6134a59cd4da72f7cb8d36b262d7b38b84c48d18
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>

        Unreviewed build fixing after FTL upstream.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::produceCodeBlockFor):

2013-07-25  Julien Brianceau  <jbrianceau@nds.com>

        Add missing implementation of bxxxnz in sh4 LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=119079

        Reviewed by Allan Sandfeld Jensen.

        * offlineasm/sh4.rb:

2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>

        Unreviewed, build fix on the Qt port.

        * Target.pri: Add additional build files for the FTL.

2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>

        Unreviewed buildfix after FTL upstream.

        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::Frame::codeType):
        (JSC::StackIterator::Frame::functionName):
        (JSC::StackIterator::Frame::sourceURL):
        (JSC::StackIterator::Frame::logicalFrame):

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed.

        * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
        method is not left undefined, causing build failures on (at least) the GTK port.

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed, further build fixing on the GTK port.

        * GNUmakefile.list.am: Add CompilationResult source files to the build.

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed GTK build fixing.

        * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
        * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.

2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>

        Buildfix after this error:
        error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):

2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>

        One more buildfix after FTL upstream.

        Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.

        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::getValue):
        (JSC::DFG::LazyJSValue::strictEqual):

2013-07-25  Julien Brianceau  <jbrianceau@nds.com>

        Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=119076

        Reviewed by Allan Sandfeld Jensen.

        * offlineasm/mips.rb:
        * offlineasm/sh4.rb:

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed GTK build fix.

        * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
        for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.

        * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.

        * GNUmakefile.am:
        * GNUmakefile.list.am:

2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>

        Unreviewed buildfix after FTL upstream.

        * runtime/JSScope.h:
        (JSC::needsVarInjectionChecks):

2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>

        One more fix after FTL upstream.

        * Target.pri:
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):

2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed buildfix after FTL upstream.

        Add ftl directory as include path.

        * CMakeLists.txt:
        * JavaScriptCore.pri:

2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed buildfix after FTL upstream for non-C++11 builds.

        * interpreter/CallFrame.h:
        * interpreter/StackIteratorPrivate.h:
        (JSC::StackIterator::end):

2013-07-24  Oliver Hunt  <oliver@apple.com>

        Endeavour to fix CMakelist builds

        * CMakeLists.txt:

2013-07-24  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG IR dumps should be easier to read
        https://bugs.webkit.org/show_bug.cgi?id=119050

        Reviewed by Mark Hahnenberg.

        Added a DumpContext that includes support for printing an endnote
        that describes all structures in full, while the main flow of the
        dump just uses made-up names for the structures. This is helpful
        since Structure::dump() may print a lot. The stuff it prints is
        useful, but if it's all inline with the surrounding thing you're
        dumping (often, a node in the DFG), then you get a ridiculously
        long print-out. All classes that dump structures (including
        Structure itself) now have dumpInContext() methods that use
        inContext() for dumping anything that might transitively print a
        structure. If Structure::dumpInContext() is called with a NULL
        context, it just uses dump() like before. Hence you don't have to
        know anything about DumpContext unless you want to.

        inContext(*structure, context) dumps something like %B4:Array,
        and the endnote will have something like:

            %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]

        where B4 is the inferred name that StringHashDumpContext came up
        with.

        Also shortened a bunch of other dumps, removing information that
        isn't so important.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ArrayProfile.cpp:
        (JSC::dumpArrayModes):
        * bytecode/CodeBlockHash.cpp:
        (JSC):
        (JSC::CodeBlockHash::CodeBlockHash):
        (JSC::CodeBlockHash::dump):
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::dumpInContext):
        (JSC):
        (JSC::InlineCallFrame::dumpInContext):
        (JSC::InlineCallFrame::dump):
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (InlineCallFrame):
        * bytecode/Operands.h:
        (JSC::OperandValueTraits::isEmptyForDump):
        (Operands):
        (JSC::Operands::dump):
        (JSC):
        * bytecode/OperandsInlines.h: Added.
        (JSC):
        (JSC::::dumpInContext):
        * bytecode/StructureSet.h:
        (JSC::StructureSet::dumpInContext):
        (JSC::StructureSet::dump):
        (StructureSet):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::dump):
        (DFG):
        (JSC::DFG::AbstractValue::dumpInContext):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::operator!):
        (AbstractValue):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommon.h:
        (JSC::DFG::NodePointerTraits::isEmptyForDump):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGDisassembler.h:
        (Disassembler):
        * dfg/DFGFlushFormat.h:
        (WTF::inContext):
        (WTF):
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::dumpInContext):
        (JSC::DFG::LazyJSValue::dump):
        (DFG):
        * dfg/DFGLazyJSValue.h:
        (LazyJSValue):
        * dfg/DFGNode.h:
        (JSC::DFG::nodeMapDump):
        (WTF::inContext):
        (WTF):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::dumpInContext):
        (JSC::DFG::StructureAbstractValue::dump):
        (StructureAbstractValue):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        (JSC::FTL::ExitValue::dump):
        (FTL):
        * ftl/FTLExitValue.h:
        (ExitValue):
        * ftl/FTLLowerDFGToLLVM.cpp:
        * ftl/FTLValueSource.cpp:
        (JSC::FTL::ValueSource::dumpInContext):
        (FTL):
        * ftl/FTLValueSource.h:
        (ValueSource):
        * runtime/DumpContext.cpp: Added.
        (JSC):
        (JSC::DumpContext::DumpContext):
        (JSC::DumpContext::~DumpContext):
        (JSC::DumpContext::isEmpty):
        (JSC::DumpContext::dump):
        * runtime/DumpContext.h: Added.
        (JSC):
        (DumpContext):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dump):
        (JSC):
        (JSC::JSValue::dumpInContext):
        * runtime/JSCJSValue.h:
        (JSC):
        (JSValue):
        * runtime/Structure.cpp:
        (JSC::Structure::dumpInContext):
        (JSC):
        (JSC::Structure::dumpBrief):
        (JSC::Structure::dumpContextHeader):
        * runtime/Structure.h:
        (JSC):
        (Structure):

2013-07-22  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should do a high-level LICM before going to FTL
        https://bugs.webkit.org/show_bug.cgi?id=118749

        Reviewed by Oliver Hunt.

        Implements LICM hoisting for nodes that never write anything and never read
        things that are clobbered by the loop. There are some other preconditions for
        hoisting, see DFGLICMPhase.cpp.

        Also did a few fixes:

        - ClobberSet::add was failing to switch Super entries to Direct entries in
          some cases.

        - DFGClobberize.cpp needed to #include "Operations.h".

        - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.

        - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
          Knowing the indexInBlock is an optional optimization that all other clients
          of AI still opt into, but LICM doesn't.

        This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreter.h:
        (AbstractInterpreter):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        (JSC::DFG::::execute):
        (DFG):
        (JSC::DFG::::clobberWorld):
        (JSC::DFG::::clobberStructures):
        * dfg/DFGAtTailAbstractState.cpp: Added.
        (DFG):
        (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
        (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
        (JSC::DFG::AtTailAbstractState::createValueForNode):
        (JSC::DFG::AtTailAbstractState::forNode):
        * dfg/DFGAtTailAbstractState.h: Added.
        (DFG):
        (AtTailAbstractState):
        (JSC::DFG::AtTailAbstractState::initializeTo):
        (JSC::DFG::AtTailAbstractState::forNode):
        (JSC::DFG::AtTailAbstractState::variables):
        (JSC::DFG::AtTailAbstractState::block):
        (JSC::DFG::AtTailAbstractState::isValid):
        (JSC::DFG::AtTailAbstractState::setDidClobber):
        (JSC::DFG::AtTailAbstractState::setIsValid):
        (JSC::DFG::AtTailAbstractState::setBranchDirection):
        (JSC::DFG::AtTailAbstractState::setFoundConstants):
        (JSC::DFG::AtTailAbstractState::haveStructures):
        (JSC::DFG::AtTailAbstractState::setHaveStructures):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::insertBeforeLast):
        * dfg/DFGBasicBlockInlines.h:
        (DFG):
        * dfg/DFGClobberSet.cpp:
        (JSC::DFG::ClobberSet::add):
        (JSC::DFG::ClobberSet::addAll):
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::doesWrites):
        * dfg/DFGClobberize.h:
        (DFG):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::DCEPhase):
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::fixupBlock):
        (DCEPhase):
        * dfg/DFGEdgeDominates.h: Added.
        (DFG):
        (EdgeDominates):
        (JSC::DFG::EdgeDominates::EdgeDominates):
        (JSC::DFG::EdgeDominates::operator()):
        (JSC::DFG::EdgeDominates::result):
        (JSC::DFG::edgesDominate):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGLICMPhase.cpp: Added.
        (LICMPhase):
        (JSC::DFG::LICMPhase::LICMPhase):
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        (DFG):
        (JSC::DFG::performLICM):
        * dfg/DFGLICMPhase.h: Added.
        (DFG):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2013-07-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
        https://bugs.webkit.org/show_bug.cgi?id=118910

        Reviewed by Sam Weinig.

        Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
        the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
        engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
        be inexpensive to use (they just give you a TBAA node) but expensive to create (you
        create them all up front). FTL AbstractHeaps also don't actually give you the
        ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
        The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
        They also give you aliasing machinery. The DFG AbstractHeaps are represented
        internally by an int64_t. Many comparisons between them are just integer comparisons.
        AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
        Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
        payload is the direct subtype of its corresponding TOP Kind).

        Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
        clobbered. It represents the set that results from unifying a bunch of
        AbstractHeaps, and is intended to quickly answer overlap questions: does the given
        AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
        AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
        its ancestors. An AbstractHeap is said to overlap a set if any direct or super
        member is equal to it, or if any of its ancestors are equal to a direct member.

        Example #1:

            - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
              is a subtype of Variables, which is a subtype of World.
            - You query Variables. I.e. Variables with a TOP payload, which is the
              supertype of Variables(X) for any X, and a subtype of World.

            The set will have Variables(5) as a direct member, and Variables and World as
            super members. The Variables query will immediately return true, because
            Variables is indeed a super member.

        Example #2:

            - I add Variables(5)
            - You query NamedProperties

            NamedProperties is not a member at all (neither direct nor super). We next
            query World. World is a member, but it's a super member, so we return false.

        Example #3:

            - I add Variables
            - You query Variables(5)

            The set will have Variables as a direct member, and World as a super member.
            The Variables(5) query will not find Variables(5) in the set, but then it
            will query Variables. Variables is a direct member, so we return true.

        Example #4:

            - I add Variables
            - You query NamedProperties(5)

            Neither NamedProperties nor NamedProperties(5) are members. We next query
            World. World is a member, but it's a super member, so we return false.

        Overlap queries require that either the heap being queried is in the set (either
        direct or super), or that one of its ancestors is a direct member. Another way to
        think about how this works is that two heaps A and B are said to overlap if
        A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
        single-inheritance hierarchy. Consider that we wanted to implement a set that holds
        heaps and answers the question, "is any member in the set an ancestor (i.e.
        supertype) of some other heap". We would have the set contain the heaps themselves,
        and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
        chain of A, and repeatedly querying its membership in the set. This is what the
        "direct" members of our set do. Now consider the other part, where we want to ask if
        any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
        would implement this by implementing set.add(B) as adding not just B but also all of
        B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
        in the set. With two such sets - one that answers isSubtypeOfAny() and another that
        answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
        heap" question. ClobberSet does this, but combines the two sets into a single
        HashMap. The HashMap's value, "direct", means that the key is a member of both the
        supertype set and the subtype set; if it's false then it's only a member of one of
        them.

        Finally, this adds a functorized clobberize() method that adds the read and write
        clobbers of a DFG::Node to read and write functors. Common functors for adding to
        ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
        are also provided. This allows you to say things like:

            ClobberSet set;
            addWrites(graph, node1, set);
            if (readsOverlap(graph, node2, set))
                // We know that node1 may write to something that node2 may read from.

        Currently this facility is only used to improve graph dumping, but it will be
        instrumental in both LICM and GVN. In the future, I want to completely kill the
        NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
        of accomplishing almost exactly what AbstractHeap gives you.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.cpp: Added.
        (DFG):
        (JSC::DFG::AbstractHeap::Payload::dump):
        (JSC::DFG::AbstractHeap::dump):
        (WTF):
        (WTF::printInternal):
        * dfg/DFGAbstractHeap.h: Added.
        (DFG):
        (AbstractHeap):
        (Payload):
        (JSC::DFG::AbstractHeap::Payload::Payload):
        (JSC::DFG::AbstractHeap::Payload::top):
        (JSC::DFG::AbstractHeap::Payload::isTop):
        (JSC::DFG::AbstractHeap::Payload::value):
        (JSC::DFG::AbstractHeap::Payload::valueImpl):
        (JSC::DFG::AbstractHeap::Payload::operator==):
        (JSC::DFG::AbstractHeap::Payload::operator!=):
        (JSC::DFG::AbstractHeap::Payload::operator<):
        (JSC::DFG::AbstractHeap::Payload::isDisjoint):
        (JSC::DFG::AbstractHeap::Payload::overlaps):
        (JSC::DFG::AbstractHeap::AbstractHeap):
        (JSC::DFG::AbstractHeap::operator!):
        (JSC::DFG::AbstractHeap::kind):
        (JSC::DFG::AbstractHeap::payload):
        (JSC::DFG::AbstractHeap::isDisjoint):
        (JSC::DFG::AbstractHeap::overlaps):
        (JSC::DFG::AbstractHeap::supertype):
        (JSC::DFG::AbstractHeap::hash):
        (JSC::DFG::AbstractHeap::operator==):
        (JSC::DFG::AbstractHeap::operator!=):
        (JSC::DFG::AbstractHeap::operator<):
        (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
        (JSC::DFG::AbstractHeap::payloadImpl):
        (JSC::DFG::AbstractHeap::encode):
        (JSC::DFG::AbstractHeapHash::hash):
        (JSC::DFG::AbstractHeapHash::equal):
        (AbstractHeapHash):
        (WTF):
        * dfg/DFGClobberSet.cpp: Added.
        (DFG):
        (JSC::DFG::ClobberSet::ClobberSet):
        (JSC::DFG::ClobberSet::~ClobberSet):
        (JSC::DFG::ClobberSet::add):
        (JSC::DFG::ClobberSet::addAll):
        (JSC::DFG::ClobberSet::contains):
        (JSC::DFG::ClobberSet::overlaps):
        (JSC::DFG::ClobberSet::clear):
        (JSC::DFG::ClobberSet::direct):
        (JSC::DFG::ClobberSet::super):
        (JSC::DFG::ClobberSet::dump):
        (JSC::DFG::ClobberSet::setOf):
        (JSC::DFG::addReads):
        (JSC::DFG::addWrites):
        (JSC::DFG::addReadsAndWrites):
        (JSC::DFG::readsOverlap):
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberSet.h: Added.
        (DFG):
        (ClobberSet):
        (JSC::DFG::ClobberSet::isEmpty):
        (ClobberSetAdd):
        (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
        (JSC::DFG::ClobberSetAdd::operator()):
        (ClobberSetOverlaps):
        (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
        (JSC::DFG::ClobberSetOverlaps::operator()):
        (JSC::DFG::ClobberSetOverlaps::result):
        * dfg/DFGClobberize.cpp: Added.
        (DFG):
        (JSC::DFG::didWrites):
        * dfg/DFGClobberize.h: Added.
        (DFG):
        (JSC::DFG::clobberize):
        (NoOpClobberize):
        (JSC::DFG::NoOpClobberize::NoOpClobberize):
        (JSC::DFG::NoOpClobberize::operator()):
        (CheckClobberize):
        (JSC::DFG::CheckClobberize::CheckClobberize):
        (JSC::DFG::CheckClobberize::operator()):
        (JSC::DFG::CheckClobberize::result):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

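The AbstractHeap hierarchy and ClobberSet overlap rules described in the entry above, including its four examples and the addWrites/readsOverlap idiom, together with the Super-to-Direct promotion in ClobberSet::add that the 2013-07-22 LICM entry mentions fixing, as an added stand-alone C++ model (example code, not WebKit's own implementation; the Kind values, the two-field heap layout and the Node shape are assumptions):

```cpp
// Added example (not WebKit's code): a stand-alone model of the DFG AbstractHeap hierarchy
// and ClobberSet described above. Kind values, payload encoding and Node shape are assumptions.
#include <cstdint>
#include <map>
#include <vector>

enum Kind : std::int64_t { World = 0, Variables = 1, NamedProperties = 2 };
// A TOP payload means "any payload of this Kind": Variables rather than Variables(5).
static const std::int64_t kTop = INT64_MIN;

struct AbstractHeap {
    Kind kind;
    std::int64_t payload; // WebKit packs both into one int64_t; two fields keep this readable

    static AbstractHeap world() { return {World, kTop}; }
    bool isTop() const { return payload == kTop; }
    bool operator<(const AbstractHeap& o) const {
        return kind != o.kind ? kind < o.kind : payload < o.payload;
    }
    // Three-level hierarchy: Kind(payload) -> Kind(TOP) -> World. False once at World.
    bool supertype(AbstractHeap& out) const {
        if (kind == World) return false;
        out = isTop() ? world() : AbstractHeap{kind, kTop};
        return true;
    }
};

class ClobberSet {
public:
    // The heap becomes a "direct" member (true); each ancestor becomes a "super" member
    // (false) unless present. A super-only entry is promoted to direct if added itself later.
    void add(AbstractHeap heap) {
        m_clobbers[heap] = true;
        AbstractHeap h = heap, parent = AbstractHeap::world();
        while (h.supertype(parent)) {
            m_clobbers.insert({parent, false}); // no-op if already direct or super
            h = parent;
        }
    }
    bool isDirect(AbstractHeap heap) const {
        auto it = m_clobbers.find(heap);
        return it != m_clobbers.end() && it->second;
    }
    // Overlap: the heap is a member (direct or super), or some ancestor is a direct member.
    bool overlaps(AbstractHeap heap) const {
        if (m_clobbers.count(heap)) return true;
        AbstractHeap h = heap, parent = AbstractHeap::world();
        while (h.supertype(parent)) {
            if (isDirect(parent)) return true; // super-only ancestors (e.g. World) don't count
            h = parent;
        }
        return false;
    }
private:
    std::map<AbstractHeap, bool> m_clobbers; // true = direct, false = super only
};

struct Node { std::vector<AbstractHeap> reads, writes; }; // stand-in for DFG::Node (assumption)

void addWrites(const Node& node, ClobberSet& set) {
    for (const AbstractHeap& heap : node.writes) set.add(heap);
}
bool readsOverlap(const Node& node, const ClobberSet& set) {
    for (const AbstractHeap& heap : node.reads)
        if (set.overlaps(heap)) return true;
    return false;
}

// The entry's four examples: add one heap to a fresh set, then query another.
bool addThenQuery(AbstractHeap added, AbstractHeap queried) {
    ClobberSet set;
    set.add(added);
    return set.overlaps(queried);
}
bool example1() { return addThenQuery({Variables, 5}, {Variables, kTop}); }       // true
bool example2() { return addThenQuery({Variables, 5}, {NamedProperties, kTop}); } // false
bool example3() { return addThenQuery({Variables, kTop}, {Variables, 5}); }       // true
bool example4() { return addThenQuery({Variables, kTop}, {NamedProperties, 5}); } // false

// "node1 may write to something that node2 may read from": node1 writes Variables(5),
// node2 reads any Variables.
bool node1MayWriteWhatNode2Reads() {
    Node node1 = {{}, {{Variables, 5}}};
    Node node2 = {{{Variables, kTop}}, {}};
    ClobberSet set;
    addWrites(node1, set);
    return readsOverlap(node2, set); // true
}

// The LICM entry's ClobberSet::add fix: after Variables(5), Variables is only a super
// member, so Variables(7) does not overlap; adding Variables promotes it to direct.
bool superPromotedToDirect() {
    ClobberSet set;
    set.add({Variables, 5});
    bool before = set.overlaps({Variables, 7}); // false
    set.add({Variables, kTop});
    bool after = set.overlaps({Variables, 7});  // true
    return !before && after;
}
```
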
2013-07-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: It should be easy to figure out which blocks nodes belong to
        https://bugs.webkit.org/show_bug.cgi?id=118957

        Reviewed by Sam Weinig.

        * dfg/DFGGraph.cpp:
        (DFG):
        (JSC::DFG::Graph::initializeNodeOwners):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNode.h:

2013-07-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
        https://bugs.webkit.org/show_bug.cgi?id=118956

        Reviewed by Sam Weinig.

        We had two ways of expressing that something exits forward: the NodeExitsForward
        flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
        makes it just be a flag.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasChild):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
        (JSC::DFG::Node::hasStructureSet):
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::hasArrayMode):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        (DFG):
        (JSC::DFG::needsOSRForwardRewiring):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):

2013-07-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
        https://bugs.webkit.org/show_bug.cgi?id=118946

        Reviewed by Geoffrey Garen.

        We want to decouple the exit target code origin of a node from the code origin
        for all other purposes. The purposes of code origins are:

        - Where the node will exit, if it exits. The exit target should be consistent with
          the surrounding nodes, in that if you just looked at the code origins of nodes in
          the graph, they would be consistent with the code origins in bytecode. This is
          necessary for live-at-bytecode analyses to work, and to preserve the original
          bytecode semantics when exiting.

        - What kind of code the node came from, for semantics thingies. For example, we
          might use the code origin to find the node's global object for doing an original
          array check. Or we might use it to determine if the code is in strict mode. Or
          other similar things. When we use the code origin in this way, we're basically
          using it as a way of describing the node's meta-data without putting it into the
          node directly, to save space. In the absurd extreme you could imagine nodes not
          even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
          what bytecode the node originated from. We won't do that, but you can think of
          this use of code origins as just a way of compressing meta-data.

        - What code origin we should supply profiling to, if we exit. This is closely
          related to the semantics thingies, in that the exit profiling is a persistent
          kind of semantic meta-data that survives between recompiles, and the only way to
          do that is to ascribe it to the original bytecode via the code origin.

        If we hoist a node, we need to change the exit target code origin, but we must not
        change the code origin for other purposes. The best way to do this is to decouple
        the two kinds of code origin.

        OSR exit data structures already do this, because they may edit the exit target
        code origin while keeping the code origin for profiling intact. This happens for
        forward exits. So, we just need to thread the separation all the way back to DFG::Node.
        That's what this patch does.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (Node):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::OSRExitBase):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (LowerDFGToLLVM):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::OSRExit):
        * ftl/FTLOSRExit.h:
        (OSRExit):

2013-07-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
        https://bugs.webkit.org/show_bug.cgi?id=118866

        Reviewed by Sam Weinig.

        Adds a safeToExecute() method that takes a node and an abstract state and tells you
        if the node will run without crashing under that state.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGCFAPhase.cpp:
        (CFAPhase):
        (JSC::DFG::CFAPhase::CFAPhase):
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::performBlockCFA):
        (JSC::DFG::CFAPhase::performForwardCFA):
        * dfg/DFGSafeToExecute.h: Added.
        (DFG):
        (SafeToExecuteEdge):
        (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::SafeToExecuteEdge::result):
        (JSC::DFG::safeToExecute):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::isValidOffset):
        (StructureAbstractValue):
        * runtime/Options.h:
        (JSC):

2013-07-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=118948

        Reviewed by Sam Weinig.

        - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
          This allows doing "what if" experiments with IR generation, even if the generated IR
          can't yet execute.

        - Add an OSR exit path that just calls an intrinsic that combines the branch and the
          off-ramp.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLFail.cpp: Added.
        (FTL):
        (JSC::FTL::fail):
        * ftl/FTLFail.h: Added.
        (FTL):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        * runtime/Options.h:
        (JSC):

2013-07-19  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: StringObjectUse uses structures, and CSE should know that
        https://bugs.webkit.org/show_bug.cgi?id=118940

        Reviewed by Geoffrey Garen.

        This is asymptomatic right now, but we should fix it.
761
762         * JavaScriptCore.xcodeproj/project.pbxproj:
763         * dfg/DFGCSEPhase.cpp:
764         (JSC::DFG::CSEPhase::putStructureStoreElimination):
765         * dfg/DFGEdgeUsesStructure.h: Added.
766         (DFG):
767         (EdgeUsesStructure):
768         (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
769         (JSC::DFG::EdgeUsesStructure::operator()):
770         (JSC::DFG::EdgeUsesStructure::result):
771         (JSC::DFG::edgesUseStructure):
772         * dfg/DFGUseKind.h:
773         (DFG):
774         (JSC::DFG::usesStructure):
775
776 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
777
778         fourthTier: String GetByVal out-of-bounds handling is so wrong
779         https://bugs.webkit.org/show_bug.cgi?id=118935
780
781         Reviewed by Geoffrey Garen.
782         
783         Bunch of String GetByVal out-of-bounds fixes:
784         
785         - Even if the string proto chain is sane, we need to watch out for negative
786           indices. They may get values or call getters in the prototypes, since proto
787           sanity doesn't check for negative indexed properties, as they are not
788           technically indexed properties.
789         
790         - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
791           given this information.
792         
793         - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
794           given this information.
795         
796         Also fixed some other things:
797         
798         - If the DFG is disabled, the testRunner should pretend that we've done a
799           bunch of DFG compiles. That's necessary to prevent the tests from timing
800           out.
801         
802         - Disassembler shouldn't try to dump source code since it's not safe in the
803           concurrent JIT.
804
805         * API/JSCTestRunnerUtils.cpp:
806         (JSC::numberOfDFGCompiles):
807         * JavaScriptCore.xcodeproj/project.pbxproj:
808         * dfg/DFGAbstractInterpreterInlines.h:
809         (JSC::DFG::::executeEffects):
810         * dfg/DFGDisassembler.cpp:
811         (JSC::DFG::Disassembler::dumpHeader):
812         * dfg/DFGGraph.h:
813         (JSC::DFG::Graph::byValIsPure):
814         * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
815         (DFG):
816         (SaneStringGetByValSlowPathGenerator):
817         (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
818         (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
819         * dfg/DFGSpeculativeJIT.cpp:
820         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
821
822 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
823
824         fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
825         https://bugs.webkit.org/show_bug.cgi?id=118911
826
827         Reviewed by Geoffrey Garen.
828         
829         We could also have a separate method like "willNotCrash(offset)", but that's not
830         what isValidOffset() is intended to mean.
831
832         * runtime/Structure.h:
833         (JSC::Structure::isValidOffset):
834
835 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
836
837         fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
838         https://bugs.webkit.org/show_bug.cgi?id=118878
839
840         Reviewed by Oliver Hunt.
841         
842         - Change Structure::isValidOffset() to actually answer the question "If I attempted
843           to load from an object of this structure, at this offset, would I commit suicide
844           or would I get back some kind of value?"
845         
846         - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
847           way from the start.
848         
849         - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
850         
851         - Make GetByOffset also reference the base object in addition to the butterfly.
852         
853         The future use of this power will be to answer questions like "If I hoisted this
854         GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
855         fine?"
856         
857         I don't currently plan to use this power to perform validation, since the CSE has
858         the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
859         remove - both in the case of StructureSets where size >= 2 and in the case of
860         CheckStructures that match across PutStructures. At first I tried to write a
861         validator that was aware of this, but the validation code got way too complicated
862         and I started having nightmares of spurious assertion bugs being filed against me.
863         
864         This also changes some of the code for how we hash FunctionExecutable's for debug
865         dumps, since that code still had some thread-safety issues. Basically, the
866         concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
867         that could transitively try to compute the hash from the source code. The source
868         code is a string that may be lazily computed, and that involves all manner of thread
869         unsafe things.
870
871         * bytecode/CodeOrigin.cpp:
872         (JSC::InlineCallFrame::hash):
873         * dfg/DFGAbstractInterpreterInlines.h:
874         (JSC::DFG::::executeEffects):
875         * dfg/DFGByteCodeParser.cpp:
876         (JSC::DFG::ByteCodeParser::handleGetByOffset):
877         (JSC::DFG::ByteCodeParser::handlePutByOffset):
878         (JSC::DFG::ByteCodeParser::parseBlock):
879         * dfg/DFGCFAPhase.cpp:
880         (JSC::DFG::CFAPhase::performBlockCFA):
881         * dfg/DFGConstantFoldingPhase.cpp:
882         (JSC::DFG::ConstantFoldingPhase::foldConstants):
883         * dfg/DFGFixupPhase.cpp:
884         (JSC::DFG::FixupPhase::fixupNode):
885         * dfg/DFGGraph.h:
886         (StorageAccessData):
887         * dfg/DFGNode.h:
888         (JSC::DFG::Node::convertToGetByOffset):
889         * dfg/DFGSpeculativeJIT64.cpp:
890         (JSC::DFG::SpeculativeJIT::compile):
891         * ftl/FTLLowerDFGToLLVM.cpp:
892         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
893         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
894         * runtime/FunctionExecutableDump.cpp:
895         (JSC::FunctionExecutableDump::dump):
896         * runtime/Structure.h:
897         (Structure):
898         (JSC::Structure::isValidOffset):
899
900 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
901
902         fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
903         https://bugs.webkit.org/show_bug.cgi?id=118880
904
905         Reviewed by Sam Weinig.
906         
907         It should be possible to have an AbstractState that is backed by a HashMap. But to
908         do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
909         the map, since otherwise the idiom of getting a reference to the AbstractValue
910         returned by forNode() would cause really subtle memory corruption bugs.
911
912         * dfg/DFGAbstractInterpreterInlines.h:
913         (JSC::DFG::::executeEffects):
914         * dfg/DFGInPlaceAbstractState.h:
915         (JSC::DFG::InPlaceAbstractState::createValueForNode):
916         (InPlaceAbstractState):
917
918 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
919
920         fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
921         https://bugs.webkit.org/show_bug.cgi?id=118835
922
923         Reviewed by Oliver Hunt.
924         
925         This separates AbstractState into two things:
926         
927         - InPlaceAbstractState, which can tell you the abstract state of anything you
928           might care about, and uses the old AbstractState's algorithms and data
929           structures for doing so.
930         
931         - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
932           respect to an AbstractStateType. Currently we always use
          AbstractStateType = InPlaceAbstractState. But we could drop in another
          class that supports basic primitives like forNode() and variables().
        
        This is important because:
        
        - We want to hoist things out of loops.

        - We don't know what things rely on what type checks.

        - We only want to hoist type checks out of loops if they aren't clobbered.

        - We may want to still hoist things that depended on those type checks, if it's
          safe to do those things based on the CFA state at the tail of the loop
          pre-header.

        - We don't want things to rely on their type checks by way of a token, because
          that's just weird.

        So, we want to be able to have a special form of the CFA that can
        incrementally update a basic block's state-at-tail, and we want to be able to
        do this for multiple blocks simultaneously. This requires *not* storing the
        per-node state in the nodes themselves, but instead using the at-tail HashMap
        directly.

        Hence we need to have a way of making the abstract interpreter (i.e.
        AbstractState::execute) polymorphic with respect to state representation. Put
        another way, we need to separate the way that abstract state is represented
        from the way DFG IR is abstractly interpreted.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreter.h: Added.
        (DFG):
        (AbstractInterpreter):
        (JSC::DFG::AbstractInterpreter::forNode):
        (JSC::DFG::AbstractInterpreter::variables):
        (JSC::DFG::AbstractInterpreter::needsTypeCheck):
        (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
        (JSC::DFG::AbstractInterpreter::filter):
        (JSC::DFG::AbstractInterpreter::filterArrayModes):
        (JSC::DFG::AbstractInterpreter::filterByValue):
        (JSC::DFG::AbstractInterpreter::trySetConstant):
        (JSC::DFG::AbstractInterpreter::filterByType):
        * dfg/DFGAbstractInterpreterInlines.h: Added.
        (DFG):
        (JSC::DFG::::AbstractInterpreter):
        (JSC::DFG::::~AbstractInterpreter):
        (JSC::DFG::::booleanResult):
        (JSC::DFG::::startExecuting):
        (JSC::DFG::::executeEdges):
        (JSC::DFG::::verifyEdge):
        (JSC::DFG::::verifyEdges):
        (JSC::DFG::::executeEffects):
        (JSC::DFG::::execute):
        (JSC::DFG::::clobberWorld):
        (JSC::DFG::::clobberCapturedVars):
        (JSC::DFG::::clobberStructures):
        (JSC::DFG::::dump):
        (JSC::DFG::::filter):
        (JSC::DFG::::filterArrayModes):
        (JSC::DFG::::filterByValue):
        * dfg/DFGAbstractState.cpp: Removed.
        * dfg/DFGAbstractState.h: Removed.
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::CFAPhase):
        (JSC::DFG::CFAPhase::performBlockCFA):
        (CFAPhase):
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (ConstantFoldingPhase):
        * dfg/DFGInPlaceAbstractState.cpp: Added.
        (DFG):
        (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::setLiveValues):
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        (JSC::DFG::InPlaceAbstractState::reset):
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        (JSC::DFG::InPlaceAbstractState::merge):
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGInPlaceAbstractState.h: Added.
        (DFG):
        (InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::forNode):
        (JSC::DFG::InPlaceAbstractState::variables):
        (JSC::DFG::InPlaceAbstractState::block):
        (JSC::DFG::InPlaceAbstractState::didClobber):
        (JSC::DFG::InPlaceAbstractState::isValid):
        (JSC::DFG::InPlaceAbstractState::setDidClobber):
        (JSC::DFG::InPlaceAbstractState::setIsValid):
        (JSC::DFG::InPlaceAbstractState::setBranchDirection):
        (JSC::DFG::InPlaceAbstractState::setFoundConstants):
        (JSC::DFG::InPlaceAbstractState::haveStructures):
        (JSC::DFG::InPlaceAbstractState::setHaveStructures):
        * dfg/DFGMergeMode.h: Added.
        (DFG):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (FTL):
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateNumber):
        (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
        (LowerDFGToLLVM):

2013-07-18  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
        https://bugs.webkit.org/show_bug.cgi?id=118867

        Reviewed by Mark Hahnenberg.
        
        This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
        ArrayProfile.

        It also makes it easier to ask any array-using node how to create its type check.
        
        Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
        an array profile, thinking that it was storing into a value profile. Reshuffling the
        fields in ArrayProfile revealed this.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::ArrayProfile):
        (ArrayProfile):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllArrayPredictions):
        (JSC::CodeBlock::updateAllPredictions):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::updateAllArrayPredictions):
        * dfg/DFGArrayMode.h:
        (ArrayMode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (FixupPhase):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        * llint/LowLevelInterpreter64.asm:

2013-07-18  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: CFA should consider live-at-head for clobbering and dumping
        https://bugs.webkit.org/show_bug.cgi?id=118857

        Reviewed by Mark Hahnenberg.
        
        - clobberStructures() was not considering nodes live-at-head when in SSA
          form. This means it would fail to clobber some structures.
        
        - dump() was not considering nodes live-at-head when in SSA form. This
          means it wouldn't dump everything that you might be interested in.
        
        - AbstractState::m_currentNode is a useless variable and we should get
          rid of it.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::reset):
        (JSC::DFG::AbstractState::startExecuting):
        (JSC::DFG::AbstractState::clobberStructures):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGAbstractState.h:
        (AbstractState):

2013-07-16  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Add a phase to create loop pre-headers
        https://bugs.webkit.org/show_bug.cgi?id=118778

        Reviewed by Oliver Hunt.
        
        Add a loop pre-header creation phase. Any loop that doesn't already have
        just one predecessor that isn't part of the loop has a pre-header
        prepended. All non-loop predecessors then jump to that pre-header.
        
        Also fix a handful of bugs:
        
        - DFG::Analysis should set m_valid before running the analysis, since that
          makes it easier to use ASSERT(m_valid) in the analysis' methods, which
          may be called by the analysis before the analysis completes. NaturalLoops
          does this with loopsOf().
        
        - NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
          returning 0, since that'll happen if the block isn't in any loop.
        
        - Change BlockInsertionSet to dethread the graph, since anyone using it
          will want to do so.
        
        - Change dethreading to ignore SSA form graphs.
        
        This also adds NaturalLoops::belongsTo(), which I always used in the
        pre-header creation phase. I didn't end up using it but I'll probably use
        it in the near future.
        
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAnalysis.h:
        (JSC::DFG::Analysis::computeIfNecessary):
        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::execute):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dethread):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
        (DFG):
        (LoopPreHeaderCreationPhase):
        (JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        (JSC::DFG::performLoopPreHeaderCreation):
        * dfg/DFGLoopPreHeaderCreationPhase.h: Added.
        (DFG):
        * dfg/DFGNaturalLoops.h:
        (NaturalLoop):
        (JSC::DFG::NaturalLoops::headerOf):
        (JSC::DFG::NaturalLoops::innerMostLoopOf):
        (JSC::DFG::NaturalLoops::innerMostOuterLoop):
        (JSC::DFG::NaturalLoops::belongsTo):
        (NaturalLoops):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
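
        The pre-header rule stated in the entry above, as an added example that is not JavaScriptCore's DFGLoopPreHeaderCreationPhase: on a small CFG whose loop membership is supplied by hand (JSC computes it with NaturalLoops), every loop whose header has anything other than exactly one non-loop predecessor gets a fresh block prepended, and all non-loop predecessors are redirected to it. Block, Loop, Graph, nonLoopPredecessors, hasPreHeader and createLoopPreHeaders are names assumed for this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <set>
#include <vector>

// Added example, not JavaScriptCore's DFGLoopPreHeaderCreationPhase: a minimal
// CFG whose loop membership is supplied by hand (JSC computes it with NaturalLoops).
struct Block {
    std::vector<size_t> successors;
    std::vector<size_t> predecessors;
};

struct Loop {
    size_t header;
    std::set<size_t> blocks; // every block of the loop, header included
};

struct Graph {
    std::vector<Block> blocks;

    size_t addBlock() {
        blocks.push_back(Block());
        return blocks.size() - 1;
    }

    void addEdge(size_t from, size_t to) {
        blocks[from].successors.push_back(to);
        blocks[to].predecessors.push_back(from);
    }

    // Point every edge from -> oldTo at newTo, keeping both adjacency lists consistent.
    void retargetEdge(size_t from, size_t oldTo, size_t newTo) {
        for (size_t& successor : blocks[from].successors) {
            if (successor == oldTo)
                successor = newTo;
        }
        std::vector<size_t>& preds = blocks[oldTo].predecessors;
        preds.erase(std::remove(preds.begin(), preds.end(), from), preds.end());
        blocks[newTo].predecessors.push_back(from);
    }
};

// Predecessors of the header outside the loop: the loop's entry edges, back edges excluded.
std::set<size_t> nonLoopPredecessors(const Graph& graph, const Loop& loop) {
    std::set<size_t> result;
    for (size_t pred : graph.blocks[loop.header].predecessors) {
        if (!loop.blocks.count(pred))
            result.insert(pred);
    }
    return result;
}

// The entry's condition for "already has a pre-header": exactly one non-loop predecessor.
bool hasPreHeader(const Graph& graph, const Loop& loop) {
    return nonLoopPredecessors(graph, loop).size() == 1;
}

// Prepend a pre-header to every loop lacking one and make all non-loop predecessors
// jump to it; returns the number of blocks inserted. Loop sets are not updated for
// the new blocks, so with nested loops process inner loops first.
size_t createLoopPreHeaders(Graph& graph, const std::vector<Loop>& loops) {
    size_t inserted = 0;
    for (const Loop& loop : loops) {
        std::set<size_t> entries = nonLoopPredecessors(graph, loop);
        if (entries.size() == 1)
            continue;
        size_t preHeader = graph.addBlock();
        for (size_t entry : entries)
            graph.retargetEdge(entry, loop.header, preHeader);
        graph.addEdge(preHeader, loop.header);
        ++inserted;
    }
    return inserted;
}

// Constructed sample: loop {1, 2} with header 1, entered from outside blocks 0 and 4.
Graph buildSampleGraph() {
    Graph graph;
    for (int i = 0; i < 5; ++i)
        graph.addBlock();
    graph.addEdge(0, 1); // first entry into the loop
    graph.addEdge(4, 1); // second entry into the loop
    graph.addEdge(1, 2); // header -> body
    graph.addEdge(2, 1); // back edge
    graph.addEdge(1, 3); // loop exit
    return graph;
}

Loop sampleLoop() {
    return Loop{1, {1, 2}};
}

int main() {
    Graph graph = buildSampleGraph();
    std::vector<Loop> loops(1, sampleLoop());
    std::cout << "inserted " << createLoopPreHeaders(graph, loops) << " pre-header(s)\n";
    return 0;
}
```

After the pass, blocks 0 and 4 both jump to the new block 5, which is the header's only non-loop predecessor, and running the pass again inserts nothing.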

2013-07-16  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Rationalize Node::replacement
        https://bugs.webkit.org/show_bug.cgi?id=118774

        Reviewed by Oliver Hunt.
        
        - Clearing of replacements is now done in Graph::clearReplacements().
        
        - New nodes now have replacement set to 0.
        
        - Node::replacement is now part of a 'misc' union. I'll be putting at least
          one other field into that union as part of LICM work (see
          https://bugs.webkit.org/show_bug.cgi?id=118749).

        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::performBlockCSE):
        * dfg/DFGGraph.cpp:
        (DFG):
        (JSC::DFG::Graph::clearReplacements):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::performSubstitutionForEdge):
        (Graph):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):

2013-07-16  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block"
        https://bugs.webkit.org/show_bug.cgi?id=118750

        Reviewed by Mark Hahnenberg.

        * dfg/DFGBasicBlock.h:
        (BasicBlock):
        * dfg/DFGNaturalLoops.cpp:
        (JSC::DFG::NaturalLoops::compute):
        (JSC::DFG::NaturalLoops::loopsOf):
        * dfg/DFGNaturalLoops.h:
        (DFG):
        (JSC::DFG::NaturalLoop::NaturalLoop):
        (NaturalLoop):
        (JSC::DFG::NaturalLoop::index):
        (JSC::DFG::NaturalLoop::isOuterMostLoop):
        (JSC::DFG::NaturalLoop::addBlock):
        (JSC::DFG::NaturalLoops::headerOf):
        (JSC::DFG::NaturalLoops::innerMostLoopOf):
        (NaturalLoops):
        (JSC::DFG::NaturalLoops::innerMostOuterLoop):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2013-07-16  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: don't GC when shutting down the VM
        https://bugs.webkit.org/show_bug.cgi?id=118751

        Reviewed by Mark Hahnenberg.

        * heap/Heap.h:
        (Heap):
        * runtime/VM.cpp:
        (JSC::VM::~VM):

2013-07-12  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should have an SSA form for use by FTL
        https://bugs.webkit.org/show_bug.cgi?id=118338

        Reviewed by Mark Hahnenberg.
        
        Adds an SSA form to the DFG. We can convert ThreadedCPS form into SSA form
        after breaking critical edges. The conversion algorithm follows Aycock and
        Horspool, and the SSA form itself follows something I've done before, where
        instead of having Phi functions specify input nodes corresponding to block
        predecessors, we instead have Upsilon functions in the predecessors that
        specify which value in that block goes into which subsequent Phi. Upsilons
        don't have to dominate Phis (usually they don't) and they correspond to a
        non-SSA "mov" into the Phi's "variable". This gives all of the good
        properties of SSA, while ensuring that a bunch of CFG transformations don't
        have to be SSA-aware.
        
        So far the only DFG phases that are SSA-aware are DCE and CFA. CFG
        simplification is probably SSA-aware by default, though I haven't tried it.
        Constant folding probably needs a few tweaks, but is likely ready. Ditto
        for CSE, though it's not clear that we'd want to use block-local CSE when
        we could be doing GVN.
        
        Currently only the FTL can generate code from the SSA form, and there is no
        way to convert from SSA to ThreadedCPS or LoadStore. There probably will
        never be such a capability.
        
        In order to handle OSR exit state in the SSA, we place MovHints at Phi
        points. Other than that, you can reconstruct state-at-exit by forward
        propagating MovHints. Note that MovHint is the new SetLocal in SSA.
        SetLocal and GetLocal only survive into SSA if they are on captured
        variables, or in the case of flushes. A "live SetLocal" will be
        NodeMustGenerate and will always correspond to a flush. Computing the
        state-at-exit requires running SSA liveness analysis, OSR availability
        analysis, and flush liveness analysis. The FTL runs all of these prior to
        generating code. While OSR exit continues to be tricky, much of the logic
        is now factored into separate phases and the backend has to do less work
        to reason about what happened outside of the basic block that is being
        lowered.
        
        Conversion from DFG SSA to LLVM SSA is done by ensuring that we generate
        code in depth-first order, thus guaranteeing that a node will always be
        lowered (and hence have a LValue) before any of the blocks dominated by
        that node's block have code generated. For Upsilon/Phi, we just use
        alloca's. We could do something more clever there, but it's probably not
        worth it, at least not now.
        
        Finally, while the SSA form is currently only being converted to LLVM IR,
        there is nothing that prevents us from considering other backends in the
        future - with the caveat that this form is designed to be first lowered to
        a lower-level SSA before actual machine code generation commences. So we
        ought to either use LLVM (the intended path) or we will have to write our
        own SSA low-level backend.
        
        This runs all of the code that the FTL was known to run previously. No
        change in performance for now. But it does open some exciting
        possibilities!

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Operands.h:
        (JSC::OperandValueTraits::dump):
        (JSC::Operands::fill):
        (Operands):
        (JSC::Operands::clear):
        (JSC::Operands::operator==):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::setLiveValues):
        (DFG):
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::executeEffects):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::merge):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGAdjacencyList.h:
        (JSC::DFG::AdjacencyList::justOneChild):
        (AdjacencyList):
        * dfg/DFGBasicBlock.cpp: Added.
        (DFG):
        (JSC::DFG::BasicBlock::BasicBlock):
        (JSC::DFG::BasicBlock::~BasicBlock):
        (JSC::DFG::BasicBlock::ensureLocals):
        (JSC::DFG::BasicBlock::isInPhis):
        (JSC::DFG::BasicBlock::isInBlock):
        (JSC::DFG::BasicBlock::removePredecessor):
        (JSC::DFG::BasicBlock::replacePredecessor):
        (JSC::DFG::BasicBlock::dump):
        (JSC::DFG::BasicBlock::SSAData::SSAData):
        (JSC::DFG::BasicBlock::SSAData::~SSAData):
        * dfg/DFGBasicBlock.h:
        (BasicBlock):
        (JSC::DFG::BasicBlock::operator[]):
        (JSC::DFG::BasicBlock::successor):
        (JSC::DFG::BasicBlock::successorForCondition):
        (SSAData):
        * dfg/DFGBasicBlockInlines.h:
        (DFG):
        * dfg/DFGBlockInsertionSet.cpp: Added.
        (DFG):
        (JSC::DFG::BlockInsertionSet::BlockInsertionSet):
        (JSC::DFG::BlockInsertionSet::~BlockInsertionSet):
        (JSC::DFG::BlockInsertionSet::insert):
        (JSC::DFG::BlockInsertionSet::insertBefore):
        (JSC::DFG::BlockInsertionSet::execute):
        * dfg/DFGBlockInsertionSet.h: Added.
        (DFG):
        (BlockInsertionSet):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        * dfg/DFGCommon.cpp:
        (WTF::printInternal):
        * dfg/DFGCommon.h:
        (JSC::DFG::doesKill):
        (DFG):
        (JSC::DFG::killStatusForDoesKill):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp: Added.
        (DFG):
        (CriticalEdgeBreakingPhase):
        (JSC::DFG::CriticalEdgeBreakingPhase::CriticalEdgeBreakingPhase):
        (JSC::DFG::CriticalEdgeBreakingPhase::run):
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        (JSC::DFG::performCriticalEdgeBreaking):
        * dfg/DFGCriticalEdgeBreakingPhase.h: Added.
        (DFG):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::findTypeCheckRoot):
        (JSC::DFG::DCEPhase::countNode):
        (DCEPhase):
        (JSC::DFG::DCEPhase::countEdge):
        (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGEdge.cpp:
        (JSC::DFG::Edge::dump):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::Edge):
        (JSC::DFG::Edge::setNode):
        (JSC::DFG::Edge::useKindUnchecked):
        (JSC::DFG::Edge::setUseKind):
        (JSC::DFG::Edge::setProofStatus):
        (JSC::DFG::Edge::willNotHaveCheck):
        (JSC::DFG::Edge::willHaveCheck):
        (Edge):
        (JSC::DFG::Edge::killStatusUnchecked):
        (JSC::DFG::Edge::killStatus):
        (JSC::DFG::Edge::setKillStatus):
        (JSC::DFG::Edge::doesKill):
        (JSC::DFG::Edge::doesNotKill):
        (JSC::DFG::Edge::shift):
        (JSC::DFG::Edge::makeWord):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushFormat.cpp: Added.
        (WTF):
1424         (WTF::printInternal):
1425         * dfg/DFGFlushFormat.h: Added.
1426         (DFG):
1427         (JSC::DFG::resultFor):
1428         (JSC::DFG::useKindFor):
1429         (WTF):
1430         * dfg/DFGFlushLivenessAnalysisPhase.cpp: Added.
1431         (DFG):
1432         (FlushLivenessAnalysisPhase):
1433         (JSC::DFG::FlushLivenessAnalysisPhase::FlushLivenessAnalysisPhase):
1434         (JSC::DFG::FlushLivenessAnalysisPhase::run):
1435         (JSC::DFG::FlushLivenessAnalysisPhase::process):
1436         (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
1437         (JSC::DFG::FlushLivenessAnalysisPhase::flushFormat):
1438         (JSC::DFG::performFlushLivenessAnalysis):
1439         * dfg/DFGFlushLivenessAnalysisPhase.h: Added.
1440         (DFG):
1441         * dfg/DFGGraph.cpp:
1442         (JSC::DFG::Graph::dump):
1443         (JSC::DFG::Graph::dumpBlockHeader):
1444         (DFG):
1445         (JSC::DFG::Graph::addForDepthFirstSort):
1446         (JSC::DFG::Graph::getBlocksInDepthFirstOrder):
1447         * dfg/DFGGraph.h:
1448         (JSC::DFG::Graph::convertToConstant):
1449         (JSC::DFG::Graph::valueProfileFor):
1450         (Graph):
1451         * dfg/DFGInsertionSet.h:
1452         (DFG):
1453         (JSC::DFG::InsertionSet::execute):
1454         * dfg/DFGLivenessAnalysisPhase.cpp: Added.
1455         (DFG):
1456         (LivenessAnalysisPhase):
1457         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
1458         (JSC::DFG::LivenessAnalysisPhase::run):
1459         (JSC::DFG::LivenessAnalysisPhase::process):
1460         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
1461         (JSC::DFG::performLivenessAnalysis):
1462         * dfg/DFGLivenessAnalysisPhase.h: Added.
1463         (DFG):
1464         * dfg/DFGNode.cpp:
1465         (JSC::DFG::Node::hasVariableAccessData):
1466         (DFG):
1467         * dfg/DFGNode.h:
1468         (DFG):
1469         (Node):
1470         (JSC::DFG::Node::hasLocal):
1471         (JSC::DFG::Node::variableAccessData):
1472         (JSC::DFG::Node::hasPhi):
1473         (JSC::DFG::Node::phi):
1474         (JSC::DFG::Node::takenBlock):
1475         (JSC::DFG::Node::notTakenBlock):
1476         (JSC::DFG::Node::successor):
1477         (JSC::DFG::Node::successorForCondition):
1478         (JSC::DFG::nodeComparator):
1479         (JSC::DFG::nodeListDump):
1480         (JSC::DFG::nodeMapDump):
1481         * dfg/DFGNodeFlags.cpp:
1482         (JSC::DFG::dumpNodeFlags):
1483         * dfg/DFGNodeType.h:
1484         (DFG):
1485         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Added.
1486         (DFG):
1487         (OSRAvailabilityAnalysisPhase):
1488         (JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase):
1489         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1490         (JSC::DFG::performOSRAvailabilityAnalysis):
1491         * dfg/DFGOSRAvailabilityAnalysisPhase.h: Added.
1492         (DFG):
1493         * dfg/DFGPlan.cpp:
1494         (JSC::DFG::Plan::compileInThreadImpl):
1495         * dfg/DFGPredictionInjectionPhase.cpp:
1496         (JSC::DFG::PredictionInjectionPhase::run):
1497         * dfg/DFGPredictionPropagationPhase.cpp:
1498         (JSC::DFG::PredictionPropagationPhase::propagate):
1499         * dfg/DFGSSAConversionPhase.cpp: Added.
1500         (DFG):
1501         (SSAConversionPhase):
1502         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
1503         (JSC::DFG::SSAConversionPhase::run):
1504         (JSC::DFG::SSAConversionPhase::forwardPhiChildren):
1505         (JSC::DFG::SSAConversionPhase::forwardPhi):
1506         (JSC::DFG::SSAConversionPhase::forwardPhiEdge):
1507         (JSC::DFG::SSAConversionPhase::deduplicateChildren):
1508         (JSC::DFG::SSAConversionPhase::addFlushedLocalOp):
1509         (JSC::DFG::SSAConversionPhase::addFlushedLocalEdge):
1510         (JSC::DFG::performSSAConversion):
1511         * dfg/DFGSSAConversionPhase.h: Added.
1512         (DFG):
1513         * dfg/DFGSpeculativeJIT32_64.cpp:
1514         (JSC::DFG::SpeculativeJIT::compile):
1515         * dfg/DFGSpeculativeJIT64.cpp:
1516         (JSC::DFG::SpeculativeJIT::compile):
1517         * dfg/DFGValidate.cpp:
1518         (JSC::DFG::Validate::validate):
1519         (Validate):
1520         (JSC::DFG::Validate::validateCPS):
1521         * dfg/DFGVariableAccessData.h:
1522         (JSC::DFG::VariableAccessData::flushFormat):
1523         (VariableAccessData):
1524         * ftl/FTLCapabilities.cpp:
1525         (JSC::FTL::canCompile):
1526         * ftl/FTLLowerDFGToLLVM.cpp:
1527         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1528         (JSC::FTL::LowerDFGToLLVM::lower):
1529         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
1530         (JSC::FTL::LowerDFGToLLVM::compileBlock):
1531         (JSC::FTL::LowerDFGToLLVM::compileNode):
1532         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
1533         (LowerDFGToLLVM):
1534         (JSC::FTL::LowerDFGToLLVM::compilePhi):
1535         (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
1536         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
1537         (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
1538         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
1539         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
1540         (JSC::FTL::LowerDFGToLLVM::compileAdd):
1541         (JSC::FTL::LowerDFGToLLVM::compileArithSub):
1542         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
1543         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
1544         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
1545         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1546         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
1547         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
1548         (JSC::FTL::LowerDFGToLLVM::compileBitAnd):
1549         (JSC::FTL::LowerDFGToLLVM::compileBitOr):
1550         (JSC::FTL::LowerDFGToLLVM::compileBitXor):
1551         (JSC::FTL::LowerDFGToLLVM::compileBitRShift):
1552         (JSC::FTL::LowerDFGToLLVM::compileBitLShift):
1553         (JSC::FTL::LowerDFGToLLVM::compileBitURShift):
1554         (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
1555         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
1556         (JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
1557         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1558         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1559         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
1560         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
1561         (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
1562         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1563         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
1564         (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
1565         (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
1566         (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
1567         (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
1568         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
1569         (JSC::FTL::LowerDFGToLLVM::speculateBackward):
1570         (JSC::FTL::LowerDFGToLLVM::lowInt32):
1571         (JSC::FTL::LowerDFGToLLVM::lowCell):
1572         (JSC::FTL::LowerDFGToLLVM::lowBoolean):
1573         (JSC::FTL::LowerDFGToLLVM::lowDouble):
1574         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
1575         (JSC::FTL::LowerDFGToLLVM::lowStorage):
1576         (JSC::FTL::LowerDFGToLLVM::speculate):
1577         (JSC::FTL::LowerDFGToLLVM::speculateBoolean):
1578         (JSC::FTL::LowerDFGToLLVM::isLive):
1579         (JSC::FTL::LowerDFGToLLVM::use):
1580         (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
1581         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1582         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1583         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1584         (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
1585         (JSC::FTL::LowerDFGToLLVM::setInt32):
1586         (JSC::FTL::LowerDFGToLLVM::setJSValue):
1587         (JSC::FTL::LowerDFGToLLVM::setBoolean):
1588         (JSC::FTL::LowerDFGToLLVM::setStorage):
1589         (JSC::FTL::LowerDFGToLLVM::setDouble):
1590         (JSC::FTL::LowerDFGToLLVM::isValid):
1591         * ftl/FTLLoweredNodeValue.h: Added.
1592         (FTL):
1593         (LoweredNodeValue):
1594         (JSC::FTL::LoweredNodeValue::LoweredNodeValue):
1595         (JSC::FTL::LoweredNodeValue::isSet):
1596         (JSC::FTL::LoweredNodeValue::operator!):
1597         (JSC::FTL::LoweredNodeValue::value):
1598         (JSC::FTL::LoweredNodeValue::block):
1599         * ftl/FTLValueFromBlock.h:
1600         (JSC::FTL::ValueFromBlock::ValueFromBlock):
1601         (ValueFromBlock):
1602         * ftl/FTLValueSource.cpp:
1603         (JSC::FTL::ValueSource::dump):
1604         * ftl/FTLValueSource.h:
1605
1606 2013-07-11  Mark Lam  <mark.lam@apple.com>
1607
1608         Resurrect the CLoop LLINT on the FTL branch.
1609         https://bugs.webkit.org/show_bug.cgi?id=118144.
1610
1611         Reviewed by Mark Hahnenberg.
1612
1613         * bytecode/CodeBlock.h:
1614         (JSC::CodeBlock::jitType):
1615           - Fix the CodeBlock jitType to be InterpreterThunk when !ENABLE_JIT.
1616         * bytecode/JumpTable.h:
1617         (JSC::SimpleJumpTable::clear):
1618         * interpreter/StackIterator.cpp:
1619         (JSC::StackIterator::Frame::bytecodeOffset):
1620         (JSC::StackIterator::Frame::print):
1621         * jit/JITCode.cpp:
1622         (JSC):
1623         * jit/JITExceptions.cpp:
1624         (JSC::getExceptionLocation):
1625         * llint/LowLevelInterpreter.cpp:
1626         * offlineasm/cloop.rb:
1627         * runtime/Structure.cpp:
1628
1629 2013-07-08  Filip Pizlo  <fpizlo@apple.com>
1630
1631         NaturalLoops + Profiler = Crash
1632         https://bugs.webkit.org/show_bug.cgi?id=118486
1633
1634         Reviewed by Geoffrey Garen.
1635         
1636         I borked dominators in:
1637         http://trac.webkit.org/changeset/152431/branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGDominators.h
1638         
1639         This patch also adds some debug support, and fixes the loop that adds a block to
1640         an already-existing natural loop. Note that we currently don't take that path in
1641         most programs, but it will arise, for example if you use 'continue' - though you'd
1642         have to use it rather cleverly since the bytecode will not jump to the loop header
1643         in most uses of 'continue'.
1644
1645         * dfg/DFGDominators.cpp:
1646         (JSC::DFG::Dominators::dump):
1647         (DFG):
1648         * dfg/DFGDominators.h:
1649         (JSC::DFG::Dominators::dominates):
1650         (Dominators):
1651         * dfg/DFGNaturalLoops.cpp:
1652         (JSC::DFG::NaturalLoops::compute):
1653
1654 2013-07-08  Filip Pizlo  <fpizlo@apple.com>
1655
1656         fourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if any of the valuesAtHead have either a current known structure or a non-top/non-bottom array modes
1657         https://bugs.webkit.org/show_bug.cgi?id=118489
1658
1659         Reviewed by Mark Hahnenberg.
1660
1661         * bytecode/ArrayProfile.h:
1662         (JSC::arrayModesAreClearOrTop):
1663         (JSC):
1664         * dfg/DFGAbstractState.cpp:
1665         (JSC::DFG::AbstractState::beginBasicBlock):
1666         * dfg/DFGAbstractValue.h:
1667         (JSC::DFG::AbstractValue::hasClobberableState):
1668         (AbstractValue):
1669
1670 2013-07-08  Mark Hahnenberg  <mhahnenberg@apple.com>
1671
1672         CheckArray should call the right version of filterArrayModes
1673         https://bugs.webkit.org/show_bug.cgi?id=118488
1674
1675         Reviewed by Filip Pizlo.
1676
1677         Currently in the CFA, CheckArray doesn't call the right filterArrayMode, which can cause
1678         the CFA to ignore when it sees a contradiction.
1679
1680         * dfg/DFGAbstractState.cpp:
1681         (JSC::DFG::AbstractState::executeEffects):
1682
1683 2013-07-07  Filip Pizlo  <fpizlo@apple.com>
1684
1685         fourthTier: Graph::clearAndDerefChild() makes no sense anymore, and neither does Nop
1686         https://bugs.webkit.org/show_bug.cgi?id=118452
1687
1688         Reviewed by Sam Weinig.
1689         
1690         Noticed that ArgumentsSimplificationPhase was converting something to a Nop and then
1691         resetting its children using clearAndDerefChild(). Using Nop instead of Phantom is a
1692         holdover from back when we needed a no-MustGenerate no-op. We don't anymore. Using
1693         clearAndDerefChild() was necessary back when we did eager reference counting. We
1694         don't need to do that anymore, and in fact clearAndDerefChild() appeared to not do
1695         any reference counting, so it was badly named to begin with.
1696
1697         * dfg/DFGAbstractState.cpp:
1698         (JSC::DFG::AbstractState::executeEffects):
1699         * dfg/DFGArgumentsSimplificationPhase.cpp:
1700         (JSC::DFG::ArgumentsSimplificationPhase::run):
1701         * dfg/DFGCPSRethreadingPhase.cpp:
1702         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1703         * dfg/DFGCSEPhase.cpp:
1704         (JSC::DFG::CSEPhase::performNodeCSE):
1705         * dfg/DFGFixupPhase.cpp:
1706         (JSC::DFG::FixupPhase::fixupNode):
1707         * dfg/DFGGraph.h:
1708         (Graph):
1709         * dfg/DFGNode.h:
1710         (JSC::DFG::Node::willHaveCodeGenOrOSR):
1711         * dfg/DFGNodeType.h:
1712         (DFG):
1713         * dfg/DFGPredictionPropagationPhase.cpp:
1714         (JSC::DFG::PredictionPropagationPhase::propagate):
1715         * dfg/DFGSpeculativeJIT32_64.cpp:
1716         (JSC::DFG::SpeculativeJIT::compile):
1717         * dfg/DFGSpeculativeJIT64.cpp:
1718         (JSC::DFG::SpeculativeJIT::compile):
1719
1720 2013-07-04  Filip Pizlo  <fpizlo@apple.com>
1721
1722         fourthTier: FTL should better report its compile-times and it should be able to run in a mode where it doesn't spend time generating OSR exits
1723         https://bugs.webkit.org/show_bug.cgi?id=118401
1724
1725         Reviewed by Sam Weinig.
1726         
1727         Add two new OSR exit modes, which are useful only for playing with compile times:
1728         
1729         - All OSR exits are llvm.trap().
1730         
1731         - OSR exits don't take arguments and have no exit value marshaling.
1732
1733         * dfg/DFGPlan.cpp:
1734         (JSC::DFG::Plan::compileInThread):
1735         (JSC::DFG::Plan::compileInThreadImpl):
1736         * dfg/DFGPlan.h:
1737         (Plan):
1738         * ftl/FTLIntrinsicRepository.h:
1739         (FTL):
1740         * ftl/FTLLowerDFGToLLVM.cpp:
1741         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1742         (LowerDFGToLLVM):
1743         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1744         * ftl/FTLOutput.h:
1745         (JSC::FTL::Output::trap):
1746         * runtime/Options.h:
1747         (JSC):
1748
1749 2013-07-04  Filip Pizlo  <fpizlo@apple.com>
1750
1751         fourthTier: DFG should refer to BasicBlocks by BasicBlock* and not BlockIndex
1752         https://bugs.webkit.org/show_bug.cgi?id=118339
1753
1754         Reviewed by Michael Saboff.
1755         
1756         This accomplishes two goals:
1757
1758         1) Simplifies a bunch of code. You can now much more directly get to a successor
1759            or predecessor, since you just get the pointer directly. The backend(s) always
1760            hold onto a pointer to the block they're on, so you don't have to do work to
1761            get the block from the index.
1762         
1763         2) It allows for the possibility of inserting blocks into the program.
1764            Previously, if you did that, you'd have to edit all references to blocks since
1765            those references would have outdated indexing after an insertion. Now, if you
1766            change the indexing, you just have to invalidate some analyses and make sure
1767            that you change each block's BasicBlock::index accordingly.
1768
1769         * dfg/DFGAbstractState.cpp:
1770         (JSC::DFG::AbstractState::initialize):
1771         (JSC::DFG::AbstractState::endBasicBlock):
1772         (JSC::DFG::AbstractState::mergeToSuccessors):
1773         * dfg/DFGAbstractState.h:
1774         (AbstractState):
1775         * dfg/DFGArgumentsSimplificationPhase.cpp:
1776         (JSC::DFG::ArgumentsSimplificationPhase::run):
1777         * dfg/DFGBackwardsPropagationPhase.cpp:
1778         (JSC::DFG::BackwardsPropagationPhase::run):
1779         * dfg/DFGBasicBlock.h:
1780         (DFG):
1781         (JSC::DFG::BasicBlock::BasicBlock):
1782         (JSC::DFG::BasicBlock::size):
1783         (JSC::DFG::BasicBlock::isEmpty):
1784         (JSC::DFG::BasicBlock::at):
1785         (JSC::DFG::BasicBlock::operator[]):
1786         (JSC::DFG::BasicBlock::last):
1787         (JSC::DFG::BasicBlock::resize):
1788         (JSC::DFG::BasicBlock::grow):
1789         (BasicBlock):
1790         (JSC::DFG::BasicBlock::append):
1791         (JSC::DFG::BasicBlock::numSuccessors):
1792         (JSC::DFG::BasicBlock::successor):
1793         (JSC::DFG::BasicBlock::successorForCondition):
1794         (JSC::DFG::BasicBlock::dump):
1795         (UnlinkedBlock):
1796         (JSC::DFG::UnlinkedBlock::UnlinkedBlock):
1797         (JSC::DFG::getBytecodeBeginForBlock):
1798         (JSC::DFG::blockForBytecodeOffset):
1799         * dfg/DFGByteCodeParser.cpp:
1800         (ByteCodeParser):
1801         (InlineStackEntry):
1802         (JSC::DFG::ByteCodeParser::handleInlining):
1803         (JSC::DFG::ByteCodeParser::parseBlock):
1804         (JSC::DFG::ByteCodeParser::linkBlock):
1805         (JSC::DFG::ByteCodeParser::linkBlocks):
1806         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1807         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1808         (JSC::DFG::ByteCodeParser::parse):
1809         * dfg/DFGCFAPhase.cpp:
1810         (JSC::DFG::CFAPhase::performBlockCFA):
1811         (JSC::DFG::CFAPhase::performForwardCFA):
1812         * dfg/DFGCFGSimplificationPhase.cpp:
1813         (JSC::DFG::CFGSimplificationPhase::run):
1814         (JSC::DFG::CFGSimplificationPhase::convertToJump):
1815         * dfg/DFGCPSRethreadingPhase.cpp:
1816         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1817         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
1818         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1819         (CPSRethreadingPhase):
1820         * dfg/DFGCSEPhase.cpp:
1821         (JSC::DFG::CSEPhase::run):
1822         * dfg/DFGConstantFoldingPhase.cpp:
1823         (JSC::DFG::ConstantFoldingPhase::run):
1824         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1825         * dfg/DFGDCEPhase.cpp:
1826         (JSC::DFG::DCEPhase::run):
1827         * dfg/DFGDisassembler.cpp:
1828         (JSC::DFG::Disassembler::Disassembler):
1829         (JSC::DFG::Disassembler::createDumpList):
1830         * dfg/DFGDisassembler.h:
1831         (JSC::DFG::Disassembler::setForBlockIndex):
1832         * dfg/DFGDominators.cpp:
1833         (JSC::DFG::Dominators::compute):
1834         (JSC::DFG::Dominators::iterateForBlock):
1835         * dfg/DFGDominators.h:
1836         (JSC::DFG::Dominators::dominates):
1837         * dfg/DFGFixupPhase.cpp:
1838         (JSC::DFG::FixupPhase::run):
1839         (JSC::DFG::FixupPhase::fixupNode):
1840         * dfg/DFGGraph.cpp:
1841         (JSC::DFG::Graph::dump):
1842         (JSC::DFG::Graph::dumpBlockHeader):
1843         (JSC::DFG::Graph::handleSuccessor):
1844         (JSC::DFG::Graph::determineReachability):
1845         (JSC::DFG::Graph::resetReachability):
1846         * dfg/DFGGraph.h:
1847         (JSC::DFG::Graph::numBlocks):
1848         (JSC::DFG::Graph::block):
1849         (JSC::DFG::Graph::lastBlock):
1850         (Graph):
1851         (JSC::DFG::Graph::appendBlock):
1852         (JSC::DFG::Graph::killBlock):
1853         (DFG):
1854         * dfg/DFGJITCompiler.cpp:
1855         (JSC::DFG::JITCompiler::JITCompiler):
1856         (JSC::DFG::JITCompiler::link):
1857         * dfg/DFGJITCompiler.h:
1858         (JSC::DFG::JITCompiler::setForBlockIndex):
1859         * dfg/DFGNaturalLoops.cpp:
1860         (JSC::DFG::NaturalLoop::dump):
1861         (JSC::DFG::NaturalLoops::compute):
1862         (JSC::DFG::NaturalLoops::loopsOf):
1863         * dfg/DFGNaturalLoops.h:
1864         (JSC::DFG::NaturalLoop::NaturalLoop):
1865         (JSC::DFG::NaturalLoop::addBlock):
1866         (JSC::DFG::NaturalLoop::header):
1867         (JSC::DFG::NaturalLoop::at):
1868         (JSC::DFG::NaturalLoop::operator[]):
1869         (JSC::DFG::NaturalLoop::contains):
1870         (NaturalLoop):
1871         (JSC::DFG::NaturalLoops::headerOf):
1872         (NaturalLoops):
1873         * dfg/DFGNode.h:
1874         (DFG):
1875         (JSC::DFG::SwitchCase::SwitchCase):
1876         (JSC::DFG::SwitchCase::withBytecodeIndex):
1877         (SwitchCase):
1878         (JSC::DFG::SwitchCase::targetBytecodeIndex):
1879         (JSC::DFG::SwitchData::SwitchData):
1880         (JSC::DFG::SwitchData::setFallThroughBytecodeIndex):
1881         (JSC::DFG::SwitchData::fallThroughBytecodeIndex):
1882         (SwitchData):
1883         (JSC::DFG::Node::setTakenBlock):
1884         (JSC::DFG::Node::setNotTakenBlock):
1885         (JSC::DFG::Node::takenBlock):
1886         (JSC::DFG::Node::notTakenBlock):
1887         (JSC::DFG::Node::successor):
1888         (JSC::DFG::Node::successorForCondition):
1889         * dfg/DFGPredictionInjectionPhase.cpp:
1890         (JSC::DFG::PredictionInjectionPhase::run):
1891         * dfg/DFGPredictionPropagationPhase.cpp:
1892         (JSC::DFG::PredictionPropagationPhase::propagateForward):
1893         (JSC::DFG::PredictionPropagationPhase::propagateBackward):
1894         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1895         * dfg/DFGSpeculativeJIT.cpp:
1896         (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
1897         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
1898         (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
1899         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
1900         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1901         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
1902         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1903         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1904         (JSC::DFG::SpeculativeJIT::compile):
1905         (JSC::DFG::SpeculativeJIT::createOSREntries):
1906         (JSC::DFG::SpeculativeJIT::linkOSREntries):
1907         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
1908         (JSC::DFG::SpeculativeJIT::compileStrictEq):
1909         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
1910         (JSC::DFG::SpeculativeJIT::addBranch):
1911         (JSC::DFG::SpeculativeJIT::linkBranches):
1912         * dfg/DFGSpeculativeJIT.h:
1913         (JSC::DFG::SpeculativeJIT::nextBlock):
1914         (SpeculativeJIT):
1915         (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
1916         (JSC::DFG::SpeculativeJIT::branchDouble):
1917         (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
1918         (JSC::DFG::SpeculativeJIT::branch32):
1919         (JSC::DFG::SpeculativeJIT::branchTest32):
1920         (JSC::DFG::SpeculativeJIT::branch64):
1921         (JSC::DFG::SpeculativeJIT::branch8):
1922         (JSC::DFG::SpeculativeJIT::branchPtr):
1923         (JSC::DFG::SpeculativeJIT::branchTestPtr):
1924         (JSC::DFG::SpeculativeJIT::branchTest8):
1925         (JSC::DFG::SpeculativeJIT::jump):
1926         (JSC::DFG::SpeculativeJIT::addBranch):
1927         (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
1928         (StringSwitchCase):
1929         (JSC::DFG::SpeculativeJIT::BranchRecord::BranchRecord):
1930         (BranchRecord):
1931         * dfg/DFGSpeculativeJIT32_64.cpp:
1932         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1933         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1934         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1935         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1936         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1937         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1938         (JSC::DFG::SpeculativeJIT::emitBranch):
1939         (JSC::DFG::SpeculativeJIT::compile):
1940         * dfg/DFGSpeculativeJIT64.cpp:
1941         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1942         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1943         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1944         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1945         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1946         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1947         (JSC::DFG::SpeculativeJIT::emitBranch):
1948         (JSC::DFG::SpeculativeJIT::compile):
1949         * dfg/DFGTypeCheckHoistingPhase.cpp:
1950         (JSC::DFG::TypeCheckHoistingPhase::run):
1951         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1952         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1953         (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
1954         * dfg/DFGUnificationPhase.cpp:
1955         (JSC::DFG::UnificationPhase::run):
1956         * dfg/DFGValidate.cpp:
1957         (JSC::DFG::Validate::validate):
1958         (JSC::DFG::Validate::checkOperand):
1959         (JSC::DFG::Validate::reportValidationContext):
1960         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1961         (JSC::DFG::VirtualRegisterAllocationPhase::run):
1962         * ftl/FTLCapabilities.cpp:
1963         (JSC::FTL::canCompile):
1964         * ftl/FTLLowerDFGToLLVM.cpp:
1965         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1966         (JSC::FTL::LowerDFGToLLVM::lower):
1967         (JSC::FTL::LowerDFGToLLVM::compileBlock):
1968         (JSC::FTL::LowerDFGToLLVM::compileJump):
1969         (JSC::FTL::LowerDFGToLLVM::compileBranch):
1970         (JSC::FTL::LowerDFGToLLVM::lowBlock):
1971
1972 2013-07-04  Filip Pizlo  <fpizlo@apple.com>
1973
1974         Unreviewed, add a helpful comment for why DCE is needed in the FTL.
1975
1976         I believe I've now twice done the experiment of disabling DCE in the FTL,
1977         only to realize that this can't work, and that DCE is needed. I'd kind of
1978         like to not make that mistake again.
1979
1980         * dfg/DFGPlan.cpp:
1981         (JSC::DFG::Plan::compileInThreadImpl):
1982
1983 2013-07-02  Filip Pizlo  <fpizlo@apple.com>
1984
1985         fourthTier: DFG::Node::m_opInfo2 should also be a uintptr_t
1986         https://bugs.webkit.org/show_bug.cgi?id=118340
1987
1988         Reviewed by Sam Weinig.
1989
1990         * dfg/DFGNode.h:
1991         (JSC::DFG::Node::Node):
1992
1993 2013-07-02  Filip Pizlo  <fpizlo@apple.com>
1994
1995         Unreviewed, fix 32-bit build.
1996
1997         * assembler/MacroAssembler.h:
1998         (JSC::MacroAssembler::comparePtr):
1999         (MacroAssembler):
2000         * dfg/DFGBinarySwitch.cpp:
2001         (JSC::DFG::BinarySwitch::advance):
2002         * dfg/DFGBinarySwitch.h:
2003         (JSC::DFG::BinarySwitch::caseValue):
2004
2005 2013-07-02  Filip Pizlo  <fpizlo@apple.com>
2006
2007         fourthTier: Have fewer Arrayify's
2008         https://bugs.webkit.org/show_bug.cgi?id=118335
2009
2010         Reviewed by Mark Hahnenberg.
2011         
2012         A lot of Arrayify's arise because some program saw Int32 arrays early on in
2013         execution, but then they all got converted to Double arrays and the program
2014         will never see Int32 arrays ever again. Prior to this change you would always
2015         have an Arrayify in this case. But with this change, the first time that an
2016         ArrayProfile is about to go polymorphic in computeUpdatedPrediction(), it
2017         instead forcibly monomorphises itself to the latest-seen structure.
2018         Thereafter it will never again perform this monomorphisation. This is
2019         controlled by ArrayProfile::m_didPerformFirstRunPruning. This is a 5%
2020         speed-up on Kraken/imaging-gaussian-blur with the FTL enabled, and it
2021         unblocks a bunch of stuff we want to do in the future because it makes a
2022         bunch of loops effect-free.
2023         
2024         We will still want to implement Arrayify hoisting in the future, but this is
2025         great anyway because it's better to not have Arrayifications than it is to
2026         have hoisted Arrayifications.
2027
2028         * bytecode/ArrayProfile.cpp:
2029         (JSC::ArrayProfile::computeUpdatedPrediction):
2030         (JSC::ArrayProfile::briefDescription):
2031         (JSC):
2032         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2033         * bytecode/ArrayProfile.h:
2034         (JSC::ArrayProfile::ArrayProfile):
2035         (ArrayProfile):
2036
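The first-run pruning described in the entry above, as a constructed C++ model added here for illustration; it is not JavaScriptCore's ArrayProfile code, and the Structure, mode-bit and method names are stand-ins for the real ones.

```cpp
#include <cstdint>

// Constructed stand-ins for JSC's ArrayModes bit set (one bit per indexing type).
typedef uint32_t ArrayModes;
const ArrayModes ArrayModeInt32      = 1u << 0;
const ArrayModes ArrayModeDouble     = 1u << 1;
const ArrayModes ArrayModeContiguous = 1u << 2;

// Hypothetical minimal Structure: only the indexing type matters for this model.
struct Structure {
    const char* name;
    ArrayModes indexingMode;
};

static unsigned bitCount(ArrayModes modes)
{
    unsigned n = 0;
    for (; modes; modes &= modes - 1)
        n++;
    return n;
}

// Model of the profile attached to one array-access bytecode.
class ArrayProfile {
public:
    ArrayProfile()
        : m_lastSeenStructure(nullptr)
        , m_observedArrayModes(0)
        , m_didPerformFirstRunPruning(false)
    {
    }

    // The cheap hot-path part: just remember the latest structure seen.
    void observe(const Structure* structure) { m_lastSeenStructure = structure; }

    // The analysis part: merge the latest structure into the observed modes and,
    // exactly once, prune back to monomorphic when the profile is about to go polymorphic.
    void computeUpdatedPrediction()
    {
        if (!m_lastSeenStructure)
            return;
        m_observedArrayModes |= m_lastSeenStructure->indexingMode;
        if (!m_didPerformFirstRunPruning && bitCount(m_observedArrayModes) > 1) {
            // First time we would go polymorphic: treat the earlier modes as a
            // transient start-up phase and keep only the latest-seen one.
            m_observedArrayModes = m_lastSeenStructure->indexingMode;
            m_didPerformFirstRunPruning = true;
        }
    }

    ArrayModes observedArrayModes() const { return m_observedArrayModes; }
    bool didPerformFirstRunPruning() const { return m_didPerformFirstRunPruning; }
    bool isMonomorphic() const { return bitCount(m_observedArrayModes) == 1; }

private:
    const Structure* m_lastSeenStructure;
    ArrayModes m_observedArrayModes;
    bool m_didPerformFirstRunPruning;
};

// Scenario from the entry: a loop sees Int32 arrays early, then only Double arrays.
// Returns the modes the DFG would see when it later compiles that loop.
ArrayModes modesAfterInt32ThenDouble()
{
    static const Structure int32Array = { "Int32 array", ArrayModeInt32 };
    static const Structure doubleArray = { "Double array", ArrayModeDouble };
    ArrayProfile profile;
    profile.observe(&int32Array);
    profile.computeUpdatedPrediction();
    profile.observe(&doubleArray);
    profile.computeUpdatedPrediction(); // would become Int32|Double; pruned to Double
    return profile.observedArrayModes();
}
```

With the pruned profile the DFG sees a monomorphic Double array and emits no Arrayify; a second structure change after the pruning makes the profile polymorphic as before.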
2037 2013-07-02  Filip Pizlo  <fpizlo@apple.com>
2038
2039         fourthTier: add option to disable OSR entry in loops
2040         https://bugs.webkit.org/show_bug.cgi?id=118329
2041
2042         Reviewed by Mark Hahnenberg.
2043         
2044         This adds that option, and also makes the OSR exit reoptimization trigger rely less on
2045         OSR entry failing. Now even if we never attempt OSR entry but our execution counter gets
2046         high after a small number of OSR exits, we will recompile.
2047
2048         * dfg/DFGOSRExitCompilerCommon.cpp:
2049         (JSC::DFG::handleExitCounts):
2050         * dfg/DFGOperations.cpp:
2051         * jit/JITOpcodes.cpp:
2052         (JSC::JIT::emit_op_loop_hint):
2053         (JSC::JIT::emitSlow_op_loop_hint):
2054         * runtime/Options.h:
2055         (JSC):
2056
2057 2013-07-02  Filip Pizlo  <fpizlo@apple.com>
2058
2059         fourthTier: since the FTL disassembly hacks cannot distinguish between code and data, the LLVM disassembler symbol table callback should be able to deal gracefully with arbitrary garbage
2060         https://bugs.webkit.org/show_bug.cgi?id=118313
2061
2062         Reviewed by Mark Hahnenberg.
2063         
2064         Give it a mode where we can still crash on unrecognized reference types, so that we might
2065         implement them in the future, but by default just print some stuff and keep going.
2066
2067         * disassembler/LLVMDisassembler.cpp:
2068         (JSC):
2069         (JSC::symbolLookupCallback):
2070
2071 2013-07-02  Filip Pizlo  <fpizlo@apple.com>
2072
2073         fourthTier: FTL should use the equivalent of llvm opt -O2 by default
2074         https://bugs.webkit.org/show_bug.cgi?id=118311
2075
2076         Reviewed by Mark Hahnenberg.
2077         
2078         Use a PassManagerBuilder instead of rolling our own.
2079         
2080         This boosts our speed-up by another 5% or so.
2081
2082         * ftl/FTLCompile.cpp:
2083         (JSC::FTL::compile):
2084         * runtime/Options.h:
2085         (JSC):
2086
2087 2013-07-01  Filip Pizlo  <fpizlo@apple.com>
2088
2089         fourthTier: FTL should run LICM after AA setup
2090         https://bugs.webkit.org/show_bug.cgi?id=118277
2091
2092         Reviewed by Maciej Stachowiak.
2093         
2094         LICM queries alias analysis. Hence, just like GVN, it should run after
2095         we have set up the alias analysis.
2096
2097         * ftl/FTLCompile.cpp:
2098         (JSC::FTL::compile):
2099
2100 2013-07-01  Filip Pizlo  <fpizlo@apple.com>
2101
2102         fourthTier: FTL should run AA passes before GVN
2103         https://bugs.webkit.org/show_bug.cgi?id=118276
2104
2105         Rubber stamped by Geoffrey Garen.
2106         
2107         These enable load elimination in GVN.
2108         
2109         Immediately gives us a speed-up on a bunch of benchmarks I hacked to run
2110         properly in the FTL. One example is 20% on imaging-gaussian-blur. (Fair
2111         warning: the stock version of that benchmark won't see speed-ups -
2112         probably slow-downs instead - because the FTL can't do OSR entry yet.)
2113         Another example is the findGraphNode function, which now sees a 7%
2114         speed-up, and that's without even doing LICM or other good things.
2115
2116         * ftl/FTLCompile.cpp:
2117         (JSC::FTL::compile):
2118
2119 2013-06-27  Filip Pizlo  <fpizlo@apple.com>
2120
2121         Make Graph::substituteGetLocal() out-of-line
2122
2123         Rubber stamped by Geoffrey Garen.
2124
2125         * dfg/DFGGraph.cpp:
2126         (JSC::DFG::Graph::substituteGetLocal):
2127         (DFG):
2128         * dfg/DFGGraph.h:
2129         (Graph):
2130
2131 2013-06-27  Filip Pizlo  <fpizlo@apple.com>
2132
2133         fourthTier: DFG should know how to find natural loops
2134         https://bugs.webkit.org/show_bug.cgi?id=118152
2135
2136         Reviewed by Mark Hahnenberg.
2137         
2138         There are a bunch of things we can do when we know where the loops are.
2139         Previously we didn't. With this patch, we do.
2140         
2141         This patch adds the classic dominator based natural loop finder.
2142         
2143         The only client of this right now is the DFG::Disassembler. It prints out
2144         a summary of the analysis for each block.
2145         
2146         This will become more important when I do
2147         https://bugs.webkit.org/show_bug.cgi?id=118151, which definitely requires
2148         this kind of analysis, at least if we want to do the optimization over
2149         DFG IR (and I'm pretty sure we do).
2150
2151         * JavaScriptCore.xcodeproj/project.pbxproj:
2152         * dfg/DFGAnalysis.h: Added.
2153         (DFG):
2154         (Analysis):
2155         (JSC::DFG::Analysis::Analysis):
2156         (JSC::DFG::Analysis::invalidate):
2157         (JSC::DFG::Analysis::computeIfNecessary):
2158         (JSC::DFG::Analysis::isValid):
2159         * dfg/DFGCFGSimplificationPhase.cpp:
2160         (JSC::DFG::CFGSimplificationPhase::run):
2161         * dfg/DFGDisassembler.cpp:
2162         (JSC::DFG::Disassembler::createDumpList):
2163         * dfg/DFGDominators.cpp:
2164         (JSC::DFG::Dominators::Dominators):
2165         (JSC::DFG::Dominators::compute):
2166         * dfg/DFGDominators.h:
2167         (Dominators):
2168         * dfg/DFGGraph.cpp:
2169         (JSC::DFG::Graph::dumpBlockHeader):
2170         (JSC::DFG::Graph::invalidateCFG):
2171         (DFG):
2172         * dfg/DFGGraph.h:
2173         (Graph):
2174         * dfg/DFGNaturalLoops.cpp: Added.
2175         (DFG):
2176         (JSC::DFG::NaturalLoop::dump):
2177         (JSC::DFG::NaturalLoops::NaturalLoops):
2178         (JSC::DFG::NaturalLoops::~NaturalLoops):
2179         (JSC::DFG::NaturalLoops::compute):
2180         (JSC::DFG::NaturalLoops::loopsOf):
2181         (JSC::DFG::NaturalLoops::dump):
2182         * dfg/DFGNaturalLoops.h: Added.
2183         (DFG):
2184         (NaturalLoop):
2185         (JSC::DFG::NaturalLoop::NaturalLoop):
2186         (JSC::DFG::NaturalLoop::addBlock):
2187         (JSC::DFG::NaturalLoop::header):
2188         (JSC::DFG::NaturalLoop::size):
2189         (JSC::DFG::NaturalLoop::at):
2190         (JSC::DFG::NaturalLoop::operator[]):
2191         (JSC::DFG::NaturalLoop::contains):
2192         (NaturalLoops):
2193         (JSC::DFG::NaturalLoops::numLoops):
2194         (JSC::DFG::NaturalLoops::loop):
2195         (JSC::DFG::NaturalLoops::headerOf):
2196
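The dominator-based natural loop finder that the entry above adds, as an added stand-alone example: this is not JSC's DFGNaturalLoops or DFGDominators code, and the names CFG, NaturalLoop, computeDominators, findNaturalLoops, loopHeadersOf and buildSampleCFG are assumed for the illustration. It assumes every block is reachable from block 0, computes dominators with the textbook iterative intersection method, treats an edge whose target dominates its source as a back edge, and collects the loop body by walking predecessors backward from the source until the header is reached. The sample CFG is constructed: an outer loop headed by block 1 with an inner loop headed by block 2.

```cpp
#include <algorithm>
#include <iterator>
#include <map>
#include <set>
#include <utility>
#include <vector>

// Constructed, simplified CFG: blocks are numbered 0..n-1 and block 0 is the entry.
// Every block is assumed to be reachable from the entry.
struct CFG {
    std::vector<std::vector<int>> succ;
    std::vector<std::vector<int>> pred;
    explicit CFG(int n) : succ(n), pred(n) {}
    void addEdge(int from, int to) { succ[from].push_back(to); pred[to].push_back(from); }
    int size() const { return static_cast<int>(succ.size()); }
};

// A natural loop: its header plus every block in its body (the header is included).
struct NaturalLoop {
    int header = -1;
    std::set<int> blocks;
};

// dom[b] is the set of blocks that dominate b (b dominates itself). Textbook iterative
// solution: start from "everything", intersect over predecessors until nothing changes.
std::vector<std::set<int>> computeDominators(const CFG& cfg) {
    const int n = cfg.size();
    std::set<int> all;
    for (int b = 0; b < n; ++b) all.insert(b);
    std::vector<std::set<int>> dom(n, all);
    dom[0] = { 0 };
    for (bool changed = true; changed;) {
        changed = false;
        for (int b = 1; b < n; ++b) {
            std::set<int> next = all;
            for (int p : cfg.pred[b]) {
                std::set<int> tmp;
                std::set_intersection(next.begin(), next.end(), dom[p].begin(), dom[p].end(),
                                      std::inserter(tmp, tmp.begin()));
                next.swap(tmp);
            }
            next.insert(b);
            if (next != dom[b]) { dom[b] = std::move(next); changed = true; }
        }
    }
    return dom;
}

// An edge u -> v is a back edge when v dominates u; v is then a loop header and the
// loop body is every block that can reach u without passing through v. Loops that
// share a header are merged; the result is ordered by header.
std::vector<NaturalLoop> findNaturalLoops(const CFG& cfg) {
    std::vector<std::set<int>> dom = computeDominators(cfg);
    std::map<int, NaturalLoop> byHeader;
    for (int u = 0; u < cfg.size(); ++u) {
        for (int v : cfg.succ[u]) {
            if (!dom[u].count(v)) continue;   // not a back edge
            NaturalLoop& loop = byHeader[v];
            loop.header = v;
            loop.blocks.insert(v);            // inserting the header first stops the walk at it
            std::vector<int> work;
            if (loop.blocks.insert(u).second) work.push_back(u);
            while (!work.empty()) {
                int b = work.back();
                work.pop_back();
                for (int p : cfg.pred[b])
                    if (loop.blocks.insert(p).second) work.push_back(p);
            }
        }
    }
    std::vector<NaturalLoop> loops;
    for (const auto& entry : byHeader) loops.push_back(entry.second);
    return loops;
}

// Headers of every loop containing `block`, innermost (smallest body) first: the kind
// of per-block summary a disassembler dump can print.
std::vector<int> loopHeadersOf(const std::vector<NaturalLoop>& loops, int block) {
    std::vector<const NaturalLoop*> containing;
    for (const NaturalLoop& loop : loops)
        if (loop.blocks.count(block)) containing.push_back(&loop);
    std::sort(containing.begin(), containing.end(),
              [](const NaturalLoop* a, const NaturalLoop* b) { return a->blocks.size() < b->blocks.size(); });
    std::vector<int> headers;
    for (const NaturalLoop* loop : containing) headers.push_back(loop->header);
    return headers;
}

// Constructed sample: 0 -> 1 -> 2 -> 3 -> 4 -> 5 (exit), with back edges 3 -> 2
// (inner loop headed by 2) and 4 -> 1 (outer loop headed by 1).
CFG buildSampleCFG() {
    CFG cfg(6);
    cfg.addEdge(0, 1); cfg.addEdge(1, 2); cfg.addEdge(2, 3);
    cfg.addEdge(3, 2); cfg.addEdge(3, 4); cfg.addEdge(4, 1); cfg.addEdge(4, 5);
    return cfg;
}
```

The set-based dominator computation is quadratic in the worst case and is used here only because it is easy to check by hand; on the sample CFG it yields loops {1,2,3,4} headed by 1 and {2,3} headed by 2, and loopHeadersOf reports block 3 as inside both, innermost first.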
2013-06-27  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: JSC's disassembly infrastructure should be able to disassemble the code that LLVM generates
        https://bugs.webkit.org/show_bug.cgi?id=118148

        Reviewed by Anders Carlsson.

        Oh boy. UDis86 cannot disassemble the AVX (or whatever it's called) stuff
        that LLVM generates for floating point. So the right decision is to
        switch to the LLVM disassembler, right? Wrong!! LLVM's disassembler
        cannot disassemble the load-from-absolute-address-into-%rax instructions
        that our JIT generates quite a lot of.

        So, this keeps the UDis86 disassembler, but adds the LLVM disassembler,
        and requires the caller of disassemble() to hint which one is likely to
        be less wrong for the given code.

        Maybe in the future LLVM will catch up to UDis86, but it's definitely not
        there right now.

        This now allows us to disassemble all of the code that LLVM generates.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * disassembler/Disassembler.cpp:
        (JSC::disassemble):
        * disassembler/Disassembler.h:
        (JSC::tryToDisassemble):
        (JSC):
        * disassembler/LLVMDisassembler.cpp: Added.
        (JSC):
        (JSC::symbolLookupCallback):
        (JSC::tryToDisassembleWithLLVM):
        * disassembler/LLVMDisassembler.h: Added.
        (JSC):
        (JSC::tryToDisassembleWithLLVM):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/UDis86Disassembler.h: Added.
        (JSC):
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/X86Disassembler.cpp: Added.
        (JSC):
        (JSC::tryToDisassemble):
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLJITCode.h:
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLLVMHeaders.h: Removed.
        * ftl/FTLLink.cpp:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/Options.h:
        (JSC):

2013-06-27  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should be able to dump disassembly
        https://bugs.webkit.org/show_bug.cgi?id=118141

        Reviewed by Geoffrey Garen.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2013-06-27  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build for LLVM ToT.

        This doesn't affect those using the binary drops, but if you're building from
        LLVM ToT you'll get link errors. These arise because we expect there to be a
        libLLVMArchive, but that is no longer built by LLVM ToT. This causes the linker
        to fall back on the system's libLLVMArchive, which is incompatible with the
        other LLVM libs we pull in.

        Also, we didn't need that library anyway and shouldn't have been linking
        against it.

        * Configurations/JavaScriptCore.xcconfig:

2013-06-26  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support hole/OOB PutByVal's
        https://bugs.webkit.org/show_bug.cgi?id=118112

        Reviewed by Geoffrey Garen.

        Added a common code generator for the out-of-bounds case that is reused by
        all contiguous-like arrays (Int32, Double, Contiguous).

        This is relatively straightforward, except that it's the first time that
        the FTL has to call DFG operations that take more than two arguments.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::functionType):
        (JSC::FTL::buildCall):
        * ftl/FTLAbstractHeapRepository.h:
        (FTL):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
        (JSC::FTL::LowerDFGToLLVM::vmCall):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::call):

2013-06-26  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL::canCompile(Graph&) should not consider nodes that won't be compiled
        https://bugs.webkit.org/show_bug.cgi?id=118097

        Reviewed by Mark Hahnenberg.

        This increases coverage to include programs that have unprofiled paths. Those paths will
        often have nodes that appear to do untyped speculations, and the FTL sometimes doesn't
        support those; except that it doesn't matter since the reason why they were untyped is
        that they were unprofiled and anyway we won't run them because we'll exit before them.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):

2013-06-26  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support ArrayifyToStructure
        https://bugs.webkit.org/show_bug.cgi?id=118095

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (LowerDFGToLLVM):

2013-06-26  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support ForwardCheckStructure/ForwardStructureTransitionWatchpoint and doing so shouldn't break V8/crypto
        https://bugs.webkit.org/show_bug.cgi?id=118091

        Reviewed by Mark Hahnenberg.

        I was going to just add ForwardCheckStructure/ForwardStructureTransitionWatchpoint support,
        which is trivial. But doing so increases coverage a lot, and revealed long-standing bugs in
        the FTL. I then fixed those bugs, also:

        - The FTL should not attempt to compile a block that is not reachable according to the CFA.
          This is analogous to terminating basic block compilation if the CFA becomes !isValid().
          Attempting to compile such a block means that you're running on broken CFA state, and the
          CFA will become inconsistent with the code you're generating, leading to some
          strangeness. For example, the FTL relies on the CFA to tell it that we gave up compiling
          a node and hence don't have LValue's for that node (by virtue of us giving up due to
          !isValid()). But the CFA's isValid() bit will not be set correctly for blocks that
          weren't visited by the CFA at all, and the CFA expects you to know this because it
          expects that you already checked BasicBlock::cfaHasVisited.

        - SetLocal needs to change the ValueSource of the operand to indicate that its value has
          been stashed in the local (i.e. the "reference" corresponding to the operand in FTL
          speak). This is because although OSR exit already knows that the value of the operand is
          stored in the Node, and it already knows what LValue corresponds to the node, OSR exit
          will also assume that if the Node dies then the value-at-exit for that operand should be
          Dead (i.e. jsUndefined). But the Node dying, and the local dying, are two distinct
          things; in particular the local always outlives the Node in the case of a SetLocal. So,
          we just need to have SetLocal have the ValueSource be BlahInLocal rather than HaveNode,
          to ensure that OSR exit knows that the darn thing is really live until the end of the
          basic block, as opposed to until whenever the Node dies (which could be at any time).

        - PutByOffset was erroneously storing to an offset from the base object, rather than an
          offset from the storage. Note that the storage will be the base object (exactly - i.e.
          same node, same value) for inline stores, but will be a distinct thing for out-of-line
          stores.

        - At-head set-up of OSR exit state was using ValueInLocals for variables forced double,
          when it should have been using DoubleInLocals.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):

2013-06-26  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support PutByVal
        https://bugs.webkit.org/show_bug.cgi?id=118075

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):

2013-06-25  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Convert versus AsIs should have no bearing on whether we can do the SaneChain optimization for double array GetByVals
        https://bugs.webkit.org/show_bug.cgi?id=118028

        Reviewed by Sam Weinig.

        The SaneChain optimization allows us to get rid of the NaN check on loading from
        a double array, if the result is used in an arithmetic op that wouldn't
        distinguish between NaN and undefined. Normally the NaN check would be needed
        because NaN is the hole marker.

        The SaneChain optimization definitely requires that you're an Original array,
        since we need to watchpoint the array prototype chain. And so it also needs to
        be a JSArray, and not an object that has indexed double properties. We also
        require an in-bounds access, since the backend is only capable of the
        optimization in the in-bounds case (though we could extend it to OOB in the
        future). But whether the array is being converted or is as-is isn't relevant.
        Either way, if it's a double original array in-bounds access by the time that
        the array check (or conversion!) completes, we can do the optimization.

        Ever-so-slight speed-up on Kraken/imaging-gaussian-blur.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-06-25  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should support switch_string
        https://bugs.webkit.org/show_bug.cgi?id=117967

        Reviewed by Sam Weinig.

        Add a reusable binary switch creator.

        Implement switch on string using three modes:

        - Binary switch on StringImpl* in the case of identifiers.

        - Trie of binary switches on characters in the case of a not-too-big
          switch over not-too-big 8-bit strings.

        - Hash lookup if all else fails.

        Anywhere from a 2x to 3x speed-up on microbenchmarks that stress
        string switches. 25-35% speed-up on HashMap tests. 4% speed-up on
        pdfjs.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/JumpTable.h:
        (StringJumpTable):
        (JSC::StringJumpTable::clear):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGBinarySwitch.cpp: Added.
        (DFG):
        (JSC::DFG::BinarySwitch::BinarySwitch):
        (JSC::DFG::BinarySwitch::advance):
        (JSC::DFG::BinarySwitch::build):
        * dfg/DFGBinarySwitch.h: Added.
        (DFG):
        (BinarySwitch):
        (JSC::DFG::BinarySwitch::caseIndex):
        (JSC::DFG::BinarySwitch::caseValue):
        (JSC::DFG::BinarySwitch::fallThrough):
        (JSC::DFG::BinarySwitch::Case::Case):
        (Case):
        (JSC::DFG::BinarySwitch::Case::operator<):
        (JSC::DFG::BinarySwitch::BranchCode::BranchCode):
        (BranchCode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::getValue):
        (JSC::DFG::equalToStringImpl):
        (DFG):
        (JSC::DFG::LazyJSValue::strictEqual):
        (JSC::DFG::LazyJSValue::dump):
        * dfg/DFGLazyJSValue.h:
        (JSC::DFG::LazyJSValue::knownStringImpl):
        (LazyJSValue):
        (JSC::DFG::LazyJSValue::stringImpl):
        (JSC::DFG::LazyJSValue::switchLookupValue):
        * dfg/DFGNode.cpp:
        (WTF::printInternal):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<):
        (DFG):
        (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        (JSC::DFG::SpeculativeJIT::emitSwitch):
        (JSC::DFG::SpeculativeJIT::addBranch):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::branch8):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
        (StringSwitchCase):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        * runtime/Options.h:
        (JSC):

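The "trie of binary switches on characters" mode from the switch_string entry above, as an added example that is not the DFG's BinarySwitch or emitSwitchString code: JSC emits machine code for the decision tree, whereas this builds the same shape of decision tree (a binary switch on string length, then a binary switch on the character at each depth) as a data structure and walks it, counting comparisons so the cost of a lookup is visible. TrieSwitch, buildStringSwitch, switchOnString, sampleCases and sampleLookup are names assumed for the illustration, the sample cases are constructed, and the identifier (StringImpl*) mode and the hash fallback are not modelled.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// One level of the decision tree. `edges` is kept sorted by key so a lookup can
// binary-search it: at the root the key is the string length, below the root it is
// the character at the node's depth. A leaf carries the index of the matching case.
struct TrieSwitch {
    std::vector<std::pair<int, std::unique_ptr<TrieSwitch>>> edges;
    int caseIndex = -1;
};

// Builds the character trie for `candidates`, which all share one length and the same
// first `depth` characters. Case strings are assumed to be distinct.
static std::unique_ptr<TrieSwitch> buildTrie(const std::vector<std::string>& cases,
                                             std::vector<int> candidates, size_t depth) {
    auto node = std::make_unique<TrieSwitch>();
    if (cases[candidates.front()].size() == depth) {
        node->caseIndex = candidates.front();   // distinct strings: exactly one ends here
        return node;
    }
    auto keyAt = [&](int c) { return static_cast<int>(static_cast<unsigned char>(cases[c][depth])); };
    std::sort(candidates.begin(), candidates.end(), [&](int a, int b) { return keyAt(a) < keyAt(b); });
    for (size_t i = 0; i < candidates.size();) {
        int key = keyAt(candidates[i]);
        std::vector<int> group;
        while (i < candidates.size() && keyAt(candidates[i]) == key) group.push_back(candidates[i++]);
        node->edges.emplace_back(key, buildTrie(cases, group, depth + 1));
    }
    return node;
}

// Root: a binary switch on length, then one character trie per distinct length.
std::unique_ptr<TrieSwitch> buildStringSwitch(const std::vector<std::string>& cases) {
    auto root = std::make_unique<TrieSwitch>();
    std::vector<int> indices;
    for (size_t i = 0; i < cases.size(); ++i) indices.push_back(static_cast<int>(i));
    std::sort(indices.begin(), indices.end(),
              [&](int a, int b) { return cases[a].size() < cases[b].size(); });
    for (size_t i = 0; i < indices.size();) {
        size_t length = cases[indices[i]].size();
        std::vector<int> group;
        while (i < indices.size() && cases[indices[i]].size() == length) group.push_back(indices[i++]);
        root->edges.emplace_back(static_cast<int>(length), buildTrie(cases, group, 0));
    }
    return root;
}

// Binary search over a node's sorted edges (the "binary switch"); nullptr if absent.
static const TrieSwitch* branch(const TrieSwitch& node, int key, int& comparisons) {
    size_t lo = 0, hi = node.edges.size();
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        ++comparisons;
        if (node.edges[mid].first == key) return node.edges[mid].second.get();
        if (node.edges[mid].first < key) lo = mid + 1; else hi = mid;
    }
    return nullptr;
}

// Returns the case index matching `s`, or -1 for fall-through.
int switchOnString(const TrieSwitch& root, const std::string& s, int* comparisonsOut = nullptr) {
    int comparisons = 0;
    const TrieSwitch* node = branch(root, static_cast<int>(s.size()), comparisons);
    for (size_t i = 0; node && i < s.size(); ++i)
        node = branch(*node, static_cast<int>(static_cast<unsigned char>(s[i])), comparisons);
    if (comparisonsOut) *comparisonsOut = comparisons;
    return node ? node->caseIndex : -1;
}

// Constructed sample cases, in source order (index = case number).
std::vector<std::string> sampleCases() {
    return { "", "a", "foo", "bar", "baz", "quux" };
}

int sampleLookup(const std::string& s) {
    return switchOnString(*buildStringSwitch(sampleCases()), s);
}
```

Switching on length first is what makes the character trie cheap: a value whose length matches no case falls through after a single binary search, and within one length the walk never reads past the end of the shorter candidates.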
2013-06-24  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Count external memory usage towards heap footprint
        https://bugs.webkit.org/show_bug.cgi?id=117948

        Reviewed by Geoffrey Garen.

        Currently just count strings. Strings get counted in such a way that we won't re-count strings
        that are aliased, by dividing by the reference count. This then ups the GC footprint and allows
        the collector to appropriately amortize itself.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::size):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryUsage):
        (JSC):
        * runtime/JSString.cpp:
        (JSC::JSString::visitChildren):

2013-06-23  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should optimize identifier string equality
        https://bugs.webkit.org/show_bug.cgi?id=117920

        Reviewed by Sam Weinig.

        This is a 20% speed-up for string equality comparisons when both strings are
        identifiers.

        This is important for two reasons:

        1) Using strings as enumerations is an idiom. A great example is typeof. It
           would be great if this performed better.

        2) When I implement switch_string in the DFG, it would be great to optimize
           the case where the switched-on value is an identifier. That would involve
           a simple binary switch rather than a more complicated trie-switch over
           characters.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromCell):
        * bytecode/SpeculatedType.h:
        (JSC):
        (JSC::isStringIdentSpeculation):
        (JSC::isStringSpeculation):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateStringIdent):
        (Node):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileStringEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
        (DFG):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        (JSC::DFG::SpeculativeJIT::speculateStringIdent):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):

2013-06-22  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds
        https://bugs.webkit.org/show_bug.cgi?id=117906

        Reviewed by Mark Hahnenberg.

        This does the obvious thing, but also makes sure that out-of-bounds accesses
        don't fall off into a C call, but try to do the fast thing if the prototype
        chain is sane. We ought to probably do this for other array accesses in the
        future, as well, since it's so darn easy.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::objectPrototypeIsSane):
        (JSC):
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):

2013-06-22  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: GC's put_by_id transition fixpoint should converge more quickly
        https://bugs.webkit.org/show_bug.cgi?id=117912

        Reviewed by Mark Hahnenberg.

        This was a rookie mistake. The GC does a classic forward data flow fixpoint. These work well so long as you
        iterate the program in program order, or at least something close to program order. Because I enjoy reverse
        loops ("while (n--) blah"), I ended up iterating in *reverse* of program order which ensured worst-case
        pathologies every single time. And unsurprisingly, this slowed down a program, namely pdfjs.

        Flipping the loops to iterate forward fixes a 90% regression in Octane/pdfjs and is otherwise neutral.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::propagateTransitions):

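The iteration-order effect described in the entry above, as an added example that is not the code in CodeBlock::propagateTransitions: a forward data-flow fixpoint over a constructed chain of put_by_id-style transitions converges in two passes when the list is walked in program order, but needs one pass per transition (plus the final no-change pass) when it is walked in reverse, because each pass can only carry liveness one step along the chain. Transition, propagateTransitions, makeChain, passesForChain and chainFullyMarked are names assumed for the illustration, and the chain is constructed input.

```cpp
#include <cstddef>
#include <vector>

// Constructed stand-in for a put_by_id transition: a store that moves an object from
// oldStructure to newStructure. During marking, if oldStructure is live then the
// newStructure it transitions to must be kept live as well.
struct Transition {
    int oldStructure;
    int newStructure;
};

// Forward data-flow fixpoint over the transitions. Each pass walks the list once and
// propagates liveness across any transition whose source is already marked; the loop
// stops when a whole pass makes no change. Returns the number of passes taken.
// `reverseOrder` walks the list back to front, like a "while (n--)" loop would.
int propagateTransitions(const std::vector<Transition>& transitions,
                         std::vector<bool>& marked, bool reverseOrder) {
    const size_t n = transitions.size();
    int passes = 0;
    for (bool changed = true; changed;) {
        changed = false;
        ++passes;
        for (size_t i = 0; i < n; ++i) {
            const Transition& t = transitions[reverseOrder ? n - 1 - i : i];
            if (marked[t.oldStructure] && !marked[t.newStructure]) {
                marked[t.newStructure] = true;
                changed = true;
            }
        }
    }
    return passes;
}

// Constructed worst case: a chain S0 -> S1 -> ... -> Sn recorded in program order.
// Every transition depends on the result of the one recorded just before it.
std::vector<Transition> makeChain(int n) {
    std::vector<Transition> chain;
    for (int i = 0; i < n; ++i) chain.push_back({ i, i + 1 });
    return chain;
}

// Runs the fixpoint on a chain of n transitions with only S0 live to begin with and
// reports the pass count; `allMarked`, if given, receives whether every structure
// ended up live (it must, in either order, or the fixpoint would be unsound).
int passesForChain(int n, bool reverseOrder, bool* allMarked = nullptr) {
    std::vector<bool> marked(static_cast<size_t>(n) + 1, false);
    marked[0] = true;
    int passes = propagateTransitions(makeChain(n), marked, reverseOrder);
    if (allMarked) {
        *allMarked = true;
        for (bool m : marked) *allMarked = *allMarked && m;
    }
    return passes;
}

bool chainFullyMarked(int n, bool reverseOrder) {
    bool all = false;
    passesForChain(n, reverseOrder, &all);
    return all;
}
```

Both orders reach the same marked set; only the number of passes differs, which is exactly the kind of regression that shows up as GC time on a transition-heavy program rather than as a correctness bug.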
2013-06-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should CSE MakeRope
        https://bugs.webkit.org/show_bug.cgi?id=117905

        Reviewed by Geoffrey Garen.

        Adds MakeRope to the CSE phase and removes the comment that says that
        we could do it but aren't doing it.

        Also fixed SpeculatedType dumping so that if you have a Cell type then
        it just prints "Cell" and if you just have Object then it just prints
        "Object", instead of printing the long list of types.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):

2013-06-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG shouldn't exit just because it GetByVal'd a big character
        https://bugs.webkit.org/show_bug.cgi?id=117899

        Reviewed by Mark Hahnenberg.

        Add a slow path. Also clarify handling of GetByVal in PutStructure elimination.
        Previously it would fail due to canExit() but now we can also fail because
        GetByVal(String) can allocate. Just make it so GetByVal is totally poisoned, in
        a very explicit way.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):

2013-06-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Small strings shouldn't get GC'd
        https://bugs.webkit.org/show_bug.cgi?id=117897

        Reviewed by Mark Hahnenberg.

        Kill off the code needed to allocate them lazily and finalize them.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring8):
        (JSC::jsSubstring):
        (JSC::jsOwnedString):
        * runtime/NumberPrototype.cpp:
        (JSC::integerValueToString):
        * runtime/SmallStrings.cpp:
        (JSC):
        (JSC::SmallStrings::initializeCommonStrings):
        (JSC::SmallStrings::visitStrongReferences):
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::singleCharacterString):
        (SmallStrings):

2013-06-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Structure should have a dump()
        https://bugs.webkit.org/show_bug.cgi?id=117859

        Reviewed by Geoffrey Garen.

        This is pretty cool. Anywhere we previously printed Structure pointers in dumps,
        we now print a bunch of other info as well. For example, for an object literal
        like "{f:42, g:64, h:24}", when we print the structure we'll now get:

            0x107a0af80:[Object, {f:0, g:1, h:2}, NonArray, Proto:0x107a8fff0]

        This also changes a bunch of places to use the dump method.

        * bytecode/StructureSet.h:
        (JSC::StructureSet::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::dump):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dump):
        * runtime/Structure.cpp:
        (JSC::Structure::dump):
        (JSC):
        * runtime/Structure.h:
        (Structure):

2013-06-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: There should only be one table of SimpleJumpTables
        https://bugs.webkit.org/show_bug.cgi?id=117856

        Reviewed by Geoffrey Garen.

        Having multiple tables of SimpleJumpTables just means we have to duplicate a
        ton of code. This patch deduplicates all of it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfSwitchJumpTables):
        (JSC::CodeBlock::addSwitchJumpTable):
        (JSC::CodeBlock::switchJumpTable):
        (JSC::CodeBlock::clearSwitchJumpTables):
        (RareData):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC):
        (JSC::computePreciseJumpTargets):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables):
        (JSC::UnlinkedCodeBlock::addSwitchJumpTable):
        (JSC::UnlinkedCodeBlock::switchJumpTable):
        (RareData):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC):
        (JSC::prepareJumpTableForSwitch):
        (JSC::BytecodeGenerator::endSwitch):
        * dfg/DFGByteCodeParser.cpp:
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (DFG):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-06-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should clear character switch jump tables
        https://bugs.webkit.org/show_bug.cgi?id=117852

        Reviewed by Sam Weinig.

2815         The FTL just uses LLVM's switch, which results in LLVM allocating its own switch
2816         jump tables as needed.
2817
2818         * bytecode/CodeBlock.h:
2819         (JSC::CodeBlock::clearCharacterSwitchJumpTables):
2820         * ftl/FTLLink.cpp:
2821         (JSC::FTL::link):
2822
2823 2013-06-20  Filip Pizlo  <fpizlo@apple.com>
2824
2825         fourthTier: FTL should support SwitchChar
2826         https://bugs.webkit.org/show_bug.cgi?id=117849
2827
2828         Reviewed by Geoffrey Garen.
2829         
2830         This adds Switch(SwitchChar) to the FTL and also implicitly does some other things.
2831         SwitchChar requires calling a slow path to resolve ropes. Previously the FTL had no
2832         support for calling slow paths, and we avoided adding coverage that would require
2833         that. Well, this patch adds the ability to call slow paths and just uses that for
2834         resolving ropes for SwitchChar. Also SwitchChar required adding awareness of strings,
2835         so I did that, too.
2836
2837         * bytecode/CodeBlock.h:
2838         (CodeBlock):
2839         (JSC::CodeBlock::addCodeOrigin):
2840         * dfg/DFGBackwardsPropagationPhase.cpp:
2841         (JSC::DFG::BackwardsPropagationPhase::propagate):
2842         * dfg/DFGGraph.cpp:
2843         (JSC::DFG::Graph::dump):
2844         * dfg/DFGNode.cpp:
2845         (WTF):
2846         (WTF::printInternal):
2847         * dfg/DFGNode.h:
2848         (WTF):
2849         * dfg/DFGOperations.h:
2850         * dfg/DFGSpeculativeJIT.h:
2851         (JSC::DFG::SpeculativeJIT::callOperation):
2852         * ftl/FTLAbbreviations.h:
2853         (JSC::FTL::int16Type):
2854         (JSC::FTL::constInt):
2855         * ftl/FTLAbstractHeapRepository.h:
2856         (FTL):
2857         * ftl/FTLCapabilities.cpp:
2858         (JSC::FTL::canCompile):
2859         * ftl/FTLCommonValues.cpp:
2860         (JSC::FTL::CommonValues::CommonValues):
2861         * ftl/FTLCommonValues.h:
2862         (CommonValues):
2863         * ftl/FTLIntrinsicRepository.cpp:
2864         (JSC::FTL::IntrinsicRepository::IntrinsicRepository):
2865         (FTL):
2866         * ftl/FTLIntrinsicRepository.h:
2867         (FTL):
2868         (IntrinsicRepository):
2869         * ftl/FTLLowerDFGToLLVM.cpp:
2870         (JSC::FTL::LowerDFGToLLVM::lower):
2871         (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
2872         (JSC::FTL::LowerDFGToLLVM::compileJump):
2873         (JSC::FTL::LowerDFGToLLVM::compileBranch):
2874         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2875         (JSC::FTL::LowerDFGToLLVM::buildSwitch):
2876         (LowerDFGToLLVM):
2877         (JSC::FTL::LowerDFGToLLVM::lowString):
2878         (JSC::FTL::LowerDFGToLLVM::speculate):
2879         (JSC::FTL::LowerDFGToLLVM::isObject):
2880         (JSC::FTL::LowerDFGToLLVM::isNotString):
2881         (JSC::FTL::LowerDFGToLLVM::isString):
2882         (JSC::FTL::LowerDFGToLLVM::isNotObject):
2883         (JSC::FTL::LowerDFGToLLVM::speculateObject):
2884         (JSC::FTL::LowerDFGToLLVM::speculateString):
2885         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
2886         (JSC::FTL::LowerDFGToLLVM::vmCall):
2887         (JSC::FTL::LowerDFGToLLVM::callPreflight):
2888         (JSC::FTL::LowerDFGToLLVM::callCheck):
2889         (JSC::FTL::LowerDFGToLLVM::lowBlock):
2890         * ftl/FTLOutput.h:
2891         (JSC::FTL::Output::constBool):
2892         (JSC::FTL::Output::constInt8):
2893         (JSC::FTL::Output::constInt32):
2894         (JSC::FTL::Output::constIntPtr):
2895         (JSC::FTL::Output::constInt64):
2896         (JSC::FTL::Output::load16):
2897         (JSC::FTL::Output::isNull):
2898         (JSC::FTL::Output::notNull):
2899         (JSC::FTL::Output::testIsZero32):
2900         (JSC::FTL::Output::testNonZero32):
2901         (Output):
2902         (JSC::FTL::Output::operation):
2903         (JSC::FTL::Output::crash):
2904
2905 2013-06-18  Filip Pizlo  <fpizlo@apple.com>
2906
2907         fourthTier: DFG should have switch_char
2908         https://bugs.webkit.org/show_bug.cgi?id=117710
2909
2910         Reviewed by Michael Saboff.
2911         
2912         Add op_switch_char. Most of this is fairly simple, except for the whole
2913         LazyJSValue thing.
2914         
2915         It's long been the case that anytime you wanted the DFG to speak of a string
2916         that didn't appear in the constant pool, you would have a hard time since
2917         the DFG isn't allowed to allocate in the GC heap. For example, if you know
2918         that you want to speak of a single character string, you might find that
2919         the one you wanted to speak of had been GC'd. Another example is if you
2920         wanted to add constant folding for string concatenation - something we don't
2921         have yet but will want eventually.
2922         
2923         I solve this by finally adding the notion of LazyJSValue. In the future I
2924         anticipate using this for a variety of string-related things. The idea here
2925         is that the DFG can either say that it already knows what the value is, or
2926         it can describe the value. For example, in this patch I needed to be able to
2927         describe single-character strings.
2928
2929         * JavaScriptCore.xcodeproj/project.pbxproj:
2930         * bytecode/CodeBlock.cpp:
2931         (JSC::CodeBlock::dumpBytecode):
2932         (JSC::CodeBlock::CodeBlock):
2933         * bytecode/JumpTable.h:
2934         * dfg/DFGBackwardsPropagationPhase.cpp:
2935         (JSC::DFG::BackwardsPropagationPhase::propagate):
2936         * dfg/DFGByteCodeParser.cpp:
2937         (InlineStackEntry):
2938         (JSC::DFG::ByteCodeParser::parseBlock):
2939         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2940         * dfg/DFGCFGSimplificationPhase.cpp:
2941         (JSC::DFG::CFGSimplificationPhase::run):
2942         * dfg/DFGCapabilities.cpp:
2943         (JSC::DFG::capabilityLevel):
2944         * dfg/DFGDriver.cpp:
2945         (JSC::DFG::compile):
2946         * dfg/DFGFixupPhase.cpp:
2947         (JSC::DFG::FixupPhase::fixupNode):
2948         * dfg/DFGGPRInfo.h:
2949         (JSC::DFG::JSValueRegs::payloadGPR):
2950         * dfg/DFGJITCompiler.cpp:
2951         (JSC::DFG::JITCompiler::jumpTable):
2952         (DFG):
2953         (JSC::DFG::JITCompiler::numberOfJumpTables):
2954         (JSC::DFG::JITCompiler::linkSwitches):
2955         (JSC::DFG::JITCompiler::link):
2956         * dfg/DFGJITCompiler.h:
2957         (JITCompiler):
2958         * dfg/DFGLazyJSValue.cpp: Added.
2959         (DFG):
2960         (JSC::DFG::LazyJSValue::getValue):
2961         (JSC::DFG::equalToSingleCharacter):
2962         (JSC::DFG::LazyJSValue::strictEqual):
2963         (JSC::DFG::LazyJSValue::dump):
2964         * dfg/DFGLazyJSValue.h: Added.
2965         (DFG):
2966         (LazyJSValue):
2967         (JSC::DFG::LazyJSValue::LazyJSValue):
2968         (JSC::DFG::LazyJSValue::singleCharacterString):
2969         (JSC::DFG::LazyJSValue::tryGetValue):
2970         (JSC::DFG::LazyJSValue::value):
2971         (JSC::DFG::LazyJSValue::character):
2972         (JSC::DFG::LazyJSValue::switchLookupValue):
2973         * dfg/DFGNode.h:
2974         (JSC::DFG::SwitchCase::SwitchCase):
2975         (SwitchCase):
2976         * dfg/DFGSpeculativeJIT.cpp:
2977         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2978         (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
2979         (DFG):
2980         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2981         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
2982         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2983         (JSC::DFG::SpeculativeJIT::emitSwitch):
2984         * dfg/DFGSpeculativeJIT.h:
2985         (SpeculativeJIT):
2986
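To make the LazyJSValue idea above concrete, here is an added stand-in sketch (not JavaScriptCore's code; HeapString, LazyValue and materializationCount are assumed names) showing a value that is either an existing string or a single-character description, compared without allocating and materialized only on demand:

```cpp
// Added illustration, not JavaScriptCore's code: a simplified stand-in for the
// LazyJSValue idea. The compiler thread must not allocate in the GC heap, so a
// value it wants to speak of is either one it already has (Known) or a
// description from which the value can be produced later (SingleCharacter).
#include <memory>
#include <string>
#include <vector>

// Stand-in (assumption) for a heap-allocated JS string holding UTF-16 units.
struct HeapString {
    std::vector<char16_t> units;
};

// Counts how often a string was actually materialized, so a caller can check
// that comparisons and switch lookups never allocate.
static unsigned& materializationCount() {
    static unsigned count = 0;
    return count;
}

class LazyValue {
public:
    enum class Kind { Known, SingleCharacter };

    static LazyValue known(std::shared_ptr<HeapString> s) {
        LazyValue v;
        v.m_kind = Kind::Known;
        v.m_value = std::move(s);
        return v;
    }

    static LazyValue singleCharacterString(char16_t c) {
        LazyValue v;
        v.m_kind = Kind::SingleCharacter;
        v.m_character = c;
        return v;
    }

    // Returns the value only if it already exists; never allocates.
    std::shared_ptr<HeapString> tryGetValue() const {
        return m_kind == Kind::Known ? m_value : nullptr;
    }

    // Materializes the value; only a thread that may allocate should call this.
    std::shared_ptr<HeapString> getValue() const {
        if (m_kind == Kind::Known)
            return m_value;
        ++materializationCount();
        return std::make_shared<HeapString>(HeapString{{m_character}});
    }

    // The key a switch over single characters would use; no allocation needed.
    char16_t switchLookupValue() const { return m_character; }

    // Strict equality without allocating: descriptions compare directly, and a
    // description compares against an existing string by inspecting it.
    bool strictEqual(const LazyValue& other) const {
        bool thisLazy = m_kind == Kind::SingleCharacter;
        bool otherLazy = other.m_kind == Kind::SingleCharacter;
        if (thisLazy && otherLazy)
            return m_character == other.m_character;
        if (thisLazy)
            return equalToSingleCharacter(*other.m_value, m_character);
        if (otherLazy)
            return equalToSingleCharacter(*m_value, other.m_character);
        return m_value->units == other.m_value->units;
    }

    std::string dump() const {
        if (m_kind == Kind::SingleCharacter)
            return "Lazy:SingleCharacter(" + std::to_string(static_cast<unsigned>(m_character)) + ")";
        return "Known(" + std::to_string(m_value->units.size()) + " units)";
    }

private:
    static bool equalToSingleCharacter(const HeapString& s, char16_t c) {
        return s.units.size() == 1 && s.units[0] == c;
    }

    Kind m_kind = Kind::Known;
    std::shared_ptr<HeapString> m_value;
    char16_t m_character = 0;
};
```
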
2987 2013-06-19  Mark Hahnenberg  <mhahnenberg@apple.com>
2988
2989         Refactor ObjCCallbackFunction to inherit directly from InternalFunction
2990         https://bugs.webkit.org/show_bug.cgi?id=117595
2991
2992         Reviewed by Geoffrey Garen.
2993
2994         * API/APICallbackFunction.h: Added. New struct that allows JSCallbackFunction and 
2995         ObjCCallbackFunction to share their host call() implementation through the magic of 
2996         templates.
2997         (JSC::APICallbackFunction::call):
2998         * API/JSCallbackFunction.cpp:
2999         (JSC::JSCallbackFunction::getCallData): Changed to get the template-ized version of 
3000         the host function.
3001         * API/JSCallbackFunction.h:
3002         * API/ObjCCallbackFunction.h: Now inherits directly from InternalFunction.
3003         * API/ObjCCallbackFunction.mm:
3004         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
3005         (JSC::ObjCCallbackFunction::getCallData): Ditto.
3006         * GNUmakefile.list.am: Build files!
3007         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3008         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3009         * JavaScriptCore.xcodeproj/project.pbxproj:
3010
3011 2013-06-19  Michael Saboff  <msaboff@apple.com>
3012
3013         fourthTier: Arity fixup should be done while on same stack
3014         https://bugs.webkit.org/show_bug.cgi?id=117102
3015
3016         Reviewed by Oliver Hunt.
3017
3018         Removed the fixup part of op_call_arityCheck() and op_construct_arityCheck() and moved it to
3019         a thunk for the JITs and as assembly for the llint.  This patch provides the plumbing needed to
3020         move to the C stack for JS execution.  The fixup thunk and llint code would need to be changed to
3021         work with a stack that grows down when we do move to the C stack.
3022         
3023         Due to an issue with the offline assembler, I moved the const at the top of LowLevelInterpreter64.asm
3024         and LowLevelInterpreter32_64.asm to LowLevelInterpreter.asm.  The problem is that a const defined in
3025         one file that is used in a macro doesn't resolve the const if the macro is used in another file.  This
3026         seemed like the quickest path.
3027
3028         * dfg/DFGJITCompiler.cpp:
3029         (JSC::DFG::JITCompiler::compileFunction):
3030         (JSC::DFG::JITCompiler::linkFunction):
3031         * dfg/DFGJITCompiler.h:
3032         (JITCompiler):
3033         * ftl/FTLLink.cpp:
3034         (JSC::FTL::link):
3035         * jit/JIT.cpp:
3036         (JSC::JIT::privateCompile):
3037         * jit/JITStubs.cpp:
3038         (JSC::DEFINE_STUB_FUNCTION):
3039         * jit/JITStubs.h:
3040         * jit/ThunkGenerators.cpp:
3041         (JSC::arityFixup):
3042         * jit/ThunkGenerators.h:
3043         * llint/LowLevelInterpreter.asm:
3044         * llint/LowLevelInterpreter32_64.asm:
3045         * llint/LowLevelInterpreter64.asm:
3046         * runtime/CommonSlowPaths.cpp:
3047         (JSC::SLOW_PATH_DECL):
3048         * runtime/CommonSlowPaths.h:
3049         (JSC::CommonSlowPaths::arityCheckFor):
3050
3051 2013-06-19  Michael Saboff  <msaboff@apple.com>
3052
3053         FTL: arm build is broken in ToT
3054         https://bugs.webkit.org/show_bug.cgi?id=117800
3055
3056         Unreviewed build fixes.
3057
3058         * assembler/ARMv7Assembler.h:
3059         (ARMv7Assembler): Merge of r147941
3060         * jit/JITArithmetic32_64.cpp:
3061         (JSC::JIT::emit_op_mod): Moved variable declaration back inside #ifdef where used.
3062
3063 2013-06-17  Michael Saboff  <msaboff@apple.com>
3064
3065         FTL: Add another temp register regT4 to JSInterfaceJIT
3066         https://bugs.webkit.org/show_bug.cgi?id=117719
3067
3068         Reviewed by Geoffrey Garen.
3069
3070         Made the dedicated bucketCounterRegister to be regT4 and then used regT4 wherever
3071         bucketCounterRegister had been used.  Since it is masked whenever it is used and
3072         we are looking for some randomness in the register anyway, we can use it without
3073         any issues.
3074
3075         * jit/JIT.cpp:
3076         (JSC::JIT::privateCompile):
3077         * jit/JIT.h:
3078         (JSC::JIT::emitValueProfilingSite):
3079         * jit/JITCall.cpp:
3080         (JSC::JIT::emitPutCallResult):
3081         * jit/JITCall32_64.cpp:
3082         (JSC::JIT::emitPutCallResult):
3083         * jit/JITInlines.h:
3084         (JSC::JIT::emitValueProfilingSite):
3085         * jit/JITOpcodes.cpp:
3086         (JSC::JIT::emit_op_to_this):
3087         (JSC::JIT::emit_op_get_callee):
3088         (JSC::JIT::emit_op_get_argument_by_val):
3089         * jit/JITOpcodes32_64.cpp:
3090         (JSC::JIT::emit_op_get_callee):
3091         (JSC::JIT::emit_op_to_this):
3092         (JSC::JIT::emit_op_get_argument_by_val):
3093         * jit/JITPropertyAccess.cpp:
3094         (JSC::JIT::emit_op_get_by_val):
3095         (JSC::JIT::emitSlow_op_get_by_val):
3096         (JSC::JIT::emit_op_get_by_id):
3097         (JSC::JIT::emitSlow_op_get_by_id):
3098         (JSC::JIT::emit_op_get_from_scope):
3099         (JSC::JIT::emitSlow_op_get_from_scope):
3100         * jit/JITPropertyAccess32_64.cpp:
3101         (JSC::JIT::emit_op_get_by_val):
3102         (JSC::JIT::emitSlow_op_get_by_val):
3103         (JSC::JIT::emit_op_get_by_id):
3104         (JSC::JIT::emitSlow_op_get_by_id):
3105         (JSC::JIT::emit_op_get_from_scope):
3106         (JSC::JIT::emitSlow_op_get_from_scope):
3107         * jit/JITStubCall.h:
3108         (JSC::JITStubCall::callWithValueProfiling):
3109         * jit/JSInterfaceJIT.h:
3110         (JSInterfaceJIT):
3111
3112 2013-06-17  Filip Pizlo  <fpizlo@apple.com>
3113
3114         fourthTier: FTL should support Switch
3115         https://bugs.webkit.org/show_bug.cgi?id=117704
3116
3117         Reviewed by Oliver Hunt.
3118
3119         * bytecode/CodeBlock.h:
3120         (JSC::CodeBlock::clearImmediateSwitchJumpTables):
3121         * ftl/FTLAbbreviations.h:
3122         (JSC::FTL::buildFPToSI):
3123         (JSC::FTL::buildSwitch):
3124         (JSC::FTL::addCase):
3125         (FTL):
3126         * ftl/FTLCapabilities.cpp:
3127         (JSC::FTL::canCompile):
3128         * ftl/FTLLink.cpp:
3129         (JSC::FTL::link):
3130         * ftl/FTLLowerDFGToLLVM.cpp:
3131         (JSC::FTL::LowerDFGToLLVM::compileNode):
3132         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
3133         (LowerDFGToLLVM):
3134         * ftl/FTLOutput.h:
3135         (JSC::FTL::Output::fpToInt):
3136         (JSC::FTL::Output::fpToInt32):
3137         (Output):
3138         (JSC::FTL::Output::switchInstruction):
3139         * ftl/FTLSwitchCase.h: Added.
3140         (FTL):
3141         (SwitchCase):
3142         (JSC::FTL::SwitchCase::SwitchCase):
3143         (JSC::FTL::SwitchCase::value):
3144         (JSC::FTL::SwitchCase::target):
3145
3146 2013-06-15  Filip Pizlo  <fpizlo@apple.com>
3147
3148         fourthTier: Add CFG simplification for Switch
3149         https://bugs.webkit.org/show_bug.cgi?id=117677
3150
3151         Reviewed by Mark Hahnenberg.
3152         
3153         This is for completeness. It only speeds up a microbenchmark at this point.
3154         Broadly, we want all control constructs to be known to the CFG simplifier.
3155
3156         * dfg/DFGCFGSimplificationPhase.cpp:
3157         (JSC::DFG::CFGSimplificationPhase::run):
3158         (JSC::DFG::CFGSimplificationPhase::convertToJump):
3159         (CFGSimplificationPhase):
3160         (JSC::DFG::CFGSimplificationPhase::noBlocks):
3161         (JSC::DFG::CFGSimplificationPhase::oneBlock):
3162         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
3163         * runtime/JSCJSValue.h:
3164         (JSValue):
3165         * runtime/JSCJSValueInlines.h:
3166         (JSC::JSValue::pureStrictEqual):
3167         (JSC):
3168
3169 2013-06-13  Filip Pizlo  <fpizlo@apple.com>
3170
3171         fourthTier: DFG should support op_switch_imm
3172         https://bugs.webkit.org/show_bug.cgi?id=117559
3173
3174         Reviewed by Oliver Hunt.
3175         
3176         Implement integer (i.e. immediate) switches in the DFG. Reduce the minimum
3177         threshold for using op_switch.
3178         
3179         Also get rid of edge code support, since we haven't used it in the year since
3180         I introduced it. It was supposed to allow us to break critical edges late in
3181         the backend, thus enabling global register allocation from an SSA-form graph.
3182         But we aren't doing that so I figure we should just kill the code for now. It
3183         would have made implementing switch harder.
3184
3185         * assembler/AbstractMacroAssembler.h:
3186         (JSC::AbstractMacroAssembler::timesPtr):
3187         * assembler/MacroAssemblerCodeRef.h:
3188         (JSC::MacroAssemblerCodePtr::dumpWithName):
3189         (MacroAssemblerCodePtr):
3190         (JSC::MacroAssemblerCodePtr::dump):
3191         (MacroAssemblerCodeRef):
3192         (JSC::MacroAssemblerCodeRef::dump):
3193         * bytecode/CodeBlock.cpp:
3194         (JSC::CodeBlock::shrinkToFit):
3195         * bytecode/JumpTable.h:
3196         (SimpleJumpTable):
3197         (JSC::SimpleJumpTable::clear):
3198         * dfg/DFGAbstractState.cpp:
3199         (JSC::DFG::AbstractState::executeEffects):
3200         (JSC::DFG::AbstractState::mergeToSuccessors):
3201         * dfg/DFGBackwardsPropagationPhase.cpp:
3202         (JSC::DFG::BackwardsPropagationPhase::propagate):
3203         * dfg/DFGByteCodeParser.cpp:
3204         (InlineStackEntry):
3205         (JSC::DFG::ByteCodeParser::parseBlock):
3206         (JSC::DFG::ByteCodeParser::linkBlock):
3207         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3208         * dfg/DFGCapabilities.cpp:
3209         (JSC::DFG::capabilityLevel):
3210         * dfg/DFGCommon.h:
3211         * dfg/DFGFixupPhase.cpp:
3212         (JSC::DFG::FixupPhase::fixupNode):
3213         * dfg/DFGGraph.cpp:
3214         (JSC::DFG::Graph::dump):
3215         (JSC::DFG::Graph::determineReachability):
3216         * dfg/DFGGraph.h:
3217         (Graph):
3218         * dfg/DFGJITCompiler.cpp:
3219         (JSC::DFG::JITCompiler::JITCompiler):
3220         (JSC::DFG::JITCompiler::link):
3221         * dfg/DFGJITCompiler.h:
3222         (JITCompiler):
3223         (JSC::DFG::JITCompiler::blockHeads):
3224         * dfg/DFGNode.h:
3225         (DFG):
3226         (JSC::DFG::SwitchCase::SwitchCase):
3227         (SwitchCase):
3228         (SwitchData):
3229         (JSC::DFG::SwitchData::SwitchData):
3230         (Node):
3231         (JSC::DFG::Node::isSwitch):
3232         (JSC::DFG::Node::isTerminal):
3233         (JSC::DFG::Node::switchData):
3234         (JSC::DFG::Node::numSuccessors):
3235         (JSC::DFG::Node::successor):
3236         * dfg/DFGNodeType.h:
3237         (DFG):
3238         * dfg/DFGOperations.cpp:
3239         * dfg/DFGOperations.h:
3240         * dfg/DFGPredictionPropagationPhase.cpp:
3241         (JSC::DFG::PredictionPropagationPhase::propagate):
3242         * dfg/DFGSpeculativeJIT.cpp:
3243         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3244         (JSC::DFG::SpeculativeJIT::compile):
3245         (JSC::DFG::SpeculativeJIT::createOSREntries):
3246         (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
3247         (DFG):
3248         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3249         (JSC::DFG::SpeculativeJIT::emitSwitch):
3250         (JSC::DFG::SpeculativeJIT::linkBranches):
3251         * dfg/DFGSpeculativeJIT.h:
3252         (JSC::DFG::SpeculativeJIT::callOperation):
3253         (SpeculativeJIT):
3254         (JSC::DFG::SpeculativeJIT::branchDouble):
3255         (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
3256         (JSC::DFG::SpeculativeJIT::branch32):
3257         (JSC::DFG::SpeculativeJIT::branchTest32):
3258         (JSC::DFG::SpeculativeJIT::branch64):
3259         (JSC::DFG::SpeculativeJIT::branchPtr):
3260         (JSC::DFG::SpeculativeJIT::branchTestPtr):
3261         (JSC::DFG::SpeculativeJIT::branchTest8):
3262         (JSC::DFG::SpeculativeJIT::jump):
3263         * dfg/DFGSpeculativeJIT32_64.cpp:
3264         (JSC::DFG::SpeculativeJIT::compile):
3265         * dfg/DFGSpeculativeJIT64.cpp:
3266         (JSC::DFG::SpeculativeJIT::compile):
3267         * jit/JITStubs.cpp:
3268         (JSC::DEFINE_STUB_FUNCTION):
3269         * parser/Nodes.h:
3270         (CaseBlockNode):
3271
3272 2013-06-15  Filip Pizlo  <fpizlo@apple.com>
3273
3274         Concurrent JIT shouldn't try to recompute the CodeBlockHash as part of debug dumps, since doing so may fail if dealing with a CachedScript that doesn't have its script string handy
3275         https://bugs.webkit.org/show_bug.cgi?id=117676
3276
3277         Reviewed by Sam Weinig.
3278
3279         CodeBlock now caches m_hash, and the DFG Driver will force its computation if we're doing debug dumps of any kind.
3280         
3281         Also made sure that CodeBlock::CodeBlock initializes all of its fields; it was previously missing the
3282         initialization of m_capabilityLevelState.
3283
3284         * bytecode/CodeBlock.cpp:
3285         (JSC::CodeBlock::hash):
3286         (JSC::CodeBlock::CodeBlock):
3287         * bytecode/CodeBlock.h:
3288         (CodeBlock):
3289         * bytecode/CodeBlockHash.cpp:
3290         (JSC::CodeBlockHash::CodeBlockHash):
3291         * bytecode/CodeBlockHash.h:
3292         (CodeBlockHash):
3293         (JSC::CodeBlockHash::isSet):
3294         (JSC::CodeBlockHash::operator!):
3295         * dfg/DFGDriver.cpp:
3296         (JSC::DFG::compile):
3297
3298 2013-06-11  Filip Pizlo  <fpizlo@apple.com>
3299
3300         fourthTier: DFG should support op_in and it should use patching to make it fast
3301         https://bugs.webkit.org/show_bug.cgi?id=117385
3302
3303         Reviewed by Geoffrey Garen.
3304         
3305         Implement op_in in the DFG and give it patching. The code we generate is just
3306         a jump on the hot path, and the slow paths generate stubs and link the jump to
3307         them. I didn't want to bother with patching structures and load offsets and
3308         the like, although I probably could have.
3309         
3310         This is a ginormous speed-up on microbenchmarks for "in", obviously.
3311
3312         * bytecode/CodeBlock.cpp:
3313         (JSC::CodeBlock::dumpAssumingJITType):
3314         (JSC::CodeBlock::resetStubInternal):
3315         (JSC::structureStubInfoLessThan):
3316         (JSC):
3317         (JSC::CodeBlock::sortStructureStubInfos):
3318         * bytecode/CodeBlock.h:
3319         (CodeBlock):
3320         * bytecode/StructureStubInfo.cpp:
3321         (JSC::StructureStubInfo::deref):
3322         (JSC::StructureStubInfo::visitWeakReferences):
3323         * bytecode/StructureStubInfo.h:
3324         (JSC::isInAccess):
3325         (JSC):
3326         (StructureStubInfo):
3327         (JSC::StructureStubInfo::initInList):
3328         * dfg/DFGAbstractState.cpp:
3329         (JSC::DFG::AbstractState::executeEffects):
3330         * dfg/DFGByteCodeParser.cpp:
3331         (JSC::DFG::ByteCodeParser::parseBlock):
3332         * dfg/DFGCCallHelpers.h:
3333         (JSC::DFG::CCallHelpers::setupResults):
3334         * dfg/DFGCapabilities.cpp:
3335         (JSC::DFG::capabilityLevel):
3336         * dfg/DFGFixupPhase.cpp:
3337         (JSC::DFG::FixupPhase::fixupNode):
3338         * dfg/DFGGPRInfo.h:
3339         (JSC::DFG::JSValueRegs::payloadOnly):
3340         (JSValueRegs):
3341         (JSC::DFG::JSValueRegs::JSValueRegs):
3342         (JSC::DFG::JSValueRegs::operator!):
3343         (JSC::DFG::JSValueSource::operator!):
3344         * dfg/DFGJITCompiler.cpp:
3345         (JSC::DFG::JITCompiler::link):
3346         * dfg/DFGJITCompiler.h:
3347         (JSC::DFG::InRecord::InRecord):
3348         (InRecord):
3349         (DFG):
3350         (JITCompiler):
3351         (JSC::DFG::JITCompiler::addIn):
3352         * dfg/DFGNodeType.h:
3353         (DFG):
3354         * dfg/DFGOperations.cpp:
3355         * dfg/DFGOperations.h:
3356         * dfg/DFGPredictionPropagationPhase.cpp:
3357         (JSC::DFG::PredictionPropagationPhase::propagate):
3358         * dfg/DFGRepatch.cpp:
3359         (JSC::DFG::tryRepatchIn):
3360         (DFG):
3361         (JSC::DFG::dfgRepatchIn):
3362         (JSC::DFG::dfgResetIn):
3363         * dfg/DFGRepatch.h:
3364         (DFG):
3365         (JSC::DFG::dfgResetIn):
3366         * dfg/DFGSlowPathGenerator.h:
3367         (JSC: