More 32bit build fixes
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2013-07-25  Oliver Hunt  <oliver@apple.com>
2
3         More 32bit build fixes
4
5         - Apparnetly some compilers don't track the fastcall directive everywhere we expect
6
7         * API/APICallbackFunction.h:
8         (JSC::APICallbackFunction::call):
9         * bytecode/CodeBlock.cpp:
10         * runtime/Structure.cpp:
11
12 2013-07-25  Yi Shen  <max.hong.shen@gmail.com>
13
14         Optimize the thread locks for API Shims
15         https://bugs.webkit.org/show_bug.cgi?id=118573
16
17         Reviewed by Geoffrey Garen.
18
19         Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
20         only used by WebCore's main thread).
21
22         * API/APIShims.h:
23         (JSC::APIEntryShim::APIEntryShim):
24         (JSC::APICallbackShim::APICallbackShim):
25         * runtime/JSLock.cpp:
26         (JSC::JSLockHolder::JSLockHolder):
27         (JSC::JSLockHolder::init):
28         (JSC::JSLockHolder::~JSLockHolder):
29         (JSC::JSLock::DropAllLocks::DropAllLocks):
30         (JSC::JSLock::DropAllLocks::~DropAllLocks):
31         * runtime/VM.cpp:
32         (JSC::VM::VM):
33         * runtime/VM.h:
34
35 2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>
36
37         Unreviewed build fix after r153218.
38
39         Broke the EFL port build with gcc 4.7.
40
41         * interpreter/StackIterator.cpp:
42         (JSC::printif):
43
44 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
45
46         Build fix: add missing #include.
47         https://bugs.webkit.org/show_bug.cgi?id=119087
48
49         Reviewed by Allan Sandfeld Jensen.
50
51         * bytecode/ArrayProfile.cpp:
52
53 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
54
55         Unreviewed, build fix on the EFL port.
56
57         * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
58
59 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
60
61         [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
62         https://bugs.webkit.org/show_bug.cgi?id=119083
63
64         Reviewed by Allan Sandfeld Jensen.
65
66         * assembler/MacroAssemblerSH4.h:
67         (JSC::MacroAssemblerSH4::store8):
68
69 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
70
71         [Qt] Fix test build after FTL upstream
72
73         Unreviewed build fix.
74
75         * Target.pri:
76
77 2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>
78
79         [Qt] Build fix after FTL.
80
81         Un Reviewed build fix.
82
83         * Target.pri:
84         * interpreter/StackIterator.cpp:
85         (JSC::StackIterator::Frame::print):
86
87 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
88
89         Unreviewed build fix after FTL upstream.
90
91         * dfg/DFGWorklist.cpp:
92         (JSC::DFG::Worklist::~Worklist):
93
94 2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>
95
96         Unreviewed, build fix on the EFL port.
97
98         * CMakeLists.txt:
99         Added SourceCode.cpp and removed BlackBerry file.
100         * jit/JITCode.h:
101         (JSC::JITCode::nextTierJIT):
102         Fixed to build break because of -Werror=return-type
103         * parser/Lexer.cpp: Includes JSFunctionInlines.h
104         * runtime/JSScope.h:
105         (JSC::makeType):
106         Fixed to build break because of -Werror=return-type
107
108 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
109
110         Unreviewed build fixing after FTL upstream.
111
112         * runtime/Executable.cpp:
113         (JSC::FunctionExecutable::produceCodeBlockFor):
114
115 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
116
117         Add missing implementation of bxxxnz in sh4 LLINT.
118         https://bugs.webkit.org/show_bug.cgi?id=119079
119
120         Reviewed by Allan Sandfeld Jensen.
121
122         * offlineasm/sh4.rb:
123
124 2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>
125
126         Unreviewed, build fix on the Qt port.
127
128         * Target.pri: Add additional build files for the FTL.
129
130 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
131
132         Unreviewed buildfix after FTL upstream..
133
134         * interpreter/StackIterator.cpp:
135         (JSC::StackIterator::Frame::codeType):
136         (JSC::StackIterator::Frame::functionName):
137         (JSC::StackIterator::Frame::sourceURL):
138         (JSC::StackIterator::Frame::logicalFrame):
139
140 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
141
142         Unreviewed.
143
144         * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
145         method is not left undefined, causing build failures on (at least) the GTK port.
146
147 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
148
149         Unreviewed, further build fixing on the GTK port.
150
151         * GNUmakefile.list.am: Add CompilationResult source files to the build.
152
153 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
154
155         Unreviewed GTK build fixing.
156
157         * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
158         * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
159
160 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
161
162         Buildfix after this error:
163         error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
164
165         * dfg/DFGPlan.cpp:
166         (JSC::DFG::Plan::compileInThread):
167
168 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
169
170         One more buildfix after FTL upstream.
171
172         Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
173
174         * dfg/DFGLazyJSValue.cpp:
175         (JSC::DFG::LazyJSValue::getValue):
176         (JSC::DFG::LazyJSValue::strictEqual):
177
178 2013-07-25  Julien Brianceau  <jbrianceau@nds.com>
179
180         Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
181         https://bugs.webkit.org/show_bug.cgi?id=119076
182
183         Reviewed by Allan Sandfeld Jensen.
184
185         * offlineasm/mips.rb:
186         * offlineasm/sh4.rb:
187
188 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
189
190         Unreviewed GTK build fix.
191
192         * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
193
194 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
195
196         Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
197         for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
198
199         * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
200
201 2013-07-25  Zan Dobersek  <zdobersek@igalia.com>
202
203         Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
204
205         * GNUmakefile.am:
206         * GNUmakefile.list.am:
207
208 2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>
209
210         Unreviewed buildfix after FTL upstream.
211
212         * runtime/JSScope.h:
213         (JSC::needsVarInjectionChecks):
214
215 2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>
216
217         One more fix after FTL upstream.
218
219         * Target.pri:
220         * bytecode/CodeBlock.h:
221         * bytecode/GetByIdStatus.h:
222         (JSC::GetByIdStatus::GetByIdStatus):
223
224 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
225
226         Unreviewed buildfix after FTL upstream.
227
228         Add ftl directory as include path.
229
230         * CMakeLists.txt:
231         * JavaScriptCore.pri:
232
233 2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>
234
235         Unreviewed buildfix after FTL upstream for non C++11 builds.
236
237         * interpreter/CallFrame.h:
238         * interpreter/StackIteratorPrivate.h:
239         (JSC::StackIterator::end):
240
241 2013-07-24  Oliver Hunt  <oliver@apple.com>
242
243         Endeavour to fix CMakelist builds
244
245         * CMakeLists.txt:
246
247 2013-07-24  Filip Pizlo  <fpizlo@apple.com>
248
249         fourthTier: DFG IR dumps should be easier to read
250         https://bugs.webkit.org/show_bug.cgi?id=119050
251
252         Reviewed by Mark Hahnenberg.
253         
254         Added a DumpContext that includes support for printing an endnote
255         that describes all structures in full, while the main flow of the
256         dump just uses made-up names for the structures. This is helpful
257         since Structure::dump() may print a lot. The stuff it prints is
258         useful, but if it's all inline with the surrounding thing you're        
259         dumping (often, a node in the DFG), then you get a ridiculously
260         long print-out. All classes that dump structures (including
261         Structure itself) now have dumpInContext() methods that use
262         inContext() for dumping anything that might transitively print a
263         structure. If Structure::dumpInContext() is called with a NULL
264         context, it just uses dump() like before. Hence you don't have to
265         know anything about DumpContext unless you want to.
266         
267         inContext(*structure, context) dumps something like %B4:Array,
268         and the endnote will have something like:
269         
270             %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
271         
272         where B4 is the inferred name that StringHashDumpContext came up
273         with.
274         
275         Also shortened a bunch of other dumps, removing information that
276         isn't so important.
277         
278         * JavaScriptCore.xcodeproj/project.pbxproj:
279         * bytecode/ArrayProfile.cpp:
280         (JSC::dumpArrayModes):
281         * bytecode/CodeBlockHash.cpp:
282         (JSC):
283         (JSC::CodeBlockHash::CodeBlockHash):
284         (JSC::CodeBlockHash::dump):
285         * bytecode/CodeOrigin.cpp:
286         (JSC::CodeOrigin::dumpInContext):
287         (JSC):
288         (JSC::InlineCallFrame::dumpInContext):
289         (JSC::InlineCallFrame::dump):
290         * bytecode/CodeOrigin.h:
291         (CodeOrigin):
292         (InlineCallFrame):
293         * bytecode/Operands.h:
294         (JSC::OperandValueTraits::isEmptyForDump):
295         (Operands):
296         (JSC::Operands::dump):
297         (JSC):
298         * bytecode/OperandsInlines.h: Added.
299         (JSC):
300         (JSC::::dumpInContext):
301         * bytecode/StructureSet.h:
302         (JSC::StructureSet::dumpInContext):
303         (JSC::StructureSet::dump):
304         (StructureSet):
305         * dfg/DFGAbstractValue.cpp:
306         (JSC::DFG::AbstractValue::dump):
307         (DFG):
308         (JSC::DFG::AbstractValue::dumpInContext):
309         * dfg/DFGAbstractValue.h:
310         (JSC::DFG::AbstractValue::operator!):
311         (AbstractValue):
312         * dfg/DFGCFAPhase.cpp:
313         (JSC::DFG::CFAPhase::performBlockCFA):
314         * dfg/DFGCommon.cpp:
315         * dfg/DFGCommon.h:
316         (JSC::DFG::NodePointerTraits::isEmptyForDump):
317         * dfg/DFGDisassembler.cpp:
318         (JSC::DFG::Disassembler::createDumpList):
319         * dfg/DFGDisassembler.h:
320         (Disassembler):
321         * dfg/DFGFlushFormat.h:
322         (WTF::inContext):
323         (WTF):
324         * dfg/DFGFlushLivenessAnalysisPhase.cpp:
325         * dfg/DFGGraph.cpp:
326         (JSC::DFG::Graph::dumpCodeOrigin):
327         (JSC::DFG::Graph::dump):
328         (JSC::DFG::Graph::dumpBlockHeader):
329         * dfg/DFGGraph.h:
330         (Graph):
331         * dfg/DFGLazyJSValue.cpp:
332         (JSC::DFG::LazyJSValue::dumpInContext):
333         (JSC::DFG::LazyJSValue::dump):
334         (DFG):
335         * dfg/DFGLazyJSValue.h:
336         (LazyJSValue):
337         * dfg/DFGNode.h:
338         (JSC::DFG::nodeMapDump):
339         (WTF::inContext):
340         (WTF):
341         * dfg/DFGOSRExitCompiler32_64.cpp:
342         (JSC::DFG::OSRExitCompiler::compileExit):
343         * dfg/DFGOSRExitCompiler64.cpp:
344         (JSC::DFG::OSRExitCompiler::compileExit):
345         * dfg/DFGStructureAbstractValue.h:
346         (JSC::DFG::StructureAbstractValue::dumpInContext):
347         (JSC::DFG::StructureAbstractValue::dump):
348         (StructureAbstractValue):
349         * ftl/FTLExitValue.cpp:
350         (JSC::FTL::ExitValue::dumpInContext):
351         (JSC::FTL::ExitValue::dump):
352         (FTL):
353         * ftl/FTLExitValue.h:
354         (ExitValue):
355         * ftl/FTLLowerDFGToLLVM.cpp:
356         * ftl/FTLValueSource.cpp:
357         (JSC::FTL::ValueSource::dumpInContext):
358         (FTL):
359         * ftl/FTLValueSource.h:
360         (ValueSource):
361         * runtime/DumpContext.cpp: Added.
362         (JSC):
363         (JSC::DumpContext::DumpContext):
364         (JSC::DumpContext::~DumpContext):
365         (JSC::DumpContext::isEmpty):
366         (JSC::DumpContext::dump):
367         * runtime/DumpContext.h: Added.
368         (JSC):
369         (DumpContext):
370         * runtime/JSCJSValue.cpp:
371         (JSC::JSValue::dump):
372         (JSC):
373         (JSC::JSValue::dumpInContext):
374         * runtime/JSCJSValue.h:
375         (JSC):
376         (JSValue):
377         * runtime/Structure.cpp:
378         (JSC::Structure::dumpInContext):
379         (JSC):
380         (JSC::Structure::dumpBrief):
381         (JSC::Structure::dumpContextHeader):
382         * runtime/Structure.h:
383         (JSC):
384         (Structure):
385
386 2013-07-22  Filip Pizlo  <fpizlo@apple.com>
387
388         fourthTier: DFG should do a high-level LICM before going to FTL
389         https://bugs.webkit.org/show_bug.cgi?id=118749
390
391         Reviewed by Oliver Hunt.
392         
393         Implements LICM hoisting for nodes that never write anything and never read
394         things that are clobbered by the loop. There are some other preconditions for
395         hoisting, see DFGLICMPhase.cpp.
396
397         Also did a few fixes:
398         
399         - ClobberSet::add was failing to switch Super entries to Direct entries in
400           some cases.
401         
402         - DFGClobberize.cpp needed to #include "Operations.h".
403         
404         - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
405         
406         - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
407           Knowing the indexInBlock is an optional optimization that all other clients
408           of AI still opt into, but LICM doesn't.
409         
410         This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
411
412         * JavaScriptCore.xcodeproj/project.pbxproj:
413         * dfg/DFGAbstractInterpreter.h:
414         (AbstractInterpreter):
415         * dfg/DFGAbstractInterpreterInlines.h:
416         (JSC::DFG::::executeEffects):
417         (JSC::DFG::::execute):
418         (DFG):
419         (JSC::DFG::::clobberWorld):
420         (JSC::DFG::::clobberStructures):
421         * dfg/DFGAtTailAbstractState.cpp: Added.
422         (DFG):
423         (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
424         (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
425         (JSC::DFG::AtTailAbstractState::createValueForNode):
426         (JSC::DFG::AtTailAbstractState::forNode):
427         * dfg/DFGAtTailAbstractState.h: Added.
428         (DFG):
429         (AtTailAbstractState):
430         (JSC::DFG::AtTailAbstractState::initializeTo):
431         (JSC::DFG::AtTailAbstractState::forNode):
432         (JSC::DFG::AtTailAbstractState::variables):
433         (JSC::DFG::AtTailAbstractState::block):
434         (JSC::DFG::AtTailAbstractState::isValid):
435         (JSC::DFG::AtTailAbstractState::setDidClobber):
436         (JSC::DFG::AtTailAbstractState::setIsValid):
437         (JSC::DFG::AtTailAbstractState::setBranchDirection):
438         (JSC::DFG::AtTailAbstractState::setFoundConstants):
439         (JSC::DFG::AtTailAbstractState::haveStructures):
440         (JSC::DFG::AtTailAbstractState::setHaveStructures):
441         * dfg/DFGBasicBlock.h:
442         (JSC::DFG::BasicBlock::insertBeforeLast):
443         * dfg/DFGBasicBlockInlines.h:
444         (DFG):
445         * dfg/DFGClobberSet.cpp:
446         (JSC::DFG::ClobberSet::add):
447         (JSC::DFG::ClobberSet::addAll):
448         * dfg/DFGClobberize.cpp:
449         (JSC::DFG::doesWrites):
450         * dfg/DFGClobberize.h:
451         (DFG):
452         * dfg/DFGDCEPhase.cpp:
453         (JSC::DFG::DCEPhase::DCEPhase):
454         (JSC::DFG::DCEPhase::run):
455         (JSC::DFG::DCEPhase::fixupBlock):
456         (DCEPhase):
457         * dfg/DFGEdgeDominates.h: Added.
458         (DFG):
459         (EdgeDominates):
460         (JSC::DFG::EdgeDominates::EdgeDominates):
461         (JSC::DFG::EdgeDominates::operator()):
462         (JSC::DFG::EdgeDominates::result):
463         (JSC::DFG::edgesDominate):
464         * dfg/DFGFixupPhase.cpp:
465         (JSC::DFG::FixupPhase::fixupNode):
466         (JSC::DFG::FixupPhase::checkArray):
467         * dfg/DFGLICMPhase.cpp: Added.
468         (LICMPhase):
469         (JSC::DFG::LICMPhase::LICMPhase):
470         (JSC::DFG::LICMPhase::run):
471         (JSC::DFG::LICMPhase::attemptHoist):
472         (DFG):
473         (JSC::DFG::performLICM):
474         * dfg/DFGLICMPhase.h: Added.
475         (DFG):
476         * dfg/DFGPlan.cpp:
477         (JSC::DFG::Plan::compileInThreadImpl):
478
479 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
480
481         fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
482         https://bugs.webkit.org/show_bug.cgi?id=118910
483
484         Reviewed by Sam Weinig.
485         
486         Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
487         the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
488         engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
489         be inexpensive to use (they just give you a TBAA node) but expensive to create (you
490         create them all up front). FTL AbstractHeaps also don't actually give you the
491         ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
492         The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
493         They also give you aliasing machinery. The DFG AbstractHeaps are represented
494         internally by a int64_t. Many comparisons between them are just integer comaprisons.
495         AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
496         Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
497         payload is the direct subtype of its corresponding TOP Kind).
498         
499         Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
500         clobbered. It represents the set that results from unifying a bunch of
501         AbstractHeaps, and is intended to quickly answer overlap questions: does the given
502         AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
503         AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
504         its ancestors. An AbstractHeap is said to overlap a set if any direct or super
505         member is equal to it, or if any of its ancestors are equal to a direct member.
506         
507         Example #1:
508         
509             - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
510               is a subtype of Variables, which is a subtype of World.
511             - You query Variables. I.e. Variables with a TOP payload, which is the
512               supertype of Variables(X) for any X, and a subtype of World.
513             
514             The set will have Variables(5) as a direct member, and Variables and World as
515             super members. The Variables query will immediately return true, because
516             Variables is indeed a super member.
517         
518         Example #2:
519         
520             - I add Variables(5)
521             - You query NamedProperties
522             
523             NamedProperties is not a member at all (neither direct or super). We next
524             query World. World is a member, but it's a super member, so we return false.
525         
526         Example #3:
527         
528             - I add Variables
529             - You query Variables(5)
530             
531             The set will have Variables as a direct member, and World as a super member.
532             The Variables(5) query will not find Variables(5) in the set, but then it
533             will query Variables. Variables is a direct member, so we return true.
534         
535         Example #4:
536         
537             - I add Variables
538             - You query NamedProperties(5)
539             
540             Neither NamedProperties nor NamedProperties(5) are members. We next query
541             World. World is a member, but it's a super member, so we return false.
542         
543         Overlap queries require that either the heap being queried is in the set (either
544         direct or super), or that one of its ancestors is a direct member. Another way to
545         think about how this works is that two heaps A and B are said to overlap if
546         A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
547         single-inheritance heirarchy. Consider that we wanted to implement a set that holds
548         heaps and answers the question, "is any member in the set an ancestor (i.e.
549         supertype) of some other heap". We would have the set contain the heaps themselves,
550         and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
551         chain of A, and repeatedly querying its membership in the set. This is what the
552         "direct" members of our set do. Now consider the other part, where we want to ask if
553         any member of the set is a descendent of a heap, or "A.isSupertypeOfAny(set)". We
554         would implement this by implementing set.add(B) as adding not just B but also all of
555         B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
556         in the set. With two such sets - one that answers isSubtypeOfAny() and another that
557         answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
558         heap" question. ClobberSet does this, but combines the two sets into a single
559         HashMap. The HashMap's value, "direct", means that the key is a member of both the
560         supertype set and the subtype set; if it's false then it's only a member of one of
561         them.
562         
563         Finally, this adds a functorized clobberize() method that adds the read and write
564         clobbers of a DFG::Node to read and write functors. Common functors for adding to
565         ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
566         are also provided. This allows you to say things like:
567         
568             ClobberSet set;
569             addWrites(graph, node1, set);
570             if (readsOverlap(graph, node2, set))
571                 // We know that node1 may write to something that node2 may read from.
572         
573         Currently this facility is only used to improve graph dumping, but it will be
574         instrumental in both LICM and GVN. In the future, I want to completely kill the
575         NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
576         of accomplishing almost exactly what AbstractHeap gives you.
577
578         * JavaScriptCore.xcodeproj/project.pbxproj:
579         * dfg/DFGAbstractHeap.cpp: Added.
580         (DFG):
581         (JSC::DFG::AbstractHeap::Payload::dump):
582         (JSC::DFG::AbstractHeap::dump):
583         (WTF):
584         (WTF::printInternal):
585         * dfg/DFGAbstractHeap.h: Added.
586         (DFG):
587         (AbstractHeap):
588         (Payload):
589         (JSC::DFG::AbstractHeap::Payload::Payload):
590         (JSC::DFG::AbstractHeap::Payload::top):
591         (JSC::DFG::AbstractHeap::Payload::isTop):
592         (JSC::DFG::AbstractHeap::Payload::value):
593         (JSC::DFG::AbstractHeap::Payload::valueImpl):
594         (JSC::DFG::AbstractHeap::Payload::operator==):
595         (JSC::DFG::AbstractHeap::Payload::operator!=):
596         (JSC::DFG::AbstractHeap::Payload::operator<):
597         (JSC::DFG::AbstractHeap::Payload::isDisjoint):
598         (JSC::DFG::AbstractHeap::Payload::overlaps):
599         (JSC::DFG::AbstractHeap::AbstractHeap):
600         (JSC::DFG::AbstractHeap::operator!):
601         (JSC::DFG::AbstractHeap::kind):
602         (JSC::DFG::AbstractHeap::payload):
603         (JSC::DFG::AbstractHeap::isDisjoint):
604         (JSC::DFG::AbstractHeap::overlaps):
605         (JSC::DFG::AbstractHeap::supertype):
606         (JSC::DFG::AbstractHeap::hash):
607         (JSC::DFG::AbstractHeap::operator==):
608         (JSC::DFG::AbstractHeap::operator!=):
609         (JSC::DFG::AbstractHeap::operator<):
610         (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
611         (JSC::DFG::AbstractHeap::payloadImpl):
612         (JSC::DFG::AbstractHeap::encode):
613         (JSC::DFG::AbstractHeapHash::hash):
614         (JSC::DFG::AbstractHeapHash::equal):
615         (AbstractHeapHash):
616         (WTF):
617         * dfg/DFGClobberSet.cpp: Added.
618         (DFG):
619         (JSC::DFG::ClobberSet::ClobberSet):
620         (JSC::DFG::ClobberSet::~ClobberSet):
621         (JSC::DFG::ClobberSet::add):
622         (JSC::DFG::ClobberSet::addAll):
623         (JSC::DFG::ClobberSet::contains):
624         (JSC::DFG::ClobberSet::overlaps):
625         (JSC::DFG::ClobberSet::clear):
626         (JSC::DFG::ClobberSet::direct):
627         (JSC::DFG::ClobberSet::super):
628         (JSC::DFG::ClobberSet::dump):
629         (JSC::DFG::ClobberSet::setOf):
630         (JSC::DFG::addReads):
631         (JSC::DFG::addWrites):
632         (JSC::DFG::addReadsAndWrites):
633         (JSC::DFG::readsOverlap):
634         (JSC::DFG::writesOverlap):
635         * dfg/DFGClobberSet.h: Added.
636         (DFG):
637         (ClobberSet):
638         (JSC::DFG::ClobberSet::isEmpty):
639         (ClobberSetAdd):
640         (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
641         (JSC::DFG::ClobberSetAdd::operator()):
642         (ClobberSetOverlaps):
643         (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
644         (JSC::DFG::ClobberSetOverlaps::operator()):
645         (JSC::DFG::ClobberSetOverlaps::result):
646         * dfg/DFGClobberize.cpp: Added.
647         (DFG):
648         (JSC::DFG::didWrites):
649         * dfg/DFGClobberize.h: Added.
650         (DFG):
651         (JSC::DFG::clobberize):
652         (NoOpClobberize):
653         (JSC::DFG::NoOpClobberize::NoOpClobberize):
654         (JSC::DFG::NoOpClobberize::operator()):
655         (CheckClobberize):
656         (JSC::DFG::CheckClobberize::CheckClobberize):
657         (JSC::DFG::CheckClobberize::operator()):
658         (JSC::DFG::CheckClobberize::result):
659         * dfg/DFGGraph.cpp:
660         (JSC::DFG::Graph::dump):
661
662 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
663
664         fourthTier: It should be easy to figure out which blocks nodes belong to
665         https://bugs.webkit.org/show_bug.cgi?id=118957
666
667         Reviewed by Sam Weinig.
668
669         * dfg/DFGGraph.cpp:
670         (DFG):
671         (JSC::DFG::Graph::initializeNodeOwners):
672         * dfg/DFGGraph.h:
673         (Graph):
674         * dfg/DFGNode.h:
675
676 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
677
678         fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
679         https://bugs.webkit.org/show_bug.cgi?id=118956
680
681         Reviewed by Sam Weinig.
682         
683         We had two way of expressing that something exits forward: the NodeExitsForward
684         flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
685         makes it just be a flag.
686
687         * dfg/DFGAbstractInterpreterInlines.h:
688         (JSC::DFG::::executeEffects):
689         * dfg/DFGArgumentsSimplificationPhase.cpp:
690         (JSC::DFG::ArgumentsSimplificationPhase::run):
691         * dfg/DFGCSEPhase.cpp:
692         (JSC::DFG::CSEPhase::int32ToDoubleCSE):
693         (JSC::DFG::CSEPhase::checkStructureElimination):
694         (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
695         (JSC::DFG::CSEPhase::putStructureStoreElimination):
696         (JSC::DFG::CSEPhase::checkArrayElimination):
697         (JSC::DFG::CSEPhase::performNodeCSE):
698         * dfg/DFGConstantFoldingPhase.cpp:
699         (JSC::DFG::ConstantFoldingPhase::foldConstants):
700         * dfg/DFGFixupPhase.cpp:
701         (JSC::DFG::FixupPhase::fixupNode):
702         (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
703         * dfg/DFGMinifiedNode.h:
704         (JSC::DFG::belongsInMinifiedGraph):
705         (JSC::DFG::MinifiedNode::hasChild):
706         * dfg/DFGNode.h:
707         (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
708         (JSC::DFG::Node::hasStructureSet):
709         (JSC::DFG::Node::hasStructure):
710         (JSC::DFG::Node::hasArrayMode):
711         (JSC::DFG::Node::willHaveCodeGenOrOSR):
712         * dfg/DFGNodeType.h:
713         (DFG):
714         (JSC::DFG::needsOSRForwardRewiring):
715         * dfg/DFGPredictionPropagationPhase.cpp:
716         (JSC::DFG::PredictionPropagationPhase::propagate):
717         * dfg/DFGSafeToExecute.h:
718         (JSC::DFG::safeToExecute):
719         * dfg/DFGSpeculativeJIT.cpp:
720         (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
721         * dfg/DFGSpeculativeJIT32_64.cpp:
722         (JSC::DFG::SpeculativeJIT::compile):
723         * dfg/DFGSpeculativeJIT64.cpp:
724         (JSC::DFG::SpeculativeJIT::compile):
725         * dfg/DFGTypeCheckHoistingPhase.cpp:
726         (JSC::DFG::TypeCheckHoistingPhase::run):
727         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
728         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
729         * dfg/DFGVariableEventStream.cpp:
730         (JSC::DFG::VariableEventStream::reconstruct):
731         * ftl/FTLCapabilities.cpp:
732         (JSC::FTL::canCompile):
733         * ftl/FTLLowerDFGToLLVM.cpp:
734         (JSC::FTL::LowerDFGToLLVM::compileNode):
735         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
736
737 2013-07-21  Filip Pizlo  <fpizlo@apple.com>
738
739         fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
740         https://bugs.webkit.org/show_bug.cgi?id=118946
741
742         Reviewed by Geoffrey Garen.
743         
744         We want to decouple the exit target code origin of a node from the code origin
745         for all other purposes. The purposes of code origins are:
746         
747         - Where the node will exit, if it exits. The exit target should be consistent with
748           the surrounding nodes, in that if you just looked at the code origins of nodes in
749           the graph, they would be consistent with the code origins in bytecode. This is
750           necessary for live-at-bytecode analyses to work, and to preserve the original
751           bytecode semantics when exiting.
752         
753         - What kind of code the node came from, for semantics thingies. For example, we
754           might use the code origin to find the node's global object for doing an original
755           array check. Or we might use it to determine if the code is in strict mode. Or
756           other similar things. When we use the code origin in this way, we're basically
757           using it as a way of describing the node's meta-data without putting it into the
758           node directly, to save space. In the absurd extreme you could imagine nodes not
759           even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
760           what bytecode the node originated from. We won't do that, but you can think of
761           this use of code origins as just a way of compressing meta-data.
762         
763         - What code origin we should supply profiling to, if we exit. This is closely
764           related to the semantics thingies, in that the exit profiling is a persistent
765           kind of semantic meta-data that survives between recompiles, and the only way to
766           do that is to ascribe it to the original bytecode via the code origin.
767         
768         If we hoist a node, we need to change the exit target code origin, but we must not
769         change the code origin for other purposes. The best way to do this is to decouple
770         the two kinds of code origin.
771         
772         OSR exit data structures already do this, because they may edit the exit target
773         code origin while keeping the code origin for profiling intact. This happens for
774         forward exits. So, we just need to thread separation all the way back to DFG::Node.
775         That's what this patch does.
776
777         * dfg/DFGNode.h:
778         (JSC::DFG::Node::Node):
779         (Node):
780         * dfg/DFGOSRExit.cpp:
781         (JSC::DFG::OSRExit::OSRExit):
782         * dfg/DFGOSRExitBase.h:
783         (JSC::DFG::OSRExitBase::OSRExitBase):
784         * dfg/DFGSpeculativeJIT.cpp:
785         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
786         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
787         * dfg/DFGSpeculativeJIT.h:
788         (SpeculativeJIT):
789         * ftl/FTLLowerDFGToLLVM.cpp:
790         (JSC::FTL::LowerDFGToLLVM::compileNode):
791         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
792         (LowerDFGToLLVM):
793         * ftl/FTLOSRExit.cpp:
794         (JSC::FTL::OSRExit::OSRExit):
795         * ftl/FTLOSRExit.h:
796         (OSRExit):
797
798 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
799
800         fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
801         https://bugs.webkit.org/show_bug.cgi?id=118866
802
803         Reviewed by Sam Weinig.
804         
805         Adds a safeToExecute() method that takes a node and an abstract state and tells you
806         if the node will run without crashing under that state.
807
808         * JavaScriptCore.xcodeproj/project.pbxproj:
809         * bytecode/CodeBlock.cpp:
810         (JSC::CodeBlock::CodeBlock):
811         * dfg/DFGCFAPhase.cpp:
812         (CFAPhase):
813         (JSC::DFG::CFAPhase::CFAPhase):
814         (JSC::DFG::CFAPhase::run):
815         (JSC::DFG::CFAPhase::performBlockCFA):
816         (JSC::DFG::CFAPhase::performForwardCFA):
817         * dfg/DFGSafeToExecute.h: Added.
818         (DFG):
819         (SafeToExecuteEdge):
820         (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
821         (JSC::DFG::SafeToExecuteEdge::operator()):
822         (JSC::DFG::SafeToExecuteEdge::result):
823         (JSC::DFG::safeToExecute):
824         * dfg/DFGStructureAbstractValue.h:
825         (JSC::DFG::StructureAbstractValue::isValidOffset):
826         (StructureAbstractValue):
827         * runtime/Options.h:
828         (JSC):
829
830 2013-07-20  Filip Pizlo  <fpizlo@apple.com>
831
832         fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
833         https://bugs.webkit.org/show_bug.cgi?id=118948
834
835         Reviewed by Sam Weinig.
836         
837         - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
838           This allows doing "what if" experiments with IR generation, even if the generated IR
839           can't yet execute.
840         
841         - Add an OSR exit path that just calls an intrinsic that combines the branch and the
842           off-ramp.
843
844         * JavaScriptCore.xcodeproj/project.pbxproj:
845         * dfg/DFGPlan.cpp:
846         (JSC::DFG::Plan::compileInThreadImpl):
847         * ftl/FTLFail.cpp: Added.
848         (FTL):
849         (JSC::FTL::fail):
850         * ftl/FTLFail.h: Added.
851         (FTL):
852         * ftl/FTLIntrinsicRepository.h:
853         (FTL):
854         * ftl/FTLLowerDFGToLLVM.cpp:
855         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
856         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
857         * runtime/Options.h:
858         (JSC):
859
860 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
861
862         fourthTier: StringObjectUse uses structures, and CSE should know that
863         https://bugs.webkit.org/show_bug.cgi?id=118940
864
865         Reviewed by Geoffrey Garen.
866         
867         This is asymptomatic right now, but we should fix it.
868
869         * JavaScriptCore.xcodeproj/project.pbxproj:
870         * dfg/DFGCSEPhase.cpp:
871         (JSC::DFG::CSEPhase::putStructureStoreElimination):
872         * dfg/DFGEdgeUsesStructure.h: Added.
873         (DFG):
874         (EdgeUsesStructure):
875         (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
876         (JSC::DFG::EdgeUsesStructure::operator()):
877         (JSC::DFG::EdgeUsesStructure::result):
878         (JSC::DFG::edgesUseStructure):
879         * dfg/DFGUseKind.h:
880         (DFG):
881         (JSC::DFG::usesStructure):
882
883 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
884
885         fourthTier: String GetByVal out-of-bounds handling is so wrong
886         https://bugs.webkit.org/show_bug.cgi?id=118935
887
888         Reviewed by Geoffrey Garen.
889         
890         Bunch of String GetByVal out-of-bounds fixes:
891         
892         - Even if the string proto chain is sane, we need to watch out for negative
893           indices. They may get values or call getters in the prototypes, since proto
894           sanity doesn't check for negative indexed properties, as they are not
895           technically indexed properties.
896         
897         - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
898           given this information.
899         
900         - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
901           given this information.
902         
903         Also fixed some other things:
904         
905         - If the DFG is disabled, the testRunner should pretend that we've done a
906           bunch of DFG compiles. That's necessary to prevent the tests from timing
907           out.
908         
909         - Disassembler shouldn't try to dump source code since it's not safe in the
910           concurrent JIT.
911
912         * API/JSCTestRunnerUtils.cpp:
913         (JSC::numberOfDFGCompiles):
914         * JavaScriptCore.xcodeproj/project.pbxproj:
915         * dfg/DFGAbstractInterpreterInlines.h:
916         (JSC::DFG::::executeEffects):
917         * dfg/DFGDisassembler.cpp:
918         (JSC::DFG::Disassembler::dumpHeader):
919         * dfg/DFGGraph.h:
920         (JSC::DFG::Graph::byValIsPure):
921         * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
922         (DFG):
923         (SaneStringGetByValSlowPathGenerator):
924         (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
925         (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
926         * dfg/DFGSpeculativeJIT.cpp:
927         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
928
929 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
930
931         fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
932         https://bugs.webkit.org/show_bug.cgi?id=118911
933
934         Reviewed by Geoffrey Garen.
935         
936         We could also have a separate method like "willNotCrash(offset)", but that's not
937         what isValidOffset() is intended to mean.
938
939         * runtime/Structure.h:
940         (JSC::Structure::isValidOffset):
941
942 2013-07-19  Filip Pizlo  <fpizlo@apple.com>
943
944         fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
945         https://bugs.webkit.org/show_bug.cgi?id=118878
946
947         Reviewed by Oliver Hunt.
948         
949         - Change Structure::isValidOffset() to actually answer the question "If I attempted
950           to load from an object of this structure, at this offset, would I commit suicide
951           or would I get back some kind of value?"
952         
953         - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
954           way from the start.
955         
956         - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
957         
958         - Make GetByOffset also reference the base object in addition to the butterfly.
959         
960         The future use of this power will be to answer questions like "If I hoisted this
961         GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
962         fine?"
963         
964         I don't currently plan to use this power to perform validation, since the CSE has
965         the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
966         remove - both in the case of StructureSets where size >= 2 and in the case of
967         CheckStructures that match across PutStructures. At first I tried to write a
968         validator that was aware of this, but the validation code got way too complicated
969         and I started having nightmares of spurious assertion bugs being filed against me.
970         
971         This also changes some of the code for how we hash FunctionExecutable's for debug
972         dumps, since that code still had some thread-safety issues. Basically, the
973         concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
974         that could transitively try to compute the hash from the source code. The source
975         code is a string that may be lazily computed, and that involves all manner of thread
976         unsafe things.
977
978         * bytecode/CodeOrigin.cpp:
979         (JSC::InlineCallFrame::hash):
980         * dfg/DFGAbstractInterpreterInlines.h:
981         (JSC::DFG::::executeEffects):
982         * dfg/DFGByteCodeParser.cpp:
983         (JSC::DFG::ByteCodeParser::handleGetByOffset):
984         (JSC::DFG::ByteCodeParser::handlePutByOffset):
985         (JSC::DFG::ByteCodeParser::parseBlock):
986         * dfg/DFGCFAPhase.cpp:
987         (JSC::DFG::CFAPhase::performBlockCFA):
988         * dfg/DFGConstantFoldingPhase.cpp:
989         (JSC::DFG::ConstantFoldingPhase::foldConstants):
990         * dfg/DFGFixupPhase.cpp:
991         (JSC::DFG::FixupPhase::fixupNode):
992         * dfg/DFGGraph.h:
993         (StorageAccessData):
994         * dfg/DFGNode.h:
995         (JSC::DFG::Node::convertToGetByOffset):
996         * dfg/DFGSpeculativeJIT64.cpp:
997         (JSC::DFG::SpeculativeJIT::compile):
998         * ftl/FTLLowerDFGToLLVM.cpp:
999         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
1000         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
1001         * runtime/FunctionExecutableDump.cpp:
1002         (JSC::FunctionExecutableDump::dump):
1003         * runtime/Structure.h:
1004         (Structure):
1005         (JSC::Structure::isValidOffset):
1006
1007 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
1008
1009         fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
1010         https://bugs.webkit.org/show_bug.cgi?id=118880
1011
1012         Reviewed by Sam Weinig.
1013         
1014         It should be possible to have an AbstractState that is backed by a HashMap. But to
1015         do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
1016         the map, since otherwise the idiom of getting a reference to the AbstractValue
1017         returned by forNode() would cause really subtle memory corruption bugs.
1018
1019         * dfg/DFGAbstractInterpreterInlines.h:
1020         (JSC::DFG::::executeEffects):
1021         * dfg/DFGInPlaceAbstractState.h:
1022         (JSC::DFG::InPlaceAbstractState::createValueForNode):
1023         (InPlaceAbstractState):
1024
1025 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
1026
1027         fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
1028         https://bugs.webkit.org/show_bug.cgi?id=118835
1029
1030         Reviewed by Oliver Hunt.
1031         
1032         This separates AbstractState into two things:
1033         
1034         - InPlaceAbstractState, which can tell you the abstract state of anything you
1035           might care about, and uses the old AbstractState's algorithms and data
1036           structures for doing so.
1037         
1038         - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
1039           respect to an AbstractStateType. Currently we always use
1040           AbstractStateType = InPlaceAbstractState. But we could drop in an other
1041           class that supports basic primitives like forNode() and variables().
1042         
1043         This is important because:
1044         
1045         - We want to hoist things out of loops.
1046
1047         - We don't know what things rely on what type checks.
1048
1049         - We only want to hoist type checks out of loops if they aren't clobbered.
1050
1051         - We may want to still hoist things that depended on those type checks, if it's
1052           safe to do those things based on the CFA state at the tail of the loop
1053           pre-header.
1054
1055         - We don't want things to rely on their type checks by way of a token, because
1056           that's just weird.
1057
1058         So, we want to be able to have a special form of the CFA that can
1059         incrementally update a basic block's state-at-tail, and we want to be able to
1060         do this for multiple blocks simultaneously. This requires *not* storing the
1061         per-node state in the nodes themselves, but instead using the at-tail HashMap
1062         directly.
1063
1064         Hence we need to have a way of making the abstract interpreter (i.e.
1065         AbstractState::execute) polymorphic with respect to state representation. Put
1066         another way, we need to separate the way that abstract state is represented
1067         from the way DFG IR is abstractly interpreted.
1068
1069         * JavaScriptCore.xcodeproj/project.pbxproj:
1070         * dfg/DFGAbstractInterpreter.h: Added.
1071         (DFG):
1072         (AbstractInterpreter):
1073         (JSC::DFG::AbstractInterpreter::forNode):
1074         (JSC::DFG::AbstractInterpreter::variables):
1075         (JSC::DFG::AbstractInterpreter::needsTypeCheck):
1076         (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
1077         (JSC::DFG::AbstractInterpreter::filter):
1078         (JSC::DFG::AbstractInterpreter::filterArrayModes):
1079         (JSC::DFG::AbstractInterpreter::filterByValue):
1080         (JSC::DFG::AbstractInterpreter::trySetConstant):
1081         (JSC::DFG::AbstractInterpreter::filterByType):
1082         * dfg/DFGAbstractInterpreterInlines.h: Added.
1083         (DFG):
1084         (JSC::DFG::::AbstractInterpreter):
1085         (JSC::DFG::::~AbstractInterpreter):
1086         (JSC::DFG::::booleanResult):
1087         (JSC::DFG::::startExecuting):
1088         (JSC::DFG::::executeEdges):
1089         (JSC::DFG::::verifyEdge):
1090         (JSC::DFG::::verifyEdges):
1091         (JSC::DFG::::executeEffects):
1092         (JSC::DFG::::execute):
1093         (JSC::DFG::::clobberWorld):
1094         (JSC::DFG::::clobberCapturedVars):
1095         (JSC::DFG::::clobberStructures):
1096         (JSC::DFG::::dump):
1097         (JSC::DFG::::filter):
1098         (JSC::DFG::::filterArrayModes):
1099         (JSC::DFG::::filterByValue):
1100         * dfg/DFGAbstractState.cpp: Removed.
1101         * dfg/DFGAbstractState.h: Removed.
1102         * dfg/DFGArgumentsSimplificationPhase.cpp:
1103         * dfg/DFGCFAPhase.cpp:
1104         (JSC::DFG::CFAPhase::CFAPhase):
1105         (JSC::DFG::CFAPhase::performBlockCFA):
1106         (CFAPhase):
1107         * dfg/DFGCFGSimplificationPhase.cpp:
1108         * dfg/DFGConstantFoldingPhase.cpp:
1109         (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
1110         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1111         (ConstantFoldingPhase):
1112         * dfg/DFGInPlaceAbstractState.cpp: Added.
1113         (DFG):
1114         (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
1115         (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
1116         (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1117         (JSC::DFG::setLiveValues):
1118         (JSC::DFG::InPlaceAbstractState::initialize):
1119         (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1120         (JSC::DFG::InPlaceAbstractState::reset):
1121         (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1122         (JSC::DFG::InPlaceAbstractState::merge):
1123         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
1124         (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
1125         * dfg/DFGInPlaceAbstractState.h: Added.
1126         (DFG):
1127         (InPlaceAbstractState):
1128         (JSC::DFG::InPlaceAbstractState::forNode):
1129         (JSC::DFG::InPlaceAbstractState::variables):
1130         (JSC::DFG::InPlaceAbstractState::block):
1131         (JSC::DFG::InPlaceAbstractState::didClobber):
1132         (JSC::DFG::InPlaceAbstractState::isValid):
1133         (JSC::DFG::InPlaceAbstractState::setDidClobber):
1134         (JSC::DFG::InPlaceAbstractState::setIsValid):
1135         (JSC::DFG::InPlaceAbstractState::setBranchDirection):
1136         (JSC::DFG::InPlaceAbstractState::setFoundConstants):
1137         (JSC::DFG::InPlaceAbstractState::haveStructures):
1138         (JSC::DFG::InPlaceAbstractState::setHaveStructures):
1139         * dfg/DFGMergeMode.h: Added.
1140         (DFG):
1141         * dfg/DFGSpeculativeJIT.cpp:
1142         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1143         (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
1144         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1145         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
1146         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
1147         (JSC::DFG::SpeculativeJIT::speculateStringObject):
1148         (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
1149         * dfg/DFGSpeculativeJIT.h:
1150         (JSC::DFG::SpeculativeJIT::needsTypeCheck):
1151         (SpeculativeJIT):
1152         * dfg/DFGSpeculativeJIT32_64.cpp:
1153         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1154         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1155         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1156         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1157         * dfg/DFGSpeculativeJIT64.cpp:
1158         (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1159         (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1160         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1161         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1162         * ftl/FTLLowerDFGToLLVM.cpp:
1163         (FTL):
1164         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1165         (JSC::FTL::LowerDFGToLLVM::compileNode):
1166         (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
1167         (JSC::FTL::LowerDFGToLLVM::speculate):
1168         (JSC::FTL::LowerDFGToLLVM::speculateNumber):
1169         (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
1170         (LowerDFGToLLVM):
1171
1172 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
1173
1174         fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
1175         https://bugs.webkit.org/show_bug.cgi?id=118867
1176
1177         Reviewed by Mark Hahnenberg.
1178         
1179         This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
1180         ArrayProfile.
1181
1182         It also makes it easier to ask any array-using node how to create its type check.
1183         
1184         Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
1185         an array profile, thinking that it was storing into a value profile. Reshuffling the
1186         fields in ArrayProfile revealed this.
1187
1188         * bytecode/ArrayProfile.cpp:
1189         (JSC::ArrayProfile::computeUpdatedPrediction):
1190         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
1191         * bytecode/ArrayProfile.h:
1192         (JSC::ArrayProfile::ArrayProfile):
1193         (ArrayProfile):
1194         * bytecode/CodeBlock.cpp:
1195         (JSC::CodeBlock::updateAllArrayPredictions):
1196         (JSC::CodeBlock::updateAllPredictions):
1197         * bytecode/CodeBlock.h:
1198         (CodeBlock):
1199         (JSC::CodeBlock::updateAllArrayPredictions):
1200         * dfg/DFGArrayMode.h:
1201         (ArrayMode):
1202         * dfg/DFGByteCodeParser.cpp:
1203         (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
1204         (JSC::DFG::ByteCodeParser::parseBlock):
1205         * dfg/DFGFixupPhase.cpp:
1206         (JSC::DFG::FixupPhase::fixupNode):
1207         (FixupPhase):
1208         (JSC::DFG::FixupPhase::checkArray):
1209         (JSC::DFG::FixupPhase::blessArrayOperation):
1210         * llint/LowLevelInterpreter64.asm:
1211
1212 2013-07-18  Filip Pizlo  <fpizlo@apple.com>
1213
1214         fourthTier: CFA should consider live-at-head for clobbering and dumping
1215         https://bugs.webkit.org/show_bug.cgi?id=118857
1216
1217         Reviewed by Mark Hahnenberg.
1218         
1219         - clobberStructures() was not considering nodes live-at-head when in SSA
1220           form. This means it would fail to clobber some structures.
1221         
1222         - dump() was not considering nodes live-at-head when in SSA form. This
1223           means it wouldn't dump everything that you might be interested in.
1224         
1225         - AbstractState::m_currentNode is a useless variable and we should get
1226           rid of it.
1227
1228         * dfg/DFGAbstractState.cpp:
1229         (JSC::DFG::AbstractState::AbstractState):
1230         (JSC::DFG::AbstractState::beginBasicBlock):
1231         (JSC::DFG::AbstractState::reset):
1232         (JSC::DFG::AbstractState::startExecuting):
1233         (JSC::DFG::AbstractState::clobberStructures):
1234         (JSC::DFG::AbstractState::dump):
1235         * dfg/DFGAbstractState.h:
1236         (AbstractState):
1237
1238 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
1239
1240         fourthTier: Add a phase to create loop pre-headers
1241         https://bugs.webkit.org/show_bug.cgi?id=118778
1242
1243         Reviewed by Oliver Hunt.
1244         
1245         Add a loop pre-header creation phase. Any loop that doesn't already have
1246         just one predecessor that isn't part of the loop has a pre-header
1247         prepended. All non-loop predecessors then jump to that pre-header.
1248         
1249         Also fix a handful of bugs:
1250         
1251         - DFG::Analysis should set m_valid before running the analysis, since that
1252           makes it easier to use ASSERT(m_valid) in the analysis' methods, which
1253           may be called by the analysis before the analysis completes. NaturalLoops
1254           does this with loopsOf().
1255         
1256         - NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
1257           returning 0, since that'll happen if the block isn't in any loop.
1258         
1259         - Change BlockInsertionSet to dethread the graph, since anyone using it
1260           will want to do so.
1261         
1262         - Change dethreading to ignore SSA form graphs.
1263         
1264         This also adds NaturalLoops::belongsTo(), which I always used in the
1265         pre-header creation phase. I didn't end up using it but I'll probably use
1266         it in the near future.
1267         
1268         * JavaScriptCore.xcodeproj/project.pbxproj:
1269         * dfg/DFGAnalysis.h:
1270         (JSC::DFG::Analysis::computeIfNecessary):
1271         * dfg/DFGBlockInsertionSet.cpp:
1272         (JSC::DFG::BlockInsertionSet::execute):
1273         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
1274         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
1275         * dfg/DFGGraph.cpp:
1276         (JSC::DFG::Graph::dethread):
1277         * dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
1278         (DFG):
1279         (LoopPreHeaderCreationPhase):
1280         (JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
1281         (JSC::DFG::LoopPreHeaderCreationPhase::run):
1282         (JSC::DFG::performLoopPreHeaderCreation):
1283         * dfg/DFGLoopPreHeaderCreationPhase.h: Added.
1284         (DFG):
1285         * dfg/DFGNaturalLoops.h:
1286         (NaturalLoop):
1287         (JSC::DFG::NaturalLoops::headerOf):
1288         (JSC::DFG::NaturalLoops::innerMostLoopOf):
1289         (JSC::DFG::NaturalLoops::innerMostOuterLoop):
1290         (JSC::DFG::NaturalLoops::belongsTo):
1291         (NaturalLoops):
1292         * dfg/DFGPlan.cpp:
1293         (JSC::DFG::Plan::compileInThreadImpl):
1294
1295 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
1296
1297         fourthTier: Rationalize Node::replacement
1298         https://bugs.webkit.org/show_bug.cgi?id=118774
1299
1300         Reviewed by Oliver Hunt.
1301         
1302         - Clearing of replacements is now done in Graph::clearReplacements().
1303         
1304         - New nodes now have replacement set to 0.
1305         
1306         - Node::replacement is now part of a 'misc' union. I'll be putting at least
1307           one other field into that union as part of LICM work (see
1308           https://bugs.webkit.org/show_bug.cgi?id=118749).
1309
1310         * dfg/DFGCPSRethreadingPhase.cpp:
1311         (JSC::DFG::CPSRethreadingPhase::run):
1312         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1313         (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1314         * dfg/DFGCSEPhase.cpp:
1315         (JSC::DFG::CSEPhase::run):
1316         (JSC::DFG::CSEPhase::setReplacement):
1317         (JSC::DFG::CSEPhase::performBlockCSE):
1318         * dfg/DFGGraph.cpp:
1319         (DFG):
1320         (JSC::DFG::Graph::clearReplacements):
1321         * dfg/DFGGraph.h:
1322         (JSC::DFG::Graph::performSubstitutionForEdge):
1323         (Graph):
1324         * dfg/DFGNode.h:
1325         (JSC::DFG::Node::Node):
1326         * dfg/DFGSSAConversionPhase.cpp:
1327         (JSC::DFG::SSAConversionPhase::run):
1328
1329 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
1330
1331         fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block"
1332         https://bugs.webkit.org/show_bug.cgi?id=118750
1333
1334         Reviewed by Mark Hahnenberg.
1335
1336         * dfg/DFGBasicBlock.h:
1337         (BasicBlock):
1338         * dfg/DFGNaturalLoops.cpp:
1339         (JSC::DFG::NaturalLoops::compute):
1340         (JSC::DFG::NaturalLoops::loopsOf):
1341         * dfg/DFGNaturalLoops.h:
1342         (DFG):
1343         (JSC::DFG::NaturalLoop::NaturalLoop):
1344         (NaturalLoop):
1345         (JSC::DFG::NaturalLoop::index):
1346         (JSC::DFG::NaturalLoop::isOuterMostLoop):
1347         (JSC::DFG::NaturalLoop::addBlock):
1348         (JSC::DFG::NaturalLoops::headerOf):
1349         (JSC::DFG::NaturalLoops::innerMostLoopOf):
1350         (NaturalLoops):
1351         (JSC::DFG::NaturalLoops::innerMostOuterLoop):
1352         * dfg/DFGPlan.cpp:
1353         (JSC::DFG::Plan::compileInThreadImpl):
1354
1355 2013-07-16  Filip Pizlo  <fpizlo@apple.com>
1356
1357         fourthTier: don't GC when shutting down the VM
1358         https://bugs.webkit.org/show_bug.cgi?id=118751
1359
1360         Reviewed by Mark Hahnenberg.
1361
1362         * heap/Heap.h:
1363         (Heap):
1364         * runtime/VM.cpp:
1365         (JSC::VM::~VM):
1366
1367 2013-07-12  Filip Pizlo  <fpizlo@apple.com>
1368
1369         fourthTier: DFG should have an SSA form for use by FTL
1370         https://bugs.webkit.org/show_bug.cgi?id=118338
1371
1372         Reviewed by Mark Hahnenberg.
1373         
1374         Adds an SSA form to the DFG. We can convert ThreadedCPS form into SSA form
1375         after breaking critical edges. The conversion algorithm follows Aycock and
1376         Horspool, and the SSA form itself follows something I've done before, where
1377         instead of having Phi functions specify input nodes corresponding to block
1378         predecessors, we instead have Upsilon functions in the predecessors that
1379         specify which value in that block goes into which subsequent Phi. Upsilons
1380         don't have to dominate Phis (usually they don't) and they correspond to a
1381         non-SSA "mov" into the Phi's "variable". This gives all of the good
1382         properties of SSA, while ensuring that a bunch of CFG transformations don't
1383         have to be SSA-aware.
1384         
1385         So far the only DFG phases that are SSA-aware are DCE and CFA. CFG
1386         simplification is probably SSA-aware by default, though I haven't tried it.
1387         Constant folding probably needs a few tweaks, but is likely ready. Ditto
1388         for CSE, though it's not clear that we'd want to use block-local CSE when
1389         we could be doing GVN.
1390         
1391         Currently only the FTL can generate code from the SSA form, and there is no
1392         way to convert from SSA to ThreadedCPS or LoadStore. There probably will
1393         never be such a capability.
1394         
1395         In order to handle OSR exit state in the SSA, we place MovHints at Phi
1396         points. Other than that, you can reconstruct state-at-exit by forward
1397         propagating MovHints. Note that MovHint is the new SetLocal in SSA.
1398         SetLocal and GetLocal only survive into SSA if they are on captured
1399         variables, or in the case of flushes. A "live SetLocal" will be
1400         NodeMustGenerate and will always correspond to a flush. Computing the
1401         state-at-exit requires running SSA liveness analysis, OSR availability
1402         analysis, and flush liveness analysis. The FTL runs all of these prior to
1403         generating code. While OSR exit continues to be tricky, much of the logic
1404         is now factored into separate phases and the backend has to do less work
1405         to reason about what happened outside of the basic block that is being
1406         lowered.
1407         
1408         Conversion from DFG SSA to LLVM SSA is done by ensuring that we generate
1409         code in depth-first order, thus guaranteeing that a node will always be
1410         lowered (and hence have a LValue) before any of the blocks dominated by
1411         that node's block have code generated. For Upsilon/Phi, we just use
1412         alloca's. We could do something more clever there, but it's probably not
1413         worth it, at least not now.
1414         
1415         Finally, while the SSA form is currently only being converted to LLVM IR,
1416         there is nothing that prevents us from considering other backends in the
1417         future - with the caveat that this form is designed to be first lowered to
1418         a lower-level SSA before actual machine code generation commences. So we
1419         ought to either use LLVM (the intended path) or we will have to write our
1420         own SSA low-level backend.
1421         
1422         This runs all of the code that the FTL was known to run previously. No
1423         change in performance for now. But it does open some exciting
1424         possibilities!
1425
1426         * JavaScriptCore.xcodeproj/project.pbxproj:
1427         * bytecode/Operands.h:
1428         (JSC::OperandValueTraits::dump):
1429         (JSC::Operands::fill):
1430         (Operands):
1431         (JSC::Operands::clear):
1432         (JSC::Operands::operator==):
1433         * dfg/DFGAbstractState.cpp:
1434         (JSC::DFG::AbstractState::beginBasicBlock):
1435         (JSC::DFG::setLiveValues):
1436         (DFG):
1437         (JSC::DFG::AbstractState::initialize):
1438         (JSC::DFG::AbstractState::endBasicBlock):
1439         (JSC::DFG::AbstractState::executeEffects):
1440         (JSC::DFG::AbstractState::mergeStateAtTail):
1441         (JSC::DFG::AbstractState::merge):
1442         * dfg/DFGAbstractState.h:
1443         (AbstractState):
1444         * dfg/DFGAdjacencyList.h:
1445         (JSC::DFG::AdjacencyList::justOneChild):
1446         (AdjacencyList):
1447         * dfg/DFGBasicBlock.cpp: Added.
1448         (DFG):
1449         (JSC::DFG::BasicBlock::BasicBlock):
1450         (JSC::DFG::BasicBlock::~BasicBlock):
1451         (JSC::DFG::BasicBlock::ensureLocals):
1452         (JSC::DFG::BasicBlock::isInPhis):
1453         (JSC::DFG::BasicBlock::isInBlock):
1454         (JSC::DFG::BasicBlock::removePredecessor):
1455         (JSC::DFG::BasicBlock::replacePredecessor):
1456         (JSC::DFG::BasicBlock::dump):
1457         (JSC::DFG::BasicBlock::SSAData::SSAData):
1458         (JSC::DFG::BasicBlock::SSAData::~SSAData):
1459         * dfg/DFGBasicBlock.h:
1460         (BasicBlock):
1461         (JSC::DFG::BasicBlock::operator[]):
1462         (JSC::DFG::BasicBlock::successor):
1463         (JSC::DFG::BasicBlock::successorForCondition):
1464         (SSAData):
1465         * dfg/DFGBasicBlockInlines.h:
1466         (DFG):
1467         * dfg/DFGBlockInsertionSet.cpp: Added.
1468         (DFG):
1469         (JSC::DFG::BlockInsertionSet::BlockInsertionSet):
1470         (JSC::DFG::BlockInsertionSet::~BlockInsertionSet):
1471         (JSC::DFG::BlockInsertionSet::insert):
1472         (JSC::DFG::BlockInsertionSet::insertBefore):
1473         (JSC::DFG::BlockInsertionSet::execute):
1474         * dfg/DFGBlockInsertionSet.h: Added.
1475         (DFG):
1476         (BlockInsertionSet):
1477         * dfg/DFGCFAPhase.cpp:
1478         (JSC::DFG::CFAPhase::run):
1479         * dfg/DFGCFGSimplificationPhase.cpp:
1480         * dfg/DFGCPSRethreadingPhase.cpp:
1481         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1482         * dfg/DFGCommon.cpp:
1483         (WTF::printInternal):
1484         * dfg/DFGCommon.h:
1485         (JSC::DFG::doesKill):
1486         (DFG):
1487         (JSC::DFG::killStatusForDoesKill):
1488         * dfg/DFGConstantFoldingPhase.cpp:
1489         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1490         (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
1491         * dfg/DFGCriticalEdgeBreakingPhase.cpp: Added.
1492         (DFG):
1493         (CriticalEdgeBreakingPhase):
1494         (JSC::DFG::CriticalEdgeBreakingPhase::CriticalEdgeBreakingPhase):
1495         (JSC::DFG::CriticalEdgeBreakingPhase::run):
1496         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
1497         (JSC::DFG::performCriticalEdgeBreaking):
1498         * dfg/DFGCriticalEdgeBreakingPhase.h: Added.
1499         (DFG):
1500         * dfg/DFGDCEPhase.cpp:
1501         (JSC::DFG::DCEPhase::run):
1502         (JSC::DFG::DCEPhase::findTypeCheckRoot):
1503         (JSC::DFG::DCEPhase::countNode):
1504         (DCEPhase):
1505         (JSC::DFG::DCEPhase::countEdge):
1506         (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
1507         * dfg/DFGDriver.cpp:
1508         (JSC::DFG::compile):
1509         * dfg/DFGEdge.cpp:
1510         (JSC::DFG::Edge::dump):
1511         * dfg/DFGEdge.h:
1512         (JSC::DFG::Edge::Edge):
1513         (JSC::DFG::Edge::setNode):
1514         (JSC::DFG::Edge::useKindUnchecked):
1515         (JSC::DFG::Edge::setUseKind):
1516         (JSC::DFG::Edge::setProofStatus):
1517         (JSC::DFG::Edge::willNotHaveCheck):
1518         (JSC::DFG::Edge::willHaveCheck):
1519         (Edge):
1520         (JSC::DFG::Edge::killStatusUnchecked):
1521         (JSC::DFG::Edge::killStatus):
1522         (JSC::DFG::Edge::setKillStatus):
1523         (JSC::DFG::Edge::doesKill):
1524         (JSC::DFG::Edge::doesNotKill):
1525         (JSC::DFG::Edge::shift):
1526         (JSC::DFG::Edge::makeWord):
1527         * dfg/DFGFixupPhase.cpp:
1528         (JSC::DFG::FixupPhase::fixupNode):
1529         * dfg/DFGFlushFormat.cpp: Added.
1530         (WTF):
1531         (WTF::printInternal):
1532         * dfg/DFGFlushFormat.h: Added.
1533         (DFG):
1534         (JSC::DFG::resultFor):
1535         (JSC::DFG::useKindFor):
1536         (WTF):
1537         * dfg/DFGFlushLivenessAnalysisPhase.cpp: Added.
1538         (DFG):
1539         (FlushLivenessAnalysisPhase):
1540         (JSC::DFG::FlushLivenessAnalysisPhase::FlushLivenessAnalysisPhase):
1541         (JSC::DFG::FlushLivenessAnalysisPhase::run):
1542         (JSC::DFG::FlushLivenessAnalysisPhase::process):
1543         (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
1544         (JSC::DFG::FlushLivenessAnalysisPhase::flushFormat):
1545         (JSC::DFG::performFlushLivenessAnalysis):
1546         * dfg/DFGFlushLivenessAnalysisPhase.h: Added.
1547         (DFG):
1548         * dfg/DFGGraph.cpp:
1549         (JSC::DFG::Graph::dump):
1550         (JSC::DFG::Graph::dumpBlockHeader):
1551         (DFG):
1552         (JSC::DFG::Graph::addForDepthFirstSort):
1553         (JSC::DFG::Graph::getBlocksInDepthFirstOrder):
1554         * dfg/DFGGraph.h:
1555         (JSC::DFG::Graph::convertToConstant):
1556         (JSC::DFG::Graph::valueProfileFor):
1557         (Graph):
1558         * dfg/DFGInsertionSet.h:
1559         (DFG):
1560         (JSC::DFG::InsertionSet::execute):
1561         * dfg/DFGLivenessAnalysisPhase.cpp: Added.
1562         (DFG):
1563         (LivenessAnalysisPhase):
1564         (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
1565         (JSC::DFG::LivenessAnalysisPhase::run):
1566         (JSC::DFG::LivenessAnalysisPhase::process):
1567         (JSC::DFG::LivenessAnalysisPhase::addChildUse):
1568         (JSC::DFG::performLivenessAnalysis):
1569         * dfg/DFGLivenessAnalysisPhase.h: Added.
1570         (DFG):
1571         * dfg/DFGNode.cpp:
1572         (JSC::DFG::Node::hasVariableAccessData):
1573         (DFG):
1574         * dfg/DFGNode.h:
1575         (DFG):
1576         (Node):
1577         (JSC::DFG::Node::hasLocal):
1578         (JSC::DFG::Node::variableAccessData):
1579         (JSC::DFG::Node::hasPhi):
1580         (JSC::DFG::Node::phi):
1581         (JSC::DFG::Node::takenBlock):
1582         (JSC::DFG::Node::notTakenBlock):
1583         (JSC::DFG::Node::successor):
1584         (JSC::DFG::Node::successorForCondition):
1585         (JSC::DFG::nodeComparator):
1586         (JSC::DFG::nodeListDump):
1587         (JSC::DFG::nodeMapDump):
1588         * dfg/DFGNodeFlags.cpp:
1589         (JSC::DFG::dumpNodeFlags):
1590         * dfg/DFGNodeType.h:
1591         (DFG):
1592         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Added.
1593         (DFG):
1594         (OSRAvailabilityAnalysisPhase):
1595         (JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase):
1596         (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1597         (JSC::DFG::performOSRAvailabilityAnalysis):
1598         * dfg/DFGOSRAvailabilityAnalysisPhase.h: Added.
1599         (DFG):
1600         * dfg/DFGPlan.cpp:
1601         (JSC::DFG::Plan::compileInThreadImpl):
1602         * dfg/DFGPredictionInjectionPhase.cpp:
1603         (JSC::DFG::PredictionInjectionPhase::run):
1604         * dfg/DFGPredictionPropagationPhase.cpp:
1605         (JSC::DFG::PredictionPropagationPhase::propagate):
1606         * dfg/DFGSSAConversionPhase.cpp: Added.
1607         (DFG):
1608         (SSAConversionPhase):
1609         (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
1610         (JSC::DFG::SSAConversionPhase::run):
1611         (JSC::DFG::SSAConversionPhase::forwardPhiChildren):
1612         (JSC::DFG::SSAConversionPhase::forwardPhi):
1613         (JSC::DFG::SSAConversionPhase::forwardPhiEdge):
1614         (JSC::DFG::SSAConversionPhase::deduplicateChildren):
1615         (JSC::DFG::SSAConversionPhase::addFlushedLocalOp):
1616         (JSC::DFG::SSAConversionPhase::addFlushedLocalEdge):
1617         (JSC::DFG::performSSAConversion):
1618         * dfg/DFGSSAConversionPhase.h: Added.
1619         (DFG):
1620         * dfg/DFGSpeculativeJIT32_64.cpp:
1621         (JSC::DFG::SpeculativeJIT::compile):
1622         * dfg/DFGSpeculativeJIT64.cpp:
1623         (JSC::DFG::SpeculativeJIT::compile):
1624         * dfg/DFGValidate.cpp:
1625         (JSC::DFG::Validate::validate):
1626         (Validate):
1627         (JSC::DFG::Validate::validateCPS):
1628         * dfg/DFGVariableAccessData.h:
1629         (JSC::DFG::VariableAccessData::flushFormat):
1630         (VariableAccessData):
1631         * ftl/FTLCapabilities.cpp:
1632         (JSC::FTL::canCompile):
1633         * ftl/FTLLowerDFGToLLVM.cpp:
1634         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1635         (JSC::FTL::LowerDFGToLLVM::lower):
1636         (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
1637         (JSC::FTL::LowerDFGToLLVM::compileBlock):
1638         (JSC::FTL::LowerDFGToLLVM::compileNode):
1639         (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
1640         (LowerDFGToLLVM):
1641         (JSC::FTL::LowerDFGToLLVM::compilePhi):
1642         (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
1643         (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
1644         (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
1645         (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
1646         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
1647         (JSC::FTL::LowerDFGToLLVM::compileAdd):
1648         (JSC::FTL::LowerDFGToLLVM::compileArithSub):
1649         (JSC::FTL::LowerDFGToLLVM::compileArithMul):
1650         (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
1651         (JSC::FTL::LowerDFGToLLVM::compileArithMod):
1652         (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1653         (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
1654         (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
1655         (JSC::FTL::LowerDFGToLLVM::compileBitAnd):
1656         (JSC::FTL::LowerDFGToLLVM::compileBitOr):
1657         (JSC::FTL::LowerDFGToLLVM::compileBitXor):
1658         (JSC::FTL::LowerDFGToLLVM::compileBitRShift):
1659         (JSC::FTL::LowerDFGToLLVM::compileBitLShift):
1660         (JSC::FTL::LowerDFGToLLVM::compileBitURShift):
1661         (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
1662         (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
1663         (JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
1664         (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1665         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1666         (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
1667         (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
1668         (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
1669         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1670         (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
1671         (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
1672         (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
1673         (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
1674         (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
1675         (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
1676         (JSC::FTL::LowerDFGToLLVM::speculateBackward):
1677         (JSC::FTL::LowerDFGToLLVM::lowInt32):
1678         (JSC::FTL::LowerDFGToLLVM::lowCell):
1679         (JSC::FTL::LowerDFGToLLVM::lowBoolean):
1680         (JSC::FTL::LowerDFGToLLVM::lowDouble):
1681         (JSC::FTL::LowerDFGToLLVM::lowJSValue):
1682         (JSC::FTL::LowerDFGToLLVM::lowStorage):
1683         (JSC::FTL::LowerDFGToLLVM::speculate):
1684         (JSC::FTL::LowerDFGToLLVM::speculateBoolean):
1685         (JSC::FTL::LowerDFGToLLVM::isLive):
1686         (JSC::FTL::LowerDFGToLLVM::use):
1687         (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
1688         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1689         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1690         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1691         (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
1692         (JSC::FTL::LowerDFGToLLVM::setInt32):
1693         (JSC::FTL::LowerDFGToLLVM::setJSValue):
1694         (JSC::FTL::LowerDFGToLLVM::setBoolean):
1695         (JSC::FTL::LowerDFGToLLVM::setStorage):
1696         (JSC::FTL::LowerDFGToLLVM::setDouble):
1697         (JSC::FTL::LowerDFGToLLVM::isValid):
1698         * ftl/FTLLoweredNodeValue.h: Added.
1699         (FTL):
1700         (LoweredNodeValue):
1701         (JSC::FTL::LoweredNodeValue::LoweredNodeValue):
1702         (JSC::FTL::LoweredNodeValue::isSet):
1703         (JSC::FTL::LoweredNodeValue::operator!):
1704         (JSC::FTL::LoweredNodeValue::value):
1705         (JSC::FTL::LoweredNodeValue::block):
1706         * ftl/FTLValueFromBlock.h:
1707         (JSC::FTL::ValueFromBlock::ValueFromBlock):
1708         (ValueFromBlock):
1709         * ftl/FTLValueSource.cpp:
1710         (JSC::FTL::ValueSource::dump):
1711         * ftl/FTLValueSource.h:
1712
1713 2013-07-11  Mark Lam  <mark.lam@apple.com>
1714
1715         Resurrect the CLoop LLINT on the FTL branch.
1716         https://bugs.webkit.org/show_bug.cgi?id=118144.
1717
1718         Reviewed by Mark Hahnenberg.
1719
1720         * bytecode/CodeBlock.h:
1721         (JSC::CodeBlock::jitType):
1722           - Fix the CodeBlock jitType to be InterpreterThunk when !ENABLE_JIT.
1723         * bytecode/JumpTable.h:
1724         (JSC::SimpleJumpTable::clear):
1725         * interpreter/StackIterator.cpp:
1726         (JSC::StackIterator::Frame::bytecodeOffset):
1727         (JSC::StackIterator::Frame::print):
1728         * jit/JITCode.cpp:
1729         (JSC):
1730         * jit/JITExceptions.cpp:
1731         (JSC::getExceptionLocation):
1732         * llint/LowLevelInterpreter.cpp:
1733         * offlineasm/cloop.rb:
1734         * runtime/Structure.cpp:
1735
1736 2013-07-08  Filip Pizlo  <fpizlo@apple.com>
1737
1738         NaturalLoops + Profiler = Crash
1739         https://bugs.webkit.org/show_bug.cgi?id=118486
1740
1741         Reviewed by Geoffrey Garen.
1742         
1743         I borked dominators in:
1744         http://trac.webkit.org/changeset/152431/branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGDominators.h
1745         
1746         This patch also adds some debug support, and fixes the loop that adds a block to
1747         an already-existing natural loop. Note that we currently don't take that path in
1748         most programs, but it will arise, for example if you use 'continue' - though you'd
1749         have to use it rather cleverly since the bytecode will not jump to the loop header
1750         in most uses of 'continue'.
1751
1752         * dfg/DFGDominators.cpp:
1753         (JSC::DFG::Dominators::dump):
1754         (DFG):
1755         * dfg/DFGDominators.h:
1756         (JSC::DFG::Dominators::dominates):
1757         (Dominators):
1758         * dfg/DFGNaturalLoops.cpp:
1759         (JSC::DFG::NaturalLoops::compute):
1760
1761 2013-07-08  Filip Pizlo  <fpizlo@apple.com>
1762
1763         fourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if any of the valuesAtHead have either a current known structure or a non-top/non-bottom array modes
1764         https://bugs.webkit.org/show_bug.cgi?id=118489
1765
1766         Reviewed by Mark Hahnenberg.
1767
1768         * bytecode/ArrayProfile.h:
1769         (JSC::arrayModesAreClearOrTop):
1770         (JSC):
1771         * dfg/DFGAbstractState.cpp:
1772         (JSC::DFG::AbstractState::beginBasicBlock):
1773         * dfg/DFGAbstractValue.h:
1774         (JSC::DFG::AbstractValue::hasClobberableState):
1775         (AbstractValue):
1776
1777 2013-07-08  Mark Hahnenberg  <mhahnenberg@apple.com>
1778
1779         CheckArray should call the right version of filterArrayModes
1780         https://bugs.webkit.org/show_bug.cgi?id=118488
1781
1782         Reviewed by Filip Pizlo.
1783
1784         Currently in the CFA CheckArray doesn't call the right filterArrayMode which can cause 
1785         the CFA to ignore when it sees a contradiction.
1786
1787         * dfg/DFGAbstractState.cpp:
1788         (JSC::DFG::AbstractState::executeEffects):
1789
1790 2013-07-07  Filip Pizlo  <fpizlo@apple.com>
1791
1792         fourthTier: Graph::clearAndDerefChild() makes no sense anymore, and neither does Nop
1793         https://bugs.webkit.org/show_bug.cgi?id=118452
1794
1795         Reviewed by Sam Weinig.
1796         
1797         Noticed that ArgumentsSimplificationPhase was converting something to a Nop and then
1798         resetting its children using clearAndDerefChild(). Using Nop instead of Phantom is a
1799         holdover from back when we needed a no-MustGenerate no-op. We don't anymore. Using
1800         clearAndDerefChild() was necessary back when we did eager reference counting. We
1801         don't need to do that anymore, and in fact clearAndDerefChild() appeared to not do
1802         any reference counting, so it was badly named to begin with.
1803
1804         * dfg/DFGAbstractState.cpp:
1805         (JSC::DFG::AbstractState::executeEffects):
1806         * dfg/DFGArgumentsSimplificationPhase.cpp:
1807         (JSC::DFG::ArgumentsSimplificationPhase::run):
1808         * dfg/DFGCPSRethreadingPhase.cpp:
1809         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1810         * dfg/DFGCSEPhase.cpp:
1811         (JSC::DFG::CSEPhase::performNodeCSE):
1812         * dfg/DFGFixupPhase.cpp:
1813         (JSC::DFG::FixupPhase::fixupNode):
1814         * dfg/DFGGraph.h:
1815         (Graph):
1816         * dfg/DFGNode.h:
1817         (JSC::DFG::Node::willHaveCodeGenOrOSR):
1818         * dfg/DFGNodeType.h:
1819         (DFG):
1820         * dfg/DFGPredictionPropagationPhase.cpp:
1821         (JSC::DFG::PredictionPropagationPhase::propagate):
1822         * dfg/DFGSpeculativeJIT32_64.cpp:
1823         (JSC::DFG::SpeculativeJIT::compile):
1824         * dfg/DFGSpeculativeJIT64.cpp:
1825         (JSC::DFG::SpeculativeJIT::compile):
1826
1827 2013-07-04  Filip Pizlo  <fpizlo@apple.com>
1828
1829         fourthTier: FTL should better report its compile-times and it should be able to run in a mode where it doesn't spend time generating OSR exits
1830         https://bugs.webkit.org/show_bug.cgi?id=118401
1831
1832         Reviewed by Sam Weinig.
1833         
1834         Add two new OSR exit modes, which are useful only for playing with compile times:
1835         
1836         - All OSR exits are llvm.trap().
1837         
1838         - OSR exits don't take arguments and have no exit value marshaling.
1839
1840         * dfg/DFGPlan.cpp:
1841         (JSC::DFG::Plan::compileInThread):
1842         (JSC::DFG::Plan::compileInThreadImpl):
1843         * dfg/DFGPlan.h:
1844         (Plan):
1845         * ftl/FTLIntrinsicRepository.h:
1846         (FTL):
1847         * ftl/FTLLowerDFGToLLVM.cpp:
1848         (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1849         (LowerDFGToLLVM):
1850         (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1851         * ftl/FTLOutput.h:
1852         (JSC::FTL::Output::trap):
1853         * runtime/Options.h:
1854         (JSC):
1855
1856 2013-07-04  Filip Pizlo  <fpizlo@apple.com>
1857
1858         fourthTier: DFG should refer to BasicBlocks by BasicBlock* and not BlockIndex
1859         https://bugs.webkit.org/show_bug.cgi?id=118339
1860
1861         Reviewed by Michael Saboff.
1862         
1863         This accomplishes two goals:
1864
1865         1) Simplifies a bunch of code. You can now much more directly get to a successor
1866            or predecessor, since you just get the pointer directly. The backend(s) always
1867            hold onto a pointer to the block they're on, so you don't have to do work to
1868            get the block from the index.
1869         
1870         2) It allows for the possibility of inserting blocks into the program.
1871            Previously, if you did that, you'd have to edit all references to blocks since
1872            those references would have outdated indexing after an insertion. Now, if you
1873            change the indexing, you just have to invalidate some analyses and make sure
1874            that you change each block's BasicBlock::index accordingly.
1875
1876         * dfg/DFGAbstractState.cpp:
1877         (JSC::DFG::AbstractState::initialize):
1878         (JSC::DFG::AbstractState::endBasicBlock):
1879         (JSC::DFG::AbstractState::mergeToSuccessors):
1880         * dfg/DFGAbstractState.h:
1881         (AbstractState):
1882         * dfg/DFGArgumentsSimplificationPhase.cpp:
1883         (JSC::DFG::ArgumentsSimplificationPhase::run):
1884         * dfg/DFGBackwardsPropagationPhase.cpp:
1885         (JSC::DFG::BackwardsPropagationPhase::run):
1886         * dfg/DFGBasicBlock.h:
1887         (DFG):
1888         (JSC::DFG::BasicBlock::BasicBlock):
1889         (JSC::DFG::BasicBlock::size):
1890         (JSC::DFG::BasicBlock::isEmpty):
1891         (JSC::DFG::BasicBlock::at):
1892         (JSC::DFG::BasicBlock::operator[]):
1893         (JSC::DFG::BasicBlock::last):
1894         (JSC::DFG::BasicBlock::resize):
1895         (JSC::DFG::BasicBlock::grow):
1896         (BasicBlock):
1897         (JSC::DFG::BasicBlock::append):
1898         (JSC::DFG::BasicBlock::numSuccessors):
1899         (JSC::DFG::BasicBlock::successor):
1900         (JSC::DFG::BasicBlock::successorForCondition):
1901         (JSC::DFG::BasicBlock::dump):
1902         (UnlinkedBlock):
1903         (JSC::DFG::UnlinkedBlock::UnlinkedBlock):
1904         (JSC::DFG::getBytecodeBeginForBlock):
1905         (JSC::DFG::blockForBytecodeOffset):
1906         * dfg/DFGByteCodeParser.cpp:
1907         (ByteCodeParser):
1908         (InlineStackEntry):
1909         (JSC::DFG::ByteCodeParser::handleInlining):
1910         (JSC::DFG::ByteCodeParser::parseBlock):
1911         (JSC::DFG::ByteCodeParser::linkBlock):
1912         (JSC::DFG::ByteCodeParser::linkBlocks):
1913         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1914         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1915         (JSC::DFG::ByteCodeParser::parse):
1916         * dfg/DFGCFAPhase.cpp:
1917         (JSC::DFG::CFAPhase::performBlockCFA):
1918         (JSC::DFG::CFAPhase::performForwardCFA):
1919         * dfg/DFGCFGSimplificationPhase.cpp:
1920         (JSC::DFG::CFGSimplificationPhase::run):
1921         (JSC::DFG::CFGSimplificationPhase::convertToJump):
1922         * dfg/DFGCPSRethreadingPhase.cpp:
1923         (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1924         (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
1925         (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1926         (CPSRethreadingPhase):
1927         * dfg/DFGCSEPhase.cpp:
1928         (JSC::DFG::CSEPhase::run):
1929         * dfg/DFGConstantFoldingPhase.cpp:
1930         (JSC::DFG::ConstantFoldingPhase::run):
1931         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1932         * dfg/DFGDCEPhase.cpp:
1933         (JSC::DFG::DCEPhase::run):
1934         * dfg/DFGDisassembler.cpp:
1935         (JSC::DFG::Disassembler::Disassembler):
1936         (JSC::DFG::Disassembler::createDumpList):
1937         * dfg/DFGDisassembler.h:
1938         (JSC::DFG::Disassembler::setForBlockIndex):
1939         * dfg/DFGDominators.cpp:
1940         (JSC::DFG::Dominators::compute):
1941         (JSC::DFG::Dominators::iterateForBlock):
1942         * dfg/DFGDominators.h:
1943         (JSC::DFG::Dominators::dominates):
1944         * dfg/DFGFixupPhase.cpp:
1945         (JSC::DFG::FixupPhase::run):
1946         (JSC::DFG::FixupPhase::fixupNode):
1947         * dfg/DFGGraph.cpp:
1948         (JSC::DFG::Graph::dump):
1949         (JSC::DFG::Graph::dumpBlockHeader):
1950         (JSC::DFG::Graph::handleSuccessor):
1951         (JSC::DFG::Graph::determineReachability):
1952         (JSC::DFG::Graph::resetReachability):
1953         * dfg/DFGGraph.h:
1954         (JSC::DFG::Graph::numBlocks):
1955         (JSC::DFG::Graph::block):
1956         (JSC::DFG::Graph::lastBlock):
1957         (Graph):
1958         (JSC::DFG::Graph::appendBlock):
1959         (JSC::DFG::Graph::killBlock):
1960         (DFG):
1961         * dfg/DFGJITCompiler.cpp:
1962         (JSC::DFG::JITCompiler::JITCompiler):
1963         (JSC::DFG::JITCompiler::link):
1964         * dfg/DFGJITCompiler.h:
1965         (JSC::DFG::JITCompiler::setForBlockIndex):
1966         * dfg/DFGNaturalLoops.cpp:
1967         (JSC::DFG::NaturalLoop::dump):
1968         (JSC::DFG::NaturalLoops::compute):
1969         (JSC::DFG::NaturalLoops::loopsOf):
1970         * dfg/DFGNaturalLoops.h:
1971         (JSC::DFG::NaturalLoop::NaturalLoop):
1972         (JSC::DFG::NaturalLoop::addBlock):
1973         (JSC::DFG::NaturalLoop::header):
1974         (JSC::DFG::NaturalLoop::at):
1975         (JSC::DFG::NaturalLoop::operator[]):
1976         (JSC::DFG::NaturalLoop::contains):
1977         (NaturalLoop):
1978         (JSC::DFG::NaturalLoops::headerOf):
1979         (NaturalLoops):
1980         * dfg/DFGNode.h:
1981         (DFG):
1982         (JSC::DFG::SwitchCase::SwitchCase):
1983         (JSC::DFG::SwitchCase::withBytecodeIndex):
1984         (SwitchCase):
1985         (JSC::DFG::SwitchCase::targetBytecodeIndex):
1986         (JSC::DFG::SwitchData::SwitchData):
1987         (JSC::DFG::SwitchData::setFallThroughBytecodeIndex):
1988         (JSC::DFG::SwitchData::fallThroughBytecodeIndex):
1989         (SwitchData):
1990         (JSC::DFG::Node::setTakenBlock):
1991         (JSC::DFG::Node::setNotTakenBlock):
1992         (JSC::DFG::Node::takenBlock):
1993         (JSC::DFG::Node::notTakenBlock):
1994         (JSC::DFG::Node::successor):
1995         (JSC::DFG::Node::successorForCondition):
1996         * dfg/DFGPredictionInjectionPhase.cpp:
1997         (JSC::DFG::PredictionInjectionPhase::run):
1998         * dfg/DFGPredictionPropagationPhase.cpp:
1999         (JSC::DFG::PredictionPropagationPhase::propagateForward):
2000         (JSC::DFG::PredictionPropagationPhase::propagateBackward):
2001         (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
2002         * dfg/DFGSpeculativeJIT.cpp:
2003         (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
2004         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
2005         (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
2006         (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
2007         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
2008         (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
2009         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2010         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2011         (JSC::DFG::SpeculativeJIT::compile):
2012         (JSC::DFG::SpeculativeJIT::createOSREntries):
2013         (JSC::DFG::SpeculativeJIT::linkOSREntries):
2014         (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
2015         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2016         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
2017         (JSC::DFG::SpeculativeJIT::addBranch):
2018         (JSC::DFG::SpeculativeJIT::linkBranches):
2019         * dfg/DFGSpeculativeJIT.h:
2020         (JSC::DFG::SpeculativeJIT::nextBlock):
2021         (SpeculativeJIT):
2022         (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
2023         (JSC::DFG::SpeculativeJIT::branchDouble):
2024         (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
2025         (JSC::DFG::SpeculativeJIT::branch32):
2026         (JSC::DFG::SpeculativeJIT::branchTest32):
2027         (JSC::DFG::SpeculativeJIT::branch64):
2028         (JSC::DFG::SpeculativeJIT::branch8):
2029         (JSC::DFG::SpeculativeJIT::branchPtr):
2030         (JSC::DFG::SpeculativeJIT::branchTestPtr):
2031         (JSC::DFG::SpeculativeJIT::branchTest8):
2032         (JSC::DFG::SpeculativeJIT::jump):
2033         (JSC::DFG::SpeculativeJIT::addBranch):
2034         (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
2035         (StringSwitchCase):
2036         (JSC::DFG::SpeculativeJIT::BranchRecord::BranchRecord):
2037         (BranchRecord):
2038         * dfg/DFGSpeculativeJIT32_64.cpp:
2039         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2040         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
2041         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2042         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2043         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2044         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2045         (JSC::DFG::SpeculativeJIT::emitBranch):
2046         (JSC::DFG::SpeculativeJIT::compile):
2047         * dfg/DFGSpeculativeJIT64.cpp:
2048         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2049         (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
2050         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2051         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
2052         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2053         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2054         (JSC::DFG::SpeculativeJIT::emitBranch):
2055         (JSC::DFG::SpeculativeJIT::compile):
2056         * dfg/DFGTypeCheckHoistingPhase.cpp:
2057         (JSC::DFG::TypeCheckHoistingPhase::run):
2058         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2059         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2060         (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
2061         * dfg/DFGUnificationPhase.cpp:
2062         (JSC::DFG::UnificationPhase::run):
2063         * dfg/DFGValidate.cpp:
2064         (JSC::DFG::Validate::validate):
2065         (JSC::DFG::Validate::checkOperand):
2066         (JSC::DFG::Validate::reportValidationContext):
2067         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2068         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2069         * ftl/FTLCapabilities.cpp:
2070         (JSC::FTL::canCompile):
2071         * ftl/FTLLowerDFGToLLVM.cpp:
2072         (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
2073         (JSC::FTL::LowerDFGToLLVM::lower):
2074         (JSC::FTL::LowerDFGToLLVM::compileBlock):
2075         (JSC::FTL::LowerDFGToLLVM::compileJump):
2076         (JSC::FTL::LowerDFGToLLVM::compileBranch):
2077         (JSC::FTL::LowerDFGToLLVM::lowBlock):
2078
2079 2013-07-04  Filip Pizlo  <fpizlo@apple.com>
2080
2081         Unreviewed, add a helpful comment for why DCE is needed in the FTL.
2082
2083         I believe I've now twice down the experiment of disabling DCE in the FTL,
2084         only to realize that this can't work, and that DCE is needed. I'd kind of
2085         like to not make that mistake again.
2086
2087         * dfg/DFGPlan.cpp:
2088         (JSC::DFG::Plan::compileInThreadImpl):
2089
2090 2013-07-02  Filip Pizlo  <fpizlo@apple.com>
2091
2092         fourthTier: DFG::Node::m_opInfo2 should also be a uintptr_t
2093         https://bugs.webkit.org/show_bug.cgi?id=118340
2094
2095         Reviewed by Sam Weinig.
2096
2097         * dfg/DFGNode.h:
2098         (JSC::DFG::Node::Node):
2099
2100 2013-07-02  Filip Pizlo  <fpizlo@apple.com>
2101
2102         Unreviewed, fix 32-bit build.
2103
2104         * assembler/MacroAssembler.h:
2105         (JSC::MacroAssembler::comparePtr):
2106         (MacroAssembler):
2107         * dfg/DFGBinarySwitch.cpp:
2108         (JSC::DFG::BinarySwitch::advance):
2109         * dfg/DFGBinarySwitch.h:
2110         (JSC::DFG::BinarySwitch::caseValue):
2111
2112 2013-07-02  Filip Pizlo  <fpizlo@apple.com>
2113
2114         fourthTier: Have fewer Arrayify's
2115         https://bugs.webkit.org/show_bug.cgi?id=118335
2116
2117         Reviewed by Mark Hahnenberg.
2118         
2119         A lot of Arrayify's arise because some program saw Int32 arrays early on in
2120         execution, but then they all got converted to Double arrays and the program
2121         will never see Int32 arrays ever again. Prior to this change you would always
2122         have an Arrayify in this case. But with this change, the first time that an
2123         ArrayProfile is about to go polymorphic in computeUpdatedPrediction(), it
2124         instead forcibly monomorphises itself to the latest-seen structure.
2125         Thereafter it will never again perform this monomorphisation. This is
2126         controlled by ArrayProfile::m_didPerformFirstRunPruning. This is a 5%
2127         speed-up on Kraken/imaging-gaussian-blur with the FTL enabled, and it
2128         unblocks a bunch of stuff we want to do in the future because it makes a
2129         bunch of loops effect-free.
2130         
2131         We will still want to implement Arrayify hoisting in the future, but this is
2132         great anyway because it's better to not have Arrayifications than it is to
2133         have hoisted Arrayifications.
2134
2135         * bytecode/ArrayProfile.cpp:
2136         (JSC::ArrayProfile::computeUpdatedPrediction):
2137         (JSC::ArrayProfile::briefDescription):
2138         (JSC):
2139         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2140         * bytecode/ArrayProfile.h:
2141         (JSC::ArrayProfile::ArrayProfile):
2142         (ArrayProfile):
2143
2144 2013-07-02  Filip Pizlo  <fpizlo@apple.com>
2145
2146         fourthTier: add option to disable OSR entry in loops
2147         https://bugs.webkit.org/show_bug.cgi?id=118329
2148
2149         Reviewed by Mark Hahnenberg.
2150         
2151         This adds that option, and also makes the OSR exit reoptimization trigger rely less on
2152         OSR entry failing. Now even if we never attempt OSR entry but our execution counter gets
2153         high after a small number of OSR exits, we will recompile.
2154
2155         * dfg/DFGOSRExitCompilerCommon.cpp:
2156         (JSC::DFG::handleExitCounts):
2157         * dfg/DFGOperations.cpp:
2158         * jit/JITOpcodes.cpp:
2159         (JSC::JIT::emit_op_loop_hint):
2160         (JSC::JIT::emitSlow_op_loop_hint):
2161         * runtime/Options.h:
2162         (JSC):
2163
2164 2013-07-02  Filip Pizlo  <fpizlo@apple.com>
2165
2166         fourthTier: since the FTL disassembly hacks cannot distinguish between code and data, the LLVM disassembler symbol table callback should be able to deal gracefully with arbitrary garbage
2167         https://bugs.webkit.org/show_bug.cgi?id=118313
2168
2169         Reviewed by Mark Hahnenberg.
2170         
2171         Give it a mode where we can still crash on unrecognized reference types, so that we might
2172         implement them in the future, but by default just print some stuff and keep going.
2173
2174         * disassembler/LLVMDisassembler.cpp:
2175         (JSC):
2176         (JSC::symbolLookupCallback):
2177
2178 2013-07-02  Filip Pizlo  <fpizlo@apple.com>
2179
2180         fourthTier: FTL should use the equivalent of llvm opt -O2 by default
2181         https://bugs.webkit.org/show_bug.cgi?id=118311
2182
2183         Reviewed by Mark Hahnenberg.
2184         
2185         Use a PassManagerBuilder instead of rolling our own.
2186         
2187         This boosts our speed-up by another 5% or so.
2188
2189         * ftl/FTLCompile.cpp:
2190         (JSC::FTL::compile):
2191         * runtime/Options.h:
2192         (JSC):
2193
2194 2013-07-01  Filip Pizlo  <fpizlo@apple.com>
2195
2196         fourthTier: FTL should run LICM after AA setup
2197         https://bugs.webkit.org/show_bug.cgi?id=118277
2198
2199         Reviewed by Maciej Stachowiak.
2200         
2201         LICM queries alias analysis. Hence, just like GVN, it should run after
2202         we have set up the alias analysis.
2203
2204         * ftl/FTLCompile.cpp:
2205         (JSC::FTL::compile):
2206
2207 2013-07-01  Filip Pizlo  <fpizlo@apple.com>
2208
2209         fourthTier: FTL should run AA passes before GVN
2210         https://bugs.webkit.org/show_bug.cgi?id=118276
2211
2212         Rubber stamped by Geoffrey Garen.
2213         
2214         These enable load elimination in GVN.
2215         
2216         Immediately gives us a speed-up on a bunch of benchmarks I hacked to run
2217         properly in the FTL. One example is 20% on imaging-gaussian-blur. (Fair
2218         warning: the stock version of that benchmark won't see speed-ups -
2219         probably slow-downs instead - because the FTL can't do OSR entry yet.)
2220         Another example is the findGraphNode function, which now sees a 7%
2221         speed-up, and that's without even doing LICM or other good things.
2222
2223         * ftl/FTLCompile.cpp:
2224         (JSC::FTL::compile):
2225
2226 2013-06-27  Filip Pizlo  <fpizlo@apple.com>
2227
2228         Make Graph::substituteGetLocal() out-of-line
2229
2230         Rubber stamped by Geoffrey Garen.
2231
2232         * dfg/DFGGraph.cpp:
2233         (JSC::DFG::Graph::substituteGetLocal):
2234         (DFG):
2235         * dfg/DFGGraph.h:
2236         (Graph):
2237
2238 2013-06-27  Filip Pizlo  <fpizlo@apple.com>
2239
2240         fourthTier: DFG should know how to find natural loops
2241         https://bugs.webkit.org/show_bug.cgi?id=118152
2242
2243         Reviewed by Mark Hahnenberg.
2244         
2245         There are a bunch of things we can do when we know where the loops are.
2246         Previously we didn't. With this patch, we do.
2247         
2248         This patch adds the classic dominator based natural loop finder.
2249         
2250         The only client of this right now is the DFG::Disassembler. It prints out
2251         a summary of the analysis for each block.
2252         
2253         This will become more important when I do
2254         https://bugs.webkit.org/show_bug.cgi?id=118151, which definitely requires
2255         this kind of analysis, at least if we want to do the optimization over
2256         DFG IR (and I'm pretty sure we do).
2257
2258         * JavaScriptCore.xcodeproj/project.pbxproj:
2259         * dfg/DFGAnalysis.h: Added.
2260         (DFG):
2261         (Analysis):
2262         (JSC::DFG::Analysis::Analysis):
2263         (JSC::DFG::Analysis::invalidate):
2264         (JSC::DFG::Analysis::computeIfNecessary):
2265         (JSC::DFG::Analysis::isValid):
2266         * dfg/DFGCFGSimplificationPhase.cpp:
2267         (JSC::DFG::CFGSimplificationPhase::run):
2268         * dfg/DFGDisassembler.cpp:
2269         (JSC::DFG::Disassembler::createDumpList):
2270         * dfg/DFGDominators.cpp:
2271         (JSC::DFG::Dominators::Dominators):
2272         (JSC::DFG::Dominators::compute):
2273         * dfg/DFGDominators.h:
2274         (Dominators):
2275         * dfg/DFGGraph.cpp:
2276         (JSC::DFG::Graph::dumpBlockHeader):
2277         (JSC::DFG::Graph::invalidateCFG):
2278         (DFG):
2279         * dfg/DFGGraph.h:
2280         (Graph):
2281         * dfg/DFGNaturalLoops.cpp: Added.
2282         (DFG):
2283         (JSC::DFG::NaturalLoop::dump):
2284         (JSC::DFG::NaturalLoops::NaturalLoops):
2285         (JSC::DFG::NaturalLoops::~NaturalLoops):
2286         (JSC::DFG::NaturalLoops::compute):
2287         (JSC::DFG::NaturalLoops::loopsOf):
2288         (JSC::DFG::NaturalLoops::dump):
2289         * dfg/DFGNaturalLoops.h: Added.
2290         (DFG):
2291         (NaturalLoop):
2292         (JSC::DFG::NaturalLoop::NaturalLoop):
2293         (JSC::DFG::NaturalLoop::addBlock):
2294         (JSC::DFG::NaturalLoop::header):
2295         (JSC::DFG::NaturalLoop::size):
2296         (JSC::DFG::NaturalLoop::at):
2297         (JSC::DFG::NaturalLoop::operator[]):
2298         (JSC::DFG::NaturalLoop::contains):
2299         (NaturalLoops):
2300         (JSC::DFG::NaturalLoops::numLoops):
2301         (JSC::DFG::NaturalLoops::loop):
2302         (JSC::DFG::NaturalLoops::headerOf):
2303
2304 2013-06-27  Filip Pizlo  <fpizlo@apple.com>
2305
2306         fourthTier: JSC's disassembly infrastructure should be able to disassemble the code that LLVM generates
2307         https://bugs.webkit.org/show_bug.cgi?id=118148
2308
2309         Reviewed by Anders Carlsson.
2310         
2311         Oh boy. UDis86 cannot disassemble the AVX (or whatever it's called) stuff
2312         that LLVM generates for floating point. So the right decision is to
2313         switch to the LLVM disassembler, right? Wrong!! LLVM's disassembler
2314         cannot disassemble the load-from-absolute-address-into-%rax instructions
2315         that our JIT generates quite a lot of.
2316         
2317         So, this keeps the UDis86 disassembler, but adds the LLVM disassembler,
2318         and requires the caller of disassemble() to hint which one is likely to
2319         be less wrong for the given code.
2320         
2321         Maybe in the future LLVM will catch up to UDis86, but it's definitely not
2322         there right now.
2323         
2324         This now allows us to disassemble all of the code that LLVM generates.
2325
2326         * JavaScriptCore.xcodeproj/project.pbxproj:
2327         * disassembler/Disassembler.cpp:
2328         (JSC::disassemble):
2329         * disassembler/Disassembler.h:
2330         (JSC::tryToDisassemble):
2331         (JSC):
2332         * disassembler/LLVMDisassembler.cpp: Added.
2333         (JSC):
2334         (JSC::symbolLookupCallback):
2335         (JSC::tryToDisassembleWithLLVM):
2336         * disassembler/LLVMDisassembler.h: Added.
2337         (JSC):
2338         (JSC::tryToDisassembleWithLLVM):
2339         * disassembler/UDis86Disassembler.cpp:
2340         (JSC::tryToDisassembleWithUDis86):
2341         * disassembler/UDis86Disassembler.h: Added.
2342         (JSC):
2343         (JSC::tryToDisassembleWithUDis86):
2344         * disassembler/X86Disassembler.cpp: Added.
2345         (JSC):
2346         (JSC::tryToDisassemble):
2347         * ftl/FTLAbbreviatedTypes.h:
2348         * ftl/FTLCompile.cpp:
2349         (JSC::FTL::compile):
2350         * ftl/FTLJITCode.h:
2351         * ftl/FTLJITFinalizer.h:
2352         * ftl/FTLLLVMHeaders.h: Removed.
2353         * ftl/FTLLink.cpp:
2354         * runtime/InitializeThreading.cpp:
2355         (JSC::initializeThreadingOnce):
2356         * runtime/Options.h:
2357         (JSC):
2358
2359 2013-06-27  Filip Pizlo  <fpizlo@apple.com>
2360
2361         fourthTier: FTL should be able to dump disassembly
2362         https://bugs.webkit.org/show_bug.cgi?id=118141
2363
2364         Reviewed by Geoffrey Garen.
2365
2366         * ftl/FTLCompile.cpp:
2367         (JSC::FTL::compile):
2368
2369 2013-06-27  Filip Pizlo  <fpizlo@apple.com>
2370
2371         Unreviewed, fix build for LLVM ToT.
2372
2373         This doesn't affect those using the binary drops, but if you're building from
2374         LLVM ToT you'll get link errors. These arise because we expect there to be a
2375         libLLVMArchive, but that is no longer built by LLVM ToT. This casues the linker
2376         to fall back on the system's libLLVMArchive, which is incompatible with the
2377         other LLVM libs we pull in.
2378         
2379         Also, we didn't need that library anyway and shouldn't have been linking
2380         against it.
2381
2382         * Configurations/JavaScriptCore.xcconfig:
2383
2384 2013-06-26  Filip Pizlo  <fpizlo@apple.com>
2385
2386         fourthTier: FTL should support hole/OOB PutByVal's
2387         https://bugs.webkit.org/show_bug.cgi?id=118112
2388
2389         Reviewed by Geoffrey Garen.
2390         
2391         Added a common code generator for the out-of-bounds case that is reused by
2392         all contiguous-like arrays (Int32, Double, Contiguous).
2393         
2394         This is relatively straight-forward, except that it's the first time that
2395         the FTL has to call DFG operations that take more than two arguments.
2396
2397         * ftl/FTLAbbreviations.h:
2398         (JSC::FTL::functionType):
2399         (JSC::FTL::buildCall):
2400         * ftl/FTLAbstractHeapRepository.h:
2401         (FTL):
2402         * ftl/FTLCapabilities.cpp:
2403         (JSC::FTL::canCompile):
2404         * ftl/FTLIntrinsicRepository.h:
2405         (FTL):
2406         * ftl/FTLLowerDFGToLLVM.cpp:
2407         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2408         (LowerDFGToLLVM):
2409         (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
2410         (JSC::FTL::LowerDFGToLLVM::vmCall):
2411         * ftl/FTLOutput.h:
2412         (JSC::FTL::Output::call):
2413
2414 2013-06-26  Filip Pizlo  <fpizlo@apple.com>
2415
2416         fourthTier: FTL::canCompile(Graph&) should not consider nodes that won't be compiled
2417         https://bugs.webkit.org/show_bug.cgi?id=118097
2418
2419         Reviewed by Mark Hahnenberg.
2420         
2421         This increases coverage to include programs that have unprofiled paths. Those paths will
2422         often have nodes that appear to do untyped speculations, and the FTL sometimes doesn't
2423         support those; except that it doesn't matter since the reason why they were untyped is
2424         that they were unprofiled and anyway we won't run them because we'll exit before them.
2425
2426         * ftl/FTLCapabilities.cpp:
2427         (JSC::FTL::canCompile):
2428
2429 2013-06-26  Filip Pizlo  <fpizlo@apple.com>
2430
2431         fourthTier: FTL should support ArrayifyToStructure
2432         https://bugs.webkit.org/show_bug.cgi?id=118095
2433
2434         Reviewed by Mark Hahnenberg.
2435
2436         * ftl/FTLCapabilities.cpp:
2437         (JSC::FTL::canCompile):
2438         * ftl/FTLIntrinsicRepository.h:
2439         (FTL):
2440         * ftl/FTLLowerDFGToLLVM.cpp:
2441         (JSC::FTL::LowerDFGToLLVM::compileNode):
2442         (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
2443         (LowerDFGToLLVM):
2444
2445 2013-06-26  Filip Pizlo  <fpizlo@apple.com>
2446
2447         fourthTier: FTL should support ForwardCheckStructure/ForwardStructureTransitionWatchpoint and doing so shouldn't break V8/crypto
2448         https://bugs.webkit.org/show_bug.cgi?id=118091
2449
2450         Reviewed by Mark Hahnenberg.
2451         
2452         I was going to just add ForwardCheckStructure/ForwardStructureTransitionWatchpoint support,
2453         which is trivial. But doing so increases coverage a lot, and revealed long-standing bugs in
2454         the FTL. I then fixed those bugs, also:
2455         
2456         - The FTL should not attempt to compile a block that is not reachable according to the CFA.
2457           This is analogous to terminating basic block compilation if the CFA becomes !isValid().
2458           Attempting to compile such a block means that you're running on broken CFA state, and the
2459           CFA will become inconsistent with the code you're generating, leading to some
2460           strangeness. For example, the FTL relies on the CFA to tell it that we gave up compiling
2461           a node and hence don't have LValue's for that node (by virtue of us giving up due to
2462           !isValid()). But the CFA's isValid() bit will not be set correctly for blocks that
2463           weren't visited by the CFA at all, and the CFA expects you to know this because it
2464           expects that you already checked BasicBlock::cfaHasVisited.
2465         
2466         - SetLocal needs to change the ValueSource of the operand to indicate that its value has
2467           been stashed in the local (i.e. the "reference" corresponding to the operand in FTL
2468           speak). This is because although OSR exit already knows that the value of the operand is
2469           stored in the Node, and it already knows what LValue corresponds to the node, OSR exit
2470           will also assume that if the Node dies then the value-at-exit for that operand should be
2471           Dead (i.e. jsUndefined). But the Node dying, and the local dying, are two distinct
2472           things; in particular the local always outlives the Node in the case of a SetLocal. So,
2473           we just need to have SetLocal have the ValueSource be BlahInLocal rather than HaveNode,
2474           to ensure that OSR exit knows that the darn thing is really live until the end of the
2475           basic block, as opposed to until whenever the Node dies (which could be at any time).
2476         
2477         - PutByOffset was erroneously storing to an offset from the base object, rather than an
2478           offset from the storage. Note that the storage will be the base object (exactly - i.e.
2479           same node, same value) for inline stores, but will be a distinct thing for out-of-line
2480           stores.
2481         
2482         - At-head set-up of OSR exit state was using ValueInLocals for variables forced double,
2483           when it should have been using DoubleInLocals.
2484
2485         * ftl/FTLCapabilities.cpp:
2486         (JSC::FTL::canCompile):
2487         * ftl/FTLLowerDFGToLLVM.cpp:
2488         (JSC::FTL::LowerDFGToLLVM::compileBlock):
2489         (JSC::FTL::LowerDFGToLLVM::compileNode):
2490         (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
2491         (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
2492         (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
2493         (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
2494
2495 2013-06-26  Filip Pizlo  <fpizlo@apple.com>
2496
2497         fourthTier: FTL should support PutByVal
2498         https://bugs.webkit.org/show_bug.cgi?id=118075
2499
2500         Reviewed by Mark Hahnenberg.
2501
2502         * ftl/FTLCapabilities.cpp:
2503         (JSC::FTL::canCompile):
2504         * ftl/FTLLowerDFGToLLVM.cpp:
2505         (JSC::FTL::LowerDFGToLLVM::lower):
2506         (JSC::FTL::LowerDFGToLLVM::compileNode):
2507         (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2508         (LowerDFGToLLVM):
2509         (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2510
2511 2013-06-25  Filip Pizlo  <fpizlo@apple.com>
2512
2513         fourthTier: Convert versus AsIs should have no bearing on whether we can do the SaneChain optimization for double array GetByVals
2514         https://bugs.webkit.org/show_bug.cgi?id=118028
2515
2516         Reviewed by Sam Weinig.
2517         
2518         The SaneChain optimization allows us to get rid of the NaN check on loading from
2519         a double array, if the result is used in an arithmetic op that wouldn't
2520         distinguish between NaN and undefined. Normally the NaN check would be needed
2521         because NaN is the hole marker.
2522         
2523         The SaneChain optimization definitely requires that you're an Original array,
2524         since we need to watchpoint the array prototype chain. And so it also needs to
2525         be a JSArray, and not an object that has indexed double properties. We also
2526         require an in-bounds access, since the backend is only capable of the
2527         optimization in the in-bounds case (though we could extend it to OOB in the
2528         future). But whether the array is being converted or is as-is isn't relevant.
2529         Either way, if it's a double original array in-bounds access by the time that
2530         the array check (or conversion!) completes, we can do the optimization.
2531         
2532         Ever-so-slight speed-up on Kraken/imaging-gaussian-blur.
2533
2534         * dfg/DFGFixupPhase.cpp:
2535         (JSC::DFG::FixupPhase::fixupNode):
2536
2537 2013-06-25  Filip Pizlo  <fpizlo@apple.com>
2538
2539         fourthTier: DFG should support switch_string
2540         https://bugs.webkit.org/show_bug.cgi?id=117967
2541
2542         Reviewed by Sam Weinig.
2543         
2544         Add a reusable binary switch creator.
2545         
2546         Implement switch on string using three modes:
2547         
2548         - Binary switch on StringImpl* in the case of identifiers.
2549         
2550         - Trie of binary switches on characters in the case of a not-too-big
2551           switch over not-too-big 8-bit strings.
2552         
2553         - Hash lookup if all else fails.
2554         
2555         Anywhere from a 2x to 3x speed-up on microbenchmarks that stress
2556         string switches. 25-35% speed-up on HashMap tests. 4% speed-up on
2557         pdfjs.
2558
2559         * JavaScriptCore.xcodeproj/project.pbxproj:
2560         * bytecode/JumpTable.h:
2561         (StringJumpTable):
2562         (JSC::StringJumpTable::clear):
2563         * dfg/DFGBackwardsPropagationPhase.cpp:
2564         (JSC::DFG::BackwardsPropagationPhase::propagate):
2565         * dfg/DFGBinarySwitch.cpp: Added.
2566         (DFG):
2567         (JSC::DFG::BinarySwitch::BinarySwitch):
2568         (JSC::DFG::BinarySwitch::advance):
2569         (JSC::DFG::BinarySwitch::build):
2570         * dfg/DFGBinarySwitch.h: Added.
2571         (DFG):
2572         (BinarySwitch):
2573         (JSC::DFG::BinarySwitch::caseIndex):
2574         (JSC::DFG::BinarySwitch::caseValue):
2575         (JSC::DFG::BinarySwitch::fallThrough):
2576         (JSC::DFG::BinarySwitch::Case::Case):
2577         (Case):
2578         (JSC::DFG::BinarySwitch::Case::operator<):
2579         (JSC::DFG::BinarySwitch::BranchCode::BranchCode):
2580         (BranchCode):
2581         * dfg/DFGByteCodeParser.cpp:
2582         (JSC::DFG::ByteCodeParser::parseBlock):
2583         * dfg/DFGCapabilities.cpp:
2584         (JSC::DFG::capabilityLevel):
2585         * dfg/DFGFixupPhase.cpp:
2586         (JSC::DFG::FixupPhase::fixupNode):
2587         * dfg/DFGJITCompiler.cpp:
2588         (JSC::DFG::JITCompiler::link):
2589         * dfg/DFGLazyJSValue.cpp:
2590         (JSC::DFG::LazyJSValue::getValue):
2591         (JSC::DFG::equalToStringImpl):
2592         (DFG):
2593         (JSC::DFG::LazyJSValue::strictEqual):
2594         (JSC::DFG::LazyJSValue::dump):
2595         * dfg/DFGLazyJSValue.h:
2596         (JSC::DFG::LazyJSValue::knownStringImpl):
2597         (LazyJSValue):
2598         (JSC::DFG::LazyJSValue::stringImpl):
2599         (JSC::DFG::LazyJSValue::switchLookupValue):
2600         * dfg/DFGNode.cpp:
2601         (WTF::printInternal):
2602         * dfg/DFGNode.h:
2603         * dfg/DFGOperations.cpp:
2604         * dfg/DFGOperations.h:
2605         * dfg/DFGSpeculativeJIT.cpp:
2606         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2607         (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<):
2608         (DFG):
2609         (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
2610         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
2611         (JSC::DFG::SpeculativeJIT::emitSwitchString):
2612         (JSC::DFG::SpeculativeJIT::emitSwitch):
2613         (JSC::DFG::SpeculativeJIT::addBranch):
2614         * dfg/DFGSpeculativeJIT.h:
2615         (JSC::DFG::SpeculativeJIT::callOperation):
2616         (JSC::DFG::SpeculativeJIT::branch8):
2617         (SpeculativeJIT):
2618         (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
2619         (StringSwitchCase):
2620         * ftl/FTLLowerDFGToLLVM.cpp:
2621         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2622         * runtime/Options.h:
2623         (JSC):
2624
2625 2013-06-24  Filip Pizlo  <fpizlo@apple.com>
2626
2627         fourthTier: Count external memory usage towards heap footprint
2628         https://bugs.webkit.org/show_bug.cgi?id=117948
2629
2630         Reviewed by Geoffrey Garen.
2631
2632         Currently just count strings. Strings get counted in such a way that we won't re-count strings
2633         that are aliased, by dividing by the reference count. This then ups the GC footprint and allows
2634         the collector to appropriately amortize itself.
2635
2636         * heap/Heap.cpp:
2637         (JSC::Heap::Heap):
2638         (JSC::Heap::size):
2639         (JSC::Heap::collect):
2640         * heap/Heap.h:
2641         (Heap):
2642         * heap/SlotVisitor.h:
2643         * heap/SlotVisitorInlines.h:
2644         (JSC::SlotVisitor::reportExtraMemoryUsage):
2645         (JSC):
2646         * runtime/JSString.cpp:
2647         (JSC::JSString::visitChildren):
2648
2649 2013-06-23  Filip Pizlo  <fpizlo@apple.com>
2650
2651         fourthTier: DFG should optimize identifier string equality
2652         https://bugs.webkit.org/show_bug.cgi?id=117920
2653
2654         Reviewed by Sam Weinig.
2655         
2656         This is a 20% speed-up for string equality comparisons when both strings are
2657         identifiers.
2658         
2659         This is important for two reasons:
2660         
2661         1) Using strings as enumerations is an idiom. A great example is typeof. It
2662            would be great if this performed better.
2663         
2664         2) When I implement switch_string in the DFG, it would be great to optimize
2665            the case where the switched-on value is an identifier. That would involve
2666            a simple binary switch rather than a more complicated trie-switch over
2667            characters.
2668
2669         * bytecode/SpeculatedType.cpp:
2670         (JSC::dumpSpeculation):
2671         (JSC::speculationToAbbreviatedString):
2672         (JSC::speculationFromCell):
2673         * bytecode/SpeculatedType.h:
2674         (JSC):
2675         (JSC::isStringIdentSpeculation):
2676         (JSC::isStringSpeculation):
2677         * dfg/DFGAbstractState.cpp:
2678         (JSC::DFG::AbstractState::executeEffects):
2679         * dfg/DFGFixupPhase.cpp:
2680         (JSC::DFG::FixupPhase::fixupNode):
2681         * dfg/DFGNode.h:
2682         (JSC::DFG::Node::shouldSpeculateStringIdent):
2683         (Node):
2684         * dfg/DFGSpeculativeJIT.cpp:
2685         (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2686         (JSC::DFG::SpeculativeJIT::compare):
2687         (JSC::DFG::SpeculativeJIT::compileStrictEq):
2688         (JSC::DFG::SpeculativeJIT::compileStringEquality):
2689         (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
2690         (DFG):
2691         (JSC::DFG::SpeculativeJIT::speculateString):
2692         (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
2693         (JSC::DFG::SpeculativeJIT::speculateStringIdent):
2694         (JSC::DFG::SpeculativeJIT::speculate):
2695         * dfg/DFGSpeculativeJIT.h:
2696         (SpeculativeJIT):
2697         * dfg/DFGUseKind.cpp:
2698         (WTF::printInternal):
2699         * dfg/DFGUseKind.h:
2700         (JSC::DFG::typeFilterFor):
2701         (JSC::DFG::isCell):
2702
2703 2013-06-22  Filip Pizlo  <fpizlo@apple.com>
2704
2705         fourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds
2706         https://bugs.webkit.org/show_bug.cgi?id=117906
2707
2708         Reviewed by Mark Hahnenberg.
2709         
2710         This does the obvious thing, but also makes sure that out-of-bounds accesses
2711         don't fall off into a C call, but try to do the fast thing if the prototype
2712         chain is sane. We ought to probably do this for other array accesses in the
2713         future, as well, since it's so darn easy.
2714
2715         * dfg/DFGAbstractState.cpp:
2716         (JSC::DFG::AbstractState::executeEffects):
2717         * dfg/DFGFixupPhase.cpp:
2718         (JSC::DFG::FixupPhase::fixupNode):
2719         * dfg/DFGOperations.cpp:
2720         * dfg/DFGOperations.h:
2721         * dfg/DFGSpeculativeJIT.cpp:
2722         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2723         * dfg/DFGSpeculativeJIT.h:
2724         (JSC::DFG::SpeculativeJIT::callOperation):
2725         * runtime/JSGlobalObject.cpp:
2726         (JSC::JSGlobalObject::objectPrototypeIsSane):
2727         (JSC):
2728         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
2729         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
2730         * runtime/JSGlobalObject.h:
2731         (JSGlobalObject):
2732
2733 2013-06-22  Filip Pizlo  <fpizlo@apple.com>
2734
2735         fourthTier: GC's put_by_id transition fixpoint should converge more quickly
2736         https://bugs.webkit.org/show_bug.cgi?id=117912
2737
2738         Reviewed by Mark Hahnenberg.
2739
2740         This was a rookie mistake. The GC does a classic forward data flow fixpoint. These work well so long as you
2741         iterate the program in program order, or at least something close to program order. Because I enjoy reverse
2742         loops ("while (n--) blah"), I ended up iterating in *reverse* of program order which ensured worst-case
2743         pathologies every single time. And unsurprisingly, this slowed down a program, namely pdfjs.
2744
2745         Flipping the loops to iterate forward fixes a 90% regression in Octane/pdfjs and is otherwise neutral.
2746
2747         * bytecode/CodeBlock.cpp:
2748         (JSC::CodeBlock::propagateTransitions):
2749
2750 2013-06-21  Filip Pizlo  <fpizlo@apple.com>
2751
2752         fourthTier: DFG should CSE MakeRope
2753         https://bugs.webkit.org/show_bug.cgi?id=117905
2754
2755         Reviewed by Geoffrey Garen.
2756         
2757         Adds MakeRope to the CSE phase and removes the comment that says that
2758         we could do it but aren't doing it.
2759         
2760         Also fixed SpeculatedType dumping so that if you have a Cell type then
2761         it just prints "Cell" and if you just have Object then it just prints
2762         "Object", instead of printing the long list of types.
2763
2764         * bytecode/SpeculatedType.cpp:
2765         (JSC::dumpSpeculation):
2766         * dfg/DFGCSEPhase.cpp:
2767         (JSC::DFG::CSEPhase::performNodeCSE):
2768
2769 2013-06-21  Filip Pizlo  <fpizlo@apple.com>
2770
2771         fourthTier: DFG should't exit just because it GetByVal'd a big character
2772         https://bugs.webkit.org/show_bug.cgi?id=117899
2773
2774         Reviewed by Mark Hahnenberg.
2775         
2776         Add a slow path. Also clarify handling of GetByVal in PutStructure elimination.
2777         Previously it would fail due to canExit() but now we can also fail because
2778         GetByVal(String) can allocate. Just make it so GetByVal is totally poisoned, in
2779         a very explicit way.
2780
2781         * dfg/DFGCSEPhase.cpp:
2782         (JSC::DFG::CSEPhase::putStructureStoreElimination):
2783         * dfg/DFGOperations.cpp:
2784         * dfg/DFGOperations.h:
2785         * dfg/DFGSpeculativeJIT.cpp:
2786         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2787         * dfg/DFGSpeculativeJIT.h:
2788         (JSC::DFG::SpeculativeJIT::callOperation):
2789         (SpeculativeJIT):
2790
2791 2013-06-21  Filip Pizlo  <fpizlo@apple.com>
2792
2793         fourthTier: Small strings shouldn't get GC'd
2794         https://bugs.webkit.org/show_bug.cgi?id=117897
2795
2796         Reviewed by Mark Hahnenberg.
2797         
2798         Kill off the code needed to allocate them lazily and finalize them.
2799
2800         * dfg/DFGSpeculativeJIT.cpp:
2801         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2802         * heap/Heap.cpp:
2803         (JSC::Heap::collect):
2804         * runtime/JSString.h:
2805         (JSC::jsSingleCharacterString):
2806         (JSC::jsSingleCharacterSubstring):
2807         (JSC::jsString):
2808         (JSC::jsSubstring8):
2809         (JSC::jsSubstring):
2810         (JSC::jsOwnedString):
2811         * runtime/NumberPrototype.cpp:
2812         (JSC::integerValueToString):
2813         * runtime/SmallStrings.cpp:
2814         (JSC):
2815         (JSC::SmallStrings::initializeCommonStrings):
2816         (JSC::SmallStrings::visitStrongReferences):
2817         * runtime/SmallStrings.h:
2818         (JSC::SmallStrings::singleCharacterString):
2819         (SmallStrings):
2820
2821 2013-06-20  Filip Pizlo  <fpizlo@apple.com>
2822
2823         fourthTier: Structure should have a dump()
2824         https://bugs.webkit.org/show_bug.cgi?id=117859
2825
2826         Reviewed by Geoffrey Garen.
2827         
2828         This is pretty cool. Anywhere we previously printed Structure pointers in dumps,
2829         we now print a bunch of other info as well. For example, for an object literal
2830         like "{f:42, g:64, h:24}", when we print the structure we'll now get:
2831
2832             0x107a0af80:[Object, {f:0, g:1, h:2}, NonArray, Proto:0x107a8fff0]
2833         
2834         This also changes a bunch of places to use the dump method.
2835
2836         * bytecode/StructureSet.h:
2837         (JSC::StructureSet::dump):
2838         * dfg/DFGGraph.cpp:
2839         (JSC::DFG::Graph::dump):
2840         * dfg/DFGStructureAbstractValue.h:
2841         (JSC::DFG::StructureAbstractValue::dump):
2842         * runtime/JSCJSValue.cpp:
2843         (JSC::JSValue::dump):
2844         * runtime/Structure.cpp:
2845         (JSC::Structure::dump):
2846         (JSC):
2847         * runtime/Structure.h:
2848         (Structure):
2849
2850 2013-06-20  Filip Pizlo  <fpizlo@apple.com>
2851
2852         fourthTier: There should only be one table of SimpleJumpTables
2853         https://bugs.webkit.org/show_bug.cgi?id=117856
2854
2855         Reviewed by Geoffrey Garen.
2856         
2857         Having multiple tables of SimpleJumpTables just means we have to duplicate a
2858         ton of code. This patch deduplicates all of it.
2859
2860         * bytecode/CodeBlock.cpp:
2861         (JSC::CodeBlock::dumpBytecode):
2862         (JSC):
2863         (JSC::CodeBlock::CodeBlock):
2864         (JSC::CodeBlock::shrinkToFit):
2865         * bytecode/CodeBlock.h:
2866         (JSC::CodeBlock::numberOfSwitchJumpTables):
2867         (JSC::CodeBlock::addSwitchJumpTable):
2868         (JSC::CodeBlock::switchJumpTable):
2869         (JSC::CodeBlock::clearSwitchJumpTables):
2870         (RareData):
2871         * bytecode/PreciseJumpTargets.cpp:
2872         (JSC):
2873         (JSC::computePreciseJumpTargets):
2874         * bytecode/UnlinkedCodeBlock.h:
2875         (JSC::UnlinkedCodeBlock::shrinkToFit):
2876         (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables):
2877         (JSC::UnlinkedCodeBlock::addSwitchJumpTable):
2878         (JSC::UnlinkedCodeBlock::switchJumpTable):
2879         (RareData):
2880         * bytecompiler/BytecodeGenerator.cpp:
2881         (JSC):
2882         (JSC::prepareJumpTableForSwitch):
2883         (JSC::BytecodeGenerator::endSwitch):
2884         * dfg/DFGByteCodeParser.cpp:
2885         (InlineStackEntry):
2886         (JSC::DFG::ByteCodeParser::parseBlock):
2887         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2888         * dfg/DFGJITCompiler.cpp:
2889         (JSC::DFG::JITCompiler::link):
2890         * dfg/DFGJITCompiler.h:
2891         (JITCompiler):
2892         * dfg/DFGOperations.cpp:
2893         * dfg/DFGSpeculativeJIT.cpp:
2894         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2895         (DFG):
2896         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2897         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
2898         * dfg/DFGSpeculativeJIT.h:
2899         (SpeculativeJIT):
2900         * ftl/FTLLink.cpp:
2901         (JSC::FTL::link):
2902         * jit/JITOpcodes.cpp:
2903         (JSC::JIT::emit_op_switch_imm):
2904         (JSC::JIT::emit_op_switch_char):
2905         * jit/JITOpcodes32_64.cpp:
2906         (JSC::JIT::emit_op_switch_imm):
2907         (JSC::JIT::emit_op_switch_char):
2908         * jit/JITStubs.cpp:
2909         (JSC::DEFINE_STUB_FUNCTION):
2910         * llint/LLIntSlowPaths.cpp:
2911         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2912         * llint/LowLevelInterpreter32_64.asm:
2913         * llint/LowLevelInterpreter64.asm:
2914
2915 2013-06-20  Filip Pizlo  <fpizlo@apple.com>
2916
2917         fourthTier: FTL should clear character switch jump tables
2918         https://bugs.webkit.org/show_bug.cgi?id=117852
2919
2920         Reviewed by Sam Weinig.
2921         
2922         The FTL just uses LLVM's switch, which results in LLVM allocating its own switch
2923         jump tables as needed.
2924
2925         * bytecode/CodeBlock.h:
2926         (JSC::CodeBlock::clearCharacterSwitchJumpTables):
2927         * ftl/FTLLink.cpp:
2928         (JSC::FTL::link):
2929
2930 2013-06-20  Filip Pizlo  <fpizlo@apple.com>
2931
2932         fourthTier: FTL should support SwitchChar
2933         https://bugs.webkit.org/show_bug.cgi?id=117849
2934
2935         Reviewed by Geoffrey Garen.
2936         
2937         This adds Switch(SwitchChar) to the FTL and also implicitly does some other things.
2938         SwitchChar requires calling a slow path to resolve ropes. Previously the FTL had no
2939         support for calling slow paths, and we avoided adding coverage that would require
2940         that. Well, this patch adds the ability to call slow paths and just uses that for
2941         resolving ropes for SwitchChar. Also SwitchChar required adding awareness of strings,
2942         so I did that, too.
2943
2944         * bytecode/CodeBlock.h:
2945         (CodeBlock):
2946         (JSC::CodeBlock::addCodeOrigin):
2947         * dfg/DFGBackwardsPropagationPhase.cpp:
2948         (JSC::DFG::BackwardsPropagationPhase::propagate):
2949         * dfg/DFGGraph.cpp:
2950         (JSC::DFG::Graph::dump):
2951         * dfg/DFGNode.cpp:
2952         (WTF):
2953         (WTF::printInternal):
2954         * dfg/DFGNode.h:
2955         (WTF):
2956         * dfg/DFGOperations.h:
2957         * dfg/DFGSpeculativeJIT.h:
2958         (JSC::DFG::SpeculativeJIT::callOperation):
2959         * ftl/FTLAbbreviations.h:
2960         (JSC::FTL::int16Type):
2961         (JSC::FTL::constInt):
2962         * ftl/FTLAbstractHeapRepository.h:
2963         (FTL):
2964         * ftl/FTLCapabilities.cpp:
2965         (JSC::FTL::canCompile):
2966         * ftl/FTLCommonValues.cpp:
2967         (JSC::FTL::CommonValues::CommonValues):
2968         * ftl/FTLCommonValues.h:
2969         (CommonValues):
2970         * ftl/FTLIntrinsicRepository.cpp:
2971         (JSC::FTL::IntrinsicRepository::IntrinsicRepository):
2972         (FTL):
2973         * ftl/FTLIntrinsicRepository.h:
2974         (FTL):
2975         (IntrinsicRepository):
2976         * ftl/FTLLowerDFGToLLVM.cpp:
2977         (JSC::FTL::LowerDFGToLLVM::lower):
2978         (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
2979         (JSC::FTL::LowerDFGToLLVM::compileJump):
2980         (JSC::FTL::LowerDFGToLLVM::compileBranch):
2981         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2982         (JSC::FTL::LowerDFGToLLVM::buildSwitch):
2983         (LowerDFGToLLVM):
2984         (JSC::FTL::LowerDFGToLLVM::lowString):
2985         (JSC::FTL::LowerDFGToLLVM::speculate):
2986         (JSC::FTL::LowerDFGToLLVM::isObject):
2987         (JSC::FTL::LowerDFGToLLVM::isNotString):
2988         (JSC::FTL::LowerDFGToLLVM::isString):
2989         (JSC::FTL::LowerDFGToLLVM::isNotObject):
2990         (JSC::FTL::LowerDFGToLLVM::speculateObject):
2991         (JSC::FTL::LowerDFGToLLVM::speculateString):
2992         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
2993         (JSC::FTL::LowerDFGToLLVM::vmCall):
2994         (JSC::FTL::LowerDFGToLLVM::callPreflight):
2995         (JSC::FTL::LowerDFGToLLVM::callCheck):
2996         (JSC::FTL::LowerDFGToLLVM::lowBlock):
2997         * ftl/FTLOutput.h:
2998         (JSC::FTL::Output::constBool):
2999         (JSC::FTL::Output::constInt8):
3000         (JSC::FTL::Output::constInt32):
3001         (JSC::FTL::Output::constIntPtr):
3002         (JSC::FTL::Output::constInt64):
3003         (JSC::FTL::Output::load16):
3004         (JSC::FTL::Output::isNull):
3005         (JSC::FTL::Output::notNull):
3006         (JSC::FTL::Output::testIsZero32):
3007         (JSC::FTL::Output::testNonZero32):
3008         (Output):
3009         (JSC::FTL::Output::operation):
3010         (JSC::FTL::Output::crash):
3011
3012 2013-06-18  Filip Pizlo  <fpizlo@apple.com>
3013
3014         fourthTier: DFG should have switch_char
3015         https://bugs.webkit.org/show_bug.cgi?id=117710
3016
3017         Reviewed by Michael Saboff.
3018         
3019         Add op_switch_char. Most of this is fairly simple, except for the whole
3020         LazyJSValue thing.
3021         
3022         It's long been the case that anytime you wanted the DFG to speak of a string
3023         that didn't appear in the constant pool, you would have a hard time since
3024         the DFG isn't allowed to allocate in the GC heap. For example, if you know
3025         that you want to speak of a single character string, you might find that
3026         the one you wanted to speak of had been GC'd. Another example is if you
3027         wanted to add constant folding for string concatenation - something we don't
3028         have yet but will want eventually.
3029         
3030         I solve this by finally adding the notion of LazyJSValue. In the future I
3031         anticipate using this for a variety of string-related things. The idea here
3032         is that the DFG can either say that it already knows what the value is, or
3033         it can describe the value. For example, in this patch I needed to be able to
3034         describe single-character strings.
3035
3036         * JavaScriptCore.xcodeproj/project.pbxproj:
3037         * bytecode/CodeBlock.cpp:
3038         (JSC::CodeBlock::dumpBytecode):
3039         (JSC::CodeBlock::CodeBlock):
3040         * bytecode/JumpTable.h:
3041         * dfg/DFGBackwardsPropagationPhase.cpp:
3042         (JSC::DFG::BackwardsPropagationPhase::propagate):
3043         * dfg/DFGByteCodeParser.cpp:
3044         (InlineStackEntry):
3045         (JSC::DFG::ByteCodeParser::parseBlock):
3046         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3047         * dfg/DFGCFGSimplificationPhase.cpp:
3048         (JSC::DFG::CFGSimplificationPhase::run):
3049         * dfg/DFGCapabilities.cpp:
3050         (JSC::DFG::capabilityLevel):
3051         * dfg/DFGDriver.cpp:
3052         (JSC::DFG::compile):
3053         * dfg/DFGFixupPhase.cpp:
3054         (JSC::DFG::FixupPhase::fixupNode):
3055         * dfg/DFGGPRInfo.h:
3056         (JSC::DFG::JSValueRegs::payloadGPR):
3057         * dfg/DFGJITCompiler.cpp:
3058         (JSC::DFG::JITCompiler::jumpTable):
3059         (DFG):
3060         (JSC::DFG::JITCompiler::numberOfJumpTables):
3061         (JSC::DFG::JITCompiler::linkSwitches):
3062         (JSC::DFG::JITCompiler::link):
3063         * dfg/DFGJITCompiler.h:
3064         (JITCompiler):
3065         * dfg/DFGLazyJSValue.cpp: Added.
3066         (DFG):
3067         (JSC::DFG::LazyJSValue::getValue):
3068         (JSC::DFG::equalToSingleCharacter):
3069         (JSC::DFG::LazyJSValue::strictEqual):
3070         (JSC::DFG::LazyJSValue::dump):
3071         * dfg/DFGLazyJSValue.h: Added.
3072         (DFG):
3073         (LazyJSValue):
3074         (JSC::DFG::LazyJSValue::LazyJSValue):
3075         (JSC::DFG::LazyJSValue::singleCharacterString):
3076         (JSC::DFG::LazyJSValue::tryGetValue):
3077         (JSC::DFG::LazyJSValue::value):
3078         (JSC::DFG::LazyJSValue::character):
3079         (JSC::DFG::LazyJSValue::switchLookupValue):
3080         * dfg/DFGNode.h:
3081         (JSC::DFG::SwitchCase::SwitchCase):
3082         (SwitchCase):
3083         * dfg/DFGSpeculativeJIT.cpp:
3084         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
3085         (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
3086         (DFG):
3087         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3088         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
3089         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
3090         (JSC::DFG::SpeculativeJIT::emitSwitch):
3091         * dfg/DFGSpeculativeJIT.h:
3092         (SpeculativeJIT):
3093
3094 2013-06-19  Mark Hahnenberg  <mhahnenberg@apple.com>
3095
3096         Refactor ObjCCallbackFunction to inherit directly from InternalFunction
3097         https://bugs.webkit.org/show_bug.cgi?id=117595
3098
3099         Reviewed by Geoffrey Garen.
3100
3101         * API/APICallbackFunction.h: Added. New struct that allows JSCallbackFunction and 
3102         ObjCCallbackFunction to share their host call() implementation through the magic of 
3103         templates.
3104         (JSC::APICallbackFunction::call):
3105         * API/JSCallbackFunction.cpp:
3106         (JSC::JSCallbackFunction::getCallData): Changed to get the template-ized version of 
3107         the host function.
3108         * API/JSCallbackFunction.h:
3109         * API/ObjCCallbackFunction.h: Now inherits directly from InternalFunction.
3110         * API/ObjCCallbackFunction.mm:
3111         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
3112         (JSC::ObjCCallbackFunction::getCallData): Ditto.
3113         * GNUmakefile.list.am: Build files!
3114         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3115         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3116         * JavaScriptCore.xcodeproj/project.pbxproj:
3117
3118 2013-06-19  Michael Saboff  <msaboff@apple.com>
3119
3120         fourthTier: Arity fixup should be done while on same stack
3121         https://bugs.webkit.org/show_bug.cgi?id=117102
3122
3123         Reviewed by Oliver Hunt.
3124
3125         Removed the fixup part of op_call_arityCheck() and op_construct_arityCheck() and moved it to
3126         a thunk for the JITs and as assembly for the llint.  This patch provides the plumbing needed to
3127         move to the C stack for JS execution.  The fixup thunk and llint code would need to be change to
3128         work with a stack that grows down when we do move to the C stack.
3129         
3130         Due to an issue with the offline assembler, I moved the const at the top of LowLevelInterpreter64.asm
3131         and LowLevelInterpreter32_64.asm to LowLevelInterpreter.asm.  The problem is that a const defined in
3132         one file that are used in a macro doesn't resolve the const if the macro is used in another file.  This
3133         seemed like the quickest path.
3134
3135         * dfg/DFGJITCompiler.cpp:
3136         (JSC::DFG::JITCompiler::compileFunction):
3137         (JSC::DFG::JITCompiler::linkFunction):
3138         * dfg/DFGJITCompiler.h:
3139         (JITCompiler):
3140         * ftl/FTLLink.cpp:
3141         (JSC::FTL::link):
3142         * jit/JIT.cpp:
3143         (JSC::JIT::privateCompile):
3144         * jit/JITStubs.cpp:
3145         (JSC::DEFINE_STUB_FUNCTION):
3146         * jit/JITStubs.h:
3147         * jit/ThunkGenerators.cpp:
3148         (JSC::arityFixup):
3149         * jit/ThunkGenerators.h:
3150         * llint/LowLevelInterpreter.asm:
3151         * llint/LowLevelInterpreter32_64.asm:
3152         * llint/LowLevelInterpreter64.asm:
3153         * runtime/CommonSlowPaths.cpp:
3154         (JSC::SLOW_PATH_DECL):
3155         * runtime/CommonSlowPaths.h:
3156         (JSC::CommonSlowPaths::arityCheckFor):
3157
3158 2013-06-19  Michael Saboff  <msaboff@apple.com>
3159
3160         FTL: arm build is broken in ToT
3161         https://bugs.webkit.org/show_bug.cgi?id=117800
3162
3163         Unreviewed build fixes.
3164
3165         * assembler/ARMv7Assembler.h:
3166         (ARMv7Assembler): Merge of r147941
3167         * jit/JITArithmetic32_64.cpp:
3168         (JSC::JIT::emit_op_mod): Moved variable declaration back inside #ifdef where used.
3169
3170 2013-06-17  Michael Saboff  <msaboff@apple.com>
3171
3172         FTL: Add another temp register regT4 to JSInterfaceJIT
3173         https://bugs.webkit.org/show_bug.cgi?id=117719
3174
3175         Reviewed by Geoffrey Garen.
3176
3177         Made the dedicated bucketCounterRegister to be regT4 and then used regT4 wherever
3178         bucketCounterRegister had been used.  Since it is masked whenever it is used and
3179         we are looking for some randomness in the register anyway, we can use it without
3180         any issues.
3181
3182         * jit/JIT.cpp:
3183         (JSC::JIT::privateCompile):
3184         * jit/JIT.h:
3185         (JSC::JIT::emitValueProfilingSite):
3186         * jit/JITCall.cpp:
3187         (JSC::JIT::emitPutCallResult):
3188         * jit/JITCall32_64.cpp:
3189         (JSC::JIT::emitPutCallResult):
3190         * jit/JITInlines.h:
3191         (JSC::JIT::emitValueProfilingSite):
3192         * jit/JITOpcodes.cpp:
3193         (JSC::JIT::emit_op_to_this):
3194         (JSC::JIT::emit_op_get_callee):
3195         (JSC::JIT::emit_op_get_argument_by_val):
3196         * jit/JITOpcodes32_64.cpp:
3197         (JSC::JIT::emit_op_get_callee):
3198         (JSC::JIT::emit_op_to_this):
3199         (JSC::JIT::emit_op_get_argument_by_val):
3200         * jit/JITPropertyAccess.cpp:
3201         (JSC::JIT::emit_op_get_by_val):
3202         (JSC::JIT::emitSlow_op_get_by_val):
3203         (JSC::JIT::emit_op_get_by_id):
3204         (JSC::JIT::emitSlow_op_get_by_id):
3205         (JSC::JIT::emit_op_get_from_scope):
3206         (JSC::JIT::emitSlow_op_get_from_scope):
3207         * jit/JITPropertyAccess32_64.cpp:
3208         (JSC::JIT::emit_op_get_by_val):
3209         (JSC::JIT::emitSlow_op_get_by_val):
3210         (JSC::JIT::emit_op_get_by_id):
3211         (JSC::JIT::emitSlow_op_get_by_id):
3212         (JSC::JIT::emit_op_get_from_scope):
3213         (JSC::JIT::emitSlow_op_get_from_scope):
3214         * jit/JITStubCall.h:
3215         (JSC::JITStubCall::callWithValueProfiling):
3216         * jit/JSInterfaceJIT.h:
3217         (JSInterfaceJIT):
3218
3219 2013-06-17  Filip Pizlo  <fpizlo@apple.com>
3220
3221         fourthTier: FTL should support Switch
3222         https://bugs.webkit.org/show_bug.cgi?id=117704
3223
3224         Reviewed by Oliver Hunt.
3225
3226         * bytecode/CodeBlock.h:
3227         (JSC::CodeBlock::clearImmediateSwitchJumpTables):
3228         * ftl/FTLAbbreviations.h:
3229         (JSC::FTL::buildFPToSI):
3230         (JSC::FTL::buildSwitch):
3231         (JSC::FTL::addCase):
3232         (FTL):
3233         * ftl/FTLCapabilities.cpp:
3234         (JSC::FTL::canCompile):
3235         * ftl/FTLLink.cpp:
3236         (JSC::FTL::link):
3237         * ftl/FTLLowerDFGToLLVM.cpp:
3238         (JSC::FTL::LowerDFGToLLVM::compileNode):
3239         (JSC::FTL::LowerDFGToLLVM::compileSwitch):
3240         (LowerDFGToLLVM):
3241         * ftl/FTLOutput.h:
3242         (JSC::FTL::Output::fpToInt):
3243         (JSC::FTL::Output::fpToInt32):
3244         (Output):
3245         (JSC::FTL::Output::switchInstruction):
3246         * ftl/FTLSwitchCase.h: Added.
3247         (FTL):
3248         (SwitchCase):
3249         (JSC::FTL::SwitchCase::SwitchCase):
3250         (JSC::FTL::SwitchCase::value):
3251         (JSC::FTL::SwitchCase::target):
3252
3253 2013-06-15  Filip Pizlo  <fpizlo@apple.com>
3254
3255         fourthTier: Add CFG simplification for Switch
3256         https://bugs.webkit.org/show_bug.cgi?id=117677
3257
3258         Reviewed by Mark Hahnenberg.
3259         
3260         This is for completeness. It only speeds up a microbenchmark at this point.
3261         Broadly, we want all control constructs to be known to the CFG simplifier.
3262
3263         * dfg/DFGCFGSimplificationPhase.cpp:
3264         (JSC::DFG::CFGSimplificationPhase::run):
3265         (JSC::DFG::CFGSimplificationPhase::convertToJump):
3266         (CFGSimplificationPhase):
3267         (JSC::DFG::CFGSimplificationPhase::noBlocks):
3268         (JSC::DFG::CFGSimplificationPhase::oneBlock):
3269         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
3270         * runtime/JSCJSValue.h:
3271         (JSValue):
3272         * runtime/JSCJSValueInlines.h:
3273         (JSC::JSValue::pureStrictEqual):
3274         (JSC):
3275
3276 2013-06-13  Filip Pizlo  <fpizlo@apple.com>
3277
3278         fourthTier: DFG should support op_switch_imm
3279         https://bugs.webkit.org/show_bug.cgi?id=117559
3280
3281         Reviewed by Oliver Hunt.
3282         
3283         Implement integer (i.e. immediate) switches in the DFG. Reduce the minimum
3284         threshold for using op_switch.
3285         
3286         Also get rid of edge code support, since we haven't used it in the year since
3287         I introduced it. It was supposed to allow us to break critical edges late in
3288         the backend, thus enabling global register allocation from an SSA-form graph.
3289         But we aren't doing that so I figure we should just kill the code for now. It
3290         would have made implementing switch harder.
3291
3292         * assembler/AbstractMacroAssembler.h:
3293         (JSC::AbstractMacroAssembler::timesPtr):
3294         * assembler/MacroAssemblerCodeRef.h:
3295         (JSC::MacroAssemblerCodePtr::dumpWithName):
3296         (MacroAssemblerCodePtr):
3297         (JSC::MacroAssemblerCodePtr::dump):
3298         (MacroAssemblerCodeRef):
3299         (JSC::MacroAssemblerCodeRef::dump):
3300         * bytecode/CodeBlock.cpp:
3301         (JSC::CodeBlock::shrinkToFit):
3302         * bytecode/JumpTable.h:
3303         (SimpleJumpTable):
3304         (JSC::SimpleJumpTable::clear):
3305         * dfg/DFGAbstractState.cpp:
3306         (JSC::DFG::AbstractState::executeEffects):
3307         (JSC::DFG::AbstractState::mergeToSuccessors):
3308         * dfg/DFGBackwardsPropagationPhase.cpp:
3309         (JSC::DFG::BackwardsPropagationPhase::propagate):
3310         * dfg/DFGByteCodeParser.cpp:
3311         (InlineStackEntry):
3312         (JSC::DFG::ByteCodeParser::parseBlock):
3313         (JSC::DFG::ByteCodeParser::linkBlock):
3314         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3315         * dfg/DFGCapabilities.cpp:
3316         (JSC::DFG::capabilityLevel):
3317         * dfg/DFGCommon.h:
3318         * dfg/DFGFixupPhase.cpp:
3319         (JSC::DFG::FixupPhase::fixupNode):
3320         * dfg/DFGGraph.cpp:
3321         (JSC::DFG::Graph::dump):
3322         (JSC::DFG::Graph::determineReachability):
3323         * dfg/DFGGraph.h:
3324         (Graph):
3325         * dfg/DFGJITCompiler.cpp:
3326         (JSC::DFG::JITCompiler::JITCompiler):
3327         (JSC::DFG::JITCompiler::link):
3328         * dfg/DFGJITCompiler.h:
3329         (JITCompiler):
3330         (JSC::DFG::JITCompiler::blockHeads):
3331         * dfg/DFGNode.h:
3332         (DFG):
3333         (JSC::DFG::SwitchCase::SwitchCase):
3334         (SwitchCase):
3335         (SwitchData):
3336         (JSC::DFG::SwitchData::SwitchData):
3337         (Node):
3338         (JSC::DFG::Node::isSwitch):
3339         (JSC::DFG::Node::isTerminal):
3340         (JSC::DFG::Node::switchData):
3341         (JSC::DFG::Node::numSuccessors):
3342         (JSC::DFG::Node::successor):
3343         * dfg/DFGNodeType.h:
3344         (DFG):
3345         * dfg/DFGOperations.cpp:
3346         * dfg/DFGOperations.h:
3347         * dfg/DFGPredictionPropagationPhase.cpp:
3348         (JSC::DFG::PredictionPropagationPhase::propagate):
3349         * dfg/DFGSpeculativeJIT.cpp:
3350         (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3351         (JSC::DFG::SpeculativeJIT::compile):
3352         (JSC::DFG::SpeculativeJIT::createOSREntries):
3353         (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
3354         (DFG):
3355         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3356         (JSC::DFG::SpeculativeJIT::emitSwitch):
3357         (JSC::DFG::SpeculativeJIT::linkBranches):
3358         * dfg/DFGSpeculativeJIT.h:
3359         (JSC::DFG::SpeculativeJIT::callOperation):
3360         (SpeculativeJIT):
3361         (JSC::DFG::SpeculativeJIT::branchDouble):
3362         (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
3363         (JSC::DFG::SpeculativeJIT::branch32):
3364         (JSC::DFG::SpeculativeJIT::branchTest32):
3365         (JSC::DFG::SpeculativeJIT::branch64):
3366         (JSC::DFG::SpeculativeJIT::branchPtr):
3367         (JSC::DFG::SpeculativeJIT::branchTestPtr):
3368         (JSC::DFG::SpeculativeJIT::branchTest8):
3369         (JSC::DFG::SpeculativeJIT::jump):
3370         * dfg/DFGSpeculativeJIT32_64.cpp:
3371         (JSC::DFG::SpeculativeJIT::compile):