC::arrayProtoFuncConcat):
2979 - Use getLength() to compute the array length instead of assuming that
2980 the array is a JSArray instance.
2981 * tests/stress/regexp-matches-array.js: Added.
2983 * tests/stress/runtime-array.js: Added.
2986 2014-07-22 Brent Fulgham <bfulgham@apple.com>
2988 Fix Windows (return a value!)
2991 (functionQuit): Satisfy compiler's need for
2994 2014-07-22 Brent Fulgham <bfulgham@apple.com>
2996 Fix Windows (sleep -> Sleep)
3001 2014-07-22 Filip Pizlo <fpizlo@apple.com>
3008 2014-07-22 Filip Pizlo <fpizlo@apple.com>
3012 * dfg/DFGSpeculativeJIT32_64.cpp:
3013 (JSC::DFG::SpeculativeJIT::compile):
3015 2014-07-22 Filip Pizlo <fpizlo@apple.com>
3017 Merge r169148, r169185, r169188, r169578, r169582, r169584, r169588, r169753 from ftlopt.
3019 Note that r169753 is merged out of order because it fixes a bug in r169588.
3021 2014-06-10 Filip Pizlo <fpizlo@apple.com>
3023 [ftlopt] Structure::dfgShouldWatchIfPossible() is unsound
3024 https://bugs.webkit.org/show_bug.cgi?id=133624
3026 Reviewed by Mark Hahnenberg.
3028 * runtime/Structure.h:
3029 (JSC::Structure::dfgShouldWatchIfPossible): Make it sound and add some verbiage.
3031 2014-06-04 Filip Pizlo <fpizlo@apple.com>
3033 [ftlopt] AI should be able to track structure sets larger than 1
3034 https://bugs.webkit.org/show_bug.cgi?id=128073
3036 Reviewed by Oliver Hunt.
3038 This makes two major changes to how AI (abstract interpreter) proves that a value has
3041 - StructureAbstractValue can now track an arbitrary number of structures. A set whose
3042 size is greater than one means that the value may have any of the structures, and we
3043 don't know which - but we do know that it cannot be any structure not in the set. The
3044 structure abstract value can still be TOP, which means the set of all structures. We
3045 artificially limit the set size to StructureAbstractValue::polymorphismLimit to guard
3046 memory explosion on pathological programs. This limit is big enough that it wouldn't
3047 kick in for normal code, since we have other heuristics that limit the number of
3048 structures that we would allow an inline cache to know about.
3050 - We eagerly set watchpoints on all watchable structures and then we assume that
3051 watchable structures are being watched, and that the watchpoint will jettison the code.
3052 This allows tracking of watchable structures to be far simpler than before. Previously,
3053 a structure being tracked as "future possible" was predicated on it being watchable but
3054 we might not actually watch it. This makes algebra over sets of future possible
3055 structures quite weird. But watching all watchable structures means that we simply say
3056 that a structure set can be in the following states: unclobbered, which means it's just
3057 a set of structures and it doesn't matter what is watchable or what isn't because we've
3058 proven that the value must have one of these structures right now; and clobbered, which
3059 means that we have a set of structures, plus all possible structures temporarily, with
3060 invalidation removing the "plus all possible structures". Clobbering a set means that
3061 if any of its structures are unwatchable, the set just becomes TOP; but if all
3062 structures in the set are watchable then we just set the clobbered bit to add the "plus
3063 all possible structures temporarily" thing. This precisely tracks the exact meaning of
3064 watchability and invalidation points.
3066 Slight SunSpider slow-down, neutral on Octane, slight AsmBench speed-up. I believe that
3067 we will ultimately undo the SunSpider slow-down by making further improvements to the set
3068 representation. I believe that Octane performance will ultimately improve once we remove
3069 remaining singleton special-cases. The ultimate goal of this is to remove the need to
3070 try quite so desperately hard to make everything monomorphic as we do currently.
3073 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3074 * JavaScriptCore.xcodeproj/project.pbxproj:
3075 * bytecode/StructureSet.cpp:
3076 (JSC::StructureSet::clear):
3077 (JSC::StructureSet::remove):
3078 (JSC::StructureSet::filter):
3079 (JSC::StructureSet::copyFromOutOfLine):
3080 (JSC::StructureSet::StructureSet): Deleted.
3081 (JSC::StructureSet::operator=): Deleted.
3082 (JSC::StructureSet::copyFrom): Deleted.
3083 * bytecode/StructureSet.h:
3084 (JSC::StructureSet::StructureSet):
3085 (JSC::StructureSet::operator=):
3086 (JSC::StructureSet::isEmpty):
3087 (JSC::StructureSet::genericFilter):
3088 (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine):
3089 (JSC::StructureSet::ContainsOutOfLine::operator()):
3090 (JSC::StructureSet::copyFrom):
3091 (JSC::StructureSet::deleteStructureListIfNecessary):
3092 (JSC::StructureSet::setEmpty):
3093 (JSC::StructureSet::getReservedFlag):
3094 (JSC::StructureSet::setReservedFlag):
3095 * dfg/DFGAbstractInterpreter.h:
3096 (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
3097 * dfg/DFGAbstractInterpreterInlines.h:
3098 (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
3099 (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3100 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3101 (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars):
3102 (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
3103 (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
3104 (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
3105 (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
3106 (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber):
3107 (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
3108 * dfg/DFGAbstractValue.cpp:
3109 (JSC::DFG::AbstractValue::observeTransitions):
3110 (JSC::DFG::AbstractValue::setMostSpecific):
3111 (JSC::DFG::AbstractValue::set):
3112 (JSC::DFG::AbstractValue::filter):
3113 (JSC::DFG::AbstractValue::shouldBeClear):
3114 (JSC::DFG::AbstractValue::normalizeClarity):
3115 (JSC::DFG::AbstractValue::checkConsistency):
3116 (JSC::DFG::AbstractValue::assertIsWatched):
3117 (JSC::DFG::AbstractValue::dumpInContext):
3118 (JSC::DFG::AbstractValue::setFuturePossibleStructure): Deleted.
