2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        * API/ObjCCallbackFunction.mm:

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
        https://bugs.webkit.org/show_bug.cgi?id=119770

        Reviewed by Mark Hahnenberg.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.cpp:
        (JSC::::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::finishCreation):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::createStructure):
        * JSCTypedArrayStubs.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::function):
        (JSC::CallLinkStatus::internalFunction):
        * bytecode/CodeBlock.h:
        (JSC::baselineCodeBlockForInlineCallFrame):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::createStructure):
        (JSC::UnlinkedProgramCodeBlock::createStructure):
        (JSC::UnlinkedEvalCodeBlock::createStructure):
        (JSC::UnlinkedFunctionCodeBlock::createStructure):
        * debugger/Debugger.cpp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::isInternalFunctionConstant):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::virtualForThunkGenerator):
        * interpreter/Interpreter.cpp:
        (GlobalObject::createStructure):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::createCallIdentifier):
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        (JSC::Arguments::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::arrayConstructorIsArray):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncConcat):
        (JSC::attemptFastSort):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::createStructure):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::finishCreation):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        (JSC::asBooleanObject):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        (JSC::asDateInstance):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        (JSC::StrictModeTypeErrorFunction::createStructure):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::createStructure):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/ExceptionHelpers.cpp:
        (JSC::isTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        (JSC::ExecutableBase::hashFor):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::createStructure):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        (JSC::functionProtoFuncApply):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        (JSC::asInternalFunction):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        (JSC::JSArray::createStructure):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isFunction):
        (JSC::jsDynamicCast):
        * runtime/JSCellInlines.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::visitChildren):
        (JSC::skipOverBoundFunctions):
        (JSC::JSFunction::callerGetter):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        (JSC::slowValidateCell):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren):
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        (JSC::unwrapBoxedPrimitive):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::getCallableObjectSlow):
        (JSC::JSObject::visitChildren):
        (JSC::JSObject::copyBackingStore):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        (JSC::isJSFinalObject):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::visitChildren):
        (JSC::JSProxy::createStructure):
        * runtime/JSScope.cpp:
        (JSC::JSScope::visitChildren):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren):
        * runtime/JSString.h:
        (JSC::JSString::createStructure):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::visitChildren):
        * runtime/JSVariableObject.h:
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::visitChildren):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::createStructure):
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NameConstructor.h:
        (JSC::NameConstructor::createStructure):
        * runtime/NameInstance.h:
        (JSC::NameInstance::createStructure):
        (JSC::NameInstance::finishCreation):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::finishCreation):
        (JSC::privateNameProtoFuncToString):
        * runtime/NamePrototype.h:
        (JSC::NamePrototype::createStructure):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::finishCreation):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::createStructure):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::visitChildren):
        (JSC::RegExp::createStructure):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpConstructor::visitChildren):
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        (JSC::asRegExpConstructor):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::visitChildren):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::finishCreation):
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        (JSC::asRegExpObject):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::createStructure):
        * runtime/SparseArrayValueMap.h:
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.cpp:
        (JSC::StringObject::finishCreation):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        (JSC::asStringObject):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncToString):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSplit):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::get):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::typeInfo):
        (JSC::Structure::previousID):
        (JSC::Structure::outOfLineSize):
        (JSC::Structure::totalStorageCapacity):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h:
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::createStructure):
        (JSC::StackPreservingRecompiler::operator()):
        (JSC::VM::releaseExecutableMemory):
        * runtime/WriteBarrier.h:
        (GlobalObject::createStructure):

2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>

        [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
        https://bugs.webkit.org/show_bug.cgi?id=119762

        Reviewed by Geoffrey Garen.

        (JSC::Heap::markRoots):
        (JSC::Heap::collect):

2013-08-13  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Prepare LLINT for DFG_JIT implementation.
        https://bugs.webkit.org/show_bug.cgi?id=119755

        Reviewed by Oliver Hunt.

        * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
          - Handle storeb opcode.
          - Make relative jumps when possible using braf opcode.
          - Update bmulio implementation to be consistent with baseline JIT.
          - Remove useless code from leap opcode.
          - Fix incorrect comment.

2013-08-13  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Prepare baseline JIT for DFG_JIT implementation.
        https://bugs.webkit.org/show_bug.cgi?id=119758

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
          - Introduce a loadEffectiveAddress function to avoid code duplication.
          - Add ASSERTs and clean code.
        * assembler/SH4Assembler.h:
          - Prepare DFG_JIT implementation.
          - Add SH4 specific call for assertions.
          - Use constants to be more flexible with sh4 JIT stack frame.
        * jit/JSInterfaceJIT.h:

2013-08-13  Oliver Hunt  <oliver@apple.com>

        Harden executeConstruct against incorrect return types from host functions
        https://bugs.webkit.org/show_bug.cgi?id=119757

        Reviewed by Mark Hahnenberg.

        Add logic to guard against bogus return types. There doesn't seem to be any
        class in webkit that does this wrong, but the typed array stubs in debug JSC
        do exhibit this bad behaviour.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeConstruct):

2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Fix C++11 build with gcc 4.4 and 4.5
        https://bugs.webkit.org/show_bug.cgi?id=119736

        Reviewed by Anders Carlsson.

        Don't force C++11 mode off anymore.

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Remove CodeBlock's notion of adding identifiers entirely
        https://bugs.webkit.org/show_bug.cgi?id=119708

        Reviewed by Geoffrey Garen.

        Remove addAdditionalIdentifier entirely, including the bogus assertion.
        Move the addition of identifiers to DFGPlan::reallyAdd

        * bytecode/CodeBlock.h:
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * dfg/DFGDesiredIdentifiers.h:
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::finalize):

2013-08-12  Oliver Hunt  <oliver@apple.com>

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
        https://bugs.webkit.org/show_bug.cgi?id=119705

        Reviewed by Geoffrey Garen.

        Relatively trivial refactoring

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        (JSC::CodeBlock::numberOfIdentifiers):
        * dfg/DFGCommonData.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Stop making unnecessary copy of CodeBlock Identifier Vector
        https://bugs.webkit.org/show_bug.cgi?id=119702

        Reviewed by Michael Saboff.

        Make CodeBlock simply use a separate Vector for additional Identifiers
        and use the UnlinkedCodeBlock for the initial set of identifiers.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfIdentifiers):
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_get_arguments_length):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2013-08-08  Mark Lam  <mark.lam@apple.com>

        Restoring use of StackIterator instead of Interpreter::getStacktrace().
        https://bugs.webkit.org/show_bug.cgi?id=119575.

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.h:
        - Made getStackTrace() private.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::StackIterator):
        (JSC::StackIterator::numberOfFrames):
        - Computes the number of frames by iterating through the whole stack
          from the starting frame. The iterator will save its current frame
          position before counting the frames, and then restore it after
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        - Points the iterator to the starting frame.
        * interpreter/StackIteratorPrivate.h:

2013-08-08  Mark Lam  <mark.lam@apple.com>

        Moved ErrorConstructor and NativeErrorConstructor helper functions into
        the Interpreter class.
        https://bugs.webkit.org/show_bug.cgi?id=119576.

        Reviewed by Oliver Hunt.

        This change is needed to prepare for making Interpreter::getStackTrace()
        private. It does not change the behavior of the code, only the lexical

        * interpreter/Interpreter.h:
        - Added helper functions for ErrorConstructor and NativeErrorConstructor.
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::ErrorConstructor::getConstructData):
        (JSC::Interpreter::callErrorConstructor):
        (JSC::ErrorConstructor::getCallData):
        - Don't want ErrorConstructor to call Interpreter::getStackTrace()
          directly. So, we moved the helper functions into the Interpreter
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        (JSC::NativeErrorConstructor::getConstructData):
        (JSC::Interpreter::callNativeErrorConstructor):
        (JSC::NativeErrorConstructor::getCallData):
        - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
          directly. So, we moved the helper functions into the Interpreter

2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
        https://bugs.webkit.org/show_bug.cgi?id=119555

        Reviewed by Geoffrey Garen.

        It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
        This was causing crashes on maps.google.com in 32-bit debug builds.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-06  Michael Saboff  <msaboff@apple.com>

        REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=119405

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
          ourselves to save a register and then load from it.

2013-08-06  Filip Pizlo  <fpizlo@apple.com>

        DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
        https://bugs.webkit.org/show_bug.cgi?id=119528

        Reviewed by Geoffrey Garen.

        Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
        uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
        the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
        format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
        from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.

        This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::Graph::dump):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * runtime/JSObject.h:
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):

2013-08-08  Stephanie Lewis  <slewis@apple.com>

        <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file

        Ensure llint symbols are in source order.

        * JavaScriptCore.order:

2013-08-06  Mark Lam  <mark.lam@apple.com>

        Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
        https://bugs.webkit.org/show_bug.cgi?id=119532.

        Reviewed by Oliver Hunt.

        - Just need to initialize the Parser's JSTokenLocation's initial line and
          startOffset as well during Parser construction.

2013-08-06  Stephanie Lewis  <slewis@apple.com>

        Update Order Files for Safari
        <rdar://problem/14517392>

        * JavaScriptCore.order:

2013-08-04  Sam Weinig  <sam@webkit.org>

        Remove support for HTML5 MicroData
        https://bugs.webkit.org/show_bug.cgi?id=119480

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2013-08-05  Oliver Hunt  <oliver@apple.com>

        Delay Arguments creation in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=119505

        Reviewed by Geoffrey Garen.

        Make use of the write tracking performed by the parser to
        allow us to know if we're modifying the parameters to a function.
        Then use that information to make strict mode function opt out
        of eager arguments creation.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
        (JSC::ScopeNode::modifiesParameter):
        (JSC::Scope::declareParameter):
        (JSC::Scope::getCapturedVariables):
        (JSC::Parser::declareWrite):
        * parser/ParserModes.h:

2013-08-06  Patrick Gansterer  <paroga@webkit.org>

        Remove useless code from COMPILER(RVCT) JITStubs
        https://bugs.webkit.org/show_bug.cgi?id=119521

        Reviewed by Geoffrey Garen.

        * jit/JITStubsARMv7.h:
        (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
        (JSC::ctiOpThrowNotCaught): Ditto.

2013-07-23  David Farler  <dfarler@apple.com>

        Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
        https://bugs.webkit.org/show_bug.cgi?id=117762

        Reviewed by Mark Rowe.

        * Configurations/DebugRelease.xcconfig:
        Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
        * Configurations/JavaScriptCore.xcconfig:
        Add ASAN_OTHER_LDFLAGS.
        * Configurations/ToolExecutable.xcconfig:
        Don't use ASAN for build tools.

2013-08-06  Patrick Gansterer  <paroga@webkit.org>

        Build fix for ARM MSVC after r153222 and r153648.

        * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.

2013-08-06  Patrick Gansterer  <paroga@webkit.org>

        Build fix for ARM MSVC after r150109.

        Read the stub template from a header files instead of the JITStubs.cpp.

        * DerivedSources.pri:

2013-08-05  Oliver Hunt  <oliver@apple.com>

        Move TypedArray implementation into JSC
        https://bugs.webkit.org/show_bug.cgi?id=119489

        Reviewed by Filip Pizlo.

        Move TypedArray implementation into JSC in advance of re-implementation

        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
        (JSC::ArrayBuffer::transfer):
        (JSC::ArrayBuffer::addView):
        (JSC::ArrayBuffer::removeView):
        * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
        (JSC::ArrayBufferContents::ArrayBufferContents):
        (JSC::ArrayBufferContents::data):
        (JSC::ArrayBufferContents::sizeInBytes):
        (JSC::ArrayBufferContents::transfer):
        (JSC::ArrayBufferContents::copyTo):
        (JSC::ArrayBuffer::isNeutered):
        (JSC::ArrayBuffer::~ArrayBuffer):
        (JSC::ArrayBuffer::clampValue):
        (JSC::ArrayBuffer::create):
        (JSC::ArrayBuffer::createUninitialized):
        (JSC::ArrayBuffer::ArrayBuffer):
        (JSC::ArrayBuffer::data):
        (JSC::ArrayBuffer::byteLength):
        (JSC::ArrayBuffer::slice):
        (JSC::ArrayBuffer::sliceImpl):
        (JSC::ArrayBuffer::clampIndex):
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBufferContents::~ArrayBufferContents):
        * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
        (JSC::ArrayBufferView::ArrayBufferView):
        (JSC::ArrayBufferView::~ArrayBufferView):
        (JSC::ArrayBufferView::neuter):
        * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
        (JSC::ArrayBufferView::buffer):
        (JSC::ArrayBufferView::baseAddress):
        (JSC::ArrayBufferView::byteOffset):
        (JSC::ArrayBufferView::setNeuterable):
        (JSC::ArrayBufferView::isNeuterable):
        (JSC::ArrayBufferView::verifySubRange):
        (JSC::ArrayBufferView::clampOffsetAndNumElements):
        (JSC::ArrayBufferView::setImpl):
        (JSC::ArrayBufferView::setRangeImpl):
        (JSC::ArrayBufferView::zeroRangeImpl):
        (JSC::ArrayBufferView::calculateOffsetAndLength):
        * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
        (JSC::Float32Array::set):
        (JSC::Float32Array::getType):
        (JSC::Float32Array::create):
        (JSC::Float32Array::createUninitialized):
        (JSC::Float32Array::Float32Array):
        (JSC::Float32Array::subarray):
        * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
        (JSC::Float64Array::set):
        (JSC::Float64Array::getType):
        (JSC::Float64Array::create):
        (JSC::Float64Array::createUninitialized):
        (JSC::Float64Array::Float64Array):
        (JSC::Float64Array::subarray):
        * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
        (JSC::Int16Array::getType):
        (JSC::Int16Array::create):
        (JSC::Int16Array::createUninitialized):
        (JSC::Int16Array::Int16Array):
        (JSC::Int16Array::subarray):
        * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
        (JSC::Int32Array::getType):
        (JSC::Int32Array::create):
        (JSC::Int32Array::createUninitialized):
        (JSC::Int32Array::Int32Array):
        (JSC::Int32Array::subarray):
        * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
        (JSC::Int8Array::getType):
        (JSC::Int8Array::create):
        (JSC::Int8Array::createUninitialized):
        (JSC::Int8Array::Int8Array):
        (JSC::Int8Array::subarray):
        * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
        (JSC::IntegralTypedArrayBase::set):
        (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
        * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
        (JSC::TypedArrayBase::data):
        (JSC::TypedArrayBase::set):
        (JSC::TypedArrayBase::setRange):
        (JSC::TypedArrayBase::zeroRange):
        (JSC::TypedArrayBase::length):
        (JSC::TypedArrayBase::byteLength):
        (JSC::TypedArrayBase::item):
        (JSC::TypedArrayBase::checkInboundData):
        (JSC::TypedArrayBase::TypedArrayBase):
        (JSC::TypedArrayBase::create):
        (JSC::TypedArrayBase::createUninitialized):
        (JSC::TypedArrayBase::subarrayImpl):
        (JSC::TypedArrayBase::neuter):
        * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
        (JSC::Uint16Array::getType):
        (JSC::Uint16Array::create):
        (JSC::Uint16Array::createUninitialized):
        (JSC::Uint16Array::Uint16Array):
        (JSC::Uint16Array::subarray):
        * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
        (JSC::Uint32Array::getType):
        (JSC::Uint32Array::create):
        (JSC::Uint32Array::createUninitialized):
        (JSC::Uint32Array::Uint32Array):
        (JSC::Uint32Array::subarray):
        * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
        (JSC::Uint8Array::getType):
        (JSC::Uint8Array::create):
        (JSC::Uint8Array::createUninitialized):
        (JSC::Uint8Array::Uint8Array):
        (JSC::Uint8Array::subarray):
        * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
        (JSC::Uint8ClampedArray::getType):
        (JSC::Uint8ClampedArray::create):
        (JSC::Uint8ClampedArray::createUninitialized):
        (JSC::Uint8ClampedArray::zeroFill):
        (JSC::Uint8ClampedArray::set):
        (JSC::Uint8ClampedArray::Uint8ClampedArray):
        (JSC::Uint8ClampedArray::subarray):

2013-08-03 Filip Pizlo <fpizlo@apple.com>

Copied space should be able to handle more than one copied backing store per JSCell
https://bugs.webkit.org/show_bug.cgi?id=119471

Reviewed by Mark Hahnenberg.

This allows a cell to call copyLater() multiple times for multiple different
backing stores, and then have copyBackingStore() called exactly once for each
of those. A token tells it which backing store to copy. All backing stores
must be named using the CopyToken, an enumeration which currently cannot
exceed eight entries.

When copyBackingStore() is called, it's up to the callee to (a) use the token
to decide what to copy and (b) call its base class's copyBackingStore() in
case the base class had something that needed copying. The only exception is
that JSCell never asks anything to be copied, and so if your base is JSCell
then you don't have to do anything.

* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/CopiedBlock.h:
* heap/CopiedBlockInlines.h:
(JSC::CopiedBlock::reportLiveBytes):
* heap/CopyToken.h: Added.
* heap/CopyVisitor.cpp:
(JSC::CopyVisitor::copyFromShared):
* heap/CopyVisitor.h:
* heap/CopyVisitorInlines.h:
(JSC::CopyVisitor::visitItem):
* heap/CopyWorkList.h:
(JSC::CopyWorklistItem::CopyWorklistItem):
(JSC::CopyWorklistItem::cell):
(JSC::CopyWorklistItem::token):
(JSC::CopyWorkListSegment::get):
(JSC::CopyWorkListSegment::append):
(JSC::CopyWorkListSegment::data):
(JSC::CopyWorkListIterator::get):
(JSC::CopyWorkListIterator::operator*):
(JSC::CopyWorkListIterator::operator->):
(JSC::CopyWorkList::append):
* heap/SlotVisitor.h:
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::copyLater):
* runtime/ClassInfo.h:
* runtime/JSCell.cpp:
(JSC::JSCell::copyBackingStore):
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterfly):
(JSC::JSObject::copyBackingStore):
* runtime/JSObject.h:

2013-08-05 Zan Dobersek <zdobersek@igalia.com>

[Automake] Define ENABLE_JIT through the Autoconf header
https://bugs.webkit.org/show_bug.cgi?id=119445

Reviewed by Martin Robinson.

* GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.

2013-08-03 Filip Pizlo <fpizlo@apple.com>

hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
https://bugs.webkit.org/show_bug.cgi?id=119470

Reviewed by Oliver Hunt.

Structure can still tell you if the object "could" (in the conservative sense)
have an indexing header; that's used by the compiler.

Most of the time if you want to know if there's an indexing header, you ask the

In some cases, the JSObject wants to know if it would have an indexing header if
it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).

* dfg/DFGRepatch.cpp:
(JSC::DFG::tryCachePutByID):
(JSC::DFG::tryBuildPutByIdList):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::create):
(JSC::Butterfly::growPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::resizeArray):
* runtime/JSObject.cpp:
(JSC::JSObject::copyButterfly):
(JSC::JSObject::visitButterfly):
* runtime/JSObject.h:
(JSC::JSObject::hasIndexingHeader):
(JSC::JSObject::setButterfly):
* runtime/Structure.h:
(JSC::Structure::couldHaveIndexingHeader):
(JSC::Structure::hasIndexingHeader):

2013-08-02 Chris Curtis <chris_curtis@apple.com>

Give the error object's stack property accessor attributes.
https://bugs.webkit.org/show_bug.cgi?id=119404

Reviewed by Geoffrey Garen.

Changed the attributes of error object's stack property to allow developers to write
and delete the stack property. This will match the functionality of Chrome. Firefox
allows developers to write the error's stack, but not delete it.

* interpreter/Interpreter.cpp:
(JSC::Interpreter::addStackTraceIfNecessary):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::finishCreation):

2013-08-02 Oliver Hunt <oliver@apple.com>

Incorrect type speculation reported by ToPrimitive
https://bugs.webkit.org/show_bug.cgi?id=119458

Reviewed by Mark Hahnenberg.

Make sure that we report the correct type possibilities for the output

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):

2013-08-02 Gavin Barraclough <barraclough@apple.com>

Remove no-arguments constructor to PropertySlot
https://bugs.webkit.org/show_bug.cgi?id=119460

Reviewed by Geoff Garen.

This constructor was unsafe if getValue is subsequently called,
and the property is a getter. Simplest to just remove it.

* runtime/Arguments.cpp:
(JSC::Arguments::defineOwnProperty):
* runtime/JSActivation.cpp:
(JSC::JSActivation::getOwnPropertyDescriptor):
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnPropertyDescriptor):
(JSC::JSFunction::getOwnNonIndexPropertyNames):
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::defineOwnProperty):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::hasOwnPropertyForWrite):
* runtime/JSNameScope.cpp:
(JSC::JSNameScope::put):
* runtime/JSONObject.cpp:
(JSC::Stringifier::Holder::appendNextProperty):
(JSC::Walker::walk):
* runtime/JSObject.cpp:
(JSC::JSObject::hasProperty):
(JSC::JSObject::hasOwnProperty):
(JSC::JSObject::reifyStaticFunctionsForDelete):
(JSC::getStaticPropertyDescriptor):
(JSC::getStaticFunctionDescriptor):
(JSC::getStaticValueDescriptor):
* runtime/ObjectConstructor.cpp:
(JSC::defineProperties):
* runtime/PropertySlot.h:

2013-08-02 Mark Hahnenberg <mhahnenberg@apple.com>

DFG validation can cause assertion failures due to dumping
https://bugs.webkit.org/show_bug.cgi?id=119456

Reviewed by Geoffrey Garen.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::hasHash):
(JSC::CodeBlock::isSafeToComputeHash):
(JSC::CodeBlock::hash):
(JSC::CodeBlock::dumpAssumingJITType):
* bytecode/CodeBlock.h:

2013-08-02 Chris Curtis <chris_curtis@apple.com>

Have vm's exceptionStack match java's vm's exceptionStack.
https://bugs.webkit.org/show_bug.cgi?id=119362

Reviewed by Geoffrey Garen.

The error object's stack is only updated if it does not exist yet. This matches
the functionality of other browsers, and Java VMs.

* interpreter/Interpreter.cpp:
(JSC::Interpreter::addStackTraceIfNecessary):
(JSC::Interpreter::throwException):
(JSC::VM::clearExceptionStack):
(JSC::VM::lastExceptionStack):

2013-08-02 Julien Brianceau <jbrianceau@nds.com>

REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
https://bugs.webkit.org/show_bug.cgi?id=119447

Reviewed by Geoffrey Garen.

Fix .cpload, update call frame and do not restore registers from JIT stack frame in
mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
r153583 (sh4) and r153648 (ARM).

* jit/JITStubsMIPS.h:

2013-08-01 Filip Pizlo <fpizlo@apple.com>

hasIndexingHeader should be a property of the Structure, not just the IndexingType
https://bugs.webkit.org/show_bug.cgi?id=119422

Reviewed by Oliver Hunt.

This simplifies some code and also allows Structure to claim that an object
has an indexing header even if it doesn't have indexed properties.

I also changed some calls to use hasIndexedProperties() since in some cases,
that's what we actually meant. Currently the two are synonyms.

* dfg/DFGRepatch.cpp:
(JSC::DFG::tryCachePutByID):
(JSC::DFG::tryBuildPutByIdList):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::create):
(JSC::Butterfly::growPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::resizeArray):
* runtime/IndexingType.h:
* runtime/JSObject.cpp:
(JSC::JSObject::copyButterfly):
(JSC::JSObject::visitButterfly):
(JSC::JSObject::setPrototype):
* runtime/JSObject.h:
(JSC::JSObject::setButterfly):
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::create):
* runtime/Structure.h:
(JSC::Structure::hasIndexingHeader):

2013-08-02 Julien Brianceau <jbrianceau@nds.com>

REGRESSION: ARM still crashes after change set r153612.
https://bugs.webkit.org/show_bug.cgi?id=119433

Reviewed by Michael Saboff.

Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
for sh4 architecture.

* jit/JITStubsARM.h:
* jit/JITStubsARMv7.h:

2013-08-02 Michael Saboff <msaboff@apple.com>

REGRESSION(r153612): It made jsc and layout tests crash
https://bugs.webkit.org/show_bug.cgi?id=119440

Reviewed by Csaba Osztrogonác.

Made the changes of changeset r153612 only apply to 32 bit builds.

* jit/JITExceptions.cpp:
* jit/JITExceptions.h:
(JSC::cti_vm_throw_slowpath):

2013-08-02 Patrick Gansterer <paroga@webkit.org>

Add JSCTestRunnerUtils to the list of forwarding headers to fix build.

2013-08-01 Ruth Fong <ruth_fong@apple.com>

[Forms: color] <input type='color'> popover color well implementation
<rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356

Reviewed by Benjamin Poulain.

* Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.

2013-08-01 Oliver Hunt <oliver@apple.com>

DFG is not enforcing correct ordering of ToString conversion in MakeRope
https://bugs.webkit.org/show_bug.cgi?id=119408

Reviewed by Filip Pizlo.

Construct ToString and Phantom nodes in advance of MakeRope
nodes to ensure that ordering is ensured, and correct values
will be reified on OSR exit.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):

2013-08-01 Michael Saboff <msaboff@apple.com>

REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
https://bugs.webkit.org/show_bug.cgi?id=119140

Reviewed by Filip Pizlo.

Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.

* jit/JITExceptions.cpp:
* jit/JITExceptions.h:
(JSC::cti_vm_throw_slowpath):

2013-08-01 Julien Brianceau <jbrianceau@nds.com>

REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
https://bugs.webkit.org/show_bug.cgi?id=119391

Reviewed by Csaba Osztrogonác.

* jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
- Call frame is in r14 register.
- Do not restore registers from JIT stack frame here.

2013-07-31 Gavin Barraclough <barraclough@apple.com>

More cleanup in PropertySlot
https://bugs.webkit.org/show_bug.cgi?id=119359

Reviewed by Geoff Garen.

m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).

* dfg/DFGRepatch.cpp:
(JSC::DFG::tryCacheGetByID):
(JSC::DFG::tryBuildGetByIDList):
- No need to ASSERT slotBase is an object.
(JSC::tryCacheGetByID):
(JSC::DEFINE_STUB_FUNCTION):
- No need to ASSERT slotBase is an object.
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertySlotByIndex):
(JSC::JSObject::fillGetterPropertySlot):
- Pass an object through to setGetterSlot.
* runtime/JSObject.h:
(JSC::PropertySlot::getValue):
- Moved from PropertySlot (need to know about JSObject).
* runtime/PropertySlot.cpp:
(JSC::PropertySlot::functionGetter):
- update per member name changes
* runtime/PropertySlot.h:
(JSC::PropertySlot::PropertySlot):
- Argument to constructor set to 'thisValue'.
(JSC::PropertySlot::slotBase):
- This returns a JSObject*.
(JSC::PropertySlot::setValue):
(JSC::PropertySlot::setCustom):
(JSC::PropertySlot::setCacheableCustom):
(JSC::PropertySlot::setCustomIndex):
(JSC::PropertySlot::setGetterSlot):
(JSC::PropertySlot::setCacheableGetterSlot):
- slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayEntry::get):
- Pass an object through to setGetterSlot.
* runtime/SparseArrayValueMap.h:
- Pass an object through to setGetterSlot.

2013-07-31 Yi Shen <max.hong.shen@gmail.com>

Reduce JSC API static value setter/getter overhead.
https://bugs.webkit.org/show_bug.cgi?id=119277

Reviewed by Geoffrey Garen.

Add property name to the static value entry, so that OpaqueJSString::create() doesn't
need to get called every time when set or get the static value.

* API/JSCallbackObjectFunctions.h:
(JSC::::putByIndex):
(JSC::::getStaticValue):
* API/JSClassRef.cpp:
(OpaqueJSClassContextData::OpaqueJSClassContextData):
(StaticValueEntry::StaticValueEntry):

2013-07-31 Kwang Yul Seo <skyul@company100.net>

Use emptyString instead of String("")
https://bugs.webkit.org/show_bug.cgi?id=119335

Reviewed by Darin Adler.

Use emptyString() instead of String("") because it is better style and
faster. This is a followup to r116908, removing all occurrences of
String("") from WebKit.

* runtime/RegExpConstructor.cpp:
(JSC::constructRegExp):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncCompile):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncMatch):
(JSC::stringProtoFuncSearch):

2013-07-31 Ruth Fong <ruth_fong@apple.com>

<input type=color> Mac UI behaviour
<rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276

Reviewed by Brady Eidson.

* Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.

2013-07-31 Mark Hahnenberg <mhahnenberg@apple.com>

DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
https://bugs.webkit.org/show_bug.cgi?id=119349

Reviewed by Geoffrey Garen.

Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for
SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
on code it compiled with any switch statements to have been run in the baseline JIT first.
However, if the DFG chooses to inline a function that has never been compiled by the baseline
JIT then this resizing never happens and we crash at link time in the DFG.

We can fix this by also doing the resize in the DFG to catch this case.

* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):

2013-07-31 Gavin Barraclough <barraclough@apple.com>

Speculative Windows build fix.

* runtime/JSString.cpp:
(JSC::JSRopeString::getIndexSlowCase):
* runtime/JSString.h:

2013-07-30 Gavin Barraclough <barraclough@apple.com>

Some cleanup in JSValue::get
https://bugs.webkit.org/show_bug.cgi?id=119343

Reviewed by Geoff Garen.

JSValue::get is implemented to:
1) Check if the value is a cell – if not, synthesize a prototype to search,
2) call getOwnPropertySlot on the cell,
3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
By all rights this should crash when passed a string and accessing a property that does not exist, because
the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
prototype chain, and faking out a return value of undefined if no property is found.

This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.

The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property

Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.

2013-07-31 Michael Saboff <msaboff@apple.com>

[Win] JavaScript crash.
https://bugs.webkit.org/show_bug.cgi?id=119339

Reviewed by Mark Hahnenberg.

* jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.

2013-07-30 Mark Hahnenberg <mhahnenberg@apple.com>

GetByVal on Arguments does the wrong size load when checking the Arguments object length
https://bugs.webkit.org/show_bug.cgi?id=119281

Reviewed by Geoffrey Garen.

This leads to out of bounds accesses and subsequent crashes.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

2013-07-30 Oliver Hunt <oliver@apple.com>

Add an assertion to SpeculateCellOperand
https://bugs.webkit.org/show_bug.cgi?id=119276

Reviewed by Michael Saboff.

More assertions are better

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compile):

2013-07-30 Mark Lam <mark.lam@apple.com>

Fix problems with divot and lineStart mismatches.
https://bugs.webkit.org/show_bug.cgi?id=118662.

Reviewed by Oliver Hunt.

r152494 added the recording of lineStart values for divot positions.
This is needed for the computation of column numbers. Similarly, it also
added the recording of line numbers for the divot positions. One problem
with the approach taken was that the line and lineStart values were
recorded independently, and hence were not always guaranteed to be
sampled at the same place that the divot position is recorded. This
resulted in potential mismatches that cause some assertions to fail.

The solution is to introduce a JSTextPosition abstraction that records
the divot position, line, and lineStart as a single quantity. Wherever
we record the divot position as an unsigned int previously, we now record
its JSTextPosition which captures all 3 values in one go. This ensures
that the captured line and lineStart will always match the captured divot

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitCallEval):
(JSC::BytecodeGenerator::emitCallVarargs):
(JSC::BytecodeGenerator::emitConstruct):
(JSC::BytecodeGenerator::emitDebugHook):
- Use JSTextPosition instead of passing line and lineStart explicitly.
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitExpressionInfo):
- Use JSTextPosition instead of passing line and lineStart explicitly.
* bytecompiler/NodesCodegen.cpp:
(JSC::ThrowableExpressionData::emitThrowReferenceError):
(JSC::ResolveNode::emitBytecode):
(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::NewExprNode::emitBytecode):
(JSC::EvalFunctionCallNode::emitBytecode):
(JSC::FunctionCallValueNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::FunctionCallBracketNode::emitBytecode):
(JSC::FunctionCallDotNode::emitBytecode):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::PostfixNode::emitResolve):
(JSC::PostfixNode::emitBracket):
(JSC::PostfixNode::emitDot):
(JSC::DeleteResolveNode::emitBytecode):
(JSC::DeleteBracketNode::emitBytecode):
(JSC::DeleteDotNode::emitBytecode):
(JSC::PrefixNode::emitResolve):
(JSC::PrefixNode::emitBracket):
(JSC::PrefixNode::emitDot):
(JSC::UnaryOpNode::emitBytecode):
(JSC::BinaryOpNode::emitStrcat):
(JSC::BinaryOpNode::emitBytecode):
(JSC::ThrowableBinaryOpNode::emitBytecode):
(JSC::InstanceOfNode::emitBytecode):
(JSC::emitReadModifyAssignment):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::AssignDotNode::emitBytecode):
(JSC::ReadModifyDotNode::emitBytecode):
(JSC::AssignBracketNode::emitBytecode):
(JSC::ReadModifyBracketNode::emitBytecode):
(JSC::ForInNode::emitBytecode):
(JSC::WithNode::emitBytecode):
(JSC::ThrowNode::emitBytecode):
- Use JSTextPosition instead of passing line and lineStart explicitly.
* parser/ASTBuilder.h:
- Replaced ASTBuilder::PositionInfo with JSTextPosition.
(JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
(JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
(JSC::ASTBuilder::createResolve):
(JSC::ASTBuilder::createBracketAccess):
(JSC::ASTBuilder::createDotAccess):
(JSC::ASTBuilder::createRegExp):
(JSC::ASTBuilder::createNewExpr):
(JSC::ASTBuilder::createAssignResolve):
(JSC::ASTBuilder::createExprStatement):
(JSC::ASTBuilder::createForInLoop):
(JSC::ASTBuilder::createReturnStatement):
(JSC::ASTBuilder::createBreakStatement):
(JSC::ASTBuilder::createContinueStatement):
(JSC::ASTBuilder::createLabelStatement):
(JSC::ASTBuilder::createWithStatement):
(JSC::ASTBuilder::createThrowStatement):
(JSC::ASTBuilder::appendBinaryExpressionInfo):
(JSC::ASTBuilder::appendUnaryToken):
(JSC::ASTBuilder::unaryTokenStackLastStart):
(JSC::ASTBuilder::assignmentStackAppend):
(JSC::ASTBuilder::createAssignment):
(JSC::ASTBuilder::setExceptionLocation):
(JSC::ASTBuilder::makeDeleteNode):
(JSC::ASTBuilder::makeFunctionCallNode):
(JSC::ASTBuilder::makeBinaryNode):
(JSC::ASTBuilder::makeAssignNode):
(JSC::ASTBuilder::makePrefixNode):
(JSC::ASTBuilder::makePostfixNode):
- Use JSTextPosition instead of passing line and lineStart explicitly.
- Added support for capturing the appropriate JSTextPositions instead
of just the character offset.
(JSC::Lexer::currentPosition):
(JSC::::lexExpectIdentifier):
- Added support for capturing the appropriate JSTextPositions instead
of just the character offset.
* parser/NodeConstructors.h:
(JSC::ResolveNode::ResolveNode):
(JSC::EvalFunctionCallNode::EvalFunctionCallNode):
(JSC::FunctionCallValueNode::FunctionCallValueNode):
(JSC::FunctionCallResolveNode::FunctionCallResolveNode):
(JSC::FunctionCallBracketNode::FunctionCallBracketNode):
(JSC::FunctionCallDotNode::FunctionCallDotNode):
(JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
(JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
(JSC::PostfixNode::PostfixNode):
(JSC::DeleteResolveNode::DeleteResolveNode):
(JSC::DeleteBracketNode::DeleteBracketNode):
(JSC::DeleteDotNode::DeleteDotNode):
(JSC::PrefixNode::PrefixNode):
(JSC::ReadModifyResolveNode::ReadModifyResolveNode):
(JSC::ReadModifyBracketNode::ReadModifyBracketNode):
(JSC::AssignBracketNode::AssignBracketNode):
(JSC::AssignDotNode::AssignDotNode):
(JSC::ReadModifyDotNode::ReadModifyDotNode):
(JSC::AssignErrorNode::AssignErrorNode):
(JSC::WithNode::WithNode):
(JSC::ForInNode::ForInNode):
- Use JSTextPosition instead of passing line and lineStart explicitly.
(JSC::StatementNode::setLoc):
- Use JSTextPosition instead of passing line and lineStart explicitly.
(JSC::Node::lineNo):
(JSC::Node::startOffset):
(JSC::Node::lineStartOffset):
(JSC::Node::position):
(JSC::ThrowableExpressionData::ThrowableExpressionData):
(JSC::ThrowableExpressionData::setExceptionSourceCode):
(JSC::ThrowableExpressionData::divot):
(JSC::ThrowableExpressionData::divotStart):
(JSC::ThrowableExpressionData::divotEnd):
(JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
(JSC::ThrowableSubExpressionData::setSubexpressionInfo):
(JSC::ThrowableSubExpressionData::subexpressionDivot):
(JSC::ThrowableSubExpressionData::subexpressionStart):
(JSC::ThrowableSubExpressionData::subexpressionEnd):
(JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
(JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
(JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
(JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
(JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
- Use JSTextPosition instead of passing line and lineStart explicitly.
* parser/Parser.cpp:
(JSC::::parseInner):
- Use JSTextPosition instead of passing line and lineStart explicitly.
(JSC::::didFinishParsing):
- Remove setting of m_lastLine value. We always pass in the value from
m_lastLine anyway. So, this assignment is effectively a nop.
(JSC::::parseVarDeclaration):
(JSC::::parseVarDeclarationList):
(JSC::::parseForStatement):
(JSC::::parseBreakStatement):
(JSC::::parseContinueStatement):
(JSC::::parseReturnStatement):
(JSC::::parseThrowStatement):
(JSC::::parseWithStatement):
(JSC::::parseTryStatement):
(JSC::::parseBlockStatement):
(JSC::::parseFunctionDeclaration):
(JSC::LabelInfo::LabelInfo):
(JSC::::parseExpressionOrLabelStatement):
(JSC::::parseExpressionStatement):
(JSC::::parseAssignmentExpression):
(JSC::::parseBinaryExpression):
(JSC::::parseProperty):
(JSC::::parsePrimaryExpression):
(JSC::::parseMemberExpression):
(JSC::::parseUnaryExpression):
- Use JSTextPosition instead of passing line and lineStart explicitly.
(JSC::Parser::next):
(JSC::Parser::nextExpectIdentifier):
(JSC::Parser::getToken):
(JSC::Parser::tokenStartPosition):
(JSC::Parser::tokenEndPosition):
(JSC::Parser::lastTokenEndPosition):
- Use JSTextPosition instead of passing line and lineStart explicitly.
* parser/ParserTokens.h:
(JSC::JSTextPosition::JSTextPosition):
(JSC::JSTextPosition::operator+):
(JSC::JSTextPosition::operator-):
(JSC::JSTextPosition::operator int):
- Added JSTextPosition.
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::makeFunctionCallNode):
(JSC::SyntaxChecker::makeAssignNode):
(JSC::SyntaxChecker::makePrefixNode):
(JSC::SyntaxChecker::makePostfixNode):
(JSC::SyntaxChecker::makeDeleteNode):
(JSC::SyntaxChecker::createResolve):
(JSC::SyntaxChecker::createBracketAccess):
(JSC::SyntaxChecker::createDotAccess):
(JSC::SyntaxChecker::createRegExp):
(JSC::SyntaxChecker::createNewExpr):
(JSC::SyntaxChecker::createAssignResolve):
(JSC::SyntaxChecker::createForInLoop):
(JSC::SyntaxChecker::createReturnStatement):
(JSC::SyntaxChecker::createBreakStatement):
(JSC::SyntaxChecker::createContinueStatement):
(JSC::SyntaxChecker::createWithStatement):
(JSC::SyntaxChecker::createLabelStatement):
(JSC::SyntaxChecker::createThrowStatement):
(JSC::SyntaxChecker::appendBinaryExpressionInfo):
(JSC::SyntaxChecker::operatorStackPop):
- Use JSTextPosition instead of passing line and lineStart explicitly.

2013-07-29 Carlos Garcia Campos <cgarcia@igalia.com>

Unreviewed. Fix make distcheck.

* GNUmakefile.list.am: Add missing files to compilation.
* bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
include FTL header files not included in the compilation.
* dfg/DFGDriver.cpp: Ditto.
* dfg/DFGPlan.cpp: Ditto.

2013-07-29 Chris Curtis <chris_curtis@apple.com>

Eager stack trace for error objects.
https://bugs.webkit.org/show_bug.cgi?id=118918

Reviewed by Geoffrey Garen.

Chrome and Firefox give error objects the stack property and we wanted to match
that functionality. This allows developers to see the stack without throwing an object.

* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::finishCreation):
For error objects that are not thrown as an exception, we pass the stackTrace in
as a parameter. This allows the error object to have the stack property.

* interpreter/Interpreter.cpp:
(JSC::stackTraceAsString):
Helper function used to eliminate duplicate code.

(JSC::Interpreter::addStackTraceIfNecessary):
When an error object is created by the user the vm->exceptionStack is not set.
If the user throws this error object later the stack that is in the error object
may not be the correct stack for the throw, so when we set the vm->exception stack,
the stack property on the error object is set as well.

* runtime/ErrorConstructor.cpp:
(JSC::constructWithErrorConstructor):
(JSC::callErrorConstructor):
* runtime/NativeErrorConstructor.cpp:
(JSC::constructWithNativeErrorConstructor):
(JSC::callNativeErrorConstructor):
These functions indicate that the user created an error object. For all error objects
that the user explicitly creates, the topCallFrame is at a new frame created to
handle the user's call. In this case though, the error object needs the caller's
frame to create the stack trace correctly.

* interpreter/Interpreter.h:
* runtime/ErrorInstance.h:
(JSC::ErrorInstance::create):
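Three of the entries above (eager stack trace, bug 118918; stack only filled in when absent, bug 119362; and writable, deletable stack property, bug 119404) describe the Error.stack semantics JSC was aligned with Chrome on. The script below is an added example, not WebKit or JSC code, that observes those three behaviours from ordinary JavaScript; it assumes an engine with the same semantics (written against Node.js/V8, using only standard Error and Object APIs), and the final helper is an assumption about how error-reporting code should treat the property rather than anything the ChangeLog specifies.

```javascript
// Added example (not WebKit code). Observes the Error.stack behaviour the
// ChangeLog entries describe: stack captured at construction, not replaced
// on throw, and writable/deletable by script. Assumes a V8-like engine.

// 1. Stack is captured eagerly at construction, with no throw involved.
function stackIsEagerlyCaptured() {
  const err = new Error("constructed, never thrown");
  return typeof err.stack === "string" && err.stack.length > 0;
}

// 2. Throwing an error object that already carries a stack leaves it
//    untouched: the engine only fills in .stack when it is missing.
function throwDoesNotReplaceExistingStack() {
  const err = new Error("thrown later");
  const before = err.stack; // read (and format) it before the throw
  try {
    throw err;
  } catch (e) {
    return e === err && e.stack === before;
  }
}

// 3. .stack is an ordinary script-visible property: it can be overwritten
//    and deleted, which is what giving it accessor attributes allows.
function stackIsWritableAndDeletable() {
  const err = new Error("mutable");
  err.stack = "custom stack text";
  const writable = err.stack === "custom stack text";
  const deleted = delete err.stack; // true when the property is configurable
  const gone = !Object.prototype.hasOwnProperty.call(err, "stack");
  return writable && deleted && gone;
}

// Assumed practice, not from the page: because .stack is script-controlled,
// error-reporting code should treat it as untrusted input that may be
// absent, replaced, or not a string at all.
function safeStackFor(err) {
  const s = err && err.stack;
  return typeof s === "string" ? s : "(no stack available)";
}
```

Running the three probe functions in Node.js returns true for each; in JavaScriptCore after these changes the same observations hold, which is the behavioural contract the entries describe rather than an internal detail of either engine.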

2013-07-29 Gavin Barraclough <barraclough@apple.com>

Some cleanup in PropertySlot
https://bugs.webkit.org/show_bug.cgi?id=119189

Reviewed by Geoff Garen.

PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
is set to a special value to indicate the type (other than custom), and the type is also tracked by
an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
(this is invalidOffset if not cacheable).

* Internally, always track the type of the property using an enum value, PropertyType.
* Use m_offset to indicate cacheable.
* Keep the external interface (CachedPropertyType) unchanged.
* Better pack data into the m_data union.

Performance neutral.

* dfg/DFGRepatch.cpp:
(JSC::DFG::tryCacheGetByID):
(JSC::DFG::tryBuildGetByIDList):
- cachedPropertyType() -> isCacheable*()
* jit/JITPropertyAccess.cpp:
(JSC::JIT::privateCompileGetByIdProto):
(JSC::JIT::privateCompileGetByIdSelfList):
(JSC::JIT::privateCompileGetByIdProtoList):
(JSC::JIT::privateCompileGetByIdChainList):
(JSC::JIT::privateCompileGetByIdChain):
- cachedPropertyType() -> isCacheable*()
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::privateCompileGetByIdProto):
(JSC::JIT::privateCompileGetByIdSelfList):
(JSC::JIT::privateCompileGetByIdProtoList):
(JSC::JIT::privateCompileGetByIdChainList):
(JSC::JIT::privateCompileGetByIdChain):
- cachedPropertyType() -> isCacheable*()
(JSC::tryCacheGetByID):
- cachedPropertyType() -> isCacheable*()
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
- cachedPropertyType() -> isCacheable*()
* runtime/PropertySlot.cpp:
(JSC::PropertySlot::functionGetter):
- refactoring described above.
* runtime/PropertySlot.h:
(JSC::PropertySlot::PropertySlot):
(JSC::PropertySlot::getValue):
(JSC::PropertySlot::isCacheable):
(JSC::PropertySlot::isCacheableValue):
(JSC::PropertySlot::isCacheableGetter):
(JSC::PropertySlot::isCacheableCustom):
(JSC::PropertySlot::cachedOffset):
(JSC::PropertySlot::customGetter):
(JSC::PropertySlot::setValue):
(JSC::PropertySlot::setCustom):
(JSC::PropertySlot::setCacheableCustom):
(JSC::PropertySlot::setCustomIndex):
(JSC::PropertySlot::setGetterSlot):
(JSC::PropertySlot::setCacheableGetterSlot):
(JSC::PropertySlot::setUndefined):
(JSC::PropertySlot::slotBase):
(JSC::PropertySlot::setBase):
- refactoring described above.
1793 2013-07-28 Oliver Hunt <oliver@apple.com>
1795 REGRESSION: Crash when opening Facebook.com
1796 https://bugs.webkit.org/show_bug.cgi?id=119155
1798 Reviewed by Andreas Kling.
1800 Scope nodes are always objects, so we should be using SpecObjectOther
1801 rather than SpecCellOther. Marking Scopes as CellOther leads to a
1802 contradiction in the CFA, resulting in bogus codegen.
1804 * dfg/DFGAbstractInterpreterInlines.h:
1805 (JSC::DFG::::executeEffects):
1806 * dfg/DFGPredictionPropagationPhase.cpp:
1807 (JSC::DFG::PredictionPropagationPhase::propagate):
1809 2013-07-26 Oliver Hunt <oliver@apple.com>
1811 REGRESSION(FTL?): Crashes in plugin tests
1812 https://bugs.webkit.org/show_bug.cgi?id=119141
1814 Reviewed by Michael Saboff.
1816 Re-export getStackTrace
1818 * interpreter/Interpreter.h:
1820 2013-07-26 Filip Pizlo <fpizlo@apple.com>
1822 REGRESSION: Crash when opening a message on Gmail
1823 https://bugs.webkit.org/show_bug.cgi?id=119105
1825 Reviewed by Oliver Hunt and Mark Hahnenberg.
1827 - GetById patching in the DFG needs to be more disciplined about how it derives the
1830 - Fix some dumping code thread safety issues.
1832 * bytecode/CallLinkStatus.cpp:
1833 (JSC::CallLinkStatus::dump):
1834 * bytecode/CodeBlock.cpp:
1835 (JSC::CodeBlock::dumpBytecode):
1836 * dfg/DFGRepatch.cpp:
1837 (JSC::DFG::getPolymorphicStructureList):
1838 (JSC::DFG::tryBuildGetByIDList):
1840 2013-07-26 Balazs Kilvady <kilvadyb@homejinni.com>
1842 [mips] Fix LLINT build for mips backend
1843 https://bugs.webkit.org/show_bug.cgi?id=119152
1845 Reviewed by Oliver Hunt.
1847 * offlineasm/mips.rb:
1849 2013-07-19 Mark Hahnenberg <mhahnenberg@apple.com>
1851 Setting a large numeric property on an object causes it to allocate a huge backing store
1852 https://bugs.webkit.org/show_bug.cgi?id=118914
1854 Reviewed by Geoffrey Garen.
1856 There are two distinct actions that we're trying to optimize for:
1865 In the first case, the programmer has indicated that they expect this Array to be very big,
1866 so they should get a contiguous array up until some threshold, above which we perform density
1867 calculations to see if it is indeed dense enough to warrant being contiguous.
1869 In the second case, the programmer hasn't indicated anything about the size of the Array, so
1870 we should be more conservative and assume it should be sparse until we've proven otherwise.
1872 Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish
1873 between them for the purposes of not over-allocating large backing stores like we see on
1874 http://www.peekanalytics.com/burgerjoints/
1876 The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and
1877 introduce a new heuristic for the second case. If we are putting to an index above a certain
1878 threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse
1879 map instead. So for example, in the second case above the empty array has a blank indexing
1880 type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
1882 This fix is ~800x speedup on the accompanying regression test :-o
1884 * runtime/ArrayConventions.h:
1885 (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
1886 * runtime/JSObject.cpp:
1887 (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1888 (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1889 (JSC::JSObject::putByIndexBeyondVectorLength):
1890 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
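The sparse-map heuristic described in the entry above, as an added example that is not JavaScriptCore's own code: a toy array models only the second case (an empty array that receives a put to a far-out index) and shows how large the contiguous backing store gets with and without the new check. The threshold constant names and the value used for MIN_SPARSE_ARRAY_INDEX are assumptions; the entry only says "say, 1000" for the new threshold.

```cpp
// Added example (not JavaScriptCore code): a toy array that applies the heuristic
// from the ChangeLog entry, so the size of the contiguous backing store after a
// single out-of-range put can be compared with and without the new check.
#include <cstddef>
#include <cstdint>
#include <map>
#include <vector>

constexpr uint32_t kMinSparseArrayIndex = 100000;   // assumed value of MIN_SPARSE_ARRAY_INDEX
constexpr uint32_t kSparseIndexThreshold = 1000;    // the entry's "say, 1000" (name assumed)

// Re-implementation of the new heuristic: the index is past the threshold and
// past the current length, so the put is a jump, not an append.
bool indexIsSufficientlyBeyondLengthForSparseMap(uint32_t index, uint32_t length) {
    return index > kSparseIndexThreshold && index > length;
}

struct ToyArray {
    std::vector<double> vector;             // contiguous backing store (8 bytes per slot)
    std::map<uint32_t, double> sparseMap;   // sparse storage, paid for per element
    uint32_t length = 0;

    // useNewHeuristic=false models the pre-patch behaviour, where only
    // MIN_SPARSE_ARRAY_INDEX decides whether to go sparse.
    void putByIndex(uint32_t index, double value, bool useNewHeuristic) {
        bool sparse = index >= kMinSparseArrayIndex
            || (useNewHeuristic && indexIsSufficientlyBeyondLengthForSparseMap(index, length));
        if (sparse) {
            sparseMap[index] = value;
        } else {
            if (vector.size() <= index)
                vector.resize(index + 1);   // this is the over-allocation the patch avoids
            vector[index] = value;
        }
        if (index >= length)
            length = index + 1;
    }

    std::size_t contiguousBytes() const { return vector.size() * sizeof(double); }
};

// Contiguous bytes allocated by `a = []; a[index] = 1` under either policy.
std::size_t contiguousBytesAfterPut(uint32_t index, bool useNewHeuristic) {
    ToyArray a;
    a.putByIndex(index, 1.0, useNewHeuristic);
    return a.contiguousBytes();
}

// Sequential fills are appends (index == length), so they never trip the heuristic.
// Returns true if a put at `index` after `count` appends still lands in the vector.
bool staysContiguousAfterSequentialFill(uint32_t count, uint32_t index) {
    ToyArray a;
    for (uint32_t i = 0; i < count; ++i)
        a.putByIndex(i, static_cast<double>(i), true);
    a.putByIndex(index, 0.0, true);
    return a.sparseMap.empty();
}
```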
1892 2013-07-26 Julien Brianceau <jbrianceau@nds.com>
1894 REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
1895 https://bugs.webkit.org/show_bug.cgi?id=119148
1897 Reviewed by Csaba Osztrogonác.
1899 * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
1900 * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
1901 in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
1904 2013-07-26 Julien Brianceau <jbrianceau@nds.com>
1906 REGRESSION(FTL): Crash in sh4 baseline JIT.
1907 https://bugs.webkit.org/show_bug.cgi?id=119138
1909 Reviewed by Csaba Osztrogonác.
1911 This crash is due to incomplete report of r150146 and r148474.
1913 * jit/JITStubsSH4.h:
1915 2013-07-26 Zan Dobersek <zdobersek@igalia.com>
1919 * Target.pri: Adding missing DFG files to the Qt build.
1921 2013-07-25 Csaba Osztrogonác <ossy@webkit.org>
1923 GTK and Qt buildfix after the intrusive win buildfix r153360.
1925 * GNUmakefile.list.am:
1928 2013-07-25 Gyuyoung Kim <gyuyoung.kim@samsung.com>
1930 Unreviewed, fix build break after r153360.
1932 * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
1934 2013-07-25 Roger Fong <roger_fong@apple.com>
1936 Unreviewed build fix, AppleWin port.
1938 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1939 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1940 * JavaScriptCore.vcxproj/copy-files.cmd:
1942 2013-07-25 Roger Fong <roger_fong@apple.com>
1944 Unreviewed. Followup to r153360.
1946 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1947 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1949 2013-07-25 Michael Saboff <msaboff@apple.com>
1951 [Windows] Speculative build fix.
1953 Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
1954 that is always compiled. Made LLInt::returnToThrow() conditional on LLINT being enabled.
1956 * JavaScriptCore.xcodeproj/project.pbxproj:
1957 * llint/LLIntExceptions.cpp:
1958 * llint/LLIntExceptions.h:
1959 * llint/LLIntSlowPaths.cpp:
1960 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1961 * runtime/CommonSlowPaths.cpp:
1962 (JSC::SLOW_PATH_DECL):
1963 * runtime/CommonSlowPathsExceptions.cpp: Added.
1964 (JSC::CommonSlowPaths::interpreterThrowInCaller):
1965 * runtime/CommonSlowPathsExceptions.h: Added.
1967 2013-07-25 Brent Fulgham <bfulgham@apple.com>
1969 [Windows] Unreviewed build fix.
1971 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
1972 parser/SourceCode.h,.cpp.
1973 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1975 2013-07-25 Anders Carlsson <andersca@apple.com>
1977 ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
1978 https://bugs.webkit.org/show_bug.cgi?id=119108
1980 Reviewed by Mark Hahnenberg.
1982 Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
1984 * heap/CopiedSpace.cpp:
1985 (JSC::CopiedSpace::tryAllocateSlowCase):
1987 (JSC::Heap::protect):
1988 (JSC::Heap::unprotect):
1989 (JSC::Heap::collect):
1990 * heap/MarkedAllocator.cpp:
1991 (JSC::MarkedAllocator::allocateSlowCase):
1992 * runtime/JSGlobalObject.cpp:
1993 (JSC::JSGlobalObject::init):
1995 (JSC::VM::currentThreadIsHoldingAPILock):
1997 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
1999 REGRESSION(FTL): Most layout tests crashes
2000 https://bugs.webkit.org/show_bug.cgi?id=119089
2002 Reviewed by Oliver Hunt.
2004 * runtime/ExecutionHarness.h:
2005 (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
2006 code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
2007 RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
2008 Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
2009 JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
2010 (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
2012 2013-07-25 Brent Fulgham <bfulgham@apple.com>
2014 [Windows] Unreviewed build fix.
2016 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
2019 2013-07-25 Brent Fulgham <bfulgham@apple.com>
2021 [Windows] Unreviewed build fix.
2023 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
2024 runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
2025 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2027 2013-07-25 Oliver Hunt <oliver@apple.com>
2029 Make all jit & non-jit combos build cleanly
2030 https://bugs.webkit.org/show_bug.cgi?id=119102
2032 Reviewed by Anders Carlsson.
2034 * bytecode/CodeBlock.cpp:
2035 (JSC::CodeBlock::counterValueForOptimizeSoon):
2036 * bytecode/CodeBlock.h:
2037 (JSC::CodeBlock::optimizeAfterWarmUp):
2038 (JSC::CodeBlock::numberOfDFGCompiles):
2040 2013-07-25 Oliver Hunt <oliver@apple.com>
2042 32 bit portion of load validation logic
2043 https://bugs.webkit.org/show_bug.cgi?id=118878
2045 Reviewed by NOBODY (Build fix).
2047 * dfg/DFGSpeculativeJIT32_64.cpp:
2048 (JSC::DFG::SpeculativeJIT::compile):
2050 2013-07-25 Oliver Hunt <oliver@apple.com>
2052 More 32bit build fixes
2054 - Apparently some compilers don't track the fastcall directive everywhere we expect
2056 * API/APICallbackFunction.h:
2057 (JSC::APICallbackFunction::call):
2058 * bytecode/CodeBlock.cpp:
2059 * runtime/Structure.cpp:
2061 2013-07-25 Yi Shen <max.hong.shen@gmail.com>
2063 Optimize the thread locks for API Shims
2064 https://bugs.webkit.org/show_bug.cgi?id=118573
2066 Reviewed by Geoffrey Garen.
2068 Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM
2069 only used by WebCore's main thread).
2072 (JSC::APIEntryShim::APIEntryShim):
2073 (JSC::APICallbackShim::APICallbackShim):
2074 * runtime/JSLock.cpp:
2075 (JSC::JSLockHolder::JSLockHolder):
2076 (JSC::JSLockHolder::init):
2077 (JSC::JSLockHolder::~JSLockHolder):
2078 (JSC::JSLock::DropAllLocks::DropAllLocks):
2079 (JSC::JSLock::DropAllLocks::~DropAllLocks):
2084 2013-07-25 Christophe Dumez <ch.dumez@sisa.samsung.com>
2086 Unreviewed build fix after r153218.
2088 Broke the EFL port build with gcc 4.7.
2090 * interpreter/StackIterator.cpp:
2093 2013-07-25 Julien Brianceau <jbrianceau@nds.com>
2095 Build fix: add missing #include.
2096 https://bugs.webkit.org/show_bug.cgi?id=119087
2098 Reviewed by Allan Sandfeld Jensen.
2100 * bytecode/ArrayProfile.cpp:
2102 2013-07-25 Ryuan Choi <ryuan.choi@samsung.com>
2104 Unreviewed, build fix on the EFL port.
2106 * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
2108 2013-07-25 Julien Brianceau <jbrianceau@nds.com>
2110 [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
2111 https://bugs.webkit.org/show_bug.cgi?id=119083
2113 Reviewed by Allan Sandfeld Jensen.
2115 * assembler/MacroAssemblerSH4.h:
2116 (JSC::MacroAssemblerSH4::store8):
2118 2013-07-25 Allan Sandfeld Jensen <allan.jensen@digia.com>
2120 [Qt] Fix test build after FTL upstream
2122 Unreviewed build fix.
2126 2013-07-25 Allan Sandfeld Jensen <allan.jensen@digia.com>
2128 [Qt] Build fix after FTL.
2130 Unreviewed build fix.
2133 * interpreter/StackIterator.cpp:
2134 (JSC::StackIterator::Frame::print):
2136 2013-07-25 Gabor Rapcsanyi <rgabor@webkit.org>
2138 Unreviewed build fix after FTL upstream.
2140 * dfg/DFGWorklist.cpp:
2141 (JSC::DFG::Worklist::~Worklist):
2143 2013-07-25 Ryuan Choi <ryuan.choi@samsung.com>
2145 Unreviewed, build fix on the EFL port.
2148 Added SourceCode.cpp and removed BlackBerry file.
2150 (JSC::JITCode::nextTierJIT):
2151 Fixed build break because of -Werror=return-type
2152 * parser/Lexer.cpp: Includes JSFunctionInlines.h
2153 * runtime/JSScope.h:
2155 Fixed build break because of -Werror=return-type
2157 2013-07-25 Ádám Kallai <kadam@inf.u-szeged.hu>
2159 Unreviewed build fixing after FTL upstream.
2161 * runtime/Executable.cpp:
2162 (JSC::FunctionExecutable::produceCodeBlockFor):
2164 2013-07-25 Julien Brianceau <jbrianceau@nds.com>
2166 Add missing implementation of bxxxnz in sh4 LLINT.
2167 https://bugs.webkit.org/show_bug.cgi?id=119079
2169 Reviewed by Allan Sandfeld Jensen.
2171 * offlineasm/sh4.rb:
2173 2013-07-25 Gabor Rapcsanyi <rgabor@webkit.org>
2175 Unreviewed, build fix on the Qt port.
2177 * Target.pri: Add additional build files for the FTL.
2179 2013-07-25 Ádám Kallai <kadam@inf.u-szeged.hu>
2181 Unreviewed buildfix after FTL upstream.
2183 * interpreter/StackIterator.cpp:
2184 (JSC::StackIterator::Frame::codeType):
2185 (JSC::StackIterator::Frame::functionName):
2186 (JSC::StackIterator::Frame::sourceURL):
2187 (JSC::StackIterator::Frame::logicalFrame):
2189 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
2193 * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
2194 method is not left undefined, causing build failures on (at least) the GTK port.
2196 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
2198 Unreviewed, further build fixing on the GTK port.
2200 * GNUmakefile.list.am: Add CompilationResult source files to the build.
2202 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
2204 Unreviewed GTK build fixing.
2206 * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
2207 * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
2209 2013-07-25 Csaba Osztrogonác <ossy@webkit.org>
2211 Buildfix after this error:
2212 error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
2215 (JSC::DFG::Plan::compileInThread):
2217 2013-07-25 Csaba Osztrogonác <ossy@webkit.org>
2219 One more buildfix after FTL upstream.
2221 Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
2223 * dfg/DFGLazyJSValue.cpp:
2224 (JSC::DFG::LazyJSValue::getValue):
2225 (JSC::DFG::LazyJSValue::strictEqual):
2227 2013-07-25 Julien Brianceau <jbrianceau@nds.com>
2229 Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
2230 https://bugs.webkit.org/show_bug.cgi?id=119076
2232 Reviewed by Allan Sandfeld Jensen.
2234 * offlineasm/mips.rb:
2235 * offlineasm/sh4.rb:
2237 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
2239 Unreviewed GTK build fix.
2241 * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
2243 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
2245 Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
2246 for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
2248 * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
2250 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
2252 Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
2255 * GNUmakefile.list.am:
2257 2013-07-25 Ádám Kallai <kadam@inf.u-szeged.hu>
2259 Unreviewed buildfix after FTL upstream.
2261 * runtime/JSScope.h:
2262 (JSC::needsVarInjectionChecks):
2264 2013-07-25 Csaba Osztrogonác <ossy@webkit.org>
2266 One more fix after FTL upstream.
2269 * bytecode/CodeBlock.h:
2270 * bytecode/GetByIdStatus.h:
2271 (JSC::GetByIdStatus::GetByIdStatus):
2273 2013-07-24 Csaba Osztrogonác <ossy@webkit.org>
2275 Unreviewed buildfix after FTL upstream.
2277 Add ftl directory as include path.
2280 * JavaScriptCore.pri:
2282 2013-07-24 Csaba Osztrogonác <ossy@webkit.org>
2284 Unreviewed buildfix after FTL upstream for non C++11 builds.
2286 * interpreter/CallFrame.h:
2287 * interpreter/StackIteratorPrivate.h:
2288 (JSC::StackIterator::end):
2290 2013-07-24 Oliver Hunt <oliver@apple.com>
2292 Endeavour to fix CMakelist builds
2296 2013-07-24 Filip Pizlo <fpizlo@apple.com>
2298 fourthTier: DFG IR dumps should be easier to read
2299 https://bugs.webkit.org/show_bug.cgi?id=119050
2301 Reviewed by Mark Hahnenberg.
2303 Added a DumpContext that includes support for printing an endnote
2304 that describes all structures in full, while the main flow of the
2305 dump just uses made-up names for the structures. This is helpful
2306 since Structure::dump() may print a lot. The stuff it prints is
2307 useful, but if it's all inline with the surrounding thing you're
2308 dumping (often, a node in the DFG), then you get a ridiculously
2309 long print-out. All classes that dump structures (including
2310 Structure itself) now have dumpInContext() methods that use
2311 inContext() for dumping anything that might transitively print a
2312 structure. If Structure::dumpInContext() is called with a NULL
2313 context, it just uses dump() like before. Hence you don't have to
2314 know anything about DumpContext unless you want to.
2316 inContext(*structure, context) dumps something like %B4:Array,
2317 and the endnote will have something like:
2319 %B4:Array = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
2321 where B4 is the inferred name that StringHashDumpContext came up
2324 Also shortened a bunch of other dumps, removing information that
2327 * JavaScriptCore.xcodeproj/project.pbxproj:
2328 * bytecode/ArrayProfile.cpp:
2329 (JSC::dumpArrayModes):
2330 * bytecode/CodeBlockHash.cpp:
2332 (JSC::CodeBlockHash::CodeBlockHash):
2333 (JSC::CodeBlockHash::dump):
2334 * bytecode/CodeOrigin.cpp:
2335 (JSC::CodeOrigin::dumpInContext):
2337 (JSC::InlineCallFrame::dumpInContext):
2338 (JSC::InlineCallFrame::dump):
2339 * bytecode/CodeOrigin.h:
2342 * bytecode/Operands.h:
2343 (JSC::OperandValueTraits::isEmptyForDump):
2345 (JSC::Operands::dump):
2347 * bytecode/OperandsInlines.h: Added.
2349 (JSC::::dumpInContext):
2350 * bytecode/StructureSet.h:
2351 (JSC::StructureSet::dumpInContext):
2352 (JSC::StructureSet::dump):
2354 * dfg/DFGAbstractValue.cpp:
2355 (JSC::DFG::AbstractValue::dump):
2357 (JSC::DFG::AbstractValue::dumpInContext):
2358 * dfg/DFGAbstractValue.h:
2359 (JSC::DFG::AbstractValue::operator!):
2361 * dfg/DFGCFAPhase.cpp:
2362 (JSC::DFG::CFAPhase::performBlockCFA):
2363 * dfg/DFGCommon.cpp:
2365 (JSC::DFG::NodePointerTraits::isEmptyForDump):
2366 * dfg/DFGDisassembler.cpp:
2367 (JSC::DFG::Disassembler::createDumpList):
2368 * dfg/DFGDisassembler.h:
2370 * dfg/DFGFlushFormat.h:
2373 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2375 (JSC::DFG::Graph::dumpCodeOrigin):
2376 (JSC::DFG::Graph::dump):
2377 (JSC::DFG::Graph::dumpBlockHeader):
2380 * dfg/DFGLazyJSValue.cpp:
2381 (JSC::DFG::LazyJSValue::dumpInContext):
2382 (JSC::DFG::LazyJSValue::dump):
2384 * dfg/DFGLazyJSValue.h:
2387 (JSC::DFG::nodeMapDump):
2390 * dfg/DFGOSRExitCompiler32_64.cpp:
2391 (JSC::DFG::OSRExitCompiler::compileExit):
2392 * dfg/DFGOSRExitCompiler64.cpp:
2393 (JSC::DFG::OSRExitCompiler::compileExit):
2394 * dfg/DFGStructureAbstractValue.h:
2395 (JSC::DFG::StructureAbstractValue::dumpInContext):
2396 (JSC::DFG::StructureAbstractValue::dump):
2397 (StructureAbstractValue):
2398 * ftl/FTLExitValue.cpp:
2399 (JSC::FTL::ExitValue::dumpInContext):
2400 (JSC::FTL::ExitValue::dump):
2402 * ftl/FTLExitValue.h:
2404 * ftl/FTLLowerDFGToLLVM.cpp:
2405 * ftl/FTLValueSource.cpp:
2406 (JSC::FTL::ValueSource::dumpInContext):
2408 * ftl/FTLValueSource.h:
2410 * runtime/DumpContext.cpp: Added.
2412 (JSC::DumpContext::DumpContext):
2413 (JSC::DumpContext::~DumpContext):
2414 (JSC::DumpContext::isEmpty):
2415 (JSC::DumpContext::dump):
2416 * runtime/DumpContext.h: Added.
2419 * runtime/JSCJSValue.cpp:
2420 (JSC::JSValue::dump):
2422 (JSC::JSValue::dumpInContext):
2423 * runtime/JSCJSValue.h:
2426 * runtime/Structure.cpp:
2427 (JSC::Structure::dumpInContext):
2429 (JSC::Structure::dumpBrief):
2430 (JSC::Structure::dumpContextHeader):
2431 * runtime/Structure.h:
2435 2013-07-22 Filip Pizlo <fpizlo@apple.com>
2437 fourthTier: DFG should do a high-level LICM before going to FTL
2438 https://bugs.webkit.org/show_bug.cgi?id=118749
2440 Reviewed by Oliver Hunt.
2442 Implements LICM hoisting for nodes that never write anything and never read
2443 things that are clobbered by the loop. There are some other preconditions for
2444 hoisting, see DFGLICMPhase.cpp.
2446 Also did a few fixes:
2448 - ClobberSet::add was failing to switch Super entries to Direct entries in
2451 - DFGClobberize.cpp needed to #include "Operations.h".
2453 - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
2455 - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
2456 Knowing the indexInBlock is an optional optimization that all other clients
2457 of AI still opt into, but LICM doesn't.
2459 This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
2461 * JavaScriptCore.xcodeproj/project.pbxproj:
2462 * dfg/DFGAbstractInterpreter.h:
2463 (AbstractInterpreter):
2464 * dfg/DFGAbstractInterpreterInlines.h:
2465 (JSC::DFG::::executeEffects):
2466 (JSC::DFG::::execute):
2468 (JSC::DFG::::clobberWorld):
2469 (JSC::DFG::::clobberStructures):
2470 * dfg/DFGAtTailAbstractState.cpp: Added.
2472 (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
2473 (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
2474 (JSC::DFG::AtTailAbstractState::createValueForNode):
2475 (JSC::DFG::AtTailAbstractState::forNode):
2476 * dfg/DFGAtTailAbstractState.h: Added.
2478 (AtTailAbstractState):
2479 (JSC::DFG::AtTailAbstractState::initializeTo):
2480 (JSC::DFG::AtTailAbstractState::forNode):
2481 (JSC::DFG::AtTailAbstractState::variables):
2482 (JSC::DFG::AtTailAbstractState::block):
2483 (JSC::DFG::AtTailAbstractState::isValid):
2484 (JSC::DFG::AtTailAbstractState::setDidClobber):
2485 (JSC::DFG::AtTailAbstractState::setIsValid):
2486 (JSC::DFG::AtTailAbstractState::setBranchDirection):
2487 (JSC::DFG::AtTailAbstractState::setFoundConstants):
2488 (JSC::DFG::AtTailAbstractState::haveStructures):
2489 (JSC::DFG::AtTailAbstractState::setHaveStructures):
2490 * dfg/DFGBasicBlock.h:
2491 (JSC::DFG::BasicBlock::insertBeforeLast):
2492 * dfg/DFGBasicBlockInlines.h:
2494 * dfg/DFGClobberSet.cpp:
2495 (JSC::DFG::ClobberSet::add):
2496 (JSC::DFG::ClobberSet::addAll):
2497 * dfg/DFGClobberize.cpp:
2498 (JSC::DFG::doesWrites):
2499 * dfg/DFGClobberize.h:
2501 * dfg/DFGDCEPhase.cpp:
2502 (JSC::DFG::DCEPhase::DCEPhase):
2503 (JSC::DFG::DCEPhase::run):
2504 (JSC::DFG::DCEPhase::fixupBlock):
2506 * dfg/DFGEdgeDominates.h: Added.
2509 (JSC::DFG::EdgeDominates::EdgeDominates):
2510 (JSC::DFG::EdgeDominates::operator()):
2511 (JSC::DFG::EdgeDominates::result):
2512 (JSC::DFG::edgesDominate):
2513 * dfg/DFGFixupPhase.cpp:
2514 (JSC::DFG::FixupPhase::fixupNode):
2515 (JSC::DFG::FixupPhase::checkArray):
2516 * dfg/DFGLICMPhase.cpp: Added.
2518 (JSC::DFG::LICMPhase::LICMPhase):
2519 (JSC::DFG::LICMPhase::run):
2520 (JSC::DFG::LICMPhase::attemptHoist):
2522 (JSC::DFG::performLICM):
2523 * dfg/DFGLICMPhase.h: Added.
2526 (JSC::DFG::Plan::compileInThreadImpl):
2528 2013-07-21 Filip Pizlo <fpizlo@apple.com>
2530 fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
2531 https://bugs.webkit.org/show_bug.cgi?id=118910
2533 Reviewed by Sam Weinig.
2535 Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
2536 the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
2537 engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
2538 be inexpensive to use (they just give you a TBAA node) but expensive to create (you
2539 create them all up front). FTL AbstractHeaps also don't actually give you the
2540 ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
2541 The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
2542 They also give you aliasing machinery. The DFG AbstractHeaps are represented
2543 internally by an int64_t. Many comparisons between them are just integer comparisons.
2544 AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
2545 Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
2546 payload is the direct subtype of its corresponding TOP Kind).
2548 Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
2549 clobbered. It represents the set that results from unifying a bunch of
2550 AbstractHeaps, and is intended to quickly answer overlap questions: does the given
2551 AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
2552 AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
2553 its ancestors. An AbstractHeap is said to overlap a set if any direct or super
2554 member is equal to it, or if any of its ancestors are equal to a direct member.
2558 - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
2559 is a subtype of Variables, which is a subtype of World.
2560 - You query Variables. I.e. Variables with a TOP payload, which is the
2561 supertype of Variables(X) for any X, and a subtype of World.
2563 The set will have Variables(5) as a direct member, and Variables and World as
2564 super members. The Variables query will immediately return true, because
2565 Variables is indeed a super member.
2569 - I add Variables(5)
2570 - You query NamedProperties
2572 NamedProperties is not a member at all (neither direct nor super). We next
2573 query World. World is a member, but it's a super member, so we return false.
2578 - You query Variables(5)
2580 The set will have Variables as a direct member, and World as a super member.
2581 The Variables(5) query will not find Variables(5) in the set, but then it
2582 will query Variables. Variables is a direct member, so we return true.
2587 - You query NamedProperties(5)
2589 Neither NamedProperties nor NamedProperties(5) is a member. We next query
2590 World. World is a member, but it's a super member, so we return false.
2592 Overlap queries require that either the heap being queried is in the set (either
2593 direct or super), or that one of its ancestors is a direct member. Another way to
2594 think about how this works is that two heaps A and B are said to overlap if
2595 A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
2596 single-inheritance hierarchy. Consider that we wanted to implement a set that holds
2597 heaps and answers the question, "is any member in the set an ancestor (i.e.
2598 supertype) of some other heap". We would have the set contain the heaps themselves,
2599 and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
2600 chain of A, and repeatedly querying its membership in the set. This is what the
2601 "direct" members of our set do. Now consider the other part, where we want to ask if
2602 any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
2603 would implement this by implementing set.add(B) as adding not just B but also all of
2604 B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
2605 in the set. With two such sets - one that answers isSubtypeOfAny() and another that
2606 answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
2607 heap" question. ClobberSet does this, but combines the two sets into a single
2608 HashMap. The HashMap's value, "direct", means that the key is a member of both the
2609 supertype set and the subtype set; if it's false then it's only a member of one of
2612 Finally, this adds a functorized clobberize() method that adds the read and write
2613 clobbers of a DFG::Node to read and write functors. Common functors for adding to
2614 ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
2615 are also provided. This allows you to say things like:
2618 addWrites(graph, node1, set);
2619 if (readsOverlap(graph, node2, set))
2620 // We know that node1 may write to something that node2 may read from.
2622 Currently this facility is only used to improve graph dumping, but it will be
2623 instrumental in both LICM and GVN. In the future, I want to completely kill the
2624 NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
2625 of accomplishing almost exactly what AbstractHeap gives you.
2627 * JavaScriptCore.xcodeproj/project.pbxproj:
2628 * dfg/DFGAbstractHeap.cpp: Added.
2630 (JSC::DFG::AbstractHeap::Payload::dump):
2631 (JSC::DFG::AbstractHeap::dump):
2633 (WTF::printInternal):
2634 * dfg/DFGAbstractHeap.h: Added.
2638 (JSC::DFG::AbstractHeap::Payload::Payload):
2639 (JSC::DFG::AbstractHeap::Payload::top):
2640 (JSC::DFG::AbstractHeap::Payload::isTop):
2641 (JSC::DFG::AbstractHeap::Payload::value):
2642 (JSC::DFG::AbstractHeap::Payload::valueImpl):
2643 (JSC::DFG::AbstractHeap::Payload::operator==):
2644 (JSC::DFG::AbstractHeap::Payload::operator!=):
2645 (JSC::DFG::AbstractHeap::Payload::operator<):
2646 (JSC::DFG::AbstractHeap::Payload::isDisjoint):
2647 (JSC::DFG::AbstractHeap::Payload::overlaps):
2648 (JSC::DFG::AbstractHeap::AbstractHeap):
2649 (JSC::DFG::AbstractHeap::operator!):
2650 (JSC::DFG::AbstractHeap::kind):
2651 (JSC::DFG::AbstractHeap::payload):
2652 (JSC::DFG::AbstractHeap::isDisjoint):
2653 (JSC::DFG::AbstractHeap::overlaps):
2654 (JSC::DFG::AbstractHeap::supertype):
2655 (JSC::DFG::AbstractHeap::hash):
2656 (JSC::DFG::AbstractHeap::operator==):
2657 (JSC::DFG::AbstractHeap::operator!=):
2658 (JSC::DFG::AbstractHeap::operator<):
2659 (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
2660 (JSC::DFG::AbstractHeap::payloadImpl):
2661 (JSC::DFG::AbstractHeap::encode):
2662 (JSC::DFG::AbstractHeapHash::hash):
2663 (JSC::DFG::AbstractHeapHash::equal):
2666 * dfg/DFGClobberSet.cpp: Added.
2668 (JSC::DFG::ClobberSet::ClobberSet):
2669 (JSC::DFG::ClobberSet::~ClobberSet):
2670 (JSC::DFG::ClobberSet::add):
2671 (JSC::DFG::ClobberSet::addAll):
2672 (JSC::DFG::ClobberSet::contains):
2673 (JSC::DFG::ClobberSet::overlaps):
2674 (JSC::DFG::ClobberSet::clear):
2675 (JSC::DFG::ClobberSet::direct):
2676 (JSC::DFG::ClobberSet::super):
2677 (JSC::DFG::ClobberSet::dump):
2678 (JSC::DFG::ClobberSet::setOf):
2679 (JSC::DFG::addReads):
2680 (JSC::DFG::addWrites):
2681 (JSC::DFG::addReadsAndWrites):
2682 (JSC::DFG::readsOverlap):
2683 (JSC::DFG::writesOverlap):
2684 * dfg/DFGClobberSet.h: Added.
2687 (JSC::DFG::ClobberSet::isEmpty):
2689 (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
2690 (JSC::DFG::ClobberSetAdd::operator()):
2691 (ClobberSetOverlaps):
2692 (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
2693 (JSC::DFG::ClobberSetOverlaps::operator()):
2694 (JSC::DFG::ClobberSetOverlaps::result):
2695 * dfg/DFGClobberize.cpp: Added.
2697 (JSC::DFG::didWrites):
2698 * dfg/DFGClobberize.h: Added.
2700 (JSC::DFG::clobberize):
2702 (JSC::DFG::NoOpClobberize::NoOpClobberize):
2703 (JSC::DFG::NoOpClobberize::operator()):
2705 (JSC::DFG::CheckClobberize::CheckClobberize):
2706 (JSC::DFG::CheckClobberize::operator()):
2707 (JSC::DFG::CheckClobberize::result):
2709 (JSC::DFG::Graph::dump):
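The AbstractHeap hierarchy and ClobberSet overlap rule described in the entry above, as an added example that is not JavaScriptCore's own code: it encodes the three-level hierarchy, keeps the single direct/super map the entry describes, and checks the four worked cases plus the add() upgrade bug mentioned in the LICM entry. The Kind names, the TOP sentinel and the encode() layout are assumptions.

```cpp
// Added example (not JavaScriptCore code): a minimal model of the DFG AbstractHeap
// hierarchy and ClobberSet from the ChangeLog entry. A wrong overlap answer here
// would let a later pass (LICM, GVN) reorder a read past a conflicting write.
#include <cassert>
#include <cstdint>
#include <unordered_map>

// Three-level hierarchy: World is the root, Kind with a TOP payload is a direct
// subtype of World, and Kind with a concrete payload is a subtype of its TOP Kind.
enum Kind : uint8_t { World = 0, Variables, NamedProperties };

struct AbstractHeap {
    static constexpr int64_t TopPayload = -1;  // sentinel meaning TOP (assumed encoding)
    Kind kind;
    int64_t payload;

    static AbstractHeap world() { return {World, TopPayload}; }
    static AbstractHeap top(Kind k) { return {k, TopPayload}; }
    static AbstractHeap of(Kind k, int64_t p) { return {k, p}; }

    bool isTop() const { return payload == TopPayload; }

    // Direct supertype: Kind(p) -> Kind(TOP) -> World. Returns false for World.
    bool supertype(AbstractHeap& out) const {
        if (kind == World)
            return false;
        out = isTop() ? world() : top(kind);
        return true;
    }

    // Single int64_t key, as the entry says the DFG uses; payloads must fit in 56 bits.
    int64_t encode() const {
        return (static_cast<int64_t>(kind) << 56) ^ (payload & 0x00FFFFFFFFFFFFFFLL);
    }
};

// One HashMap whose value records "direct" (true) versus "super" (false).
class ClobberSet {
public:
    // Adds heap as a direct member and every ancestor as a super member. An
    // existing super entry is upgraded to direct (the add() bug fixed in the LICM entry).
    void add(AbstractHeap heap) {
        m_map[heap.encode()] = true;
        AbstractHeap current = heap;
        AbstractHeap parent{};
        while (current.supertype(parent)) {
            m_map.emplace(parent.encode(), false);  // never downgrades a direct entry
            current = parent;
        }
    }

    bool contains(AbstractHeap heap) const { return m_map.count(heap.encode()) != 0; }

    bool isDirect(AbstractHeap heap) const {
        auto it = m_map.find(heap.encode());
        return it != m_map.end() && it->second;
    }

    // A heap overlaps the set if it is a member (direct or super), or if one of
    // its ancestors is a direct member: some member M has heap <: M or M <: heap.
    bool overlaps(AbstractHeap heap) const {
        if (contains(heap))
            return true;
        AbstractHeap current = heap;
        AbstractHeap parent{};
        while (current.supertype(parent)) {
            if (isDirect(parent))
                return true;
            current = parent;
        }
        return false;
    }

private:
    std::unordered_map<int64_t, bool> m_map;
};

// Helper for the worked cases: add one heap, then ask whether another overlaps.
bool overlapsAfterAdd(AbstractHeap added, AbstractHeap queried) {
    ClobberSet set;
    set.add(added);
    return set.overlaps(queried);
}

// Regression check for ClobberSet::add: adding Variables after Variables(5) must
// turn the super entry for Variables into a direct one.
bool addUpgradesSuperToDirect() {
    ClobberSet set;
    set.add(AbstractHeap::of(Variables, 5));
    AbstractHeap vars = AbstractHeap::top(Variables);
    bool wasSuper = set.contains(vars) && !set.isDirect(vars);
    set.add(vars);
    return wasSuper && set.isDirect(vars);
}

int main() {
    // The four cases from the ChangeLog entry, in order.
    assert(overlapsAfterAdd(AbstractHeap::of(Variables, 5), AbstractHeap::top(Variables)));
    assert(!overlapsAfterAdd(AbstractHeap::of(Variables, 5), AbstractHeap::top(NamedProperties)));
    assert(overlapsAfterAdd(AbstractHeap::top(Variables), AbstractHeap::of(Variables, 5)));
    assert(!overlapsAfterAdd(AbstractHeap::top(Variables), AbstractHeap::of(NamedProperties, 5)));
    assert(addUpgradesSuperToDirect());
    return 0;
}
```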

2013-07-21 Filip Pizlo <fpizlo@apple.com>

fourthTier: It should be easy to figure out which blocks nodes belong to
https://bugs.webkit.org/show_bug.cgi?id=118957

Reviewed by Sam Weinig.

(JSC::DFG::Graph::initializeNodeOwners):

2013-07-21 Filip Pizlo <fpizlo@apple.com>

fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
https://bugs.webkit.org/show_bug.cgi?id=118956

Reviewed by Sam Weinig.

We had two ways of expressing that something exits forward: the NodeExitsForward
flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
makes it just be a flag.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::int32ToDoubleCSE):
(JSC::DFG::CSEPhase::checkStructureElimination):
(JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
(JSC::DFG::CSEPhase::putStructureStoreElimination):
(JSC::DFG::CSEPhase::checkArrayElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
* dfg/DFGMinifiedNode.h:
(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasChild):
(JSC::DFG::Node::convertToStructureTransitionWatchpoint):
(JSC::DFG::Node::hasStructureSet):
(JSC::DFG::Node::hasStructure):
(JSC::DFG::Node::hasArrayMode):
(JSC::DFG::Node::willHaveCodeGenOrOSR):
* dfg/DFGNodeType.h:
(JSC::DFG::needsOSRForwardRewiring):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::run):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):

2013-07-21 Filip Pizlo <fpizlo@apple.com>

fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
https://bugs.webkit.org/show_bug.cgi?id=118946

Reviewed by Geoffrey Garen.

We want to decouple the exit target code origin of a node from the code origin
for all other purposes. The purposes of code origins are:

- Where the node will exit, if it exits. The exit target should be consistent with
the surrounding nodes, in that if you just looked at the code origins of nodes in
the graph, they would be consistent with the code origins in bytecode. This is
necessary for live-at-bytecode analyses to work, and to preserve the original
bytecode semantics when exiting.

- What kind of code the node came from, for semantics thingies. For example, we
might use the code origin to find the node's global object for doing an original
array check. Or we might use it to determine if the code is in strict mode. Or
other similar things. When we use the code origin in this way, we're basically
using it as a way of describing the node's meta-data without putting it into the
node directly, to save space. In the absurd extreme you could imagine nodes not
even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
what bytecode the node originated from. We won't do that, but you can think of
this use of code origins as just a way of compressing meta-data.

- What code origin we should supply profiling to, if we exit. This is closely
related to the semantics thingies, in that the exit profiling is a persistent
kind of semantic meta-data that survives between recompiles, and the only way to
do that is to ascribe it to the original bytecode via the code origin.

If we hoist a node, we need to change the exit target code origin, but we must not
change the code origin for other purposes. The best way to do this is to decouple
the two kinds of code origin.

OSR exit data structures already do this, because they may edit the exit target
code origin while keeping the code origin for profiling intact. This happens for
forward exits. So, we just need to thread separation all the way back to DFG::Node.
That's what this patch does.

(JSC::DFG::Node::Node):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::OSRExit):
* dfg/DFGOSRExitBase.h:
(JSC::DFG::OSRExitBase::OSRExitBase):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::checkArgumentTypes):
* dfg/DFGSpeculativeJIT.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExit::OSRExit):

2013-07-20 Filip Pizlo <fpizlo@apple.com>

fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
https://bugs.webkit.org/show_bug.cgi?id=118866

Reviewed by Sam Weinig.

Adds a safeToExecute() method that takes a node and an abstract state and tells you
if the node will run without crashing under that state.

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::CFAPhase):
(JSC::DFG::CFAPhase::run):
(JSC::DFG::CFAPhase::performBlockCFA):
(JSC::DFG::CFAPhase::performForwardCFA):
* dfg/DFGSafeToExecute.h: Added.
(SafeToExecuteEdge):
(JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::SafeToExecuteEdge::result):
(JSC::DFG::safeToExecute):
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::isValidOffset):
(StructureAbstractValue):
* runtime/Options.h:

2013-07-20 Filip Pizlo <fpizlo@apple.com>

fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
https://bugs.webkit.org/show_bug.cgi?id=118948

Reviewed by Sam Weinig.

- Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
This allows doing "what if" experiments with IR generation, even if the generated IR

- Add an OSR exit path that just calls an intrinsic that combines the branch and the

* JavaScriptCore.xcodeproj/project.pbxproj:
(JSC::DFG::Plan::compileInThreadImpl):
* ftl/FTLFail.cpp: Added.
* ftl/FTLFail.h: Added.
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
* runtime/Options.h:

2013-07-19 Filip Pizlo <fpizlo@apple.com>

fourthTier: StringObjectUse uses structures, and CSE should know that
https://bugs.webkit.org/show_bug.cgi?id=118940

Reviewed by Geoffrey Garen.

This is asymptomatic right now, but we should fix it.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::putStructureStoreElimination):
* dfg/DFGEdgeUsesStructure.h: Added.
(EdgeUsesStructure):
(JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
(JSC::DFG::EdgeUsesStructure::operator()):
(JSC::DFG::EdgeUsesStructure::result):
(JSC::DFG::edgesUseStructure):
(JSC::DFG::usesStructure):

2013-07-19 Filip Pizlo <fpizlo@apple.com>

fourthTier: String GetByVal out-of-bounds handling is so wrong
https://bugs.webkit.org/show_bug.cgi?id=118935

Reviewed by Geoffrey Garen.

Bunch of String GetByVal out-of-bounds fixes:

- Even if the string proto chain is sane, we need to watch out for negative
indices. They may get values or call getters in the prototypes, since proto
sanity doesn't check for negative indexed properties, as they are not
technically indexed properties.

- GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
given this information.

- GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
given this information.

Also fixed some other things:

- If the DFG is disabled, the testRunner should pretend that we've done a
bunch of DFG compiles. That's necessary to prevent the tests from timing

- Disassembler shouldn't try to dump source code since it's not safe in the

* API/JSCTestRunnerUtils.cpp:
(JSC::numberOfDFGCompiles):
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGDisassembler.cpp:
(JSC::DFG::Disassembler::dumpHeader):
(JSC::DFG::Graph::byValIsPure):
* dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
(SaneStringGetByValSlowPathGenerator):
(JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
(JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):

2013-07-19 Filip Pizlo <fpizlo@apple.com>

fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
https://bugs.webkit.org/show_bug.cgi?id=118911

Reviewed by Geoffrey Garen.

We could also have a separate method like "willNotCrash(offset)", but that's not
what isValidOffset() is intended to mean.

* runtime/Structure.h:
(JSC::Structure::isValidOffset):

2013-07-19 Filip Pizlo <fpizlo@apple.com>

fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
https://bugs.webkit.org/show_bug.cgi?id=118878

Reviewed by Oliver Hunt.

- Change Structure::isValidOffset() to actually answer the question "If I attempted
to load from an object of this structure, at this offset, would I commit suicide
or would I get back some kind of value?"

- Change StorageAccessData::offset to use a PropertyOffset. It should have been that

- Fix PutStructure so that it sets haveStructures in all of the cases that it should.

- Make GetByOffset also reference the base object in addition to the butterfly.

The future use of this power will be to answer questions like "If I hoisted this
GetByOffset or PutByOffset to this point, would it cause crashes, or would it be

I don't currently plan to use this power to perform validation, since the CSE has
the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
remove - both in the case of StructureSets where size >= 2 and in the case of
CheckStructures that match across PutStructures. At first I tried to write a
validator that was aware of this, but the validation code got way too complicated
and I started having nightmares of spurious assertion bugs being filed against me.

This also changes some of the code for how we hash FunctionExecutable's for debug
dumps, since that code still had some thread-safety issues. Basically, the
concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
that could transitively try to compute the hash from the source code. The source
code is a string that may be lazily computed, and that involves all manner of thread

* bytecode/CodeOrigin.cpp:
(JSC::InlineCallFrame::hash):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetByOffset):
(JSC::DFG::ByteCodeParser::handlePutByOffset):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performBlockCFA):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(StorageAccessData):
(JSC::DFG::Node::convertToGetByOffset):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
* runtime/FunctionExecutableDump.cpp:
(JSC::FunctionExecutableDump::dump):
* runtime/Structure.h:
(JSC::Structure::isValidOffset):
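
The two isValidOffset() entries above (118878 and 118911) and the safeToExecute() entry (118866) describe one question from two sides: a structure says whether a load at an offset yields a real JSValue rather than merely not crashing, and safeToExecute() asks whether a node can run under a given abstract state without the type checks it normally relies on. The C++ below is an added example written for this page, not JavaScriptCore code: Structure, StructureAbstractValue, AbstractState, safeToExecute and the node types are hypothetical miniatures named after the ChangeLog, and the inline capacity, property counts and the three-node block are constructed values.

```cpp
#include <cstddef>
#include <set>
#include <utility>
#include <vector>

// Hypothetical miniature of PropertyOffset / Structure (layout constants assumed).
using PropertyOffset = int;
constexpr int kInlineCapacity = 2;   // assumed inline slot count

struct Structure {
    int propertyCount;       // offsets [0, propertyCount) hold a JSValue written by a transition
    int outOfLineCapacity;   // butterfly slots allocated, possibly never written

    // The 118878 question: would a load at this offset give back some value?
    // Allocated-but-unwritten storage would not crash, but it is not a valid
    // JSValue, so it is rejected here.
    bool isValidOffset(PropertyOffset offset) const {
        return offset >= 0 && offset < propertyCount;
    }

    // The weaker "willNotCrash(offset)" question that 118911 says
    // isValidOffset() must not be confused with.
    bool willNotCrash(PropertyOffset offset) const {
        return offset >= 0 && offset < kInlineCapacity + outOfLineCapacity;
    }
};

// What the CFA knows about one node's structure: nothing (top) or a finite set.
struct StructureAbstractValue {
    bool isTop = true;
    std::set<const Structure*> set;

    void filter(const Structure* s) { isTop = false; set = {s}; }
    void clobber() { isTop = true; set.clear(); }

    // Valid only if every structure the value may have vouches for the offset.
    bool isValidOffset(PropertyOffset offset) const {
        if (isTop || set.empty()) return false;
        for (const Structure* s : set)
            if (!s->isValidOffset(offset)) return false;
        return true;
    }
};

enum class NodeType { JSConstant, CheckStructure, GetByOffset, PutStructure };

struct Node {
    NodeType op;
    int child;                  // index of the base node, or -1
    PropertyOffset offset;      // GetByOffset only
    const Structure* structure; // CheckStructure / PutStructure only
};

struct AbstractState {
    std::vector<StructureAbstractValue> values;
    explicit AbstractState(size_t nodeCount) : values(nodeCount) {}
    StructureAbstractValue& forNode(int index) { return values[index]; }
};

// Executing a node refines the state, as the CFA's executeEffects() does.
void execute(const Node& node, AbstractState& state) {
    if (node.op == NodeType::CheckStructure || node.op == NodeType::PutStructure)
        state.forNode(node.child).filter(node.structure);   // base now provably has node.structure
}

// Mirrors safeToExecute(): at a program point with this abstract state, can the
// node run without the checks that normally precede it?
bool safeToExecute(const Node& node, AbstractState& state) {
    switch (node.op) {
    case NodeType::GetByOffset:
        return state.forNode(node.child).isValidOffset(node.offset);
    case NodeType::JSConstant:
    case NodeType::CheckStructure:
    case NodeType::PutStructure:
        return true;   // perform their own checks or have no preconditions
    }
    return false;
}

// Block: base = JSConstant; CheckStructure(base, S); GetByOffset(base, offset).
// Returns {safe if hoisted above the check, safe in its original position}.
std::pair<bool, bool> hoistingScenario(PropertyOffset offset) {
    static const Structure S{/*propertyCount*/ 2, /*outOfLineCapacity*/ 4};
    std::vector<Node> nodes = {
        {NodeType::JSConstant, -1, 0, nullptr},
        {NodeType::CheckStructure, 0, 0, &S},
        {NodeType::GetByOffset, 0, offset, nullptr},
    };
    AbstractState state(nodes.size());
    bool before = safeToExecute(nodes[2], state);   // nothing proven about the base yet
    execute(nodes[1], state);
    bool after = safeToExecute(nodes[2], state);    // every possible structure checked
    return {before, after};
}
```

hoistingScenario() is the point of the two entries: moved above its CheckStructure, the GetByOffset is not provably safe because the abstract state says nothing about the base's shape, and even after the check an offset that lies inside allocated capacity but past the last real property is still rejected, since a load there would return garbage rather than a JSValue.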

2013-07-18 Filip Pizlo <fpizlo@apple.com>

fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
https://bugs.webkit.org/show_bug.cgi?id=118880

Reviewed by Sam Weinig.

It should be possible to have an AbstractState that is backed by a HashMap. But to
do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
the map, since otherwise the idiom of getting a reference to the AbstractValue
returned by forNode() would cause really subtle memory corruption bugs.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::createValueForNode):
(InPlaceAbstractState):

2013-07-18 Filip Pizlo <fpizlo@apple.com>

fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
https://bugs.webkit.org/show_bug.cgi?id=118835

Reviewed by Oliver Hunt.

This separates AbstractState into two things:

- InPlaceAbstractState, which can tell you the abstract state of anything you
might care about, and uses the old AbstractState's algorithms and data
structures for doing so.

- AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
respect to an AbstractStateType. Currently we always use
AbstractStateType = InPlaceAbstractState. But we could drop in another
class that supports basic primitives like forNode() and variables().

This is important because:

- We want to hoist things out of loops.

- We don't know what things rely on what type checks.

- We only want to hoist type checks out of loops if they aren't clobbered.

- We may want to still hoist things that depended on those type checks, if it's
safe to do those things based on the CFA state at the tail of the loop

- We don't want things to rely on their type checks by way of a token, because

So, we want to be able to have a special form of the CFA that can
incrementally update a basic block's state-at-tail, and we want to be able to
do this for multiple blocks simultaneously. This requires *not* storing the
per-node state in the nodes themselves, but instead using the at-tail HashMap

Hence we need to have a way of making the abstract interpreter (i.e.
AbstractState::execute) polymorphic with respect to state representation. Put
another way, we need to separate the way that abstract state is represented
from the way DFG IR is abstractly interpreted.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreter.h: Added.
(AbstractInterpreter):
(JSC::DFG::AbstractInterpreter::forNode):
(JSC::DFG::AbstractInterpreter::variables):
(JSC::DFG::AbstractInterpreter::needsTypeCheck):
(JSC::DFG::AbstractInterpreter::filterEdgeByUse):
(JSC::DFG::AbstractInterpreter::filter):
(JSC::DFG::AbstractInterpreter::filterArrayModes):
(JSC::DFG::AbstractInterpreter::filterByValue):
(JSC::DFG::AbstractInterpreter::trySetConstant):
(JSC::DFG::AbstractInterpreter::filterByType):
* dfg/DFGAbstractInterpreterInlines.h: Added.
(JSC::DFG::::AbstractInterpreter):
(JSC::DFG::::~AbstractInterpreter):
(JSC::DFG::::booleanResult):
(JSC::DFG::::startExecuting):
(JSC::DFG::::executeEdges):
(JSC::DFG::::verifyEdge):
(JSC::DFG::::verifyEdges):
(JSC::DFG::::executeEffects):
(JSC::DFG::::execute):
(JSC::DFG::::clobberWorld):
(JSC::DFG::::clobberCapturedVars):
(JSC::DFG::::clobberStructures):
(JSC::DFG::::filter):
(JSC::DFG::::filterArrayModes):
(JSC::DFG::::filterByValue):
* dfg/DFGAbstractState.cpp: Removed.
* dfg/DFGAbstractState.h: Removed.
* dfg/DFGArgumentsSimplificationPhase.cpp:
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::CFAPhase):
(JSC::DFG::CFAPhase::performBlockCFA):
* dfg/DFGCFGSimplificationPhase.cpp:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(ConstantFoldingPhase):
* dfg/DFGInPlaceAbstractState.cpp: Added.
(JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
(JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
(JSC::DFG::InPlaceAbstractState::beginBasicBlock):
(JSC::DFG::setLiveValues):
(JSC::DFG::InPlaceAbstractState::initialize):
(JSC::DFG::InPlaceAbstractState::endBasicBlock):
(JSC::DFG::InPlaceAbstractState::reset):
(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
(JSC::DFG::InPlaceAbstractState::merge):
(JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
(JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
* dfg/DFGInPlaceAbstractState.h: Added.
(InPlaceAbstractState):
(JSC::DFG::InPlaceAbstractState::forNode):
(JSC::DFG::InPlaceAbstractState::variables):
(JSC::DFG::InPlaceAbstractState::block):
(JSC::DFG::InPlaceAbstractState::didClobber):
(JSC::DFG::InPlaceAbstractState::isValid):
(JSC::DFG::InPlaceAbstractState::setDidClobber):
(JSC::DFG::InPlaceAbstractState::setIsValid):
(JSC::DFG::InPlaceAbstractState::setBranchDirection):
(JSC::DFG::InPlaceAbstractState::setFoundConstants):
(JSC::DFG::InPlaceAbstractState::haveStructures):
(JSC::DFG::InPlaceAbstractState::setHaveStructures):
* dfg/DFGMergeMode.h: Added.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::backwardTypeCheck):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::compileToStringOnCell):
(JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
(JSC::DFG::SpeculativeJIT::speculateStringObject):
(JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::needsTypeCheck):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateNumber):
(JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
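
The split described in the entry above, together with the createValueForNode() protocol from the 118880 entry, as an added C++ example that is not JavaScriptCore code: AbstractInterpreter, InPlaceAbstractState, AtTailAbstractState, the SpeculatedType bits and the three node kinds are hypothetical miniatures named after the ChangeLog, and the one-block program is constructed. The at-tail backend is a std::unordered_map, whose element references survive insertion, so it models the protocol (ask the state to create the slot, then take the reference) rather than reproducing the corruption the entry warns about; it does refuse forNode() for a node it was never asked to create, which is how a lazily-creating forNode() idiom would be caught.

```cpp
#include <cstdint>
#include <stdexcept>
#include <unordered_map>
#include <vector>

// Hypothetical miniature of SpeculatedType / AbstractValue.
using SpeculatedType = uint32_t;
constexpr SpeculatedType SpecInt32 = 1, SpecDouble = 2, SpecCell = 4, SpecTop = 7;

struct AbstractValue { SpeculatedType type = 0; };   // 0 = bottom (nothing proven yet)

enum class NodeType { JSConstant, ArithAdd, GetLocal };
struct Node {
    NodeType op;
    SpeculatedType constantType;   // JSConstant
    int child1, child2;            // ArithAdd
    int local;                     // GetLocal
};

// Backend 1: the in-place layout, one slot per node index, all pre-allocated.
class InPlaceAbstractState {
public:
    InPlaceAbstractState(size_t nodeCount, size_t localCount)
        : m_nodes(nodeCount), m_variables(localCount) {}
    void createValueForNode(int) {}                       // slots already exist
    AbstractValue& forNode(int index) { return m_nodes.at(index); }
    std::vector<AbstractValue>& variables() { return m_variables; }
private:
    std::vector<AbstractValue> m_nodes;
    std::vector<AbstractValue> m_variables;
};

// Backend 2: a map keyed by node index, the shape the 118880 entry anticipates
// for at-tail state. Slots exist only once the interpreter asks for them.
class AtTailAbstractState {
public:
    explicit AtTailAbstractState(size_t localCount) : m_variables(localCount) {}
    void createValueForNode(int index) { m_nodes.emplace(index, AbstractValue{}); }
    AbstractValue& forNode(int index) {
        auto it = m_nodes.find(index);
        if (it == m_nodes.end())
            throw std::logic_error("forNode() before createValueForNode()");
        return it->second;
    }
    std::vector<AbstractValue>& variables() { return m_variables; }
private:
    std::unordered_map<int, AbstractValue> m_nodes;
    std::vector<AbstractValue> m_variables;
};

// The interpreter depends only on forNode()/variables()/createValueForNode();
// the representation is the template parameter, as in AbstractInterpreter<AbstractStateType>.
template<typename AbstractStateType>
class AbstractInterpreter {
public:
    explicit AbstractInterpreter(AbstractStateType& state) : m_state(state) {}

    void execute(int index, const Node& node) {
        m_state.createValueForNode(index);             // materialize first...
        AbstractValue& result = m_state.forNode(index); // ...then hold the reference
        switch (node.op) {
        case NodeType::JSConstant:
            result.type = node.constantType;
            break;
        case NodeType::GetLocal:
            result.type = m_state.variables().at(node.local).type;
            break;
        case NodeType::ArithAdd: {
            SpeculatedType a = m_state.forNode(node.child1).type;
            SpeculatedType b = m_state.forNode(node.child2).type;
            if ((a | b) & SpecCell) result.type = SpecTop;                     // could be concat etc.
            else if (a == SpecInt32 && b == SpecInt32) result.type = SpecInt32; // assumes overflow exits
            else result.type = SpecDouble;
            break;
        }
        }
    }
private:
    AbstractStateType& m_state;
};

// Same constructed block under any backend: n0 = GetLocal(0); n1 = JSConstant(int32); n2 = n0 + n1.
template<typename AbstractStateType>
SpeculatedType runBlock(AbstractStateType& state, SpeculatedType localType) {
    std::vector<Node> nodes = {
        {NodeType::GetLocal,   0,         -1, -1,  0},
        {NodeType::JSConstant, SpecInt32, -1, -1, -1},
        {NodeType::ArithAdd,   0,          0,  1, -1},
    };
    state.variables()[0].type = localType;
    AbstractInterpreter<AbstractStateType> interpreter(state);
    for (size_t i = 0; i < nodes.size(); ++i)
        interpreter.execute(static_cast<int>(i), nodes[i]);
    return state.forNode(2).type;
}

SpeculatedType addTypeInPlace(SpeculatedType localType) {
    InPlaceAbstractState state(3, 1);
    return runBlock(state, localType);
}
SpeculatedType addTypeAtTail(SpeculatedType localType) {
    AtTailAbstractState state(1);
    return runBlock(state, localType);
}
```

Both backends give the same answer for the same block, which is the property the decoupling buys: the hoisting work the entry motivates can run the identical interpreter against a per-block at-tail map while the ordinary CFA keeps its in-place slots.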

2013-07-18 Filip Pizlo <fpizlo@apple.com>

fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
https://bugs.webkit.org/show_bug.cgi?id=118867

Reviewed by Mark Hahnenberg.

This allows us to kill off a bunch of code in the parser, in fixup, and to simplify

It also makes it easier to ask any array-using node how to create its type check.

Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
an array profile, thinking that it was storing into a value profile. Reshuffling the
fields in ArrayProfile revealed this.

* bytecode/ArrayProfile.cpp:
(JSC::ArrayProfile::computeUpdatedPrediction):
(JSC::ArrayProfile::briefDescriptionWithoutUpdating):
* bytecode/ArrayProfile.h:
(JSC::ArrayProfile::ArrayProfile):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::updateAllArrayPredictions):
(JSC::CodeBlock::updateAllPredictions):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::updateAllArrayPredictions):
* dfg/DFGArrayMode.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::checkArray):
(JSC::DFG::FixupPhase::blessArrayOperation):
* llint/LowLevelInterpreter64.asm:

2013-07-18 Filip Pizlo <fpizlo@apple.com>

fourthTier: CFA should consider live-at-head for clobbering and dumping
https://bugs.webkit.org/show_bug.cgi?id=118857

Reviewed by Mark Hahnenberg.

- clobberStructures() was not considering nodes live-at-head when in SSA
form. This means it would fail to clobber some structures.

- dump() was not considering nodes live-at-head when in SSA form. This
means it wouldn't dump everything that you might be interested in.

- AbstractState::m_currentNode is a useless variable and we should get

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::AbstractState):
(JSC::DFG::AbstractState::beginBasicBlock):
(JSC::DFG::AbstractState::reset):
(JSC::DFG::AbstractState::startExecuting):
(JSC::DFG::AbstractState::clobberStructures):
(JSC::DFG::AbstractState::dump):
* dfg/DFGAbstractState.h:

2013-07-16 Filip Pizlo <fpizlo@apple.com>

fourthTier: Add a phase to create loop pre-headers
https://bugs.webkit.org/show_bug.cgi?id=118778

Reviewed by Oliver Hunt.

Add a loop pre-header creation phase. Any loop that doesn't already have
just one predecessor that isn't part of the loop has a pre-header
prepended. All non-loop predecessors then jump to that pre-header.

Also fix a handful of bugs:

- DFG::Analysis should set m_valid before running the analysis, since that
makes it easier to use ASSERT(m_valid) in the analysis' methods, which
may be called by the analysis before the analysis completes. NaturalLoops
does this with loopsOf().

- NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
returning 0, since that'll happen if the block isn't in any loop.

- Change BlockInsertionSet to dethread the graph, since anyone using it

- Change dethreading to ignore SSA form graphs.

This also adds NaturalLoops::belongsTo(), which I always used in the
pre-header creation phase. I didn't end up using it but I'll probably use
it in the near future.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAnalysis.h:
(JSC::DFG::Analysis::computeIfNecessary):
* dfg/DFGBlockInsertionSet.cpp:
(JSC::DFG::BlockInsertionSet::execute):
* dfg/DFGCriticalEdgeBreakingPhase.cpp:
(JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
(JSC::DFG::Graph::dethread):
* dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
(LoopPreHeaderCreationPhase):
(JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
(JSC::DFG::LoopPreHeaderCreationPhase::run):
(JSC::DFG::performLoopPreHeaderCreation):
* dfg/DFGLoopPreHeaderCreationPhase.h: Added.
* dfg/DFGNaturalLoops.h:
(JSC::DFG::NaturalLoops::headerOf):
(JSC::DFG::NaturalLoops::innerMostLoopOf):
(JSC::DFG::NaturalLoops::innerMostOuterLoop):
(JSC::DFG::NaturalLoops::belongsTo):
(JSC::DFG::Plan::compileInThreadImpl):
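
The pre-header rule stated in the entry above (a loop whose header does not already have exactly one predecessor outside the loop gets a pre-header that all outside predecessors jump to) and the headerOf() null-check fix, as an added C++ example that is not WebKit's code: Graph, BasicBlock, NaturalLoop, computeNaturalLoops, headerOf and createPreHeaderIfNeeded are hypothetical miniatures named after the ChangeLog, the dominator computation is a plain iterative set algorithm chosen for brevity, and the control-flow graph is constructed.

```cpp
#include <algorithm>
#include <iterator>
#include <set>
#include <vector>

// Hypothetical miniature of DFG::Graph / BasicBlock; block 0 is the entry.
struct BasicBlock {
    std::vector<int> predecessors;
    std::vector<int> successors;
};

struct Graph {
    std::vector<BasicBlock> blocks;
    int addBlock() { blocks.emplace_back(); return static_cast<int>(blocks.size()) - 1; }
    void addEdge(int from, int to) {
        blocks[from].successors.push_back(to);
        blocks[to].predecessors.push_back(from);
    }
};

struct NaturalLoop {
    int header;
    std::set<int> body;   // includes the header
    bool contains(int b) const { return body.count(b) != 0; }
};

// Dominator sets by iteration to a fixed point; fine for graphs this small.
static std::vector<std::set<int>> computeDominators(const Graph& g) {
    size_t n = g.blocks.size();
    std::set<int> all;
    for (size_t i = 0; i < n; ++i) all.insert(static_cast<int>(i));
    std::vector<std::set<int>> dom(n, all);
    dom[0] = {0};
    for (bool changed = true; changed;) {
        changed = false;
        for (size_t b = 1; b < n; ++b) {
            std::set<int> next = all;
            for (int p : g.blocks[b].predecessors) {
                std::set<int> tmp;
                std::set_intersection(next.begin(), next.end(), dom[p].begin(), dom[p].end(),
                                      std::inserter(tmp, tmp.begin()));
                next = tmp;
            }
            next.insert(static_cast<int>(b));
            if (next != dom[b]) { dom[b] = next; changed = true; }
        }
    }
    return dom;
}

// A back edge t->h (h dominates t) defines the loop: h plus every block that
// reaches t without passing through h. Loops sharing a header are merged.
std::vector<NaturalLoop> computeNaturalLoops(const Graph& g) {
    auto dom = computeDominators(g);
    std::vector<NaturalLoop> loops;
    for (size_t t = 0; t < g.blocks.size(); ++t) {
        for (int h : g.blocks[t].successors) {
            if (!dom[t].count(h)) continue;
            std::set<int> body{h};
            std::vector<int> work{static_cast<int>(t)};
            while (!work.empty()) {
                int b = work.back(); work.pop_back();
                if (!body.insert(b).second) continue;   // stops at h, already present
                for (int p : g.blocks[b].predecessors) work.push_back(p);
            }
            auto it = std::find_if(loops.begin(), loops.end(),
                                   [h](const NaturalLoop& l) { return l.header == h; });
            if (it == loops.end()) loops.push_back({h, body});
            else it->body.insert(body.begin(), body.end());
        }
    }
    return loops;
}

// headerOf() with the fix the entry describes: a block in no loop yields -1
// instead of dereferencing a null inner-most loop.
int headerOf(const std::vector<NaturalLoop>& loops, int block) {
    const NaturalLoop* innerMost = nullptr;
    for (const NaturalLoop& l : loops)
        if (l.contains(block) && (!innerMost || l.body.size() < innerMost->body.size()))
            innerMost = &l;
    return innerMost ? innerMost->header : -1;
}

// The phase: unless the header already has exactly one predecessor outside the
// loop, prepend a pre-header and point every outside predecessor at it.
// Returns the new block's index, or -1 when nothing was needed.
int createPreHeaderIfNeeded(Graph& g, const NaturalLoop& loop) {
    std::vector<int> outside;
    for (int p : g.blocks[loop.header].predecessors)
        if (!loop.contains(p)) outside.push_back(p);
    if (outside.size() == 1) return -1;
    int pre = g.addBlock();
    for (int p : outside)
        std::replace(g.blocks[p].successors.begin(), g.blocks[p].successors.end(), loop.header, pre);
    auto& preds = g.blocks[loop.header].predecessors;
    preds.erase(std::remove_if(preds.begin(), preds.end(),
                               [&](int p) { return !loop.contains(p); }), preds.end());
    for (int p : outside) g.blocks[pre].predecessors.push_back(p);
    g.addEdge(pre, loop.header);
    return pre;
}
```

Running the phase twice on the same loop is a useful self-check: the second call finds exactly one outside predecessor (the pre-header it just made) and does nothing, which is the invariant later hoisting passes rely on.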

2013-07-16 Filip Pizlo <fpizlo@apple.com>

fourthTier: Rationalize Node::replacement
https://bugs.webkit.org/show_bug.cgi?id=118774

Reviewed by Oliver Hunt.

- Clearing of replacements is now done in Graph::clearReplacements().

- New nodes now have replacement set to 0.

- Node::replacement is now part of a 'misc' union. I'll be putting at least
one other field into that union as part of LICM work (see
https://bugs.webkit.org/show_bug.cgi?id=118749).

* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::run):
(JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
(JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::run):
(JSC::DFG::CSEPhase::setReplacement):
(JSC::DFG::CSEPhase::performBlockCSE):
(JSC::DFG::Graph::clearReplacements):
(JSC::DFG::Graph::performSubstitutionForEdge):
(JSC::DFG::Node::Node):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):

2013-07-16 Filip Pizlo <fpizlo@apple.com>

fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block"
https://bugs.webkit.org/show_bug.cgi?id=118750

Reviewed by Mark Hahnenberg.

* dfg/DFGBasicBlock.h:
* dfg/DFGNaturalLoops.cpp:
(JSC::DFG::NaturalLoops::compute):
(JSC::DFG::NaturalLoops::loopsOf):
* dfg/DFGNaturalLoops.h:
(JSC::DFG::NaturalLoop::NaturalLoop):
(JSC::DFG::NaturalLoop::index):
(JSC::DFG::NaturalLoop::isOuterMostLoop):
(JSC::DFG::NaturalLoop::addBlock):
(JSC::DFG::NaturalLoops::headerOf):
(JSC::DFG::NaturalLoops::innerMostLoopOf):