2013-03-12 Gabor Rapcsanyi <rgabor@webkit.org>

        https://bugs.webkit.org/show_bug.cgi?id=112141
        LLInt CLoop backend misses Double2Ints() on 32bit architectures

        Reviewed by Filip Pizlo.

        Implement Double2Ints() in CLoop backend of LLInt on 32bit architectures.

        * llint/LowLevelInterpreter.cpp:
        (JSC::LLInt::Double2Ints):
        * offlineasm/cloop.rb:

2013-03-12 Gabor Rapcsanyi <rgabor@webkit.org>

        Making more sophisticated cache flush on ARM Linux platform
        https://bugs.webkit.org/show_bug.cgi?id=111854

        Reviewed by Zoltan Herczeg.

        The cache flush on ARM Linux invalidates whole pages
        instead of just the required area.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::linuxPageFlush):
        (JSC::ARMAssembler::cacheFlush):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::linuxPageFlush):
        (JSC::ARMv7Assembler::cacheFlush):

2013-03-12 Gabor Rapcsanyi <rgabor@webkit.org>

        Renaming the armv7.rb LLINT backend to arm.rb
        https://bugs.webkit.org/show_bug.cgi?id=110565

        Reviewed by Zoltan Herczeg.

        This is the first step of a unified ARM backend for
        all ARM 32 bit architectures in LLInt.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * LLIntOffsetsExtractor.pro:
        * offlineasm/arm.rb: Copied from Source/JavaScriptCore/offlineasm/armv7.rb.
        * offlineasm/armv7.rb: Removed.
        * offlineasm/backends.rb:

2013-03-12 Csaba Osztrogonác <ossy@webkit.org>

        REGRESSION(r145482): It broke 33 jsc tests and a zillion layout tests on all platforms
        https://bugs.webkit.org/show_bug.cgi?id=112112

        Reviewed by Oliver Hunt.

        Rolling out https://trac.webkit.org/changeset/145482 to unbreak the bots.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h:
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2013-03-12 Filip Pizlo <fpizlo@apple.com>

        DFG prediction propagation phase should not rerun forward propagation if double voting has already converged
        https://bugs.webkit.org/show_bug.cgi?id=111920

        Reviewed by Oliver Hunt.

        I don't know why we weren't exiting early after double voting if !m_changed.

        This change also removes backwards propagation from the voting fixpoint, since at that
        point short-circuiting loops is probably not particularly profitable. Profiling shows
        that this reduces the time spent in prediction propagation even further.

        This change appears to be a 1% SunSpider speed-up.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):

2013-03-11 Filip Pizlo <fpizlo@apple.com>

        DFG overflow check elimination is too smart for its own good
        https://bugs.webkit.org/show_bug.cgi?id=111832

        Reviewed by Oliver Hunt and Gavin Barraclough.

        Rolling this back in after fixing accidental misuse of JSValue. The code was doing value < someInt
        rather than value.asInt32() < someInt. This "worked" when isWithinPowerOfTwo wasn't templatized.
        It worked by always being false and always disabling the relevant optimization.

        This improves overflow check elimination in three ways:

        1) It reduces the amount of time the compiler will spend doing it.

        2) It fixes bugs where overflow check elimination was overzealous. Precisely, for a binary operation
        over @a and @b where both @a and @b will type check that their inputs (@a->children, @b->children)
        are int32's and then perform a possibly-overflowing operation, we must be careful not to assume
        that @a's non-int32 parts don't matter if at the point that @a runs we have as yet not proved that
        @b->children are int32's and that hence @b might produce a large enough result that doubles would
        start chopping low bits. The specific implication of this is that for a binary operation to not
        propagate that it cares about non-int32 parts (NodeUsedAsNumber), we must prove that at least one
        of the inputs is guaranteed to produce a result within 2^32 and that there won't be a tower of such
        operations large enough to ultimately produce a double greater than 2^52 (roughly). We achieve the
        latter by disabling this optimization for very large basic blocks. It's noteworthy that blocks that
        large won't even make it into the DFG currently.

        3) It makes the overflow check elimination more precise for cases where the inputs to an Add or Sub
        are the outputs of a bit-op. For example in (@a + (@b | 0)) | 0, we don't need to propagate
        NodeUsedAsNumber to either @a or @b.

        This is neutral on V8v7 and a slight speed-up on compile time benchmarks.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Added.
        (BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::run):
        (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
        (JSC::DFG::BackwardsPropagationPhase::isNotZero):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        (JSC::DFG::performBackwardsPropagation):
        * dfg/DFGBackwardsPropagationPhase.h: Added.
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::clearIsLoadedFrom):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::setIsLoadedFrom):
        (JSC::DFG::VariableAccessData::isLoadedFrom):

2013-03-11 Oliver Hunt <oliver@apple.com>

        Harden JSStringJoiner
        https://bugs.webkit.org/show_bug.cgi?id=112093

        Reviewed by Filip Pizlo.

        Harden JSStringJoiner, make it use our CheckedArithmetic
        class to simplify everything.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h:
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):
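
Added illustration (not WebKit's code) of the hardening described in the "Harden JSStringJoiner" entry above: a joiner sizes its output buffer by summing the lengths of every piece plus the separators, and that sum must never be allowed to wrap silently. The CheckedUint32 class below is a simplified stand-in for JSC's CheckedArithmetic, and the function names and length-list interface are this example's own.

```cpp
#include <cstdint>
#include <limits>
#include <string>
#include <vector>

// Simplified stand-in for JSC's CheckedArithmetic (not the real class): an
// unsigned 32-bit accumulator with a sticky overflow flag, so a wrap anywhere
// in a chain of adds and multiplies is remembered until the caller asks.
class CheckedUint32 {
public:
    explicit CheckedUint32(uint32_t value = 0) : m_value(value), m_overflowed(false) { }

    CheckedUint32& operator+=(uint32_t rhs)
    {
        if (rhs > std::numeric_limits<uint32_t>::max() - m_value)
            m_overflowed = true;
        m_value += rhs; // unsigned wrap is well defined; the flag records it
        return *this;
    }

    CheckedUint32& operator*=(uint32_t rhs)
    {
        if (m_value && rhs > std::numeric_limits<uint32_t>::max() / m_value)
            m_overflowed = true;
        m_value *= rhs;
        return *this;
    }

    bool hasOverflowed() const { return m_overflowed; }
    // Only meaningful after hasOverflowed() returned false.
    uint32_t unsafeValue() const { return m_value; }

private:
    uint32_t m_value;
    bool m_overflowed;
};

// The shape being replaced: the output length is summed in a plain unsigned.
// A join whose true length exceeds 2^32 - 1 wraps to a small number, and a
// buffer sized from it is far too small for the characters copied in later.
uint32_t uncheckedJoinedLength(const std::vector<uint32_t>& lengths, uint32_t separatorLength)
{
    uint32_t total = 0;
    for (uint32_t length : lengths)
        total += length;
    if (!lengths.empty())
        total += separatorLength * static_cast<uint32_t>(lengths.size() - 1);
    return total;
}

// The hardened shape: every step goes through CheckedUint32 and the caller
// gets an explicit yes/no on whether the resulting size can be trusted.
bool checkedJoinedLength(const std::vector<uint32_t>& lengths, uint32_t separatorLength, uint32_t& outLength)
{
    CheckedUint32 total;
    for (uint32_t length : lengths)
        total += length;
    if (!lengths.empty()) {
        CheckedUint32 separators(separatorLength);
        separators *= static_cast<uint32_t>(lengths.size() - 1);
        if (separators.hasOverflowed())
            return false;
        total += separators.unsafeValue();
    }
    if (total.hasOverflowed())
        return false;
    outLength = total.unsafeValue();
    return true;
}

// A join that refuses to proceed when the checked size computation fails,
// rather than allocating from a wrapped length and overrunning the buffer.
bool join(const std::vector<std::string>& parts, const std::string& separator, std::string& result)
{
    std::vector<uint32_t> lengths;
    for (const std::string& part : parts)
        lengths.push_back(static_cast<uint32_t>(part.size()));
    uint32_t needed = 0;
    if (!checkedJoinedLength(lengths, static_cast<uint32_t>(separator.size()), needed))
        return false;
    result.clear();
    result.reserve(needed);
    for (size_t i = 0; i < parts.size(); ++i) {
        if (i)
            result += separator;
        result += parts[i];
    }
    return true;
}
```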

2013-03-11 Michael Saboff <msaboff@apple.com>

        Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only)
        https://bugs.webkit.org/show_bug.cgi?id=112067

        Reviewed by Geoffrey Garen.

        We weren't setting the tag in SetCallee. Therefore set it to CellTag.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-11 Oliver Hunt <oliver@apple.com>

        Make SegmentedVector Noncopyable
        https://bugs.webkit.org/show_bug.cgi?id=112059

        Reviewed by Geoffrey Garen.

        Copying a SegmentedVector is very expensive, and really shouldn't
        be necessary. So I've taken the one place where we currently copy
        and replaced it with a regular Vector, and replaced the address
        dependent logic with an indexing ref instead.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::emitComplexJumpScopes):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/LabelScope.h:
        (JSC::LabelScopePtr::LabelScopePtr):
        (JSC::LabelScopePtr::operator=):
        (JSC::LabelScopePtr::~LabelScopePtr):
        (JSC::LabelScopePtr::operator*):
        (JSC::LabelScopePtr::operator->):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::LabelNode::emitBytecode):

2013-03-10 Andreas Kling <akling@apple.com>

        SpeculativeJIT should use OwnPtr<SlowPathGenerator>.
        <http://webkit.org/b/111942>

        Reviewed by Anders Carlsson.

        There's no need to include DFGSlowPathGenerator.h from the header as long as the destructor is out-of-line,
        so let's use OwnPtr instead of raw pointers + deleteAllValues().

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
        * dfg/DFGSpeculativeJIT.h:

2013-03-09 Sheriff Bot <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r145299.
        http://trac.webkit.org/changeset/145299
        https://bugs.webkit.org/show_bug.cgi?id=111928

        compilation failure with recent clang
        (DFGBackwardsPropagationPhase.cpp:132:35: error: comparison of
        constant 10 with expression of type 'bool' is always false)
        (Requested by thorton on #webkit).

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Removed.
        * dfg/DFGBackwardsPropagationPhase.h: Removed.
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::isNotZero):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (VariableAccessData):

2013-03-08 Filip Pizlo <fpizlo@apple.com>

        DFG overflow check elimination is too smart for its own good
        https://bugs.webkit.org/show_bug.cgi?id=111832

        Reviewed by Oliver Hunt and Gavin Barraclough.

        This improves overflow check elimination in three ways:

        1) It reduces the amount of time the compiler will spend doing it.

        2) It fixes bugs where overflow check elimination was overzealous. Precisely, for a binary operation
        over @a and @b where both @a and @b will type check that their inputs (@a->children, @b->children)
        are int32's and then perform a possibly-overflowing operation, we must be careful not to assume
        that @a's non-int32 parts don't matter if at the point that @a runs we have as yet not proved that
        @b->children are int32's and that hence @b might produce a large enough result that doubles would
        start chopping low bits. The specific implication of this is that for a binary operation to not
        propagate that it cares about non-int32 parts (NodeUsedAsNumber), we must prove that at least one
        of the inputs is guaranteed to produce a result within 2^32 and that there won't be a tower of such
        operations large enough to ultimately produce a double greater than 2^52 (roughly). We achieve the
        latter by disabling this optimization for very large basic blocks. It's noteworthy that blocks that
        large won't even make it into the DFG currently.

        3) It makes the overflow check elimination more precise for cases where the inputs to an Add or Sub
        are the outputs of a bit-op. For example in (@a + (@b | 0)) | 0, we don't need to propagate
        NodeUsedAsNumber to either @a or @b.

        This is neutral on V8v7 and a slight speed-up on compile time benchmarks.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Added.
        (BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::run):
        (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
        (JSC::DFG::BackwardsPropagationPhase::isNotZero):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        (JSC::DFG::performBackwardsPropagation):
        * dfg/DFGBackwardsPropagationPhase.h: Added.
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::clearIsLoadedFrom):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::setIsLoadedFrom):
        (JSC::DFG::VariableAccessData::isLoadedFrom):
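
Added illustration for the two "DFG overflow check elimination is too smart for its own good" entries above (the 2013-03-08 landing and its 2013-03-11 re-landing). It is not WebKit code: it models in plain C++ the ECMAScript semantics the argument rests on, namely that a tower of int32 adds evaluated on doubles keeps the same low 32 bits as wrapping int32 arithmetic only while the exact result still fits the 53-bit integer range of a double (the "2^52 (roughly)" of the entry), which is why the phase must bound the tower height before it stops propagating NodeUsedAsNumber. The helper names are this example's own.

```cpp
#include <cmath>
#include <cstdint>

// ECMAScript ToInt32: truncate, reduce modulo 2^32, reinterpret as signed.
// This is what `x | 0` applies to the double-valued result of an arithmetic op.
int32_t toInt32(double d)
{
    if (!std::isfinite(d))
        return 0;
    const double twoTo32 = 4294967296.0;
    double m = std::fmod(std::trunc(d), twoTo32);
    if (m < 0)
        m += twoTo32;
    return static_cast<int32_t>(static_cast<uint32_t>(m));
}

// `(((v + v) + v) ...) | 0` as the spec evaluates it: every add is a double
// add, so once the running sum needs more than 53 significant bits it rounds,
// and the low bits that `| 0` later extracts are already gone.
int32_t doubleTowerThenToInt32(int32_t v, uint32_t count)
{
    double sum = 0;
    for (uint32_t i = 0; i < count; ++i)
        sum += static_cast<double>(v);
    return toInt32(sum);
}

// The same tower after overflow-check elimination: plain wrapping int32 adds.
// The DFG may only emit this where it is provably equal to the form above.
int32_t wrappingTower(int32_t v, uint32_t count)
{
    uint32_t sum = 0; // unsigned so the wrap is defined behaviour in C++
    for (uint32_t i = 0; i < count; ++i)
        sum += static_cast<uint32_t>(v);
    return static_cast<int32_t>(sum);
}

// Smallest tower height at which the two strategies disagree for value v, or
// 0 if they agree for every height up to limit. For INT32_MAX the answer is
// 2^22 + 1: 2^22 copies sum to 2^53 - 2^22 (still exact), one more crosses 2^53
// and the odd exact sum is rounded to an even neighbour.
uint32_t firstDivergence(int32_t v, uint32_t limit)
{
    double sum = 0;
    uint32_t wrapped = 0;
    for (uint32_t height = 1; height <= limit; ++height) {
        sum += static_cast<double>(v);
        wrapped += static_cast<uint32_t>(v);
        if (toInt32(sum) != static_cast<int32_t>(wrapped))
            return height;
    }
    return 0;
}

// A single multiply shows the effect without any tower: the exact product of
// two int32s can exceed 2^53, so the double result has lost low bits before
// `| 0` ever sees it (INT32_MAX * INT32_MAX ends in ...609, rounds to ...608).
int32_t doubleMulThenToInt32(int32_t a, int32_t b)
{
    return toInt32(static_cast<double>(a) * static_cast<double>(b));
}

int32_t wrappingMul(int32_t a, int32_t b)
{
    return static_cast<int32_t>(static_cast<uint32_t>(a) * static_cast<uint32_t>(b));
}
```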

2013-03-08 Roger Fong <roger_fong@apple.com>

        * JavaScriptCore.vcxproj/JavaScriptCore.make:

2013-03-08 Gabor Rapcsanyi <rgabor@webkit.org>

        Cache flush problem on ARMv7 JSC
        https://bugs.webkit.org/show_bug.cgi?id=111441

        Reviewed by Zoltan Herczeg.

        Improper cache flushing is causing random crashes on ARMv7 Linux with V8 tests.
        The problem is similar to https://bugs.webkit.org/show_bug.cgi?id=77712.
        Change the cache flush mechanism to be similar to ARM traditional and revert the

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::cacheFlush):

2013-03-07 Geoffrey Garen <ggaren@apple.com>

        REGRESSION (r143759): 40% JSBench regression, 20% Octane/closure regression, 40% Octane/jquery regression, 2% Octane regression
        https://bugs.webkit.org/show_bug.cgi?id=111797

        Reviewed by Oliver Hunt.

        The bot's testing configuration stresses the cache's starting guess

        This patch removes any starting guess, and just uses wall clock time
        to discover the initial working set size of an app, in code size.

        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase): Update our timer as we go.

        Also fixed a bug where pruning from 0 to 0 would hang -- that case is
        a possibility now that we start with a capacity of 0.

        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::CodeCacheMap):
        (JSC::CodeCacheMap::add):
        (JSC::CodeCacheMap::prune): Don't prune if we're in the middle of
        discovering the working set size of an app, in code size.

2013-03-07 Michael Saboff <msaboff@apple.com>

        Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article
        https://bugs.webkit.org/show_bug.cgi?id=111777

        Reviewed by Filip Pizlo.

        Moved register allocations to be above any generated control flow so that any
        resulting spill would be visible to all subsequently generated code.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-07 Filip Pizlo <fpizlo@apple.com>

        DFG should not get corrupted IR in the case of code that is dead, unreachable, and contains a chain of nodes that use each other in an untyped way
        https://bugs.webkit.org/show_bug.cgi?id=111783

        Reviewed by Mark Hahnenberg.

        Unreachable code is not touched by CFA and so thinks that even untyped uses are checked.
        But dead untyped uses don't need checks and hence don't need to be Phantom'd. The DCE knew
        this in findTypeCheckRoot() but not in eliminateIrrelevantPhantomChildren(), leading to a
        Phantom node that had another Phantom node as one of its kids.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):

2013-03-07 Filip Pizlo <fpizlo@apple.com>

        The DFG fixpoint is not strictly profitable, and should be straight-lined
        https://bugs.webkit.org/show_bug.cgi?id=111764

        Reviewed by Oliver Hunt and Geoffrey Garen.

        The DFG previously ran optimizations to fixpoint because there exists a circular dependency:

        CSE depends on CFG simplification: CFG simplification merges blocks, and CSE is block-local.

        CFG simplification depends on CFA and constant folding: constant folding reveals branches on

        CFA depends on CSE: CSE reveals must-alias relationships by proving that two operations
        always produce identical values.

        Arguments simplification also depends on CSE, but it ought not depend on anything else.

        Hence we get a cycle like: CFA -> folding -> CFG -> CSE -> CFA.

        Note that before we had sparse conditional CFA, we also had CFA depending on CFG. This ought
        not be the case anymore: CFG simplification should not by itself lead to better CFA results.

        My guess is that the weakest link in this cycle is CFG -> CSE. CSE cuts both ways: if you
        CSE too much then you increase register pressure. Hence it's not clear that you always want
        to CSE after simplifying control flow. This leads to an order of optimization as follows:

        CSE -> arguments -> CFA -> folding -> CFG

        This is a 2.5% speed-up on SunSpider, a 4% speed-up on V8Spider, a possible 0.3% slow-down
        on V8v7, nothing on Kraken, and 1.2% speed-up in the JSRegress geomean. I'll take a 2.5%
        speed-up over a 0.3% V8v7 speed-up.

2013-03-07 Roger Fong <roger_fong@apple.com>

        Build fix for AppleWin VS2010.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-03-05 Mark Hahnenberg <mhahnenberg@apple.com>

        Objective-C API: Need a good way to reference event handlers without causing cycles
        https://bugs.webkit.org/show_bug.cgi?id=111088

        Reviewed by Geoffrey Garen.

        JSManagedValue is like a special kind of weak value. When you create a JSManagedValue, you can
        supply an Objective-C object as its "owner". As long as the Objective-C owner object remains
        alive and its wrapper remains accessible to the JSC garbage collector (e.g. by being marked by
        the global object), the reference to the JavaScript value is strong. As soon as the Objective-C
        owner is deallocated or its wrapper becomes inaccessible to the garbage collector, the reference

        If you do not supply an owner or you use the weakValueWithValue: convenience class method, the
        returned JSManagedValue behaves as a normal weak reference.

        This new class allows clients to maintain references to JavaScript values in the Objective-C
        heap without creating reference cycles/leaking memory.

        * API/JSAPIWrapperObject.cpp: Added.
        (JSC::::createStructure):
        (JSC::JSAPIWrapperObject::JSAPIWrapperObject): This is a special JSObject for the Objective-C API that knows
        for the purposes of garbage collection/marking that it wraps an opaque Objective-C object.
        (JSC::JSAPIWrapperObject::visitChildren): We add the pointer to the wrapped Objective-C object to the set of
        opaque roots so that the weak handle owner for JSManagedValues can find it later.
        * API/JSAPIWrapperObject.h: Added.
        (JSAPIWrapperObject):
        (JSC::JSAPIWrapperObject::wrappedObject):
        (JSC::JSAPIWrapperObject::setWrappedObject):
        (JSSynchronousGarbageCollect):
        * API/JSBasePrivate.h:
        * API/JSCallbackObject.cpp:
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::destroy): Moved this to the header so that we don't get link errors with JSAPIWrapperObject.
        (-[JSContext initWithVirtualMachine:]): We weren't adding manually allocated/initialized JSVirtualMachine objects to
        the global cache of virtual machines. The init methods handle this now rather than contextWithGlobalContextRef, since
        not everyone is guaranteed to use the latter.
        (-[JSContext initWithGlobalContextRef:]):
        (+[JSContext contextWithGlobalContextRef:]):
        * API/JSManagedValue.h: Added.
        * API/JSManagedValue.mm: Added.
        (JSManagedValueHandleOwner):
        (managedValueHandleOwner):
        (+[JSManagedValue weakValueWithValue:]):
        (+[JSManagedValue managedValueWithValue:owner:]):
        (-[JSManagedValue init]): We explicitly call the ARC entrypoints to initialize/get the weak owner field since we don't
        use ARC when building our framework.
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue initWithValue:owner:]):
        (-[JSManagedValue dealloc]):
        (-[JSManagedValue value]):
        (-[JSManagedValue weakOwner]):
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): If the Objective-C owner is still alive (i.e. loading the weak field
        returns non-nil) and that value was added to the set of opaque roots by the wrapper for that Objective-C owner, then the
        JSObject to which the JSManagedObject refers is still alive.
        * API/JSObjectRef.cpp: We have to add explicit checks for the JSAPIWrapperObject, just like the other types of JSCallbackObjects.
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (objectToValueWithoutCopy):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
        * API/JSWrapperMap.mm:
        (makeWrapper): This is our own internal version of JSObjectMake which creates JSAPIWrapperObjects, the Obj-C API
        version of JSCallbackObjects.
        (createObjectWithCustomBrand):
        (-[JSObjCClassInfo wrapperForObject:]):
        (tryUnwrapObjcObject):
        * API/JavaScriptCore.h:
        * API/tests/testapi.mm: Added new tests for the strong and weak uses of JSManagedValue in the context of an
        onclick handler for an Objective-C object inserted into a JSContext.
        (-[TextXYZ setWeakOnclick:]):
        (-[TextXYZ setOnclick:]):
        (-[TextXYZ weakOnclick]):
        (-[TextXYZ onclick]):
        * CMakeLists.txt: Various build system additions.
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalObject.cpp: Added the new canonical Structure for the JSAPIWrapperObject class.
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objcWrapperObjectStructure):

2013-03-06 Filip Pizlo <fpizlo@apple.com>

        ConvertThis should be turned into Identity based on predictions in Fixup, rather than based on proofs in ConstantFolding
        https://bugs.webkit.org/show_bug.cgi?id=111674

        Reviewed by Oliver Hunt.

        This gets rid of the speculated forms of ConvertThis in the backend, and has Fixup
        convert them to either Identity(Object:@child) if the child is predicted object, or
        Phantom(Other:@child) ; WeakJSConstant(global this object) if it's predicted Other.

        The goal of this is to ensure that the optimization fixpoint doesn't create
        Identity's, since doing so requires a rerun of CSE. So far this isn't a speed-up
        but I'm hoping this will be a step towards reducing the need to rerun the fixpoint
        so as to ultimately reduce compile times.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAssemblyHelpers.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
        (JSC::DFG::Graph::globalThisObjectFor):
        (JSC::DFG::Node::convertToIdentity):
        (JSC::DFG::Node::convertToWeakConstant):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-07 Peter Gal <galpeter@inf.u-szeged.hu>

        Children method in LLINT AST Not class should return [@child]
        https://bugs.webkit.org/show_bug.cgi?id=90740

        Reviewed by Filip Pizlo.

        * offlineasm/ast.rb: Fixed the return value of the children method in the Not AST class.

2013-03-05 Oliver Hunt <oliver@apple.com>

        Bring back eager resolution of function scoped variables
        https://bugs.webkit.org/show_bug.cgi?id=111497

        Reviewed by Geoffrey Garen.

        This reverts the get/put_scoped_var part of the great non-local
        variable resolution refactoring. This still leaves all the lazy
        variable resolution logic as it's necessary for global property
        resolution, and I don't want to make the patch bigger than it

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::padOpcodeName):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (UnlinkedFunctionExecutable):
        (JSC::UnlinkedCodeBlock::usesGlobalObject):
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister):
        (JSC::UnlinkedCodeBlock::globalObjectRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitLoadGlobalObject):
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetStaticVar):
        (JSC::BytecodeGenerator::emitPutStaticVar):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult::lexicalResolve):
        (JSC::ResolveResult::isStatic):
        (JSC::ResolveResult::depth):
        (JSC::ResolveResult::index):
        (JSC::ResolveResult::ResolveResult):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::debugFail):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        (JSC::JIT::privateCompileMainPass):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2013-03-06 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/144989

        I think we want the assertion that I removed.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::merge):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGAbstractState.h:

2013-03-06 Filip Pizlo <fpizlo@apple.com>

        DFG::AbstractState::merge() is still more complicated than it needs to be
        https://bugs.webkit.org/show_bug.cgi?id=111619

        Reviewed by Mark Hahnenberg.

        This method is the one place where we still do some minimal amount of liveness pruning, but the style with
        which it is written is awkward, and it makes an assertion about variablesAtTail that will be invalidated
        by https://bugs.webkit.org/show_bug.cgi?id=111539.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::merge):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGAbstractState.h:

2013-03-06 Filip Pizlo <fpizlo@apple.com>

        DFG should not run full CSE after the optimization fixpoint, since it really just wants store elimination
        https://bugs.webkit.org/show_bug.cgi?id=111536

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        The fixpoint will do aggressive load elimination and pure CSE. There's no need to do it after the fixpoint.
        On the other hand, the fixpoint does not profit from doing store elimination (except for SetLocal/Flush).
        Previously we had CSE do both, and had it avoid doing some store elimination during the fixpoint by querying
        the fixpoint state. This changes CSE to be templated on mode - either NormalCSE or StoreElimination - so
        that we explicitly put it into one of those modes depending on where we call it from. The goal is to reduce
        time spent doing load elimination after the fixpoint, since that is just wasted cycles.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (JSC::DFG::performCSE):
        (JSC::DFG::performStoreElimination):

2013-03-06 Andreas Kling <akling@apple.com>

        Pack Structure members better.
        <http://webkit.org/b/111593>
        <rdar://problem/13359200>

        Reviewed by Mark Hahnenberg.

        Shrink Structure by 8 bytes (now at 104 bytes) on 64-bit by packing the members better.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:

2013-03-06 Andreas Kling <akling@apple.com>

        Unreviewed, fix Windows build after r144910.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:

2013-03-05 Filip Pizlo <fpizlo@apple.com>

        DFG should not check if nodes are shouldGenerate prior to DCE
        https://bugs.webkit.org/show_bug.cgi?id=111520

        Reviewed by Geoffrey Garen.

        All nodes are live before DCE. We don't need to check that they aren't, because they

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (JSC::DFG::CSEPhase::constantCSE):
        (JSC::DFG::CSEPhase::weakConstantCSE):
        (JSC::DFG::CSEPhase::getCalleeLoadElimination):
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
        (JSC::DFG::CSEPhase::globalVarStoreElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::getLocalLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):

2013-03-06 Csaba Osztrogonác <ossy@webkit.org>

        Fix unused parameter warnings in ARM assembler
        https://bugs.webkit.org/show_bug.cgi?id=111433

        Reviewed by Kentaro Hara.

        * assembler/ARMAssembler.h: Remove unreachable revertJump() after r143346.
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveIntsToDouble): Remove unused scratch parameter instead of UNUSED_PARAM.
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32): Remove unused fpTemp parameter.
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch): Remove unused parameters.
886 2013-03-06 Andreas Kling <akling@apple.com>
888 Unused Structure property tables waste 14MB on Membuster.
889 <http://webkit.org/b/110854>
890 <rdar://problem/13292104>
892 Reviewed by Geoffrey Garen.
894 Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
895 14 MB progression on Membuster3.
897 This time it should stick; I've been through all the tests with COLLECT_ON_EVERY_ALLOCATION.
898 The issue with the last version was that Structure::m_offset could be used uninitialized
899 when re-materializing a previously GC'd property table, causing some sanity checks to fail.
902 * GNUmakefile.list.am:
903 * JavaScriptCore.gypi:
904 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
905 * JavaScriptCore.xcodeproj/project.pbxproj:
908 Added PropertyTable.cpp.
910 * runtime/PropertyTable.cpp: Added.
911 (JSC::PropertyTable::create):
912 (JSC::PropertyTable::clone):
913 (JSC::PropertyTable::PropertyTable):
914 (JSC::PropertyTable::destroy):
915 (JSC::PropertyTable::~PropertyTable):
916 (JSC::PropertyTable::visitChildren):
918 Moved marking of property table values here from Structure::visitChildren().
920 * runtime/WriteBarrier.h:
921 (JSC::WriteBarrierBase::get):
923 Move m_cell to a local before using it multiple times. This avoids a multiple-access race when
924 Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread
925 zaps the property table.
927 * runtime/Structure.h:
928 (JSC::Structure::materializePropertyMapIfNecessary):
929 (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
930 * runtime/StructureInlines.h:
931 (JSC::Structure::propertyTable):
933 Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active.
934 Because GC can zap an unpinned property table at any time, it's not entirely safe to access it.
935 Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves.
937 (JSC::Structure::putWillGrowOutOfLineStorage):
938 (JSC::Structure::checkOffsetConsistency):
940 Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable.
942 * runtime/Structure.cpp:
943 (JSC::Structure::visitChildren):
945 Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.
947 (JSC::Structure::takePropertyTableOrCloneIfPinned):
949 Added for setting up the property table in a new transition, this code is now shared between
950 addPropertyTransition() and nonPropertyTransition().
952 * runtime/JSGlobalData.h:
953 * runtime/JSGlobalData.cpp:
954 (JSC::JSGlobalData::JSGlobalData):
956 Add a global propertyTableStructure.
958 * runtime/PropertyMapHashTable.h:
960 (JSC::PropertyTable::createStructure):
961 (JSC::PropertyTable::copy):
963 Make PropertyTable a GC object.
965 * runtime/Structure.cpp:
966 (JSC::Structure::dumpStatistics):
967 (JSC::Structure::materializePropertyMap):
968 (JSC::Structure::despecifyDictionaryFunction):
969 (JSC::Structure::addPropertyTransition):
970 (JSC::Structure::changePrototypeTransition):
971 (JSC::Structure::despecifyFunctionTransition):
972 (JSC::Structure::attributeChangeTransition):
973 (JSC::Structure::toDictionaryTransition):
974 (JSC::Structure::sealTransition):
975 (JSC::Structure::freezeTransition):
976 (JSC::Structure::preventExtensionsTransition):
977 (JSC::Structure::nonPropertyTransition):
978 (JSC::Structure::isSealed):
979 (JSC::Structure::isFrozen):
980 (JSC::Structure::flattenDictionaryStructure):
981 (JSC::Structure::pin):
982 (JSC::Structure::copyPropertyTable):
983 (JSC::Structure::copyPropertyTableForPinning):
984 (JSC::Structure::get):
985 (JSC::Structure::despecifyFunction):
986 (JSC::Structure::despecifyAllFunctions):
987 (JSC::Structure::putSpecificValue):
988 (JSC::Structure::remove):
989 (JSC::Structure::createPropertyMap):
990 (JSC::Structure::getPropertyNamesFromStructure):
991 (JSC::Structure::checkConsistency):
993 2013-03-05 Filip Pizlo <fpizlo@apple.com>
995 Get rid of the invert argument to SpeculativeJIT::jumpSlowForUnwantedArrayMode
996 https://bugs.webkit.org/show_bug.cgi?id=105624
998 Reviewed by Oliver Hunt.
1000 All callers pass invert = false, which is the default value of the argument. So, get
1001 rid of the argument and fold away all code that checks it.
1003 * dfg/DFGSpeculativeJIT.cpp:
1004 (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
1005 * dfg/DFGSpeculativeJIT.h:
1008 2013-03-05 Filip Pizlo <fpizlo@apple.com>
1010 Unreviewed, fix an incorrect comment. The comment was a holdover from a work-in-progress version of this code.
1012 * dfg/DFGDCEPhase.cpp:
1013 (JSC::DFG::DCEPhase::run):
1015 2013-03-04 Filip Pizlo <fpizlo@apple.com>
1017 DFG DCE might eliminate checks unsoundly
1018 https://bugs.webkit.org/show_bug.cgi?id=109389
1020 Reviewed by Oliver Hunt.
1022 This gets rid of all eager reference counting, and does all dead code elimination
1023 in one phase - the DCEPhase. This phase also sets up the node reference counts,
1024 which are then used not just for DCE but also register allocation and stack slot
1027 Doing this required a number of surgical changes in places that previously relied
1028 on always having liveness information. For example, the structure check hoisting
1029 phase must now consult whether a VariableAccessData is profitable for unboxing to
1030 make sure that it doesn't try to do hoisting on set SetLocals. The arguments
1031 simplification phase employs its own light-weight liveness analysis. Both phases
1032 previously just used reference counts.
1034 The largest change is that now, dead nodes get turned into Phantoms. Those
1035 Phantoms will retain those child edges that are not proven. This ensures that any
1036 type checks performed by a dead node remain even after the node is killed. On the
1037 other hand, this Phantom conversion means that we need special handling for
1038 SetLocal. I decided to make the four forms of SetLocal explicit:
1040 MovHint(@a, rK): Just indicates that node @a contains the value that would have
1041 now been placed into virtual register rK. Does not actually cause @a to be
1042 stored into rK. This would have previously been a dead SetLocal with @a
1043 being live. MovHints are always dead.
1045 ZombieHint(rK): Indicates that at this point, register rK will contain a dead
1046 value and OSR should put Undefined into it. This would have previously been
1047 a dead SetLocal with @a being dead also. ZombieHints are always dead.
1049 MovHintAndCheck(@a, rK): Identical to MovHint except @a is also type checked,
1050 according to whatever UseKind the edge to @a has. The type check is always a
1051 forward exit. MovHintAndChecks are always live, since they are
1052 NodeMustGenerate. Previously this would have been a dead SetLocal with a
1053 live @a, and the check would have disappeared. This is one of the bugs that
1056 SetLocal(@a, rK): This still does exactly what it does now, if the SetLocal is
1059 Basically this patch makes it so that dead SetLocals eventually decay to MovHint,
1060 ZombieHint, or MovHintAndCheck depending on the situation. If the child @a is
1061 also dead, then you get a ZombieHint. If the child @a is live but the SetLocal
1062 has a type check and @a's type hasn't been proven to have that type then you get
1063 a MovHintAndCheck. Otherwise you get a MovHint.
1065 This is performance neutral.
1068 * GNUmakefile.list.am:
1069 * JavaScriptCore.xcodeproj/project.pbxproj:
1071 * dfg/DFGAbstractState.cpp:
1072 (JSC::DFG::AbstractState::executeEffects):
1073 (JSC::DFG::AbstractState::mergeStateAtTail):
1074 * dfg/DFGArgumentsSimplificationPhase.cpp:
1075 (JSC::DFG::ArgumentsSimplificationPhase::run):
1076 (ArgumentsSimplificationPhase):
1077 (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
1078 * dfg/DFGBasicBlock.h:
1080 * dfg/DFGBasicBlockInlines.h:
1082 * dfg/DFGByteCodeParser.cpp:
1083 (JSC::DFG::ByteCodeParser::addToGraph):
1084 (JSC::DFG::ByteCodeParser::insertPhiNode):
1085 (JSC::DFG::ByteCodeParser::emitFunctionChecks):
1086 * dfg/DFGCFAPhase.cpp:
1087 (JSC::DFG::CFAPhase::run):
1088 * dfg/DFGCFGSimplificationPhase.cpp:
1089 (JSC::DFG::CFGSimplificationPhase::run):
1090 (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
1091 * dfg/DFGCPSRethreadingPhase.cpp:
1092 (JSC::DFG::CPSRethreadingPhase::run):
1093 (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
1094 * dfg/DFGCSEPhase.cpp:
1095 (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
1096 (JSC::DFG::CSEPhase::setReplacement):
1097 (JSC::DFG::CSEPhase::performNodeCSE):
1098 * dfg/DFGCommon.cpp:
1099 (WTF::printInternal):
1103 * dfg/DFGConstantFoldingPhase.cpp:
1104 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1105 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1106 (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
1107 * dfg/DFGDCEPhase.cpp: Added.
1110 (JSC::DFG::DCEPhase::DCEPhase):
1111 (JSC::DFG::DCEPhase::run):
1112 (JSC::DFG::DCEPhase::findTypeCheckRoot):
1113 (JSC::DFG::DCEPhase::countEdge):
1114 (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
1115 (JSC::DFG::performDCE):
1116 * dfg/DFGDCEPhase.h: Added.
1118 * dfg/DFGDriver.cpp:
1119 (JSC::DFG::compile):
1120 * dfg/DFGFixupPhase.cpp:
1121 (JSC::DFG::FixupPhase::fixupNode):
1122 (JSC::DFG::FixupPhase::checkArray):
1123 (JSC::DFG::FixupPhase::blessArrayOperation):
1124 (JSC::DFG::FixupPhase::fixIntEdge):
1125 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
1126 (JSC::DFG::FixupPhase::truncateConstantToInt32):
1128 (JSC::DFG::Graph::Graph):
1129 (JSC::DFG::Graph::dump):
1132 (JSC::DFG::Graph::changeChild):
1133 (JSC::DFG::Graph::changeEdge):
1134 (JSC::DFG::Graph::compareAndSwap):
1135 (JSC::DFG::Graph::clearAndDerefChild):
1136 (JSC::DFG::Graph::performSubstitution):
1137 (JSC::DFG::Graph::performSubstitutionForEdge):
1139 (JSC::DFG::Graph::substitute):
1140 * dfg/DFGInsertionSet.h:
1143 (JSC::DFG::Node::Node):
1144 (JSC::DFG::Node::convertToConstant):
1145 (JSC::DFG::Node::convertToGetLocalUnlinked):
1146 (JSC::DFG::Node::containsMovHint):
1148 (JSC::DFG::Node::hasVariableAccessData):
1149 (JSC::DFG::Node::willHaveCodeGenOrOSR):
1150 * dfg/DFGNodeType.h:
1152 * dfg/DFGPredictionPropagationPhase.cpp:
1153 (JSC::DFG::PredictionPropagationPhase::propagate):
1154 * dfg/DFGSpeculativeJIT.cpp:
1155 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
1156 (JSC::DFG::SpeculativeJIT::compileMovHint):
1157 (JSC::DFG::SpeculativeJIT::compileMovHintAndCheck):
1159 (JSC::DFG::SpeculativeJIT::compileInlineStart):
1160 (JSC::DFG::SpeculativeJIT::compile):
1161 * dfg/DFGSpeculativeJIT.h:
1163 * dfg/DFGSpeculativeJIT32_64.cpp:
1164 (JSC::DFG::SpeculativeJIT::compile):
1165 * dfg/DFGSpeculativeJIT64.cpp:
1166 (JSC::DFG::SpeculativeJIT::compile):
1167 * dfg/DFGStructureCheckHoistingPhase.cpp:
1168 (JSC::DFG::StructureCheckHoistingPhase::run):
1169 (JSC::DFG::StructureCheckHoistingPhase::shouldConsiderForHoisting):
1170 (StructureCheckHoistingPhase):
1171 * dfg/DFGValidate.cpp:
1172 (JSC::DFG::Validate::validate):
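Added illustration of the DCE design this entry describes (dead nodes become Phantoms that keep unproven checked edges; dead SetLocals decay to ZombieHint, MovHintAndCheck or MovHint). This is a stand-alone model, not WebKit's DFGDCEPhase code: the Op enum, the Node/Edge layout, the constructed sample graph, and treating every unproven checked edge as a liveness root (my stand-in for a Phantom's retained edges keeping their children alive) are all assumptions.

```cpp
#include <cstddef>
#include <vector>

enum class Op { JSConstant, GetLocal, ArithAdd, SetLocal, Return,
                Phantom, MovHint, ZombieHint, MovHintAndCheck };

struct Edge {
    std::size_t child;
    bool hasTypeCheck;  // the edge's UseKind speculates on @child's type
    bool proven;        // CFA already proved that type, so the check is free
    bool needsCheck() const { return hasTypeCheck && !proven; }
};

struct Node {
    Op op;
    std::vector<Edge> children;
    bool mustGenerate;  // NodeMustGenerate: Return, or a SetLocal that is Flushed
    int operand;        // virtual register rK for SetLocal-like nodes, else -1
    bool live = false;  // set by computeLiveness(): the node's value is needed
    int refCount = 0;   // set up by DCE for the register allocator
};

using Graph = std::vector<Node>;
// A value is live if its node is NodeMustGenerate, if a live node uses it, or
// if some edge to it carries an unproven type check: that check must survive
// even when its user dies, and checking @a requires computing @a (assumption).
void computeLiveness(Graph& g)
{
    for (std::size_t i = 0; i < g.size(); ++i) {
        if (g[i].mustGenerate)
            g[i].live = true;
        for (const Edge& e : g[i].children)
            if (e.needsCheck())
                g[e.child].live = true;
    }
    for (bool changed = true; changed;) {   // propagate to a fixpoint
        changed = false;
        for (const Node& n : g)
            if (n.live)
                for (const Edge& e : n.children)
                    if (!g[e.child].live)
                        g[e.child].live = changed = true;
    }
}

// Dead SetLocals decay by the rule in the entry above; every other dead node
// becomes a Phantom that keeps only the edges whose checks are still required.
void eliminateDeadCode(Graph& g)
{
    computeLiveness(g);
    for (Node& n : g) {
        if (n.live)
            continue;
        if (n.op == Op::SetLocal) {
            const Edge a = n.children.at(0);
            if (!g[a.child].live) {       // @a dead too: OSR puts Undefined in rK
                n.op = Op::ZombieHint;
                n.children.clear();
            } else if (a.needsCheck()) {  // keep the type check, drop the store
                n.op = Op::MovHintAndCheck;
            } else {                      // OSR bookkeeping only
                n.op = Op::MovHint;
            }
            continue;
        }
        std::vector<Edge> kept;
        for (const Edge& e : n.children)
            if (e.needsCheck())
                kept.push_back(e);
        n.op = Op::Phantom;
        n.children = kept;
    }
    // Reference counts: one per edge from a node that still emits code or a
    // check. MovHint and ZombieHint emit nothing, so they add no references.
    for (const Node& n : g) {
        if (!(n.live || n.op == Op::Phantom || n.op == Op::MovHintAndCheck))
            continue;
        for (const Edge& e : n.children)
            ++g[e.child].refCount;
    }
}

// Constructed sample graph (not from any real program) hitting all four
// SetLocal outcomes plus a dead ArithAdd whose Int32 checks must survive.
Graph runExample()
{
    Graph g;
    g.push_back({Op::JSConstant, {}, false, -1});                                 // @0
    g.push_back({Op::GetLocal, {}, false, 0});                                    // @1 = r0
    g.push_back({Op::ArithAdd, {{0, true, false}, {1, true, false}}, false, -1}); // @2: unproven Int32 checks
    g.push_back({Op::SetLocal, {{2, false, false}}, false, 1});                   // @3: r1 = @2, never read
    g.push_back({Op::SetLocal, {{1, true, false}}, false, 2});                    // @4: r2 = @1, unproven check
    g.push_back({Op::JSConstant, {}, false, -1});                                 // @5
    g.push_back({Op::SetLocal, {{5, false, false}}, false, 3});                   // @6: r3 = @5, both dead
    g.push_back({Op::SetLocal, {{0, true, true}}, false, 4});                     // @7: r4 = @0, check proven
    g.push_back({Op::Return, {{0, false, false}}, true, -1});                     // @8
    eliminateDeadCode(g);
    return g;
}
```

After runExample(), @2 survives only as a Phantom carrying its two Int32 checks, @3 and @6 become ZombieHints, @4 becomes a MovHintAndCheck and @7 a MovHint.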
1174 2013-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
1176 Objective-C API: JSValue should implement init and return nil in exceptional cases
1177 https://bugs.webkit.org/show_bug.cgi?id=111487
1179 Reviewed by Darin Adler.
1182 (-[JSValue init]): We return nil here because there is no way to get the instance into a coherent state
1183 without a JSContext.
1184 (-[JSValue initWithValue:inContext:]): Similarly, we should also return nil here if either of the arguments is 0.
1186 2013-03-05 Sheriff Bot <webkit.review.bot@gmail.com>
1188 Unreviewed, rolling out r144708.
1189 http://trac.webkit.org/changeset/144708
1190 https://bugs.webkit.org/show_bug.cgi?id=111447
1192 random assertion crashes in inspector tests on qt+mac bots
1193 (Requested by kling on #webkit).
1196 * GNUmakefile.list.am:
1197 * JavaScriptCore.gypi:
1198 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1199 * JavaScriptCore.xcodeproj/project.pbxproj:
1201 * runtime/JSGlobalData.cpp:
1202 (JSC::JSGlobalData::JSGlobalData):
1203 * runtime/JSGlobalData.h:
1205 * runtime/PropertyMapHashTable.h:
1207 (JSC::PropertyTable::PropertyTable):
1209 (JSC::PropertyTable::~PropertyTable):
1210 (JSC::PropertyTable::copy):
1211 * runtime/PropertyTable.cpp: Removed.
1212 * runtime/Structure.cpp:
1213 (JSC::Structure::dumpStatistics):
1214 (JSC::Structure::materializePropertyMap):
1215 (JSC::Structure::despecifyDictionaryFunction):
1216 (JSC::Structure::addPropertyTransition):
1217 (JSC::Structure::changePrototypeTransition):
1218 (JSC::Structure::despecifyFunctionTransition):
1219 (JSC::Structure::attributeChangeTransition):
1220 (JSC::Structure::toDictionaryTransition):
1221 (JSC::Structure::sealTransition):
1222 (JSC::Structure::freezeTransition):
1223 (JSC::Structure::preventExtensionsTransition):
1224 (JSC::Structure::nonPropertyTransition):
1225 (JSC::Structure::isSealed):
1226 (JSC::Structure::isFrozen):
1227 (JSC::Structure::flattenDictionaryStructure):
1228 (JSC::Structure::pin):
1229 (JSC::Structure::copyPropertyTable):
1230 (JSC::Structure::copyPropertyTableForPinning):
1231 (JSC::Structure::get):
1232 (JSC::Structure::despecifyFunction):
1233 (JSC::Structure::despecifyAllFunctions):
1234 (JSC::Structure::putSpecificValue):
1235 (JSC::Structure::remove):
1236 (JSC::Structure::createPropertyMap):
1237 (JSC::Structure::getPropertyNamesFromStructure):
1238 (JSC::Structure::visitChildren):
1239 (JSC::Structure::checkConsistency):
1240 * runtime/Structure.h:
1242 (JSC::Structure::putWillGrowOutOfLineStorage):
1243 (JSC::Structure::materializePropertyMapIfNecessary):
1244 (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1245 (JSC::Structure::checkOffsetConsistency):
1247 * runtime/StructureInlines.h:
1248 (JSC::Structure::get):
1249 * runtime/WriteBarrier.h:
1250 (JSC::WriteBarrierBase::get):
1252 2013-03-05 David Kilzer <ddkilzer@apple.com>
1254 BUILD FIX (r144698): Only enable SPEECH_SYNTHESIS for Mac
1255 <http://webkit.org/b/106742>
1257 Fixes the following build failures:
1259 Undefined symbols for architecture i386:
1260 "__ZTVN7WebCore25PlatformSpeechSynthesizerE", referenced from:
1261 __ZN7WebCore25PlatformSpeechSynthesizerC2EPNS_31PlatformSpeechSynthesizerClientE in PlatformSpeechSynthesizer.o
1262 NOTE: a missing vtable usually means the first non-inline virtual member function has no definition.
1263 "__ZN7WebCore25PlatformSpeechSynthesizer19initializeVoiceListEv", referenced from:
1264 __ZN7WebCore25PlatformSpeechSynthesizerC2EPNS_31PlatformSpeechSynthesizerClientE in PlatformSpeechSynthesizer.o
1265 ld: symbol(s) not found for architecture i386
1267 * Configurations/FeatureDefines.xcconfig:
1268 - Fix definition of ENABLE_ENCRYPTED_MEDIA_V2_macosx to match
1269 other FeatureDefines.xcconfig files.
1270 - Only set ENABLE_SPEECH_SYNTHESIS for the macosx platform.
1272 2013-03-04 Andreas Kling <akling@apple.com>
1274 Unused Structure property tables waste 14MB on Membuster.
1275 <http://webkit.org/b/110854>
1276 <rdar://problem/13292104>
1278 Reviewed by Geoffrey Garen.
1280 Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
1281 14 MB progression on Membuster3.
1284 * GNUmakefile.list.am:
1285 * JavaScriptCore.gypi:
1286 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1287 * JavaScriptCore.xcodeproj/project.pbxproj:
1290 Added PropertyTable.cpp.
1292 * runtime/PropertyTable.cpp: Added.
1293 (JSC::PropertyTable::create):
1294 (JSC::PropertyTable::clone):
1295 (JSC::PropertyTable::PropertyTable):
1296 (JSC::PropertyTable::destroy):
1297 (JSC::PropertyTable::~PropertyTable):
1298 (JSC::PropertyTable::visitChildren):
1300 Moved marking of property table values here from Structure::visitChildren().
1302 * runtime/WriteBarrier.h:
1303 (JSC::WriteBarrierBase::get):
1305 Move m_cell to a local before using it multiple times. This avoids a multiple-access race when
1306 Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread
1307 zaps the property table.
1309 * runtime/Structure.h:
1310 (JSC::Structure::materializePropertyMapIfNecessary):
1311 (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
1312 * runtime/StructureInlines.h:
1313 (JSC::Structure::propertyTable):
1315 Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active.
1316 Because GC can zap an unpinned property table at any time, it's not entirely safe to access it.
1317 Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves.
1319 (JSC::Structure::putWillGrowOutOfLineStorage):
1320 (JSC::Structure::checkOffsetConsistency):
1322 Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable.
1324 * runtime/Structure.cpp:
1325 (JSC::Structure::visitChildren):
1327 Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.
1329 * runtime/JSGlobalData.h:
1330 * runtime/JSGlobalData.cpp:
1331 (JSC::JSGlobalData::JSGlobalData):
1333 Add a global propertyTableStructure.
1335 * runtime/PropertyMapHashTable.h:
1337 (JSC::PropertyTable::createStructure):
1338 (JSC::PropertyTable::copy):
1340 Make PropertyTable a GC object.
1342 * runtime/Structure.cpp:
1343 (JSC::Structure::dumpStatistics):
1344 (JSC::Structure::materializePropertyMap):
1345 (JSC::Structure::despecifyDictionaryFunction):
1346 (JSC::Structure::addPropertyTransition):
1347 (JSC::Structure::changePrototypeTransition):
1348 (JSC::Structure::despecifyFunctionTransition):
1349 (JSC::Structure::attributeChangeTransition):
1350 (JSC::Structure::toDictionaryTransition):
1351 (JSC::Structure::sealTransition):
1352 (JSC::Structure::freezeTransition):
1353 (JSC::Structure::preventExtensionsTransition):
1354 (JSC::Structure::nonPropertyTransition):
1355 (JSC::Structure::isSealed):
1356 (JSC::Structure::isFrozen):
1357 (JSC::Structure::flattenDictionaryStructure):
1358 (JSC::Structure::pin):
1359 (JSC::Structure::copyPropertyTable):
1360 (JSC::Structure::copyPropertyTableForPinning):
1361 (JSC::Structure::get):
1362 (JSC::Structure::despecifyFunction):
1363 (JSC::Structure::despecifyAllFunctions):
1364 (JSC::Structure::putSpecificValue):
1365 (JSC::Structure::remove):
1366 (JSC::Structure::createPropertyMap):
1367 (JSC::Structure::getPropertyNamesFromStructure):
1368 (JSC::Structure::checkConsistency):
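Added stand-alone model of the multiple-access race that this entry and its 2013-03-06 re-landing fix in WriteBarrierBase::get(): a getter that loads m_cell more than once can pass its null check and then hand a concurrently zapped (null) pointer to the validation. This is not WebKit's code; the PropertyTableCell type, the validateCell() stand-in for the debug ASSERT, and the betweenLoads hook that replaces real thread timing are assumptions.

```cpp
#include <atomic>
#include <cstddef>
#include <functional>
#include <utility>

// Stand-in for the GC cell a barrier slot points at (here a property table).
struct PropertyTableCell { std::size_t size; };

// What a get() produced: whether the cell validation (an ASSERT in a debug
// build) would have passed, and the pointer the caller ends up holding.
using GetResult = std::pair<bool, PropertyTableCell*>;

static bool validateCell(const PropertyTableCell* cell)
{
    return cell != nullptr;  // the debug-build ASSERT, reported instead of crashing
}

struct CellSlot {
    std::atomic<PropertyTableCell*> m_cell{nullptr};
    // Hook run between consecutive loads of m_cell so the interleaving with a
    // marking thread is reproduced deterministically rather than by timing.
    std::function<void()> betweenLoads;
    void interleave() { if (betweenLoads) betweenLoads(); }

    // Before the fix: m_cell is loaded three times. A zap after the first
    // load makes validateCell() see nullptr right after the null check passed.
    GetResult getUnsafe()
    {
        bool ok = true;
        if (m_cell.load()) {
            interleave();
            ok = validateCell(m_cell.load());
        }
        return { ok, m_cell.load() };
    }

    // After the fix: load once into a local, then validate and return that snapshot.
    GetResult getSafe()
    {
        PropertyTableCell* cell = m_cell.load();
        bool ok = true;
        if (cell) {
            interleave();
            ok = validateCell(cell);
        }
        return { ok, cell };
    }
};

// Main-thread assertion racing a marking thread that drops an unpinned table.
// Returns {unsafe outcome, safe outcome} for the same interleaving.
std::pair<GetResult, GetResult> raceDemo(bool zapConcurrently)
{
    static PropertyTableCell table{4};
    CellSlot slot;
    slot.m_cell.store(&table);
    if (zapConcurrently)
        slot.betweenLoads = [&slot] { slot.m_cell.store(nullptr); };  // simulated zap
    GetResult unsafe = slot.getUnsafe();
    slot.m_cell.store(&table);  // restore so the safe getter sees the same start
    GetResult safe = slot.getSafe();
    return { unsafe, safe };
}
```

With the zap enabled, getUnsafe() fails validation and returns nullptr while getSafe() returns the snapshot it validated; without it both agree.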
1370 2013-03-04 Chris Fleizach <cfleizach@apple.com>
1372 Support WebSpeech - Speech Synthesis
1373 https://bugs.webkit.org/show_bug.cgi?id=106742
1375 Reviewed by Simon Fraser.
1377 Enable speech synthesis for the Mac.
1379 * Configurations/FeatureDefines.xcconfig:
1381 2013-03-04 Mark Hahnenberg <mhahnenberg@apple.com>
1383 Remove contextInternalContext from JSContextInternal.h
1384 https://bugs.webkit.org/show_bug.cgi?id=111356
1386 Reviewed by Geoffrey Garen.
1388 We don't need it any more since we have globalContextRef in JSContext.
1391 * API/JSContextInternal.h:
1393 (+[JSValue valueWithBool:inContext:]):
1394 (+[JSValue valueWithDouble:inContext:]):
1395 (+[JSValue valueWithInt32:inContext:]):
1396 (+[JSValue valueWithUInt32:inContext:]):
1397 (+[JSValue valueWithNewObjectInContext:]):
1398 (+[JSValue valueWithNewArrayInContext:]):
1399 (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
1400 (+[JSValue valueWithNewErrorFromMessage:inContext:]):
1401 (+[JSValue valueWithNullInContext:]):
1402 (+[JSValue valueWithUndefinedInContext:]):
1403 (-[JSValue toBool]):
1404 (-[JSValue toDouble]):
1405 (-[JSValue toNumber]):
1406 (-[JSValue toString]):
1407 (-[JSValue toDate]):
1408 (-[JSValue toArray]):
1409 (-[JSValue toDictionary]):
1410 (-[JSValue valueForProperty:]):
1411 (-[JSValue setValue:forProperty:]):
1412 (-[JSValue deleteProperty:]):
1413 (-[JSValue hasProperty:]):
1414 (-[JSValue valueAtIndex:]):
1415 (-[JSValue setValue:atIndex:]):
1416 (-[JSValue isUndefined]):
1417 (-[JSValue isNull]):
1418 (-[JSValue isBoolean]):
1419 (-[JSValue isNumber]):
1420 (-[JSValue isString]):
1421 (-[JSValue isObject]):
1422 (-[JSValue isEqualToObject:]):
1423 (-[JSValue isEqualWithTypeCoercionToObject:]):
1424 (-[JSValue isInstanceOf:]):
1425 (-[JSValue callWithArguments:]):
1426 (-[JSValue constructWithArguments:]):
1427 (-[JSValue invokeMethod:withArguments:]):
1429 (objectToValueWithoutCopy):
1431 (-[JSValue initWithValue:inContext:]):
1432 (-[JSValue dealloc]):
1433 (-[JSValue description]):
1434 * API/JSWrapperMap.mm:
1435 (createObjectWithCustomBrand):
1436 (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
1437 (-[JSObjCClassInfo wrapperForObject:]):
1438 (-[JSWrapperMap jsWrapperForObject:]):
1439 * API/ObjCCallbackFunction.mm:
1440 (ObjCCallbackFunction::call):
1441 (objCCallbackFunctionForInvocation):
1443 2013-03-04 Andreas Kling <akling@apple.com>
1445 Add simple vector traits for JSC::Identifier.
1446 <http://webkit.org/b/111323>
1448 Reviewed by Geoffrey Garen.
1450 Identifiers are really just Strings; giving them simple vector traits makes
1451 Vector move them with memcpy() instead of churning the refcounts.
1453 * runtime/Identifier.h:
1456 2013-03-04 Kunihiko Sakamoto <ksakamoto@chromium.org>
1458 Add build flag for FontLoader
1459 https://bugs.webkit.org/show_bug.cgi?id=111289
1461 Reviewed by Benjamin Poulain.
1463 Add ENABLE_FONT_LOAD_EVENTS build flag (disabled by default).
1465 * Configurations/FeatureDefines.xcconfig:
1467 2013-03-03 Andreas Kling <akling@apple.com>
1469 Shrink JSC::HashTable entries.
1470 <http://webkit.org/b/111275>
1471 <rdar://problem/13333511>
1473 Reviewed by Anders Carlsson.
1475 Move the Intrinsic value out of the function-specific part of the union,
1476 and store it next to m_attributes. Reduces the size of HashEntry by 8 bytes.
1478 990 kB progression on Membuster3. (PTUS: 797 kB)
1481 (JSC::HashEntry::initialize):
1482 (JSC::HashEntry::intrinsic):
1485 2013-03-01 David Kilzer <ddkilzer@apple.com>
1487 BUILD FIX: testapi should link to Foundation, not CoreFoundation
1489 * JavaScriptCore.xcodeproj/project.pbxproj: Change testapi to
1490 link to Foundation.framework instead of CoreFoundation.framework
1491 since it uses NS types.
1493 2013-03-01 Mark Hahnenberg <mhahnenberg@apple.com>
1495 Objective-C API: Passing JS functions to Objective-C callbacks causes JSValue to leak
1496 https://bugs.webkit.org/show_bug.cgi?id=107836
1498 Reviewed by Oliver Hunt.
1500 We've decided to remove support for this feature from the API because there's no way to automatically manage
1501 the memory for clients in a satisfactory manner. Clients can still pass JS functions to Objective-C methods,
1502 but the methods must accept plain JSValues instead of Objective-C blocks.
1504 We now ignore functions that are part of a protocol that inherits from JSExport that accept blocks as arguments.
1506 * API/JSBlockAdaptor.h: Removed.
1507 * API/JSBlockAdaptor.mm: Removed.
1508 * API/ObjCCallbackFunction.mm:
1509 (ArgumentTypeDelegate::typeBlock): Return nil to signal that we want to ignore this function when copying it
1510 to the object from the protocol.
1511 * API/tests/testapi.mm: Added a test to make sure that we ignore methods declared as part of a JSExport-ed protocol
1512 that have block arguments.
1513 (-[TestObject bogusCallback:]):
1514 * JavaScriptCore.gypi: Updated build files.
1515 * JavaScriptCore.xcodeproj/project.pbxproj:
1517 2013-03-01 Filip Pizlo <fpizlo@apple.com>
1519 DFG Branch(LogicalNot) peephole should not try to optimize and work-around the case where LogicalNot may be otherwise live
1520 https://bugs.webkit.org/show_bug.cgi?id=111209
1522 Reviewed by Oliver Hunt.
1524 Even if it is, then everything will work just fine. It's not necessary to check the ref count here.
1526 * dfg/DFGFixupPhase.cpp:
1527 (JSC::DFG::FixupPhase::fixupNode):
1529 2013-03-01 Filip Pizlo <fpizlo@apple.com>
1531 DFG CSE phase shouldn't rely on ref count of nodes, since it doesn't have to
1532 https://bugs.webkit.org/show_bug.cgi?id=111205
1534 Reviewed by Oliver Hunt.
1536 I don't understand the intuition behind setLocalStoreElimination() validating that the SetLocal's ref count
1537 is 1. I believe this is a hold-over from when setLocalStoreElimination() would match one SetLocal to another,
1538 and then try to eliminate the first SetLocal. But that's not how it works now. Now, setLocalStoreElimination()
1539 is actually Flush elimination: it eliminates any Flush that anchors a SetLocal if it proves that every path
1540 from the SetLocal to the Flush is devoid of operations that may observe the local. It doesn't actually kill
1541 the SetLocal itself: if the SetLocal is live because of other things (other Flushes or GetLocals in other
1542 basic blocks), then the SetLocal will naturally still be alive because the Flush was only keeping the SetLocal
1543 alive by one count rather than being solely responsible for its liveness.
1545 * dfg/DFGCSEPhase.cpp:
1546 (JSC::DFG::CSEPhase::setLocalStoreElimination):
1547 (JSC::DFG::CSEPhase::eliminate):
1548 (JSC::DFG::CSEPhase::performNodeCSE):
1550 2013-03-01 Filip Pizlo <fpizlo@apple.com>
1552 Rename MovHint to MovHintEvent so I can create a NodeType called MovHint
1554 Rubber stamped by Mark Hahnenberg.
1556 This is similar to the SetLocal/SetLocalEvent naming scheme, where SetLocal is the
1557 NodeType and SetLocalEvent is the VariableEventKind.
1559 * dfg/DFGVariableEvent.cpp:
1560 (JSC::DFG::VariableEvent::dump):
1561 * dfg/DFGVariableEvent.h:
1562 (JSC::DFG::VariableEvent::movHint):
1563 (JSC::DFG::VariableEvent::id):
1564 (JSC::DFG::VariableEvent::operand):
1566 * dfg/DFGVariableEventStream.cpp:
1567 (JSC::DFG::VariableEventStream::reconstruct):
1569 2013-03-01 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>
1571 [JSC] Fix sign comparison warning/error after r144340.
1572 https://bugs.webkit.org/show_bug.cgi?id=111164
1574 Reviewed by Mark Hahnenberg.
1576 gcc (both 4.2.1 and 4.7.2) complain about comparing signed and
1577 unsigned terms (clang accepts it just fine).
1579 Work around that by casting the 1 to an uintptr_t as well.
1582 (JSC::DFG::Edge::makeWord):
1584 2013-02-28 Filip Pizlo <fpizlo@apple.com>
1586 DFG CFA should not do liveness pruning
1587 https://bugs.webkit.org/show_bug.cgi?id=111119
1589 Reviewed by Mark Hahnenberg.
1591 It adds complexity and probably buys nothing. Moreover, I'm transitioning to having
1592 liveness only available at the bitter end of compilation, so this will stop working
1593 after https://bugs.webkit.org/show_bug.cgi?id=109389 anyway.
1595 * dfg/DFGAbstractState.cpp:
1596 (JSC::DFG::AbstractState::initialize):
1597 (JSC::DFG::AbstractState::mergeStateAtTail):
1599 2013-02-28 Filip Pizlo <fpizlo@apple.com>
1601 Don't try to emit profiling if you don't have the DFG JIT.
1603 Rubber stamped by Mark Hahnenberg.
1606 (JSC::JIT::shouldEmitProfiling):
1608 2013-02-28 Filip Pizlo <fpizlo@apple.com>
1610 DFG Phantom node should be honest about the fact that it can exit
1611 https://bugs.webkit.org/show_bug.cgi?id=111115
1613 Reviewed by Mark Hahnenberg.
1615 The chances of this having caused serious issues are low, since most clients of the
1616 NodeDoesNotExit flag run after CFA and CFA updates this properly. But one possible
1617 case of badness is if the ByteCodeParser inserted a Phantom with a type check in
1618 between a LogicalNot and a Branch; then that peephole optimization in Fixup might
1621 * dfg/DFGNodeType.h:
1624 2013-02-28 Mark Hahnenberg <mhahnenberg@apple.com>
1626 Add casts in DFGGPRInfo.h to suppress warnings
1627 https://bugs.webkit.org/show_bug.cgi?id=111104
1629 Reviewed by Filip Pizlo.
1631 With certain flags on, we get compiler warnings on ARM. We should do the proper casts to make these warnings go away.
1634 (JSC::DFG::GPRInfo::toIndex):
1635 (JSC::DFG::GPRInfo::debugName):
1637 2013-02-28 Filip Pizlo <fpizlo@apple.com>
1639 It should be easy to determine if a DFG node exits forward or backward when doing type checks
1640 https://bugs.webkit.org/show_bug.cgi?id=111102
1642 Reviewed by Mark Hahnenberg.
1644 This adds a NodeExitsForward flag, which tells you the exit directionality of
1645 type checks performed by the node. Even if you convert the node to a Phantom
1646 and use the Edge UseKind for type checks, you'll still get the same exit
1647 directionality that the original node would have wanted.
1649 * dfg/DFGArgumentsSimplificationPhase.cpp:
1650 (JSC::DFG::ArgumentsSimplificationPhase::run):
1651 * dfg/DFGArrayifySlowPathGenerator.h:
1652 (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
1653 * dfg/DFGCFGSimplificationPhase.cpp:
1654 (JSC::DFG::CFGSimplificationPhase::run):
1655 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1656 * dfg/DFGCPSRethreadingPhase.cpp:
1657 (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1658 * dfg/DFGCSEPhase.cpp:
1659 (JSC::DFG::CSEPhase::setReplacement):
1660 (JSC::DFG::CSEPhase::eliminate):
1661 (JSC::DFG::CSEPhase::performNodeCSE):
1662 * dfg/DFGConstantFoldingPhase.cpp:
1663 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1664 * dfg/DFGFixupPhase.cpp:
1665 (JSC::DFG::FixupPhase::checkArray):
1668 (JSC::DFG::Node::setOpAndDefaultNonExitFlags):
1669 (JSC::DFG::Node::convertToPhantom):
1670 * dfg/DFGNodeFlags.cpp:
1671 (JSC::DFG::nodeFlagsAsString):
1672 * dfg/DFGNodeFlags.h:
1674 * dfg/DFGNodeType.h:
1676 * dfg/DFGSpeculativeJIT.cpp:
1677 (JSC::DFG::SpeculativeJIT::backwardSpeculationCheck):
1679 (JSC::DFG::SpeculativeJIT::speculationCheck):
1680 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
1681 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
1682 (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
1683 (JSC::DFG::SpeculativeJIT::typeCheck):
1684 (JSC::DFG::SpeculativeJIT::forwardTypeCheck):
1685 (JSC::DFG::SpeculativeJIT::fillStorage):
1686 (JSC::DFG::SpeculativeJIT::compile):
1687 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1688 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1689 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
1690 * dfg/DFGSpeculativeJIT.h:
1692 (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
1693 (JSC::DFG::SpeculateIntegerOperand::gpr):
1694 (SpeculateIntegerOperand):
1695 (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
1696 (JSC::DFG::SpeculateDoubleOperand::fpr):
1697 (SpeculateDoubleOperand):
1698 (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
1699 (JSC::DFG::SpeculateCellOperand::gpr):
1700 (SpeculateCellOperand):
1701 (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
1702 (JSC::DFG::SpeculateBooleanOperand::gpr):
1703 (SpeculateBooleanOperand):
1704 * dfg/DFGSpeculativeJIT32_64.cpp:
1705 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1706 (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
1707 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
1708 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1709 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1710 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1711 (JSC::DFG::SpeculativeJIT::compile):
1712 * dfg/DFGSpeculativeJIT64.cpp:
1713 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1714 (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
1715 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
1716 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1717 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1718 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1719 (JSC::DFG::SpeculativeJIT::compile):
1721 2013-02-28 Filip Pizlo <fpizlo@apple.com>
1723 CodeBlock::valueProfile() has a bogus assertion
1724 https://bugs.webkit.org/show_bug.cgi?id=111106
1725 <rdar://problem/13131427>
1727 Reviewed by Mark Hahnenberg.
1729 This was just a bad assertion: m_bytecodeOffset == -1 means that the value profile is constructed but not initialized.
1730 ValueProfile constructs itself in a safe way; you can call any method you want on a constructed but not initialized
1731 ValueProfile. CodeBlock first constructs all ValueProfiles (by growing the ValueProfile vector) and then initializes
1732 their m_bytecodeOffset later. This is necessary because the initialization is linking bytecode instructions to their
1733 ValueProfiles, so at that point we don't want the ValueProfile vector to resize, which implies that we want all of
1734 them to already be constructed. A GC can happen during this phase, and the GC may want to walk all ValueProfiles.
1735 This is safe, but one of the ValueProfile getters (CodeBlock::valueProfile()) was asserting that any value profile
1736 you get has had its m_bytecodeOffset initialized. This need not be the case and nothing will go wrong if it isn't.
1738 The solution is to remove the assertion, which I believe was put there to ensure that my m_valueProfiles refactoring
1739 a long time ago was sound: it used to be that a ValueProfile with m_bytecodeOffset == -1 was an argument profile; now
1740 all argument profiles are in m_argumentValueProfiles instead. I think it's safe to say that this refactoring was done
1741 soundly since it was a long time ago. So we should kill the assertion - I don't see an easy way to make the assertion
1742 sound with respect to the GC-during-CodeBlock-construction issue, and I don't believe that the assertion is buying us
1743 anything at this point.
1745 * bytecode/CodeBlock.h:
1746 (JSC::CodeBlock::valueProfile):
1748 2013-02-27 Filip Pizlo <fpizlo@apple.com>
1750 DFG CFA should leave behind information in Edge that says if the Edge's type check is proven to succeed
1751 https://bugs.webkit.org/show_bug.cgi?id=110840
1753 Reviewed by Mark Hahnenberg.
1755 This doesn't add any observable functionality to the compiler, yet. But it does give
1756 every phase that runs after CFA the ability to know, in O(1) time, whether an edge
1757 will need to execute a type check.
1759 * dfg/DFGAbstractState.h:
1760 (JSC::DFG::AbstractState::filterEdgeByUse):
1761 (JSC::DFG::AbstractState::filterByType):
1762 * dfg/DFGCommon.cpp:
1764 (WTF::printInternal):
1766 (JSC::DFG::isProved):
1768 (JSC::DFG::proofStatusForIsProved):
1771 (JSC::DFG::Edge::dump):
1773 (JSC::DFG::Edge::Edge):
1774 (JSC::DFG::Edge::setNode):
1775 (JSC::DFG::Edge::useKindUnchecked):
1776 (JSC::DFG::Edge::setUseKind):
1778 (JSC::DFG::Edge::proofStatusUnchecked):
1779 (JSC::DFG::Edge::proofStatus):
1780 (JSC::DFG::Edge::setProofStatus):
1781 (JSC::DFG::Edge::isProved):
1782 (JSC::DFG::Edge::needsCheck):
1783 (JSC::DFG::Edge::shift):
1784 (JSC::DFG::Edge::makeWord):
1786 2013-02-28 Simon Hausmann <simon.hausmann@digia.com>
1788 [Qt][Mac] Fix massive parallel builds
1790 Reviewed by Tor Arne Vestbø.
1792 There is a race condition in which LLIntDesiredOffsets.h is written to
1793 by two parallel instances of the ruby script. This patch ensures that, similar to the output file,
1794 the generated file is also prefixed according to the build configuration.
1796 * LLIntOffsetsExtractor.pro:
1798 2013-02-27 Sheriff Bot <webkit.review.bot@gmail.com>
1800 Unreviewed, rolling out r144168.
1801 http://trac.webkit.org/changeset/144168
1802 https://bugs.webkit.org/show_bug.cgi?id=111019
1804 It broke the build and tronical is unavailable (Requested by
1805 Ossy_night on #webkit).
1807 * LLIntOffsetsExtractor.pro:
1809 2013-02-26 Filip Pizlo <fpizlo@apple.com>
1811 Disable some unsound DFG DCE
1812 https://bugs.webkit.org/show_bug.cgi?id=110948
1814 Reviewed by Michael Saboff.
1816 DCE of bitops is not sound since the bitops might call some variant of valueOf.
1818 This used to work right because ValueToInt32 was MustGenerate. From the DFG IR
1819 standpoint it feels weird to make ValueToInt32 be MustGenerate since that node is
1820 implemented entirely as a pure conversion. If we ever gave the DFG the ability to
1821 do effectful bitops, we would most likely implement them as special nodes not
1822 related to the ValueToInt32 and bitop nodes we have now.
1824 This change is performance neutral.
1826 * dfg/DFGNodeType.h:
1829 2013-02-27 Glenn Adams <glenn@skynav.com>
1831 Add ENABLE_CSS3_TEXT_LINE_BREAK flag.
1832 https://bugs.webkit.org/show_bug.cgi?id=110944
1834 Reviewed by Dean Jackson.
1836 * Configurations/FeatureDefines.xcconfig:
1838 2013-02-27 Julien Brianceau <jbrianceau@nds.com>
1840 Fix build when DFG_JIT is not enabled
1841 https://bugs.webkit.org/show_bug.cgi?id=110991
1843 Reviewed by Csaba Osztrogonác.
1846 (JSC::JIT::canBeOptimizedOrInlined):
1848 2013-02-27 Simon Hausmann <simon.hausmann@digia.com>
1850 [Qt][Mac] Fix massive parallel builds
1852 Reviewed by Tor Arne Vestbø.
1854 There is a race condition in which LLIntDesiredOffsets.h is written to
1855 by two parallel instances of the ruby script. This patch ensures that, similar to the output file,
1856 the generated file is also prefixed according to the build configuration.
1858 * LLIntOffsetsExtractor.pro:
1860 2013-02-26 Filip Pizlo <fpizlo@apple.com>
1862 DFG OSR exit doesn't know which virtual register to use for the last result register for post_inc and post_dec
1863 https://bugs.webkit.org/show_bug.cgi?id=109036
1864 <rdar://problem/13292139>
1866 Reviewed by Gavin Barraclough.
1868 This was a two-fold problem:
1870 1) post_inc/dec has two results - the new value of the variable, and the old value of the variable. DFG OSR exit
1871 assumed that the "last result" used for the Baseline JIT's register allocation would be the new value. It was
1872 wrong in this assumption.
1874 2) The Baseline JIT knew to disable its last result optimization in cases where it might confuse the DFG. But it
1875 was doing this only for code blocks that could be totally optimized, but not code blocks that could only be
1876 optimized when inlined.
1878 This patch introduces a more rigorous notion of when the Baseline JIT emits profiling, when it does extra work
1879 to account for the possibility of OSR exit, and when it does extra work to account for the possibility of OSR
1880 entry. These notions are called shouldEmitProfiling(), canBeOptimizedOrInlined(), and canBeOptimized(),
1883 This is performance-neutral and fixes the reported bug. It probably fixes other bugs as well, since previously
1884 we for example weren't doing the more conservative implementation of op_mov in the Baseline JIT for code blocks
1885 that could be inlined but not optimized. So, if such a code block OSR exited at just the right point, you'd get
1886 symptoms similar to this bug.
1888 * dfg/DFGCapabilities.h:
1889 (JSC::DFG::canCompileOpcode):
1892 (JSC::JIT::privateCompile):
1894 (JSC::JIT::compilePatchGetArrayLength):
1895 (JSC::JIT::canBeOptimizedOrInlined):
1897 * jit/JITArithmetic.cpp:
1898 (JSC::JIT::emit_op_post_inc):
1899 (JSC::JIT::emit_op_post_dec):
1900 * jit/JITArithmetic32_64.cpp:
1901 (JSC::JIT::emit_op_post_inc):
1902 (JSC::JIT::emit_op_post_dec):
1904 (JSC::JIT::emit_op_call_put_result):
1905 (JSC::JIT::compileOpCall):
1906 * jit/JITCall32_64.cpp:
1907 (JSC::JIT::compileOpCall):
1909 (JSC::JIT::emitArrayProfilingSite):
1911 * jit/JITOpcodes.cpp:
1912 (JSC::JIT::emit_op_mov):
1913 * jit/JITPropertyAccess.cpp:
1914 (JSC::JIT::compileGetByIdHotPath):
1915 (JSC::JIT::privateCompilePutByIdTransition):
1916 * jit/JITPropertyAccess32_64.cpp:
1917 (JSC::JIT::compileGetByIdHotPath):
1918 (JSC::JIT::privateCompilePutByIdTransition):
1920 2013-02-26 Roger Fong <roger_fong@apple.com>
1922 Unreviewed. AppleWin VS2010 build fix.
1924 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
1926 2013-02-25 Filip Pizlo <fpizlo@apple.com>
1928 The DFG backend's and OSR's decision to unbox a variable should be based on whether it's used in a typed context
1929 https://bugs.webkit.org/show_bug.cgi?id=110433
1931 Reviewed by Oliver Hunt and Mark Hahnenberg.
1933 This introduces the equivalent of a liveness analysis, except for type checking.
1934 A variable is said to be "profitable for unboxing" (i.e. live at a type check)
1935 if there exists a type check on a GetLocal of that variable, and the type check
1936 is consistent with the variable's prediction. Variables that are not profitable
1937 for unboxing aren't unboxed. Previously they would have been.
1939 This is a slight speed-up on some things but mostly neutral.
1941 * dfg/DFGArgumentPosition.h:
1942 (JSC::DFG::ArgumentPosition::ArgumentPosition):
1943 (JSC::DFG::ArgumentPosition::mergeShouldNeverUnbox):
1944 (JSC::DFG::ArgumentPosition::mergeArgumentPredictionAwareness):
1945 (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness):
1947 (JSC::DFG::ArgumentPosition::isProfitableToUnbox):
1948 (JSC::DFG::ArgumentPosition::shouldUseDoubleFormat):
1950 (JSC::DFG::checkAndSet):
1952 * dfg/DFGFixupPhase.cpp:
1953 (JSC::DFG::FixupPhase::run):
1954 (JSC::DFG::FixupPhase::fixupNode):
1955 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
1957 (JSC::DFG::FixupPhase::alwaysUnboxSimplePrimitives):
1958 (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
1959 * dfg/DFGPredictionPropagationPhase.cpp:
1960 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1961 * dfg/DFGSpeculativeJIT.cpp:
1962 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1963 * dfg/DFGVariableAccessData.h:
1964 (JSC::DFG::VariableAccessData::VariableAccessData):
1965 (JSC::DFG::VariableAccessData::mergeIsCaptured):
1966 (JSC::DFG::VariableAccessData::mergeIsProfitableToUnbox):
1967 (VariableAccessData):
1968 (JSC::DFG::VariableAccessData::isProfitableToUnbox):
1969 (JSC::DFG::VariableAccessData::shouldUnboxIfPossible):
1970 (JSC::DFG::VariableAccessData::mergeStructureCheckHoistingFailed):
1971 (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias):
1972 (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
1973 (JSC::DFG::VariableAccessData::mergeFlags):
1975 2013-02-26 Oliver Hunt <oliver@apple.com>
1979 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
1981 2013-02-26 Oliver Hunt <oliver@apple.com>
1983 Web Inspector: REGRESSION: [JSC] SourceProvider reuses IDs
1984 https://bugs.webkit.org/show_bug.cgi?id=99674
1986 Reviewed by Gavin Barraclough.
1988 Simple incrementing counter for SourceProvider IDs. Uses a
1989 lock when incrementing the counter so we don't reuse
1990 counter values or reassign the ID for a given SourceProvider.
1992 * parser/SourceProvider.cpp:
1993 (JSC::SourceProvider::SourceProvider):
1995 (JSC::SourceProvider::getID):
1996 * parser/SourceProvider.h:
1997 (JSC::SourceProvider::asID):
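The point of the entry above is that an identifier handed to the inspector must never be reused while an older provider may still hold it, so the counter has to be advanced under a lock and the ID fixed once per provider. The following is an added example, not JavaScriptCore's SourceProvider code; the class name ProviderIdSource, the reserved value 0 and the refusal to wrap around are assumptions made for illustration.

```cpp
#include <cstdint>
#include <mutex>

// Constructed example: a monotonically increasing ID source.  0 is reserved
// as "no ID yet", and exhausting the counter yields 0 rather than wrapping
// around to a value an earlier provider may still be using.
class ProviderIdSource {
public:
    using Id = uint32_t;
    static constexpr Id invalidId = 0;

    // `start` exists so the wraparound path can be exercised without drawing
    // four billion IDs; production code would always begin at 1.
    explicit ProviderIdSource(Id start = 1) : m_nextId(start) { }

    // Returns a fresh, never-before-issued ID, or invalidId once exhausted.
    // The lock makes read-increment-write one step, so two threads cannot
    // observe the same counter value.
    Id next()
    {
        std::lock_guard<std::mutex> guard(m_lock);
        if (m_nextId == invalidId)      // wrapped around: refuse to reuse
            return invalidId;
        return m_nextId++;
    }

    // Assigns an ID to a provider's slot exactly once; later calls for the
    // same slot return the ID already assigned, never a new one.
    Id idFor(Id& slot)
    {
        if (slot == invalidId)
            slot = next();
        return slot;
    }

private:
    std::mutex m_lock;
    Id m_nextId;
};
```

The check for `m_nextId == invalidId` is what turns a silent reuse after 2^32 allocations into a visible failure; callers treating `invalidId` as "no provider" then fail closed instead of attaching the wrong source to an inspector session.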
2000 2013-02-26 Sheriff Bot <webkit.review.bot@gmail.com>
2002 Unreviewed, rolling out r144074.
2003 http://trac.webkit.org/changeset/144074
2004 https://bugs.webkit.org/show_bug.cgi?id=110897
2006 Causing 20+ crashes on Mac (Requested by bradee-oh on
2010 * GNUmakefile.list.am:
2011 * JavaScriptCore.gypi:
2012 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2013 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2014 * JavaScriptCore.xcodeproj/project.pbxproj:
2016 * runtime/JSGlobalData.cpp:
2017 (JSC::JSGlobalData::JSGlobalData):
2018 * runtime/JSGlobalData.h:
2020 * runtime/PropertyMapHashTable.h:
2022 (JSC::PropertyTable::PropertyTable):
2024 (JSC::PropertyTable::~PropertyTable):
2025 (JSC::PropertyTable::copy):
2026 * runtime/PropertyTable.cpp: Removed.
2027 * runtime/Structure.cpp:
2028 (JSC::Structure::materializePropertyMap):
2029 (JSC::Structure::addPropertyTransition):
2030 (JSC::Structure::changePrototypeTransition):
2031 (JSC::Structure::despecifyFunctionTransition):
2032 (JSC::Structure::attributeChangeTransition):
2033 (JSC::Structure::toDictionaryTransition):
2034 (JSC::Structure::preventExtensionsTransition):
2035 (JSC::Structure::nonPropertyTransition):
2036 (JSC::Structure::copyPropertyTable):
2037 (JSC::Structure::copyPropertyTableForPinning):
2038 (JSC::Structure::putSpecificValue):
2039 (JSC::Structure::createPropertyMap):
2040 (JSC::Structure::visitChildren):
2041 * runtime/Structure.h:
2043 (JSC::Structure::putWillGrowOutOfLineStorage):
2044 (JSC::Structure::checkOffsetConsistency):
2046 * runtime/StructureInlines.h:
2048 2013-02-26 Roger Fong <roger_fong@apple.com>
2050 Unreviewed. AppleWin VS2010 build fix.
2052 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
2054 2013-02-26 Jer Noble <jer.noble@apple.com>
2056 Unreviewed build fix; use correct macro for platform name in FeatureDefines.xcconfig.
2058 * Configurations/FeatureDefines.xcconfig:
2060 2013-02-26 Michael Saboff <msaboff@apple.com>
2062 Potential crash in YARR JIT generated code when building 64 bit
2063 https://bugs.webkit.org/show_bug.cgi?id=110893
2065 Reviewed by Gavin Barraclough.
2067 The ABI doesn't define the behavior for the upper bits of a value that takes less than 64 bits.
2068 Therefore, we zero extend both the count and length registers to ensure that these unsigned values
2069 don't have garbage upper bits.
2072 (JSC::Yarr::YarrGenerator::generateEnter):
2074 2013-02-26 Andreas Kling <akling@apple.com>
2076 Unused Structure property tables waste 14MB on Membuster.
2077 <http://webkit.org/b/110854>
2078 <rdar://problem/13292104>
2080 Reviewed by Filip Pizlo.
2082 Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
2083 14 MB progression on Membuster3.
2086 * GNUmakefile.list.am:
2087 * JavaScriptCore.gypi:
2088 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2089 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2090 * JavaScriptCore.xcodeproj/project.pbxproj:
2093 Added PropertyTable.cpp.
2095 * runtime/PropertyTable.cpp: Added.
2096 (JSC::PropertyTable::create):
2097 (JSC::PropertyTable::clone):
2098 (JSC::PropertyTable::PropertyTable):
2099 (JSC::PropertyTable::destroy):
2100 (JSC::PropertyTable::~PropertyTable):
2101 (JSC::PropertyTable::visitChildren):
2103 Moved marking of property table values here from Structure::visitChildren().
2105 * runtime/StructureInlines.h:
2106 (JSC::Structure::putWillGrowOutOfLineStorage):
2107 (JSC::Structure::checkOffsetConsistency):
2109 Moved these to StructureInlines.h to break header dependency cycle between Structure/PropertyTable.
2111 * runtime/Structure.cpp:
2112 (JSC::Structure::visitChildren):
2114 Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.
2116 (JSC::Structure::materializePropertyMap):
2117 (JSC::Structure::addPropertyTransition):
2118 (JSC::Structure::changePrototypeTransition):
2119 (JSC::Structure::despecifyFunctionTransition):
2120 (JSC::Structure::attributeChangeTransition):
2121 (JSC::Structure::toDictionaryTransition):
2122 (JSC::Structure::preventExtensionsTransition):
2123 (JSC::Structure::nonPropertyTransition):
2124 (JSC::Structure::copyPropertyTable):
2125 (JSC::Structure::copyPropertyTableForPinning):
2126 (JSC::Structure::putSpecificValue):
2127 (JSC::Structure::createPropertyMap):
2128 * runtime/Structure.h:
2130 * runtime/JSGlobalData.cpp:
2131 (JSC::JSGlobalData::JSGlobalData):
2132 * runtime/JSGlobalData.h:
2134 * runtime/PropertyMapHashTable.h:
2136 (JSC::PropertyTable::createStructure):
2137 (JSC::PropertyTable::copy):
2139 2013-02-26 Andreas Kling <akling@apple.com>
2141 Unreviewed, rolling out r144054.
2142 http://trac.webkit.org/changeset/144054
2143 https://bugs.webkit.org/show_bug.cgi?id=110854
2148 * GNUmakefile.list.am:
2149 * JavaScriptCore.gypi:
2150 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2151 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2152 * JavaScriptCore.xcodeproj/project.pbxproj:
2154 * runtime/JSGlobalData.cpp:
2155 (JSC::JSGlobalData::JSGlobalData):
2156 * runtime/JSGlobalData.h:
2158 * runtime/PropertyMapHashTable.h:
2160 (JSC::PropertyTable::PropertyTable):
2162 (JSC::PropertyTable::~PropertyTable):
2163 (JSC::PropertyTable::copy):
2164 * runtime/PropertyTable.cpp: Removed.
2165 * runtime/Structure.cpp:
2166 (JSC::Structure::materializePropertyMap):
2167 (JSC::Structure::addPropertyTransition):
2168 (JSC::Structure::changePrototypeTransition):
2169 (JSC::Structure::despecifyFunctionTransition):
2170 (JSC::Structure::attributeChangeTransition):
2171 (JSC::Structure::toDictionaryTransition):
2172 (JSC::Structure::preventExtensionsTransition):
2173 (JSC::Structure::nonPropertyTransition):
2174 (JSC::Structure::copyPropertyTable):
2175 (JSC::Structure::copyPropertyTableForPinning):
2176 (JSC::Structure::putSpecificValue):
2177 (JSC::Structure::createPropertyMap):
2178 (JSC::Structure::visitChildren):
2179 * runtime/Structure.h:
2181 (JSC::Structure::putWillGrowOutOfLineStorage):
2182 (JSC::Structure::checkOffsetConsistency):
2184 * runtime/StructureInlines.h:
2186 2013-02-26 Andreas Kling <akling@apple.com>
2188 Unused Structure property tables waste 14MB on Membuster.
2189 <http://webkit.org/b/110854>
2190 <rdar://problem/13292104>
2192 Reviewed by Filip Pizlo.
2194 Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
2195 14 MB progression on Membuster3.
2198 * GNUmakefile.list.am:
2199 * JavaScriptCore.gypi:
2200 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2201 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2202 * JavaScriptCore.xcodeproj/project.pbxproj:
2205 Added PropertyTable.cpp.
2207 * runtime/PropertyTable.cpp: Added.
2208 (JSC::PropertyTable::create):
2209 (JSC::PropertyTable::clone):
2210 (JSC::PropertyTable::PropertyTable):
2211 (JSC::PropertyTable::destroy):
2212 (JSC::PropertyTable::~PropertyTable):
2213 (JSC::PropertyTable::visitChildren):
2215 Moved marking of property table values here from Structure::visitChildren().
2217 * runtime/StructureInlines.h:
2218 (JSC::Structure::putWillGrowOutOfLineStorage):
2219 (JSC::Structure::checkOffsetConsistency):
2221 Moved these to StructureInlines.h to break header dependency cycle between Structure/PropertyTable.
2223 * runtime/Structure.cpp:
2224 (JSC::Structure::visitChildren):
2226 Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.
2228 (JSC::Structure::materializePropertyMap):
2229 (JSC::Structure::addPropertyTransition):
2230 (JSC::Structure::changePrototypeTransition):
2231 (JSC::Structure::despecifyFunctionTransition):
2232 (JSC::Structure::attributeChangeTransition):
2233 (JSC::Structure::toDictionaryTransition):
2234 (JSC::Structure::preventExtensionsTransition):
2235 (JSC::Structure::nonPropertyTransition):
2236 (JSC::Structure::copyPropertyTable):
2237 (JSC::Structure::copyPropertyTableForPinning):
2238 (JSC::Structure::putSpecificValue):
2239 (JSC::Structure::createPropertyMap):
2240 * runtime/Structure.h:
2242 * runtime/JSGlobalData.cpp:
2243 (JSC::JSGlobalData::JSGlobalData):
2244 * runtime/JSGlobalData.h:
2246 * runtime/PropertyMapHashTable.h:
2248 (JSC::PropertyTable::createStructure):
2249 (JSC::PropertyTable::copy):
2251 2013-02-26 Jocelyn Turcotte <jocelyn.turcotte@digia.com>
2253 Implement JIT on Windows 64 bits
2254 https://bugs.webkit.org/show_bug.cgi?id=107965
2256 Reviewed by Simon Hausmann.
2258 1. MSVC doesn't support inline assembly for 64 bits, so the trampoline is implemented in a separate ASM file.
2260 2. Windows 64 bits has a different calling convention than other OSes, which follow the AMD64 ABI.
2261 Differences that we have to handle here:
2262 - Parameters are passed in registers RCX, RDX, R8 and R9 instead of RDI, RSI, RDX, RCX, R8 and R9
2263 - RDI and RSI must be preserved by callee
2264 - Only return values <= 8 bytes can be returned by register (RDX can't be used to return a second word)
2265 - There is no red-zone after RIP on the stack, but instead 4 reserved words before it
2272 (JSC::JITStackFrame::returnAddressSlot):
2273 * jit/JITStubsMSVC64.asm: Added.
2274 * jit/JSInterfaceJIT.h:
2276 * jit/ThunkGenerators.cpp:
2277 (JSC::nativeForGenerator):
2280 (JSC::Yarr::YarrGenerator::generateEnter):
2281 (JSC::Yarr::YarrGenerator::generateReturn):
2283 2013-02-26 Oliver Hunt <oliver@apple.com>
2285 Kill another analyzer warning in javascriptcore
2286 https://bugs.webkit.org/show_bug.cgi?id=110802
2288 Reviewed by Benjamin Poulain.
2292 * profiler/LegacyProfiler.cpp:
2293 (JSC::LegacyProfiler::startProfiling):
2294 (JSC::LegacyProfiler::stopProfiling):
2296 2013-02-26 Sheriff Bot <webkit.review.bot@gmail.com>
2298 Unreviewed, rolling out r144004.
2299 http://trac.webkit.org/changeset/144004
2300 https://bugs.webkit.org/show_bug.cgi?id=110858
2302 This iOS change is outdated (Requested by notbenjamin on
2305 * bytecompiler/BytecodeGenerator.cpp:
2306 (JSC::BytecodeGenerator::BytecodeGenerator):
2307 * bytecompiler/BytecodeGenerator.h:
2308 (JSC::BytecodeGenerator::emitNode):
2309 (JSC::BytecodeGenerator::emitNodeInConditionContext):
2310 (BytecodeGenerator):
2311 * parser/Parser.cpp:
2314 (JSC::Parser::canRecurse):
2317 2013-02-25 Filip Pizlo <fpizlo@apple.com>
2319 REGRESSION(r143654): some jquery test asserts on 32 bit debug build
2320 https://bugs.webkit.org/show_bug.cgi?id=110756
2322 Reviewed by Geoffrey Garen.
2324 TypeOf does speculations manually, so it should mark its JSValueOperand as doing ManualOperandSpeculation.
2326 * dfg/DFGSpeculativeJIT32_64.cpp:
2327 (JSC::DFG::SpeculativeJIT::compile):
2329 2013-02-25 Benjamin Poulain <bpoulain@apple.com>
2331 [JSC] Upstream iOS Stack bound checking
2332 https://bugs.webkit.org/show_bug.cgi?id=110813
2334 Reviewed by Filip Pizlo.
2336 On iOS, the StackBounds cannot be cached because the stack
2337 can be in one of two threads (the web thread or the UI thread).
2339 We simply always consider the current stack bound when testing
2342 * bytecompiler/BytecodeGenerator.cpp:
2343 (JSC::BytecodeGenerator::BytecodeGenerator):
2344 * bytecompiler/BytecodeGenerator.h:
2345 (JSC::BytecodeGenerator::emitNode):
2346 (JSC::BytecodeGenerator::emitNodeInConditionContext):
2347 (BytecodeGenerator):
2348 * parser/Parser.cpp:
2351 (JSC::Parser::canRecurse):
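The entry above replaces a cached stack bound with one read on the thread that is actually parsing, because a bound captured on one thread is meaningless when the parser later runs on another. The following is an added example, not WebKit's Parser or StackBounds code: a recursive-descent parser whose recursion guard measures how far the current frame is from a stack position recorded at entry on the same thread. The names ParseContext, parseGroup and parseWithStackBudget, the byte budget and the parenthesis grammar are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

namespace {

// Address of a local in the current frame.  volatile forces the compiler to
// give it a real stack slot, so the address moves with every recursion.
uintptr_t stackPositionHere()
{
    volatile char marker = 0;
    return reinterpret_cast<uintptr_t>(&marker);
}

struct ParseContext {
    uintptr_t stackBase;     // stack position at parse entry, on this thread
    size_t stackBudget;      // bytes of stack the parser may consume
    size_t maxDepthSeen;     // deepest nesting reached (for reporting)

    // True while the parser is within budget.  Uses the absolute distance so
    // it is correct whichever direction the stack grows.
    bool canRecurse() const
    {
        uintptr_t here = stackPositionHere();
        uintptr_t used = here > stackBase ? here - stackBase : stackBase - here;
        return used < stackBudget;
    }
};

// group := '(' group* ')'.  Returns false on a syntax error or when the
// stack budget is exhausted; the budget check comes first so a hostile
// input of a million '(' cannot drive the parser off the stack.
bool parseGroup(ParseContext& ctx, const std::string& s, size_t& pos, size_t depth)
{
    if (!ctx.canRecurse())
        return false;
    if (depth > ctx.maxDepthSeen)
        ctx.maxDepthSeen = depth;
    if (pos >= s.size() || s[pos] != '(')
        return false;
    ++pos;
    while (pos < s.size() && s[pos] == '(') {
        if (!parseGroup(ctx, s, pos, depth + 1))
            return false;
    }
    if (pos >= s.size() || s[pos] != ')')
        return false;
    ++pos;
    return true;
}

} // namespace

// Entry point.  The base is sampled here, on the calling thread, every time
// a parse starts; nothing about the stack is cached across calls or threads.
bool parseWithStackBudget(const std::string& s, size_t budgetBytes, size_t* depthOut = nullptr)
{
    ParseContext ctx{stackPositionHere(), budgetBytes, 0};
    size_t pos = 0;
    bool ok = parseGroup(ctx, s, pos, 1) && pos == s.size();
    if (depthOut)
        *depthOut = ctx.maxDepthSeen;
    return ok;
}
```

Rejecting the input is the intended outcome for the deeply nested case: the parser reports a failure well before the process would have faulted, and it does so from the thread that is really consuming the stack.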
2354 2013-02-25 Michael Saboff <msaboff@apple.com>
2356 For JSVALUE32_64, maxOffsetRelativeToPatchedStorage() doesn't compute the maximum negative offset
2357 https://bugs.webkit.org/show_bug.cgi?id=110828
2359 Reviewed by Oliver Hunt.
2361 * runtime/JSObject.h:
2362 (JSC::maxOffsetRelativeToPatchedStorage): Only add the OBJECT_OFFSETOF(tag) for positive offsets.
2363 That way this function will return the offset farthest from 0 needed to access either the payload
2366 2013-02-25 Jeffrey Pfau <jpfau@apple.com>
2368 Optionally partition cache to prevent using cache for tracking
2369 https://bugs.webkit.org/show_bug.cgi?id=110269
2371 Reviewed by Maciej Stachowiak.
2373 * Configurations/FeatureDefines.xcconfig: Add defines for cache partitioning and public suffix list usage
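The feature flags above enable keying the HTTP cache by the top-level site so a resource loaded from two different sites cannot be used as a cross-site tracking token. The following is an added example, not WebKit's cache or public-suffix code: it derives the partition key as the top-level host's registrable domain (public suffix plus one label). The four-entry suffix list is a constructed stand-in for the real Public Suffix List, and the function names are assumptions.

```cpp
#include <set>
#include <string>
#include <vector>

// Constructed stand-in for the Public Suffix List; the real list has
// thousands of entries and wildcard/exception rules that are omitted here.
static const std::set<std::string> kPublicSuffixes = {"com", "org", "co.uk", "github.io"};

// "a.b.c" -> {"a", "b", "c"}
std::vector<std::string> splitLabels(const std::string& host)
{
    std::vector<std::string> labels;
    std::string cur;
    for (char c : host) {
        if (c == '.') {
            labels.push_back(cur);
            cur.clear();
        } else {
            cur += c;
        }
    }
    labels.push_back(cur);
    return labels;
}

// Longest suffix of `host` that is on the list, e.g. "www.bbc.co.uk" -> "co.uk".
// An unknown TLD is treated as its own public suffix.
std::string publicSuffix(const std::string& host)
{
    std::vector<std::string> labels = splitLabels(host);
    for (size_t i = 0; i < labels.size(); ++i) {
        std::string candidate;
        for (size_t j = i; j < labels.size(); ++j)
            candidate += (j == i ? "" : ".") + labels[j];
        if (kPublicSuffixes.count(candidate))
            return candidate;     // i grows, so the first hit is the longest
    }
    return labels.empty() ? "" : labels.back();
}

// Registrable domain = public suffix plus one more label ("bbc.co.uk").
// Returns "" when the host is itself a public suffix; a caller should treat
// that as "no partition" rather than sharing one across every site under it.
std::string registrableDomain(const std::string& host)
{
    std::string suffix = publicSuffix(host);
    if (suffix.size() >= host.size())
        return "";
    std::string rest = host.substr(0, host.size() - suffix.size() - 1);
    size_t dot = rest.rfind('.');
    std::string label = (dot == std::string::npos) ? rest : rest.substr(dot + 1);
    return label + "." + suffix;
}

// The partition key.  The same tracker URL embedded on two different
// top-level sites maps to two different keys, so its cache entry cannot
// carry an identifier from one site to the other.
std::string cachePartition(const std::string& topLevelHost)
{
    return registrableDomain(topLevelHost);
}
```

Partitioning by registrable domain rather than by full host is deliberate: subdomains of one site share a partition (so news.example.com and shop.example.com see one cache), while example.com and example.org do not.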
2375 2013-02-25 Roger Fong <roger_fong@apple.com>
2377 Unreviewed. VS2010 solution build fix.
2379 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
2381 2013-02-24 Filip Pizlo <fpizlo@apple.com>
2383 DFG::Edge should have more bits for UseKind, and DFG::Allocator should be simpler
2384 https://bugs.webkit.org/show_bug.cgi?id=110722
2386 Reviewed by Oliver Hunt.
2388 This rolls out the DFG::Allocator part of http://trac.webkit.org/changeset/143654,
2389 and changes Edge to have more room for UseKinds and possibly other things.
2391 This is performance-neutral on both 32-bit and 64-bit. It reduces the size of
2392 DFG::Node on 64-bit (by virtue of getting rid of the 16-byte alignment of Node)
2393 and increases it slightly on 32-bit (by 4 bytes total - 16-byte alignment led to
2394 80 bytes, but the base size of Node plus the 12 bytes of new m_encodedWords in
2395 Edge gets 84 bytes). But, it will mean that we don't have to increase Node by
2396 another 16 bytes if we ever want to add more UseKinds or other things to Edge.
2398 * dfg/DFGAllocator.h:
2401 (JSC::DFG::Allocator::Region::headerSize):
2402 (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
2403 (JSC::DFG::Allocator::Region::data):
2404 (JSC::DFG::Allocator::Region::isInThisRegion):
2405 (JSC::DFG::::Allocator):
2406 (JSC::DFG::::~Allocator):
2407 (JSC::DFG::::allocate):
2409 (JSC::DFG::::freeAll):
2410 (JSC::DFG::::reset):
2411 (JSC::DFG::::indexOf):
2412 (JSC::DFG::::allocatorOf):
2413 (JSC::DFG::::bumpAllocate):
2414 (JSC::DFG::::freeListAllocate):
2415 (JSC::DFG::::allocateSlow):
2416 (JSC::DFG::::freeRegionsStartingAt):
2417 (JSC::DFG::::startBumpingIn):
2419 (JSC::DFG::Edge::Edge):
2421 (JSC::DFG::Edge::node):
2422 (JSC::DFG::Edge::setNode):
2423 (JSC::DFG::Edge::useKindUnchecked):
2424 (JSC::DFG::Edge::setUseKind):
2425 (JSC::DFG::Edge::operator==):
2426 (JSC::DFG::Edge::operator!=):
2427 (JSC::DFG::Edge::makeWord):
2428 * dfg/DFGNodeAllocator.h:
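Two entries above concern the bits packed into a DFG Edge: the 2013-02-27 "DFG CFA should leave behind information in Edge" entry adds a proof status that later phases read in O(1), and this one widens the field reserved for UseKind. The following is an added example, not JavaScriptCore's Edge class: a packed edge word whose fields are range-checked before shifting, so a value too large for its field cannot bleed into a neighbour. The layout (32 index bits, 8 use-kind bits, 1 proof bit) and the names PackedEdge, UseKind, ProofStatus and filterByType are assumptions.

```cpp
#include <cstdint>
#include <stdexcept>

// Constructed example.  An edge packs a node index, a "use kind" (the type
// the consumer expects) and a proof status (has flow analysis already shown
// the type check must succeed?) into one 64-bit word.
enum class UseKind : uint8_t { Untyped = 0, Int32, Number, Cell, Boolean, NumberOfUseKinds };
enum class ProofStatus : uint8_t { NeedsCheck = 0, IsProved = 1 };

class PackedEdge {
public:
    static constexpr unsigned nodeBits = 32;
    static constexpr unsigned useKindBits = 8;
    static constexpr unsigned proofBits = 1;
    static constexpr unsigned useKindShift = nodeBits;
    static constexpr unsigned proofShift = nodeBits + useKindBits;
    static constexpr uint64_t nodeMask = (uint64_t(1) << nodeBits) - 1;
    static constexpr uint64_t useKindMask = ((uint64_t(1) << useKindBits) - 1) << useKindShift;
    static constexpr uint64_t proofMask = ((uint64_t(1) << proofBits) - 1) << proofShift;

    PackedEdge(uint32_t node, UseKind kind, ProofStatus status = ProofStatus::NeedsCheck)
        : m_word(makeWord(node, kind, status)) { }

    uint32_t node() const { return uint32_t(m_word & nodeMask); }
    UseKind useKind() const { return UseKind((m_word & useKindMask) >> useKindShift); }
    ProofStatus proofStatus() const { return ProofStatus((m_word & proofMask) >> proofShift); }
    bool isProved() const { return proofStatus() == ProofStatus::IsProved; }
    bool needsCheck() const { return !isProved(); }

    // Rewriting one field must leave the others untouched.
    void setUseKind(UseKind kind) { m_word = makeWord(node(), kind, proofStatus()); }
    void setProofStatus(ProofStatus s) { m_word = makeWord(node(), useKind(), s); }
    uint64_t word() const { return m_word; }

private:
    // Every field is checked against its width before shifting; an
    // out-of-range value throws instead of silently corrupting a neighbour.
    static uint64_t makeWord(uint32_t node, UseKind kind, ProofStatus status)
    {
        uint64_t k = uint64_t(kind);
        if (k >= uint64_t(UseKind::NumberOfUseKinds) || k >= (uint64_t(1) << useKindBits))
            throw std::out_of_range("use kind does not fit its field");
        uint64_t p = uint64_t(status);
        if (p >= (uint64_t(1) << proofBits))
            throw std::out_of_range("proof status does not fit its field");
        return uint64_t(node) | (k << useKindShift) | (p << proofShift);
    }

    uint64_t m_word;
};

// What a flow-analysis phase does once it has established that the value
// reaching `edge` already has the expected type: mark the edge proved so the
// backend can skip the runtime check.  A proof for a different kind than the
// edge asks for is not a proof of this edge's check.
bool filterByType(PackedEdge& edge, UseKind provenKind)
{
    if (edge.useKind() != provenKind)
        return false;
    edge.setProofStatus(ProofStatus::IsProved);
    return true;
}
```

The width check matters more than it looks: with the narrow field the entry above replaces, adding a new UseKind enumerator would have been an overflow into the next field, and a node that "proved" its own check by accident would mean the backend omits a type check the program actually needs.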
2431 2013-02-22 Filip Pizlo <fpizlo@apple.com>
2433 The DFG special case checks for isCreatedThisArgument are fragile
2434 https://bugs.webkit.org/show_bug.cgi?id=110535
2436 Reviewed by Oliver Hunt.
2438 There may be many situations in which we want to force a variable to never be
2439 unboxed. Capturing is one such case, and the created this argument is another.
2440 Previously all code that dealt with this issue had to query both scenarios.
2442 Now DFG::VariableAccessData knows these things. You just have to ask
2443 VariableAccessData for whether a variable should be unboxed. Anyone wishing to
2444 force a variable to never be unboxed just tells VariableAccessData.
2446 * dfg/DFGAbstractState.cpp:
2447 (JSC::DFG::AbstractState::initialize):
2448 * dfg/DFGByteCodeParser.cpp:
2449 (JSC::DFG::ByteCodeParser::parseBlock):
2451 * dfg/DFGCFGSimplificationPhase.cpp:
2452 (CFGSimplificationPhase):
2453 * dfg/DFGFixupPhase.cpp:
2454 (JSC::DFG::FixupPhase::fixupNode):
2457 * dfg/DFGPredictionPropagationPhase.cpp:
2458 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2459 * dfg/DFGSpeculativeJIT.cpp:
2460 (JSC::DFG::SpeculativeJIT::compile):
2461 * dfg/DFGSpeculativeJIT32_64.cpp:
2462 (JSC::DFG::SpeculativeJIT::compile):
2463 * dfg/DFGSpeculativeJIT64.cpp:
2464 (JSC::DFG::SpeculativeJIT::compile):
2465 * dfg/DFGUnificationPhase.cpp:
2466 (JSC::DFG::UnificationPhase::run):
2467 * dfg/DFGVariableAccessData.h:
2468 (JSC::DFG::VariableAccessData::VariableAccessData):
2469 (JSC::DFG::VariableAccessData::mergeIsCaptured):
2470 (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
2471 (VariableAccessData):
2472 (JSC::DFG::VariableAccessData::shouldNeverUnbox):
2473 (JSC::DFG::VariableAccessData::shouldUnboxIfPossible):
2474 (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
2475 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
2477 2013-02-25 Geoffrey Garen <ggaren@apple.com>
2479 Do one lookup per code cache insertion instead of two
2480 https://bugs.webkit.org/show_bug.cgi?id=110674
2482 Reviewed by Sam Weinig.
2484 Deployed the idiomatic "add null value" trick to avoid a second hash
2485 lookup when inserting an item.
2487 * runtime/CodeCache.cpp:
2488 (JSC::CodeCacheMap::pruneSlowCase): Factored this into a helper function
2489 to improve clarity and get some code off the hot path.
2491 (JSC::CodeCache::getCodeBlock):
2492 (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Use the add() API
2493 to avoid two hash lookups. Be sure to remove items if parsing fails,
2494 otherwise we'll leave nulls in the table. (I'm guessing that caching parse
2495 errors is not a win.)
2497 * runtime/CodeCache.h:
2498 (JSC::SourceCodeValue::SourceCodeValue):
2500 (JSC::CodeCacheMap::add): Combined find() and set() into add().
2502 (JSC::CodeCacheMap::remove):
2503 (JSC::CodeCacheMap::age):
2504 (JSC::CodeCacheMap::prune): Refactored to support above changes.
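The "add null value" idiom described above, as an added example that is not JavaScriptCore's CodeCache: one `emplace` both finds an existing entry and reserves the slot on a miss, and a failed parse erases the reserved slot again so a null never survives in the table. The names SourceCache, ParsedUnit and toyParse, and the parenthesis-matching "parser" used as the expensive operation, are assumptions.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>

// Constructed example: the product of a successful parse.
struct ParsedUnit {
    std::string body;
};

class SourceCache {
public:
    using Parser = std::function<std::shared_ptr<ParsedUnit>(const std::string&)>;

    // Returns the cached unit for `source`, parsing on a miss.  One hash
    // lookup per call: emplace either finds the existing entry or inserts a
    // null placeholder, and tells us which happened.
    std::shared_ptr<ParsedUnit> get(const std::string& source, const Parser& parse)
    {
        auto result = m_map.emplace(source, nullptr);
        auto it = result.first;
        bool inserted = result.second;
        if (!inserted)
            return it->second;                // hit: already parsed

        std::shared_ptr<ParsedUnit> unit = parse(source);
        if (!unit) {
            m_map.erase(it);                  // parse error: drop the placeholder
            return nullptr;                   // so the failure is not cached
        }
        it->second = std::move(unit);
        return it->second;
    }

    size_t size() const { return m_map.size(); }

private:
    std::unordered_map<std::string, std::shared_ptr<ParsedUnit>> m_map;
};

// Stand-in for the expensive operation: accepts balanced parentheses,
// rejects anything unbalanced so the failure path is exercised.
std::shared_ptr<ParsedUnit> toyParse(const std::string& source)
{
    int depth = 0;
    for (char c : source) {
        if (c == '(')
            ++depth;
        else if (c == ')')
            --depth;
        if (depth < 0)
            return nullptr;
    }
    if (depth != 0)
        return nullptr;
    return std::make_shared<ParsedUnit>(ParsedUnit{source});
}
```

The erase on failure is the part that is easy to forget: without it, every later lookup of the same bad source would return the null placeholder as if it were a cached result, and the caller would have no way to distinguish "cached failure" from "never parsed".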
2506 2013-02-25 Carlos Garcia Campos <cgarcia@igalia.com>
2508 [BlackBerry][ARM] Fix cast-align warnings in JavaScriptCore
2509 https://bugs.webkit.org/show_bug.cgi?id=110738
2511 Reviewed by Rob Buis.
2513 Use reinterpret_cast_ptr instead of reinterpret_cast for
2516 * dfg/DFGOperations.cpp:
2517 * heap/CopiedBlock.h:
2518 (JSC::CopiedBlock::zeroFillWilderness):
2520 (JSC::WeakBlock::asWeakImpl):
2521 (JSC::WeakBlock::asFreeCell):
2522 (JSC::WeakBlock::weakImpls):
2524 (JSC::WeakImpl::asWeakImpl):
2525 * interpreter/JSStack.cpp:
2526 (JSC::JSStack::disableErrorStackReserve):
2527 * interpreter/JSStack.h:
2528 (JSC::JSStack::reservationEnd):
2529 * runtime/ArrayStorage.h:
2530 (JSC::ArrayStorage::from):
2531 * runtime/Butterfly.h:
2532 (JSC::Butterfly::indexingPayload):
2533 * runtime/IndexingHeader.h:
2534 (JSC::IndexingHeader::propertyStorage):
2535 * runtime/JSActivation.h:
2536 (JSC::JSActivation::tearOff):
2537 (JSC::JSActivation::isTornOff):
2538 (JSC::JSActivation::storage):
2540 2013-02-22 Filip Pizlo <fpizlo@apple.com>
2542 DFG::SpeculativeJIT::speculateNumber() should just use SpeculateDoubleOperand instead of doing its own thing
2543 https://bugs.webkit.org/show_bug.cgi?id=110659
2545 Reviewed by Oliver Hunt and Mark Hahnenberg.
2547 This simplifies the code, and also has the effect that if speculateNumber() is called
2548 prior to someone actually using the number in a double context, then the number will
2549 already be up-converted to double and ready to go.
2551 Previously if this ever came up, the subsequent use would have to again branch to see
2552 if the value is tagged as int or tagged as double.
2554 On the other hand, if you ever did speculateNumber() and then used the value as a
2555 JSValue, this will be a slow down now.
2557 I suspect that the former (speculateNumber() and then use as number) is more likely
2558 than the latter (speculateNumber() and then use as JSValue).
2560 * dfg/DFGSpeculativeJIT.cpp:
2561 (JSC::DFG::SpeculativeJIT::speculateNumber):
2563 2013-02-22 Filip Pizlo <fpizlo@apple.com>
2565 DFG FixupPhase should have one common hook for knowing if a node is ever being speculated a certain way
2566 https://bugs.webkit.org/show_bug.cgi?id=110650
2568 Reviewed by Mark Hahnenberg.
2570 Changes almost all calls to edge.setUseKind(kind) to be
2571 setUseKindAndUnboxIfProfitable<kind>(edge). This will allow us to use the latter
2572 as a hook for deciding which locals to unbox (webkit.org/b/110433).
2574 * dfg/DFGFixupPhase.cpp:
2575 (JSC::DFG::FixupPhase::fixupNode):
2577 (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
2578 (JSC::DFG::FixupPhase::fixIntEdge):
2579 (JSC::DFG::FixupPhase::fixDoubleEdge):
2580 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
2582 2013-02-22 Filip Pizlo <fpizlo@apple.com>
2584 REGRESSION(r143654): some fast/js test crashes on 32 bit build
2585 https://bugs.webkit.org/show_bug.cgi?id=110590
2587 Reviewed by Mark Hahnenberg.
2589 In compileValueToInt32, the refactoring in r143654 undid one of the fixes from
2590 r143314 due to a merge goof.
2592 In speculateNumber, we were simply forgetting to indicate that we need a
2593 ManualOperandSpeculation on a JSValueOperand. ManualOperandSpeculation should
2594 be passed whenever you will be performing the type checks yourself rather than
2595 using the operand class to do it for you.
2597 * dfg/DFGSpeculativeJIT.cpp:
2598 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2599 (JSC::DFG::SpeculativeJIT::speculateNumber):
2601 2013-02-22 Geoffrey Garen <ggaren@apple.com>
2605 Fix the 32-bit build by using the right data type in more places.
2607 * runtime/CodeCache.h:
2610 2013-02-22 Geoffrey Garen <ggaren@apple.com>
2614 Fix the 32-bit build by using the right data type.
2616 * runtime/CodeCache.h:
2617 (JSC::CodeCacheMap::find):
2619 2013-02-21 Geoffrey Garen <ggaren@apple.com>
2621 Code cache size should adapt to workload
2622 https://bugs.webkit.org/show_bug.cgi?id=110560
2624 Reviewed by Antti Koivisto.
2626 (*) 5% PLT arithmetic mean speedup
2627 (*) 10% PLT geometric mean speedup
2628 (*) 3.4X microbenchmark speedup
2629 (*) Reduces initial cache capacity by 16X
2631 * runtime/CodeCache.cpp:
2632 (JSC::CodeCache::CodeCache): Updated for interface change.
2634 * runtime/CodeCache.h:
2635 (JSC::SourceCodeValue::SourceCodeValue):
2636 (SourceCodeValue): Turned the cache value into a struct so it can track its age.
2639 (JSC::CodeCacheMap::CodeCacheMap):
2640 (JSC::CodeCacheMap::find):
2641 (JSC::CodeCacheMap::set):
2642 (JSC::CodeCacheMap::clear):
2643 (JSC::CodeCacheMap::pruneIfNeeded):
2644 (CodeCache): Grow and shrink in response to usage.
2646 2013-02-21 Jessie Berlin <jberlin@apple.com>
2648 Fix a typo that broke the 32 bit build.
2650 * dfg/DFGSpeculativeJIT32_64.cpp:
2651 (JSC::DFG::SpeculativeJIT::compile):
2653 2013-02-21 Michael Saboff <msaboff@apple.com>
2655 25-30% regression in V8 RayTrace test in 32 bit builds with JIT disabled
2656 https://bugs.webkit.org/show_bug.cgi?id=110539
2658 Reviewed by Filip Pizlo.
2660 Change the scale used to look up pointers in JSGlobalObject::m_specialPointers to be 4 bytes for
2661 the 32 bit version of the interpreter.
2663 * llint/LowLevelInterpreter32_64.asm:
2665 2013-02-21 Roger Fong <roger_fong@apple.com>
2667 Unreviewed. Add executable property to cmd file.
2668 Required for executable files to maintain their executable permissions over svn.
2670 * JavaScriptCore.vcxproj/copy-files.cmd: Added property svn:executable.
2672 2013-02-21 Filip Pizlo <fpizlo@apple.com>
2674 Object allocation profiling will refuse to create objects with more than JSFinalObject::maxInlineCapacity() inline slots, but JSFunction::allocationProfile() asserts that the number of inline slots is always what it asked for
2675 https://bugs.webkit.org/show_bug.cgi?id=110519
2676 <rdar://problem/13218566>
2678 Reviewed by Geoffrey Garen.
2680 * runtime/JSFunction.h:
2681 (JSC::JSFunction::allocationProfile):
2683 2013-02-21 Roger Fong <roger_fong@apple.com>
2685 Unreviewed. Build fix for VS2010 WebKit solution.
2687 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
2689 2013-02-20 Filip Pizlo <fpizlo@apple.com>
2691 DFG should not change its mind about what type speculations a node does, by encoding the checks in the NodeType, UseKind, and ArrayMode
2692 https://bugs.webkit.org/show_bug.cgi?id=109371
2694 Reviewed by Oliver Hunt.
2696 FixupPhase now locks in the speculations that each node will do. The DFG then
2697 remembers those speculations, and doesn't change its mind about them even if the
2698 graph is transformed - for example if a node's child is repointed to a different
2699 node as part of CSE, CFG simplification, or folding. Each node ensures that it
2700 executes the speculations promised by its edges. This is true even for Phantom
2703 This still leaves some craziness on the table for future work, like the
2704 elimination of speculating SetLocal's due to CFG simplification
2705 (webkit.org/b/109388) and elimination of nodes via DCE (webkit.org/b/109389).
2707 In all, this allows for a huge simplification of the DFG. Instead of having to
2708 execute the right speculation heuristic each time you want to decide what a node
2709 does (for example Node::shouldSpeculateInteger(child1, child2) &&
2710 node->canSpeculateInteger()), you just ask for the use kinds of its children
2711 (typically node->binaryUseKind() == Int32Use). Because the use kinds are
2712 discrete, you can often just switch over them. This makes many parts of the code
2713 more clear than they were before.
2715 Having UseKinds describe the speculations being performed also makes it far
2716 easier to perform analyses that need to know what speculations are done. This is
2717 so far only used to simplify large parts of the CFA.
2719 To have a larger vocabulary of UseKinds, this also changes the node allocator to
2720 be able to round up Node sizes to the nearest multiple of 16.
2722 This appears to be neutral on benchmarks, except for some goofy speed-ups, like
2726 * GNUmakefile.list.am:
2727 * JavaScriptCore.xcodeproj/project.pbxproj:
2729 * dfg/DFGAbstractState.cpp:
2730 (JSC::DFG::AbstractState::startExecuting):
2732 (JSC::DFG::AbstractState::executeEdges):
2733 (JSC::DFG::AbstractState::verifyEdge):
2734 (JSC::DFG::AbstractState::verifyEdges):
2735 (JSC::DFG::AbstractState::executeEffects):
2736 (JSC::DFG::AbstractState::execute):
2737 * dfg/DFGAbstractState.h:
2739 (JSC::DFG::AbstractState::filterEdgeByUse):
2740 (JSC::DFG::AbstractState::filterByType):
2741 * dfg/DFGAbstractValue.h:
2742 (JSC::DFG::AbstractValue::filter):
2743 * dfg/DFGAdjacencyList.h:
2744 (JSC::DFG::AdjacencyList::AdjacencyList):
2745 (JSC::DFG::AdjacencyList::child):
2746 (JSC::DFG::AdjacencyList::setChild):
2747 (JSC::DFG::AdjacencyList::reset):
2748 (JSC::DFG::AdjacencyList::firstChild):
2749 (JSC::DFG::AdjacencyList::setFirstChild):
2750 (JSC::DFG::AdjacencyList::numChildren):
2751 (JSC::DFG::AdjacencyList::setNumChildren):
2753 * dfg/DFGAllocator.h:
2756 (JSC::DFG::Allocator::cellSize):
2757 (JSC::DFG::Allocator::Region::headerSize):
2758 (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
2759 (JSC::DFG::Allocator::Region::payloadSize):
2760 (JSC::DFG::Allocator::Region::payloadBegin):
2761 (JSC::DFG::Allocator::Region::payloadEnd):
2762 (JSC::DFG::Allocator::Region::isInThisRegion):
2763 (JSC::DFG::::Allocator):
2764 (JSC::DFG::::~Allocator):
2765 (JSC::DFG::::allocate):
2767 (JSC::DFG::::freeAll):
2768 (JSC::DFG::::reset):
2769 (JSC::DFG::::indexOf):
2770 (JSC::DFG::::allocatorOf):
2771 (JSC::DFG::::bumpAllocate):
2772 (JSC::DFG::::freeListAllocate):
2773 (JSC::DFG::::allocateSlow):
2774 (JSC::DFG::::freeRegionsStartingAt):
2775 (JSC::DFG::::startBumpingIn):
2776 * dfg/DFGByteCodeParser.cpp:
2777 (JSC::DFG::ByteCodeParser::addToGraph):
2778 (JSC::DFG::ByteCodeParser::handleMinMax):
2779 * dfg/DFGCSEPhase.cpp:
2780 (JSC::DFG::CSEPhase::setLocalStoreElimination):
2781 (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
2782 (JSC::DFG::CSEPhase::setReplacement):
2783 (JSC::DFG::CSEPhase::performNodeCSE):
2786 * dfg/DFGConstantFoldingPhase.cpp:
2787 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2788 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2789 * dfg/DFGDriver.cpp:
2790 (JSC::DFG::compile):
2792 (JSC::DFG::Edge::dump):
2794 (JSC::DFG::Edge::useKindUnchecked):
2795 (JSC::DFG::Edge::useKind):
2796 (JSC::DFG::Edge::shift):
2797 * dfg/DFGFixupPhase.cpp:
2798 (JSC::DFG::FixupPhase::run):
2799 (JSC::DFG::FixupPhase::fixupNode):
2800 (JSC::DFG::FixupPhase::checkArray):
2801 (JSC::DFG::FixupPhase::blessArrayOperation):
2802 (JSC::DFG::FixupPhase::fixIntEdge):
2803 (JSC::DFG::FixupPhase::fixDoubleEdge):
2804 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
2806 (JSC::DFG::FixupPhase::truncateConstantToInt32):
2807 (JSC::DFG::FixupPhase::truncateConstantsIfNecessary):
2808 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
2811 (JSC::DFG::Graph::refChildren):
2812 (JSC::DFG::Graph::derefChildren):
2814 (JSC::DFG::Graph::ref):
2815 (JSC::DFG::Graph::deref):
2816 (JSC::DFG::Graph::performSubstitution):
2817 (JSC::DFG::Graph::isPredictedNumerical):
2818 (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
2821 (JSC::DFG::Node::Node):
2822 (JSC::DFG::Node::convertToGetByOffset):
2823 (JSC::DFG::Node::convertToPutByOffset):
2824 (JSC::DFG::Node::willHaveCodeGenOrOSR):
2825 (JSC::DFG::Node::child1):
2826 (JSC::DFG::Node::child2):
2827 (JSC::DFG::Node::child3):
2828 (JSC::DFG::Node::binaryUseKind):
2830 (JSC::DFG::Node::isBinaryUseKind):
2831 * dfg/DFGNodeAllocator.h:
2833 * dfg/DFGNodeFlags.cpp:
2834 (JSC::DFG::nodeFlagsAsString):
2835 * dfg/DFGNodeType.h:
2837 * dfg/DFGPredictionPropagationPhase.cpp:
2838 (JSC::DFG::PredictionPropagationPhase::propagate):
2839 * dfg/DFGSpeculativeJIT.cpp:
2840 (JSC::DFG::SpeculativeJIT::speculationCheck):
2842 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
2843 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
2844 (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
2845 (JSC::DFG::SpeculativeJIT::typeCheck):
2846 (JSC::DFG::SpeculativeJIT::forwardTypeCheck):
2847 (JSC::DFG::SpeculativeJIT::fillStorage):
2848 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2849 (JSC::DFG::SpeculativeJIT::compile):
2850 (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
2851 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2852 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
2853 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
2854 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
2855 (JSC::DFG::SpeculativeJIT::compileAdd):
2856 (JSC::DFG::SpeculativeJIT::compileArithSub):
2857 (JSC::DFG::SpeculativeJIT::compileArithNegate):
2858 (JSC::DFG::SpeculativeJIT::compileArithMul):
2859 (JSC::DFG::SpeculativeJIT::compileArithMod):
2860 (JSC::DFG::SpeculativeJIT::compare):
2861 (JSC::DFG::SpeculativeJIT::compileStrictEq):
2862 (JSC::DFG::SpeculativeJIT::speculateInt32):
2863 (JSC::DFG::SpeculativeJIT::speculateNumber):
2864 (JSC::DFG::SpeculativeJIT::speculateRealNumber):
2865 (JSC::DFG::SpeculativeJIT::speculateBoolean):
2866 (JSC::DFG::SpeculativeJIT::speculateCell):
2867 (JSC::DFG::SpeculativeJIT::speculateObject):
2868 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2869 (JSC::DFG::SpeculativeJIT::speculateString):
2870 (JSC::DFG::SpeculativeJIT::speculateNotCell):
2871 (JSC::DFG::SpeculativeJIT::speculateOther):
2872 (JSC::DFG::SpeculativeJIT::speculate):
2873 * dfg/DFGSpeculativeJIT.h:
2875 (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
2876 (JSC::DFG::SpeculativeJIT::needsTypeCheck):
2877 (JSC::DFG::IntegerOperand::IntegerOperand):
2878 (JSC::DFG::IntegerOperand::edge):
2880 (JSC::DFG::IntegerOperand::node):
2881 (JSC::DFG::IntegerOperand::gpr):
2882 (JSC::DFG::IntegerOperand::use):
2883 (JSC::DFG::JSValueOperand::JSValueOperand):
2885 (JSC::DFG::JSValueOperand::edge):
2886 (JSC::DFG::JSValueOperand::node):
2887 (JSC::DFG::JSValueOperand::gpr):
2888 (JSC::DFG::JSValueOperand::fill):
2889 (JSC::DFG::JSValueOperand::use):
2890 (JSC::DFG::StorageOperand::StorageOperand):
2891 (JSC::DFG::StorageOperand::edge):
2893 (JSC::DFG::StorageOperand::node):
2894 (JSC::DFG::StorageOperand::gpr):
2895 (JSC::DFG::StorageOperand::use):
2896 (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
2897 (SpeculateIntegerOperand):
2898 (JSC::DFG::SpeculateIntegerOperand::edge):
2899 (JSC::DFG::SpeculateIntegerOperand::node):
2900 (JSC::DFG::SpeculateIntegerOperand::gpr):
2901 (JSC::DFG::SpeculateIntegerOperand::use):
2902 (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
2903 (SpeculateStrictInt32Operand):
2904 (JSC::DFG::SpeculateStrictInt32Operand::edge):
2905 (JSC::DFG::SpeculateStrictInt32Operand::node):
2906 (JSC::DFG::SpeculateStrictInt32Operand::gpr):
2907 (JSC::DFG::SpeculateStrictInt32Operand::use):
2908 (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
2909 (SpeculateDoubleOperand):
2910 (JSC::DFG::SpeculateDoubleOperand::edge):
2911 (JSC::DFG::SpeculateDoubleOperand::node):
2912 (JSC::DFG::SpeculateDoubleOperand::fpr):
2913 (JSC::DFG::SpeculateDoubleOperand::use):
2914 (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
2915 (SpeculateCellOperand):
2916 (JSC::DFG::SpeculateCellOperand::edge):
2917 (JSC::DFG::SpeculateCellOperand::node):
2918 (JSC::DFG::SpeculateCellOperand::gpr):
2919 (JSC::DFG::SpeculateCellOperand::use):
2920 (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
2921 (JSC::DFG::SpeculateBooleanOperand::edge):
2922 (SpeculateBooleanOperand):
2923 (JSC::DFG::SpeculateBooleanOperand::node):
2924 (JSC::DFG::SpeculateBooleanOperand::gpr):
2925 (JSC::DFG::SpeculateBooleanOperand::use):
2927 * dfg/DFGSpeculativeJIT32_64.cpp:
2928 (JSC::DFG::SpeculativeJIT::fillInteger):
2929 (JSC::DFG::SpeculativeJIT::fillJSValue):
2930 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2931 (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
2932 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
2933 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2934 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2935 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2936 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2937 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2938 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2939 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2940 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2941 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2942 (JSC::DFG::SpeculativeJIT::emitBranch):
2943 (JSC::DFG::SpeculativeJIT::compile):
2944 * dfg/DFGSpeculativeJIT64.cpp:
2945 (JSC::DFG::SpeculativeJIT::fillInteger):
2946 (JSC::DFG::SpeculativeJIT::fillJSValue):
2947 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2948 (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
2949 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
2950 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2951 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2952 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2953 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
2954 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2955 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2956 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2957 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2958 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2959 (JSC::DFG::SpeculativeJIT::emitBranch):
2960 (JSC::DFG::SpeculativeJIT::compile):
2961 * dfg/DFGStructureCheckHoistingPhase.cpp:
2962 (JSC::DFG::StructureCheckHoistingPhase::run):
2963 * dfg/DFGUseKind.cpp: Added.
2965 (WTF::printInternal):
2966 * dfg/DFGUseKind.h: Added.
2968 (JSC::DFG::typeFilterFor):
2969 (JSC::DFG::isNumerical):
2971 * dfg/DFGValidate.cpp:
2972 (JSC::DFG::Validate::reportValidationContext):
2974 2013-02-20 Mark Hahnenberg <mhahnenberg@apple.com>
2976 Objective-C API: Need a way to use the Objective-C JavaScript API with WebKit
2977 https://bugs.webkit.org/show_bug.cgi?id=106059
2979 Reviewed by Geoffrey Garen.
2981 * API/JSBase.h: Renamed enable flag for API.
2982 * API/JSBlockAdaptor.h: Using new flag.
2983 * API/JSBlockAdaptor.mm: Ditto.
2984 * API/JSContext.h: Add convenience C API conversion function for JSGlobalContextRef.
2986 (-[JSContext JSGlobalContextRef]): Implementation of C API convenience function.
2987 (-[JSContext initWithVirtualMachine:]): We don't use the m_apiData field any more.
2988 (-[JSContext initWithGlobalContextRef:]): init method for allocating new JSContexts given a JSGlobalContextRef.
2989 (-[JSContext dealloc]): No more m_apiData.
2990 (-[JSContext wrapperForObjCObject:]): Renamed wrapperForObject.
2991 (-[JSContext wrapperForJSObject:]): Fetches or allocates the JSValue for the specified JSValueRef in this JSContext.
2992 (+[JSContext contextWithGlobalContextRef:]): Helper function to grab the lightweight JSContext wrapper for a given
2993 JSGlobalContextRef from the global wrapper cache or allocate a new one if there isn't already one.
2994 * API/JSContextInternal.h: New flag, new method declaration for initWithGlobalContextRef.
2995 * API/JSExport.h: New flag.
2996 * API/JSValue.h: New flag and new C API convenience method.
2998 (-[JSValue JSValueRef]): Implementation of the C API convenience method.
2999 (objectToValueWithoutCopy):
3000 (+[JSValue valueWithValue:inContext:]): We now ask the JSContext for an Objective-C JSValue wrapper, which it can cache
3001 in its internal JSWrapperMap.
3002 * API/JSValueInternal.h:
3003 * API/JSVirtualMachine.h:
3004 * API/JSVirtualMachine.mm: Added global cache that maps JSContextGroupRef -> JSVirtualMachine lightweight wrappers.
3007 (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
3008 (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
3009 (-[JSVirtualMachine init]):
3010 (-[JSVirtualMachine initWithContextGroupRef:]):
3011 (-[JSVirtualMachine dealloc]):
3012 (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
3013 (-[JSVirtualMachine contextForGlobalContextRef:]):
3014 (-[JSVirtualMachine addContext:forGlobalContextRef:]):
3015 * API/JSVirtualMachineInternal.h:
3016 * API/JSWrapperMap.h:
3017 * API/JSWrapperMap.mm:
3018 (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We use the JSObjectSetPrototype C API call because
3019 setting the __proto__ property causes all sorts of bad things to happen behind the scenes, which can cause crashes based on
3020 when it gets called.
3021 (-[JSWrapperMap initWithContext:]):
3022 (-[JSWrapperMap jsWrapperForObject:]):
3023 (-[JSWrapperMap objcWrapperForJSValueRef:]):
3024 * API/JavaScriptCore.h:
3025 * API/ObjCCallbackFunction.h:
3026 * API/ObjCCallbackFunction.mm:
3027 (ObjCCallbackFunction::ObjCCallbackFunction): We never actually should have retained the target in the case that we had a
3028 block as a callback. Blocks are initially allocated on the stack and are only moved to the heap if we call their copy method.
3029 Retaining the block on the stack was a bad idea because if that stack frame ever went away and we called the block later,
3030 we'd crash and burn.
3031 (ObjCCallbackFunction::setContext): We need a new setter so that when the weak reference to a JSContext inside an ObjCCallbackFunction
3032 disappears, we can allocate a new one in its place.
3033 (ObjCCallbackFunction):
3034 (objCCallbackFunctionCallAsFunction): Reset the callback's context if it's ever destroyed.
3035 (objCCallbackFunctionForInvocation): Again, don't set the __proto__ property because it uses black magic that can cause us to crash
3036 depending on when this is called.
3037 (objCCallbackFunctionForBlock): Here is where we copy the block to the heap when we're first creating the callback object for it.
3038 * API/tests/testapi.c:
3040 * API/tests/testapi.mm: We're going to get rid of the automatic block conversion, since that is causing leaks. I changed it
3041 here in this test just so that it wouldn't mask any other potential leaks. Also modified some of the tests: since JSContexts are
3042 just lightweight wrappers now, we're not guaranteed to get the same pointer back from the call to [JSValue context] as the one
3043 that the value was created in.
3044 (-[TestObject callback:]):
3045 * JavaScriptCore.xcodeproj/project.pbxproj:
3046 * runtime/JSGlobalData.cpp:
3047 (JSC::JSGlobalData::JSGlobalData): No more m_apiData.
3048 * runtime/JSGlobalData.h: Ditto.
3049 * runtime/JSGlobalObject.cpp:
3050 (JSC::JSGlobalObject::JSGlobalObject): Ditto.
3051 * runtime/JSGlobalObject.h:
3053 2013-02-19 Filip Pizlo <fpizlo@apple.com>
3055 DFG::SpeculativeJIT::compileInt32ToDouble() has an unnecessary case for constant operands
3056 https://bugs.webkit.org/show_bug.cgi?id=110309
3058 Reviewed by Sam Weinig.
3060 It used to be necessary, back when we didn't have constant folding. Now we have
3061 constant folding. So we don't need it.
3063 * dfg/DFGSpeculativeJIT.cpp:
3064 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
3066 2013-02-20 Filip Pizlo <fpizlo@apple.com>
3068 DFG inlines Resolves that it doesn't know how to handle correctly
3069 https://bugs.webkit.org/show_bug.cgi?id=110405
3071 Reviewed by Geoffrey Garen.
3073 Don't try to be clever: if there's a failing resolve, we can't inline it, period.
3075 * dfg/DFGCapabilities.h:
3076 (JSC::DFG::canInlineResolveOperations):
3077 (JSC::DFG::canInlineOpcode):
3079 2013-02-20 Roger Fong <roger_fong@apple.com>
3081 Get VS2010 Solution B&I ready.
3082 <rdar://problem/1322988>
3084 Rubberstamped by Timothy Horton.
3086 Add Production configuration.
3087 Add a JavaScriptCore submit solution with a DebugSuffix configuration.
3088 Modify JavaScriptCore.make as necessary.
3090 * JavaScriptCore.vcxproj/JavaScriptCore.make: Added.
3091 * JavaScriptCore.vcxproj/JavaScriptCore.sln: Removed.
3092 * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.sln.
3093 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3094 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
3095 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
3096 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
3097 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
3098 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd:
3099 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props: Added.
3100 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props:
3101 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
3102 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
3103 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: Added.
3104 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props:
3105 * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: Added.
3106 * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props:
3107 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
3108 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
3109 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
3110 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
3111 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props:
3112 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props: Added.
3113 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props:
3114 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
3115 * JavaScriptCore.vcxproj/jsc/jscCommon.props:
3116 * JavaScriptCore.vcxproj/jsc/jscProduction.props: Added.
3117 * JavaScriptCore.vcxproj/jsc/jscRelease.props:
3118 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
3119 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
3120 * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props: Added.
3121 * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props:
3122 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
3123 * JavaScriptCore.vcxproj/testapi/testapiCommon.props:
3124 * JavaScriptCore.vcxproj/testapi/testapiProduction.props: Added.
3125 * JavaScriptCore.vcxproj/testapi/testapiRelease.props:
3127 2013-02-19 Jer Noble <jer.noble@apple.com>
3129 EME: Enable both ENCRYPTED_MEDIA and ENCRYPTED_MEDIA_V2 until clients transition to the new API.
3130 https://bugs.webkit.org/show_bug.cgi?id=110284
3132 Reviewed by Eric Carlson.
3134 Re-enable the ENCRYPTED_MEDIA flag.
3136 * Configurations/FeatureDefines.xcconfig:
3138 2013-02-20 Dirk Schulze <krit@webkit.org>
3140 Enable CANVAS_PATH flag
3141 https://bugs.webkit.org/show_bug.cgi?id=108508
3143 Reviewed by Simon Fraser.
3145 Enable CANVAS_PATH flag on trunk.
3147 Existing tests cover the feature.
3149 * Configurations/FeatureDefines.xcconfig:
3151 2013-02-19 Mark Rowe <mrowe@apple.com>
3153 Unreviewed, uninteresting change to test a theory about bad dependency handling.
3155 * API/JSStringRefCF.cpp:
3156 (JSStringCreateWithCFString): Remove an unnecessary else clause.
3158 2013-02-19 Oliver Hunt <oliver@apple.com>
3160 Silence some analyzer warnings
3161 https://bugs.webkit.org/show_bug.cgi?id=110281
3163 Reviewed by Mark Hahnenberg.
3165 The static analyzer believes that callerCodeBlock can be null,
3166 based on other code performing null tests. This should not
3167 ever be the case, but we'll add RELEASE_ASSERTs to make it
3168 obvious if we're ever wrong.
3170 * interpreter/Interpreter.cpp:
3171 (JSC::getCallerInfo):
3173 2013-02-19 Oliver Hunt <oliver@apple.com>
3175 Don't force everything to be blinded in debug builds
3176 https://bugs.webkit.org/show_bug.cgi?id=110279
3178 Reviewed by Mark Hahnenberg.
3180 Switch to an explicit flag for indicating that we want
3181 every constant to be blinded.
3183 * assembler/MacroAssembler.h:
3184 (JSC::MacroAssembler::shouldBlind):
3186 2013-02-19 Filip Pizlo <fpizlo@apple.com>
3188 Fix indentation of Opcode.h
3190 Rubber stamped by Mark Hahnenberg.
3192 * bytecode/Opcode.h:
3194 2013-02-19 Filip Pizlo <fpizlo@apple.com>
3196 Moved PolymorphicAccessStructureList into its own file.
3198 Rubber stamped by Mark Hahnenberg.
3200 * GNUmakefile.list.am:
3201 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3202 * JavaScriptCore.xcodeproj/project.pbxproj:
3203 * bytecode/Instruction.h:
3205 * bytecode/PolymorphicAccessStructureList.h: Added.
3207 (PolymorphicAccessStructureList):
3208 (PolymorphicStubInfo):
3209 (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
3210 (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
3211 (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
3212 (JSC::PolymorphicAccessStructureList::visitWeak):
3213 * bytecode/StructureStubInfo.h:
3215 2013-02-19 Filip Pizlo <fpizlo@apple.com>
3217 Fix indentation of Instruction.h
3219 Rubber stamped by Mark Hahnenberg.
3221 * bytecode/Instruction.h:
3223 2013-02-18 Geoffrey Garen <ggaren@apple.com>
3225 Unreviewed, rolling in r143348.
3226 http://trac.webkit.org/changeset/143348
3227 https://bugs.webkit.org/show_bug.cgi?id=110242
3229 The bug was that isEmptyValue() was returning true for the deleted value.
3230 Fixed this and simplified things further by delegating to m_sourceCode
3231 for both isNull() and isHashTableDeletedValue(), so they can't be out of
3234 * runtime/CodeCache.cpp:
3235 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3236 * runtime/CodeCache.h:
3237 (JSC::SourceCodeKey::SourceCodeKey):
3238 (JSC::SourceCodeKey::isHashTableDeletedValue):
3239 (JSC::SourceCodeKey::hash):
3240 (JSC::SourceCodeKey::length):
3241 (JSC::SourceCodeKey::isNull):
3242 (JSC::SourceCodeKey::operator==):
3245 2013-02-15 Martin Robinson <mrobinson@igalia.com>
3247 [GTK] Improve gyp build JavaScriptCore code generation
3248 https://bugs.webkit.org/show_bug.cgi?id=109969
3250 Reviewed by Dirk Pranke.
3252 Switch away from using DerivedSources.make when building JavaScriptCore generated
3253 sources. This brings a couple of advantages, such as building the sources in parallel,
3254 but requires us to list the generated sources more than once.
3256 * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Add rules for generating JavaScriptCore sources.
3257 * JavaScriptCore.gyp/generate-derived-sources.sh: Added.
3258 * JavaScriptCore.gyp/redirect-stdout.sh: Added.
3260 2013-02-19 Sheriff Bot <webkit.review.bot@gmail.com>
3262 Unreviewed, rolling out r143348.
3263 http://trac.webkit.org/changeset/143348
3264 https://bugs.webkit.org/show_bug.cgi?id=110242
3266 "Caused a deleted value sentinel crash on the layout tests"
3267 (Requested by ggaren on #webkit).
3269 * runtime/CodeCache.cpp:
3270 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3271 * runtime/CodeCache.h:
3272 (JSC::SourceCodeKey::SourceCodeKey):
3273 (JSC::SourceCodeKey::isHashTableDeletedValue):
3274 (JSC::SourceCodeKey::hash):
3275 (JSC::SourceCodeKey::length):
3276 (JSC::SourceCodeKey::isNull):
3277 (JSC::SourceCodeKey::operator==):
3280 2013-02-19 Mark Hahnenberg <mhahnenberg@apple.com>
3282 HeapBlock::destroy should issue warning if result is unused
3283 https://bugs.webkit.org/show_bug.cgi?id=110233
3285 Reviewed by Oliver Hunt.
3287 To enforce the fact that we need to return blocks to the BlockAllocator after calling destroy,
3288 we should add WARN_UNUSED_RETURN to HeapBlock::destroy and any other destroy functions in its subclasses.
3292 2013-02-19 Mark Hahnenberg <mhahnenberg@apple.com>
3294 WeakSet::removeAllocator leaks WeakBlocks
3295 https://bugs.webkit.org/show_bug.cgi?id=110228
3297 Reviewed by Geoffrey Garen.
3299 We need to return the WeakBlock to the BlockAllocator after the call to WeakBlock::destroy.
3302 (JSC::WeakSet::removeAllocator):
3304 2013-02-18 Geoffrey Garen <ggaren@apple.com>
3306 Save space on keys in the CodeCache
3307 https://bugs.webkit.org/show_bug.cgi?id=110179
3309 Reviewed by Oliver Hunt.
3311 Share the SourceProvider's string instead of making our own copy. This
3312 chops off 16MB - 32MB from the CodeCache's memory footprint when full.
3313 (It's 16MB when the strings are LChar, and 32MB when they're UChar.)
3315 * runtime/CodeCache.cpp:
3316 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
3317 * runtime/CodeCache.h: Removed a defunct enum value.
3319 (JSC::SourceCodeKey::SourceCodeKey):
3320 (JSC::SourceCodeKey::isHashTableDeletedValue):
3322 (JSC::SourceCodeKey::hash):
3323 (JSC::SourceCodeKey::length):
3324 (JSC::SourceCodeKey::isNull):
3325 (JSC::SourceCodeKey::string):
3326 (JSC::SourceCodeKey::operator==): Store a SourceCode instead of a String
3327 so we can share our string with our SourceProvider. Cache our hash so
3328 we don't have to re-decode our string just to re-hash the table.
3330 2013-02-19 Zoltan Herczeg <zherczeg@webkit.org>
3332 revertBranchPtrWithPatch is incorrect on ARM traditional
3333 https://bugs.webkit.org/show_bug.cgi?id=110201
3335 Reviewed by Oliver Hunt.
3337 Revert two instructions back to their original value.
3339 * assembler/ARMAssembler.h:
3340 (JSC::ARMAssembler::revertBranchPtrWithPatch):
3342 * assembler/MacroAssemblerARM.h:
3343 (JSC::MacroAssemblerARM::branchPtrWithPatch):
3344 (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
3346 2013-02-19 Filip Pizlo <fpizlo@apple.com>
3348 REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms
3349 https://bugs.webkit.org/show_bug.cgi?id=110184
3351 Reviewed by Zoltan Herczeg.
3353 32-bit backend was making all sorts of crazy assumptions, which happened to mostly
3354 not break things prior to http://trac.webkit.org/changeset/143241. This brings the
3355 32-bit backend's type speculation fully into compliance with what the 64-bit
3358 * dfg/DFGSpeculativeJIT.cpp:
3359 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
3360 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3361 * dfg/DFGSpeculativeJIT32_64.cpp:
3362 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
3363 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3364 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
3365 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
3367 2013-02-18 Ilya Tikhonovsky <loislo@chromium.org>
3369 Unreviewed build fix for Apple Windows. Second stage.
3370 Add missed export statement.
3372 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
3374 2013-02-18 Roger Fong <roger_fong@apple.com>