3119 * dfg/DFGAbstractValue.h:
3120 (JSC::DFG::AbstractValue::clear):
3121 (JSC::DFG::AbstractValue::clobberStructures):
3122 (JSC::DFG::AbstractValue::clobberStructuresFor):
3123 (JSC::DFG::AbstractValue::observeInvalidationPoint):
3124 (JSC::DFG::AbstractValue::observeInvalidationPointFor):
3125 (JSC::DFG::AbstractValue::observeTransition):
3126 (JSC::DFG::AbstractValue::TransitionObserver::TransitionObserver):
3127 (JSC::DFG::AbstractValue::TransitionObserver::operator()):
3128 (JSC::DFG::AbstractValue::TransitionsObserver::TransitionsObserver):
3129 (JSC::DFG::AbstractValue::TransitionsObserver::operator()):
3130 (JSC::DFG::AbstractValue::isHeapTop):
3131 (JSC::DFG::AbstractValue::setType):
3132 (JSC::DFG::AbstractValue::operator==):
3133 (JSC::DFG::AbstractValue::merge):
3134 (JSC::DFG::AbstractValue::validate):
3135 (JSC::DFG::AbstractValue::hasClobberableState):
3136 (JSC::DFG::AbstractValue::assertIsWatched):
3137 (JSC::DFG::AbstractValue::observeIndexingTypeTransition):
3138 (JSC::DFG::AbstractValue::makeTop):
3139 (JSC::DFG::AbstractValue::bestProvenStructure): Deleted.
3140 * dfg/DFGAllocator.h:
3141 * dfg/DFGArgumentsSimplificationPhase.cpp:
3142 (JSC::DFG::ArgumentsSimplificationPhase::run):
3143 * dfg/DFGArrayMode.cpp:
3144 (JSC::DFG::ArrayMode::alreadyChecked):
3145 * dfg/DFGAtTailAbstractState.h:
3146 (JSC::DFG::AtTailAbstractState::structureClobberState):
3147 (JSC::DFG::AtTailAbstractState::setStructureClobberState):
3148 (JSC::DFG::AtTailAbstractState::setFoundConstants):
3149 (JSC::DFG::AtTailAbstractState::haveStructures): Deleted.
3150 (JSC::DFG::AtTailAbstractState::setHaveStructures): Deleted.
3151 * dfg/DFGBasicBlock.cpp:
3152 (JSC::DFG::BasicBlock::BasicBlock):
3153 * dfg/DFGBasicBlock.h:
3154 * dfg/DFGBranchDirection.h:
3155 (JSC::DFG::branchDirectionToString):
3156 (WTF::printInternal):
3157 * dfg/DFGByteCodeParser.cpp:
3158 (JSC::DFG::ByteCodeParser::handlePutById):
3159 * dfg/DFGCFAPhase.cpp:
3160 (JSC::DFG::CFAPhase::performBlockCFA):
3161 * dfg/DFGCSEPhase.cpp:
3162 (JSC::DFG::CSEPhase::checkStructureElimination):
3163 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
3164 (JSC::DFG::CSEPhase::performNodeCSE):
3165 * dfg/DFGClobberize.h:
3166 (JSC::DFG::clobberize):
3167 * dfg/DFGCommon.cpp:
3168 (JSC::DFG::startCrashing):
3169 (JSC::DFG::isCrashing):
3171 * dfg/DFGCommonData.cpp:
3172 (JSC::DFG::CommonData::notifyCompilingStructureTransition):
3173 * dfg/DFGConstantFoldingPhase.cpp:
3174 (JSC::DFG::ConstantFoldingPhase::foldConstants):
3175 (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
3176 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
3177 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
3178 * dfg/DFGDesiredWatchpoints.cpp:
3179 (JSC::DFG::DesiredWatchpoints::consider):
3180 (JSC::DFG::DesiredWatchpoints::addLazily): Deleted.
3181 * dfg/DFGDesiredWatchpoints.h:
3182 (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
3183 (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
3184 (JSC::DFG::GenericDesiredWatchpoints::isWatched):
3185 (JSC::DFG::DesiredWatchpoints::isWatched):
3186 (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet): Deleted.
3187 (JSC::DFG::GenericDesiredWatchpoints::addLazily): Deleted.
3188 (JSC::DFG::GenericDesiredWatchpoints::isStillValid): Deleted.
3189 (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState): Deleted.
3190 (JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed): Deleted.
3191 (JSC::DFG::DesiredWatchpoints::isStillValid): Deleted.
3192 (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState): Deleted.
3193 (JSC::DFG::DesiredWatchpoints::isValidOrMixed): Deleted.
3194 * dfg/DFGDoesGC.cpp:
3196 * dfg/DFGFixupPhase.cpp:
3197 (JSC::DFG::FixupPhase::fixupNode):
3198 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
3199 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3201 (JSC::DFG::Graph::~Graph):
3202 (JSC::DFG::Graph::dump):
3203 (JSC::DFG::Graph::dumpBlockHeader):
3204 (JSC::DFG::Graph::tryGetFoldableView):