WebKit-https.git
7 years agoMore 32bit build fixes
oliver@apple.com [Thu, 25 Jul 2013 17:10:51 +0000 (17:10 +0000)]
More 32bit build fixes

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153334 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoRemove lastModifiedDate from ResourceResponse
andersca@apple.com [Thu, 25 Jul 2013 17:10:34 +0000 (17:10 +0000)]
Remove lastModifiedDate from ResourceResponse
https://bugs.webkit.org/show_bug.cgi?id=119092

Reviewed by Andreas Kling.

Source/WebCore:

Computing m_lastResponseDate is costly on some platforms and we already have a better way to
get the last response time, so convert the two call sites that used to call ResourceresponseBase::lastModifiedDate()
over to using lastModified() instead.

* platform/network/ResourceResponseBase.cpp:
(WebCore::ResourceResponseBase::ResourceResponseBase):
(WebCore::ResourceResponseBase::adopt):
(WebCore::ResourceResponseBase::copyData):
* platform/network/ResourceResponseBase.h:
* platform/network/cf/ResourceResponseCFNet.cpp:
(WebCore::ResourceResponse::platformLazyInit):
* plugins/PluginStream.cpp:
(WebCore::lastModifiedDate):
(WebCore::PluginStream::startStream):

Source/WebKit2:

Update for WebCore changes.

* WebProcess/Plugins/PluginView.cpp:
(WebKit::lastModifiedDate):
Use ResourceResponse::lastModified() to get the last modified date.

(WebKit::PluginView::Stream::didReceiveResponse):
Call the static lastModified function.

(WebKit::PluginView::manualLoadDidReceiveResponse):
Ditto.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153333 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed EFL build fix after r153315.
ch.dumez@sisa.samsung.com [Thu, 25 Jul 2013 17:10:19 +0000 (17:10 +0000)]
Unreviewed EFL build fix after r153315.

Use -std=gnu++0x instead of -std=c++0x as we rely on GNU extensions such as
typeof().

* Source/cmake/WebKitHelpers.cmake:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153332 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoOptimize the thread locks for API Shims
commit-queue@webkit.org [Thu, 25 Jul 2013 17:01:56 +0000 (17:01 +0000)]
Optimize the thread locks for API Shims
https://bugs.webkit.org/show_bug.cgi?id=118573

Patch by Yi Shen <max.hong.shen@gmail.com> on 2013-07-25
Reviewed by Geoffrey Garen.

Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM
only used by WebCore's main thread).

Source/JavaScriptCore:

* API/APIShims.h:
(JSC::APIEntryShim::APIEntryShim):
(JSC::APICallbackShim::APICallbackShim):
* runtime/JSLock.cpp:
(JSC::JSLockHolder::JSLockHolder):
(JSC::JSLockHolder::init):
(JSC::JSLockHolder::~JSLockHolder):
(JSC::JSLock::DropAllLocks::DropAllLocks):
(JSC::JSLock::DropAllLocks::~DropAllLocks):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:

Source/WebCore:

No new tests required since no functionality changed.

* bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::commonVM):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153331 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago[CSS Shapes] Shape methods and member variables should be guarded with the CSS_SHAPES...
betravis@adobe.com [Thu, 25 Jul 2013 16:40:40 +0000 (16:40 +0000)]
[CSS Shapes] Shape methods and member variables should be guarded with the CSS_SHAPES flag
https://bugs.webkit.org/show_bug.cgi?id=117277

Reviewed by Alexandru Chiculita.

This patch adds some compile guards that were missing from the RenderStyle and
StyleRareNonInheritedData files. When the compile guard caused parameters to
not be used, the parameters were marked using UNUSED_PARAM.

* css/CSSPropertyNames.in: Inserting a line to trigger build.
* rendering/RenderBlock.cpp:
(WebCore::shapeInfoRequiresRelayout):
(WebCore::RenderBlock::updateRegionsAndShapesBeforeChildLayout):
(WebCore::RenderBlock::logicalRightFloatOffsetForLine):
* rendering/RenderBox.cpp:
(WebCore::isCandidateForOpaquenessTest):
* rendering/RenderBox.h:
* rendering/RenderObject.h:
* rendering/style/RenderStyle.cpp:
(WebCore::RenderStyle::changeRequiresLayout):
(WebCore::RenderStyle::changeRequiresRepaint):
* rendering/style/RenderStyle.h:
* rendering/style/StyleRareNonInheritedData.cpp:
(WebCore::StyleRareNonInheritedData::StyleRareNonInheritedData):
(WebCore::StyleRareNonInheritedData::operator==):
* rendering/style/StyleRareNonInheritedData.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153330 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed build fix after r153218.
ch.dumez@sisa.samsung.com [Thu, 25 Jul 2013 16:38:37 +0000 (16:38 +0000)]
Unreviewed build fix after r153218.

Broke the EFL port build with gcc 4.7.

* interpreter/StackIterator.cpp:
(JSC::printif):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153329 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoBuild fix: add missing #include.
commit-queue@webkit.org [Thu, 25 Jul 2013 16:24:07 +0000 (16:24 +0000)]
Build fix: add missing #include.
https://bugs.webkit.org/show_bug.cgi?id=119087

Patch by Julien Brianceau <jbrianceau@nds.com> on 2013-07-25
Reviewed by Allan Sandfeld Jensen.

* bytecode/ArrayProfile.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153328 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago[GTK] Add support for running unit tests in the web process
carlosgc@webkit.org [Thu, 25 Jul 2013 16:13:30 +0000 (16:13 +0000)]
[GTK] Add support for running unit tests in the web process
https://bugs.webkit.org/show_bug.cgi?id=118427

Reviewed by Gustavo Noronha Silva.

Some tests, like GObject DOM bindings API tests, run entirely in
the WebProcess, so we just need to start the test from the UI
process and wait until the test finishes running in the
WebProcess. Tests are split in two files, one containing the
actual test that runs in the WebProcess and another one to add the
tests to the glib test system that works as a
proxy. WebProcessTestRunner class starts a private DBus session
bus and starts the tests sending a message to the WebExtension
waiting until it finishes or fails. WebProcess tests are created
by defining a class derived from WebProcessTest class and
implementing the static create method and the virtual runTest
method. The macro REGISTER_TEST is used by the web process tests
to register their test cases. This patch includes the migration
of the WebKitDOMNode test, all other GObject DOM bindings tests
will be migrated in the same way in follow up patches.

* UIProcess/API/gtk/tests/DOMNodeTest.cpp: Added.
(WebKitDOMNodeTest::create): Create a new WebKitDOMNodeTest.
(WebKitDOMNodeTest::webPageFromArgs): Get the pageID parameter
from the arguments dictionary.
(WebKitDOMNodeTest::testHierarchyNavigation):
(WebKitDOMNodeTest::testInsertion):
(WebKitDOMNodeTest::runTest): Run the given test.
(registerTests): Register test cases.
* UIProcess/API/gtk/tests/GNUmakefile.am: Add new files to
compilation.
* UIProcess/API/gtk/tests/TestDOMNode.cpp: Added.
(testWebKitDOMNodeHierarchyNavigation):
(testWebKitDOMNodeInsertion):
(beforeAll):
(afterAll):
* UIProcess/API/gtk/tests/TestMain.cpp:
(main): Unset DBUS_SESSION_BUS_ADDRESS environment variable to
make sure that the GLib bus singleton is initialized by the
private DBus session bus created by the tests.
* UIProcess/API/gtk/tests/WebProcessTest.cpp: Added.
(testsMap): Initialize and get the global map of tests.
(WebProcessTest::add): Add a new test to the map, keeping a
function to create the test.
(WebProcessTest::create): Create a test for the given name.
(methodCallCallback): Handle RunTest DBus method. It creates and
runs the given test.
(webkit_web_extension_initialize):Register the DBus service for
this WebExtension.
* UIProcess/API/gtk/tests/WebProcessTest.h: Added.
* UIProcess/API/gtk/tests/WebProcessTestRunner.cpp: Added.
(WebProcessTestRunner::WebProcessTestRunner): Start a private DBus
session bus and get a connection to it.
(WebProcessTestRunner::~WebProcessTestRunner): Stop the private
DBus session bus.
(WebProcessTestRunner::proxyCreatedCallback):
(WebProcessTestRunner::proxy): Create a new proxy to send messages
to the WebExtension if it doesn't exists.
(WebProcessTestRunner::onNameAppeared): Called when the DBus
service has been registered in the WebExtension and it's safe to
create a proxy.
(WebProcessTestRunner::onNameVanished): Called when the DBus
service is unregistered. This happens when the web process crash,
so we just exit here, because the g_asserts in the web process
have already registered the error message.
(WebProcessTestRunner::testFinishedCallback): Called when the
WebProcess tests has finished.
(WebProcessTestRunner::runTest): Send a message to the
WebExtension to start the given test and monitor the service.
(WebProcessTestRunner::finishTest): Save the test result and
finish the main loop.
* UIProcess/API/gtk/tests/WebProcessTestRunner.h: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153327 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoFix windows build after FTL upstream
allan.jensen@digia.com [Thu, 25 Jul 2013 14:26:42 +0000 (14:26 +0000)]
Fix windows build after FTL upstream

Unreviewed build fix.

* wtf/Atomics.h:
(WTF::weakCompareAndSwap):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153326 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed, build fix on the EFL port.
ryuan.choi@samsung.com [Thu, 25 Jul 2013 13:53:40 +0000 (13:53 +0000)]
Unreviewed, build fix on the EFL port.

* CMakeLists.txt: Added JSCTestRunnerUtils.cpp.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153325 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago[sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
commit-queue@webkit.org [Thu, 25 Jul 2013 13:50:10 +0000 (13:50 +0000)]
[sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
https://bugs.webkit.org/show_bug.cgi?id=119083

Patch by Julien Brianceau <jbrianceau@nds.com> on 2013-07-25
Reviewed by Allan Sandfeld Jensen.

* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::store8):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153324 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago[Qt] Fix test build after FTL upstream
allan.jensen@digia.com [Thu, 25 Jul 2013 13:23:08 +0000 (13:23 +0000)]
[Qt] Fix test build after FTL upstream

Unreviewed build fix.

* Target.pri:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153323 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago[Qt] Build fix after FTL.
allan.jensen@digia.com [Thu, 25 Jul 2013 13:11:16 +0000 (13:11 +0000)]
[Qt] Build fix after FTL.

Un Reviewed build fix.

* Target.pri:
* interpreter/StackIterator.cpp:
(JSC::StackIterator::Frame::print):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153322 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed build fix after FTL upstream.
rgabor@webkit.org [Thu, 25 Jul 2013 13:07:55 +0000 (13:07 +0000)]
Unreviewed build fix after FTL upstream.

* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::~Worklist):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153321 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago[l10n] [mr] Updated WebKitGTK+ Translation(s) in Marathi [mr] language
kov@webkit.org [Thu, 25 Jul 2013 12:49:18 +0000 (12:49 +0000)]
[l10n] [mr] Updated WebKitGTK+ Translation(s) in Marathi [mr] language
https://bugs.webkit.org/show_bug.cgi?id=117282

Patch by Sandeep Shedmake <sandeep.shedmake@gmail.com> on 2013-07-25
Reviewed by Gustavo Noronha.

* mr.po: Updated.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153320 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed, build fix on the EFL port.
ryuan.choi@samsung.com [Thu, 25 Jul 2013 12:35:06 +0000 (12:35 +0000)]
Unreviewed, build fix on the EFL port.

Source/JavaScriptCore:

* CMakeLists.txt:
Added SourceCode.cpp and removed BlackBerry file.
* jit/JITCode.h:
(JSC::JITCode::nextTierJIT):
Fixed to build break because of -Werror=return-type
* parser/Lexer.cpp: Includes JSFunctionInlines.h
* runtime/JSScope.h:
(JSC::makeType):
Fixed to build break because of -Werror=return-type

Source/WTF:

* wtf/CMakeLists.txt: Added SixCharacterHash.cpp

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153319 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed build fixing after FTL upstream.
kadam@inf.u-szeged.hu [Thu, 25 Jul 2013 12:31:45 +0000 (12:31 +0000)]
Unreviewed build fixing after FTL upstream.

* runtime/Executable.cpp:
(JSC::FunctionExecutable::produceCodeBlockFor):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153318 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoAdd missing implementation of bxxxnz in sh4 LLINT.
commit-queue@webkit.org [Thu, 25 Jul 2013 12:29:26 +0000 (12:29 +0000)]
Add missing implementation of bxxxnz in sh4 LLINT.
https://bugs.webkit.org/show_bug.cgi?id=119079

Patch by Julien Brianceau <jbrianceau@nds.com> on 2013-07-25
Reviewed by Allan Sandfeld Jensen.

* offlineasm/sh4.rb:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153317 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed, build fix on the Qt port.
rgabor@webkit.org [Thu, 25 Jul 2013 12:18:47 +0000 (12:18 +0000)]
Unreviewed, build fix on the Qt port.

Source/JavaScriptCore:

* Target.pri: Add additional build files for the FTL.

Source/WTF:

* WTF.pro: Add additional build files for the FTL.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153316 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago[CMAKE] Enforce c++0x for cmake based ports
ryuan.choi@samsung.com [Thu, 25 Jul 2013 12:09:30 +0000 (12:09 +0000)]
[CMAKE] Enforce c++0x for cmake based ports
https://bugs.webkit.org/show_bug.cgi?id=119081

Reviewed by Gyuyoung Kim.

* Source/cmake/WebKitHelpers.cmake:
Enforce c++0x for all cmake based ports to fix build break.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153315 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed buildfix after FTL upstream..
kadam@inf.u-szeged.hu [Thu, 25 Jul 2013 12:04:15 +0000 (12:04 +0000)]
Unreviewed buildfix after FTL upstream..

* interpreter/StackIterator.cpp:
(JSC::StackIterator::Frame::codeType):
(JSC::StackIterator::Frame::functionName):
(JSC::StackIterator::Frame::sourceURL):
(JSC::StackIterator::Frame::logicalFrame):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153314 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed.
zandobersek@gmail.com [Thu, 25 Jul 2013 11:23:57 +0000 (11:23 +0000)]
Unreviewed.

* heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
method is not left undefined, causing build failures on (at least) the GTK port.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153313 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoSource/JavaScriptCore: Unreviewed, further build fixing on the GTK port.
zandobersek@gmail.com [Thu, 25 Jul 2013 11:19:53 +0000 (11:19 +0000)]
Source/JavaScriptCore: Unreviewed, further build fixing on the GTK port.

* GNUmakefile.list.am: Add CompilationResult source files to the build.

Source/WTF: Unreviewed, further GTK build fixing.

* GNUmakefile.am: Make libWTF.la depend on any changes made to the build targets list.
* GNUmakefile.list.am: Add SixCharacterHash source files to the build.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153312 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed GTK build fixing.
zandobersek@gmail.com [Thu, 25 Jul 2013 10:54:38 +0000 (10:54 +0000)]
Unreviewed GTK build fixing.

* GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
* GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153311 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoBuildfix after this error:
ossy@webkit.org [Thu, 25 Jul 2013 10:51:41 +0000 (10:51 +0000)]
Buildfix after this error:
error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]

* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThread):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153310 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years ago[GTK] Similar fix to r153304.
ossy@webkit.org [Thu, 25 Jul 2013 10:46:43 +0000 (10:46 +0000)]
[GTK] Similar fix to r153304.

* GNUmakefile.list.am:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153309 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoOne more buildfix after FTL upstream.
ossy@webkit.org [Thu, 25 Jul 2013 10:42:21 +0000 (10:42 +0000)]
One more buildfix after FTL upstream.

Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.

* dfg/DFGLazyJSValue.cpp:
(JSC::DFG::LazyJSValue::getValue):
(JSC::DFG::LazyJSValue::strictEqual):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153308 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoFix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
commit-queue@webkit.org [Thu, 25 Jul 2013 10:24:20 +0000 (10:24 +0000)]
Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
https://bugs.webkit.org/show_bug.cgi?id=119076

Patch by Julien Brianceau <jbrianceau@nds.com> on 2013-07-25
Reviewed by Allan Sandfeld Jensen.

* offlineasm/mips.rb:
* offlineasm/sh4.rb:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153307 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed GTK build fix.
zandobersek@gmail.com [Thu, 25 Jul 2013 09:51:42 +0000 (09:51 +0000)]
Unreviewed GTK build fix.

* GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153306 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed. Further build fixing for the GTK port. Adding the forwarding header
zandobersek@gmail.com [Thu, 25 Jul 2013 09:29:43 +0000 (09:29 +0000)]
Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.

* ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153305 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoBuild break in debug after r153134: StringImpl.h:640: undefined reference to `WTF...
g.czajkowski@samsung.com [Thu, 25 Jul 2013 09:27:52 +0000 (09:27 +0000)]
Build break in debug after r153134: StringImpl.h:640: undefined reference to `WTF::isCompilationThread()
https://bugs.webkit.org/show_bug.cgi?id=119077

Reviewed by Christophe Dumez.

* wtf/CMakeLists.txt:
Added CompilationThread.{h/cpp}.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153304 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed. Fixing the GTK build after the FTL merging by updating the build targets...
zandobersek@gmail.com [Thu, 25 Jul 2013 09:08:27 +0000 (09:08 +0000)]
Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.

* GNUmakefile.am:
* GNUmakefile.list.am:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153303 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed buildfix after FTL upstream.
kadam@inf.u-szeged.hu [Thu, 25 Jul 2013 08:34:49 +0000 (08:34 +0000)]
Unreviewed buildfix after FTL upstream.

* runtime/JSScope.h:
(JSC::needsVarInjectionChecks):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153302 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoOne more fix after FTL upstream.
ossy@webkit.org [Thu, 25 Jul 2013 07:53:01 +0000 (07:53 +0000)]
One more fix after FTL upstream.

* Target.pri:
* bytecode/CodeBlock.h:
* bytecode/GetByIdStatus.h:
(JSC::GetByIdStatus::GetByIdStatus):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153301 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed buildfix after FTL upstream.
ossy@webkit.org [Thu, 25 Jul 2013 06:09:39 +0000 (06:09 +0000)]
Unreviewed buildfix after FTL upstream.

Add ftl directory as include path.

* CMakeLists.txt:
* JavaScriptCore.pri:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153300 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoUnreviewed buildfix after FTL upstream for non C++11 builds.
ossy@webkit.org [Thu, 25 Jul 2013 05:59:09 +0000 (05:59 +0000)]
Unreviewed buildfix after FTL upstream for non C++11 builds.

* interpreter/CallFrame.h:
* interpreter/StackIteratorPrivate.h:
(JSC::StackIterator::end):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153299 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoEndeavour to fix CMakelist builds
oliver@apple.com [Thu, 25 Jul 2013 05:02:45 +0000 (05:02 +0000)]
Endeavour to fix CMakelist builds

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153298 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agoIntroduce toSVGPatternElement(), use it
gyuyoung.kim@samsung.com [Thu, 25 Jul 2013 04:36:13 +0000 (04:36 +0000)]
Introduce toSVGPatternElement(), use it
https://bugs.webkit.org/show_bug.cgi?id=119013

Reviewed by Andreas Kling.

As a step to change static_cast with toSVGXXX, static_cast<SVGPatternElement*> can
be changed with toSVGPatternElement().

Merge from https://src.chromium.org/viewvc/blink?view=rev&revision=154734

* rendering/svg/RenderSVGResourcePattern.cpp:
(WebCore::RenderSVGResourcePattern::buildPattern):
* rendering/svg/SVGRenderTreeAsText.cpp:
(WebCore::writeSVGResourceContainer):
* rendering/svg/SVGResources.cpp:
(WebCore::targetReferenceFromResource):
* svg/SVGPatternElement.h:
(WebCore::toSVGPatternElement):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153297 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG IR dumps should be easier to read
oliver@apple.com [Thu, 25 Jul 2013 04:05:36 +0000 (04:05 +0000)]
fourthTier: DFG IR dumps should be easier to read
https://bugs.webkit.org/show_bug.cgi?id=119050

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

Added a DumpContext that includes support for printing an endnote
that describes all structures in full, while the main flow of the
dump just uses made-up names for the structures. This is helpful
since Structure::dump() may print a lot. The stuff it prints is
useful, but if it's all inline with the surrounding thing you're
dumping (often, a node in the DFG), then you get a ridiculously
long print-out. All classes that dump structures (including
Structure itself) now have dumpInContext() methods that use
inContext() for dumping anything that might transitively print a
structure. If Structure::dumpInContext() is called with a NULL
context, it just uses dump() like before. Hence you don't have to
know anything about DumpContext unless you want to.

inContext(*structure, context) dumps something like %B4:Array,
and the endnote will have something like:

    %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]

where B4 is the inferred name that StringHashDumpContext came up
with.

Also shortened a bunch of other dumps, removing information that
isn't so important.

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/ArrayProfile.cpp:
(JSC::dumpArrayModes):
* bytecode/CodeBlockHash.cpp:
(JSC):
(JSC::CodeBlockHash::CodeBlockHash):
(JSC::CodeBlockHash::dump):
* bytecode/CodeOrigin.cpp:
(JSC::CodeOrigin::dumpInContext):
(JSC):
(JSC::InlineCallFrame::dumpInContext):
(JSC::InlineCallFrame::dump):
* bytecode/CodeOrigin.h:
(CodeOrigin):
(InlineCallFrame):
* bytecode/Operands.h:
(JSC::OperandValueTraits::isEmptyForDump):
(Operands):
(JSC::Operands::dump):
(JSC):
* bytecode/OperandsInlines.h: Added.
(JSC):
(JSC::::dumpInContext):
* bytecode/StructureSet.h:
(JSC::StructureSet::dumpInContext):
(JSC::StructureSet::dump):
(StructureSet):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::dump):
(DFG):
(JSC::DFG::AbstractValue::dumpInContext):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::operator!):
(AbstractValue):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performBlockCFA):
* dfg/DFGCommon.cpp:
* dfg/DFGCommon.h:
(JSC::DFG::NodePointerTraits::isEmptyForDump):
* dfg/DFGDisassembler.cpp:
(JSC::DFG::Disassembler::createDumpList):
* dfg/DFGDisassembler.h:
(Disassembler):
* dfg/DFGFlushFormat.h:
(WTF::inContext):
(WTF):
* dfg/DFGFlushLivenessAnalysisPhase.cpp:
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dumpCodeOrigin):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::dumpBlockHeader):
* dfg/DFGGraph.h:
(Graph):
* dfg/DFGLazyJSValue.cpp:
(JSC::DFG::LazyJSValue::dumpInContext):
(JSC::DFG::LazyJSValue::dump):
(DFG):
* dfg/DFGLazyJSValue.h:
(LazyJSValue):
* dfg/DFGNode.h:
(JSC::DFG::nodeMapDump):
(WTF::inContext):
(WTF):
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::dumpInContext):
(JSC::DFG::StructureAbstractValue::dump):
(StructureAbstractValue):
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::dumpInContext):
(JSC::FTL::ExitValue::dump):
(FTL):
* ftl/FTLExitValue.h:
(ExitValue):
* ftl/FTLLowerDFGToLLVM.cpp:
* ftl/FTLValueSource.cpp:
(JSC::FTL::ValueSource::dumpInContext):
(FTL):
* ftl/FTLValueSource.h:
(ValueSource):
* runtime/DumpContext.cpp: Added.
(JSC):
(JSC::DumpContext::DumpContext):
(JSC::DumpContext::~DumpContext):
(JSC::DumpContext::isEmpty):
(JSC::DumpContext::dump):
* runtime/DumpContext.h: Added.
(JSC):
(DumpContext):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dump):
(JSC):
(JSC::JSValue::dumpInContext):
* runtime/JSCJSValue.h:
(JSC):
(JSValue):
* runtime/Structure.cpp:
(JSC::Structure::dumpInContext):
(JSC):
(JSC::Structure::dumpBrief):
(JSC::Structure::dumpContextHeader):
* runtime/Structure.h:
(JSC):
(Structure):

Source/WTF:

Reviewed by Mark Hahnenberg.

Added support for dumping values within a context. By default, if you say
print(inContext(value, context)) it calls value.dumpInContext(out, context)
instead of value.dump(out).

Hoisted the support for six-character hashes out of JSC::CodeBlockHash into
WTF, in the form of SixCharacterHash.h.

Added a helper for creating dump contexts where the inContext() dump will
just use a short string hash to "name" the object being dumped, and then
will print out the full dumps in an endnote to your dump.

Added support for using CString as a hashtable key.

* WTF.xcodeproj/project.pbxproj:
* wtf/PrintStream.h:
(WTF):
(ValueInContext):
(WTF::ValueInContext::ValueInContext):
(WTF::ValueInContext::dump):
(WTF::inContext):
* wtf/SixCharacterHash.cpp: Added.
(WTF):
(WTF::sixCharacterHashStringToInteger):
(WTF::integerToSixCharacterHashString):
* wtf/SixCharacterHash.h: Added.
(WTF):
* wtf/StringHashDumpContext.h: Added.
(WTF):
(StringHashDumpContext):
(WTF::StringHashDumpContext::StringHashDumpContext):
(WTF::StringHashDumpContext::getID):
(WTF::StringHashDumpContext::dumpBrief):
(WTF::StringHashDumpContext::brief):
(WTF::StringHashDumpContext::isEmpty):
(WTF::StringHashDumpContext::dump):
* wtf/text/CString.cpp:
(WTF::CString::hash):
(WTF):
(WTF::operator<):
(WTF::CStringHash::equal):
* wtf/text/CString.h:
(WTF::CString::CString):
(CString):
(WTF::CString::isHashTableDeletedValue):
(WTF):
(WTF::CStringHash::hash):
(CStringHash):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153296 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG should do a high-level LICM before going to FTL
oliver@apple.com [Thu, 25 Jul 2013 04:05:31 +0000 (04:05 +0000)]
fourthTier: DFG should do a high-level LICM before going to FTL
https://bugs.webkit.org/show_bug.cgi?id=118749

Reviewed by Oliver Hunt.

Implements LICM hoisting for nodes that never write anything and never read
things that are clobbered by the loop. There are some other preconditions for
hoisting, see DFGLICMPhase.cpp.

Also did a few fixes:

- ClobberSet::add was failing to switch Super entries to Direct entries in
  some cases.

- DFGClobberize.cpp needed to #include "Operations.h".

- DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.

- AbstractInterpreter can now execute a Node without knowing its indexInBlock.
  Knowing the indexInBlock is an optional optimization that all other clients
  of AI still opt into, but LICM doesn't.

This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreter.h:
(AbstractInterpreter):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
(JSC::DFG::::execute):
(DFG):
(JSC::DFG::::clobberWorld):
(JSC::DFG::::clobberStructures):
* dfg/DFGAtTailAbstractState.cpp: Added.
(DFG):
(JSC::DFG::AtTailAbstractState::AtTailAbstractState):
(JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
(JSC::DFG::AtTailAbstractState::createValueForNode):
(JSC::DFG::AtTailAbstractState::forNode):
* dfg/DFGAtTailAbstractState.h: Added.
(DFG):
(AtTailAbstractState):
(JSC::DFG::AtTailAbstractState::initializeTo):
(JSC::DFG::AtTailAbstractState::forNode):
(JSC::DFG::AtTailAbstractState::variables):
(JSC::DFG::AtTailAbstractState::block):
(JSC::DFG::AtTailAbstractState::isValid):
(JSC::DFG::AtTailAbstractState::setDidClobber):
(JSC::DFG::AtTailAbstractState::setIsValid):
(JSC::DFG::AtTailAbstractState::setBranchDirection):
(JSC::DFG::AtTailAbstractState::setFoundConstants):
(JSC::DFG::AtTailAbstractState::haveStructures):
(JSC::DFG::AtTailAbstractState::setHaveStructures):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::insertBeforeLast):
* dfg/DFGBasicBlockInlines.h:
(DFG):
* dfg/DFGClobberSet.cpp:
(JSC::DFG::ClobberSet::add):
(JSC::DFG::ClobberSet::addAll):
* dfg/DFGClobberize.cpp:
(JSC::DFG::doesWrites):
* dfg/DFGClobberize.h:
(DFG):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::DCEPhase):
(JSC::DFG::DCEPhase::run):
(JSC::DFG::DCEPhase::fixupBlock):
(DCEPhase):
* dfg/DFGEdgeDominates.h: Added.
(DFG):
(EdgeDominates):
(JSC::DFG::EdgeDominates::EdgeDominates):
(JSC::DFG::EdgeDominates::operator()):
(JSC::DFG::EdgeDominates::result):
(JSC::DFG::edgesDominate):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::checkArray):
* dfg/DFGLICMPhase.cpp: Added.
(LICMPhase):
(JSC::DFG::LICMPhase::LICMPhase):
(JSC::DFG::LICMPhase::run):
(JSC::DFG::LICMPhase::attemptHoist):
(DFG):
(JSC::DFG::performLICM):
* dfg/DFGLICMPhase.h: Added.
(DFG):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153295 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG Nodes should be able to abstractly tell you what they read and what...
oliver@apple.com [Thu, 25 Jul 2013 04:05:29 +0000 (04:05 +0000)]
fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
https://bugs.webkit.org/show_bug.cgi?id=118910

Source/JavaScriptCore:

Reviewed by Sam Weinig.

Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
be inexpensive to use (they just give you a TBAA node) but expensive to create (you
create them all up front). FTL AbstractHeaps also don't actually give you the
ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
They also give you aliasing machinery. The DFG AbstractHeaps are represented
internally by a int64_t. Many comparisons between them are just integer comaprisons.
AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
payload is the direct subtype of its corresponding TOP Kind).

Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
clobbered. It represents the set that results from unifying a bunch of
AbstractHeaps, and is intended to quickly answer overlap questions: does the given
AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
its ancestors. An AbstractHeap is said to overlap a set if any direct or super
member is equal to it, or if any of its ancestors are equal to a direct member.

Example #1:

    - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
      is a subtype of Variables, which is a subtype of World.
    - You query Variables. I.e. Variables with a TOP payload, which is the
      supertype of Variables(X) for any X, and a subtype of World.

    The set will have Variables(5) as a direct member, and Variables and World as
    super members. The Variables query will immediately return true, because
    Variables is indeed a super member.

Example #2:

    - I add Variables(5)
    - You query NamedProperties

    NamedProperties is not a member at all (neither direct or super). We next
    query World. World is a member, but it's a super member, so we return false.

Example #3:

    - I add Variables
    - You query Variables(5)

    The set will have Variables as a direct member, and World as a super member.
    The Variables(5) query will not find Variables(5) in the set, but then it
    will query Variables. Variables is a direct member, so we return true.

Example #4:

    - I add Variables
    - You query NamedProperties(5)

    Neither NamedProperties nor NamedProperties(5) are members. We next query
    World. World is a member, but it's a super member, so we return false.

Overlap queries require that either the heap being queried is in the set (either
direct or super), or that one of its ancestors is a direct member. Another way to
think about how this works is that two heaps A and B are said to overlap if
A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
single-inheritance heirarchy. Consider that we wanted to implement a set that holds
heaps and answers the question, "is any member in the set an ancestor (i.e.
supertype) of some other heap". We would have the set contain the heaps themselves,
and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
chain of A, and repeatedly querying its membership in the set. This is what the
"direct" members of our set do. Now consider the other part, where we want to ask if
any member of the set is a descendent of a heap, or "A.isSupertypeOfAny(set)". We
would implement this by implementing set.add(B) as adding not just B but also all of
B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
in the set. With two such sets - one that answers isSubtypeOfAny() and another that
answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
heap" question. ClobberSet does this, but combines the two sets into a single
HashMap. The HashMap's value, "direct", means that the key is a member of both the
supertype set and the subtype set; if it's false then it's only a member of one of
them.

Finally, this adds a functorized clobberize() method that adds the read and write
clobbers of a DFG::Node to read and write functors. Common functors for adding to
ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
are also provided. This allows you to say things like:

    ClobberSet set;
    addWrites(graph, node1, set);
    if (readsOverlap(graph, node2, set))
        // We know that node1 may write to something that node2 may read from.

Currently this facility is only used to improve graph dumping, but it will be
instrumental in both LICM and GVN. In the future, I want to completely kill the
NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
of accomplishing almost exactly what AbstractHeap gives you.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractHeap.cpp: Added.
(DFG):
(JSC::DFG::AbstractHeap::Payload::dump):
(JSC::DFG::AbstractHeap::dump):
(WTF):
(WTF::printInternal):
* dfg/DFGAbstractHeap.h: Added.
(DFG):
(AbstractHeap):
(Payload):
(JSC::DFG::AbstractHeap::Payload::Payload):
(JSC::DFG::AbstractHeap::Payload::top):
(JSC::DFG::AbstractHeap::Payload::isTop):
(JSC::DFG::AbstractHeap::Payload::value):
(JSC::DFG::AbstractHeap::Payload::valueImpl):
(JSC::DFG::AbstractHeap::Payload::operator==):
(JSC::DFG::AbstractHeap::Payload::operator!=):
(JSC::DFG::AbstractHeap::Payload::operator<):
(JSC::DFG::AbstractHeap::Payload::isDisjoint):
(JSC::DFG::AbstractHeap::Payload::overlaps):
(JSC::DFG::AbstractHeap::AbstractHeap):
(JSC::DFG::AbstractHeap::operator!):
(JSC::DFG::AbstractHeap::kind):
(JSC::DFG::AbstractHeap::payload):
(JSC::DFG::AbstractHeap::isDisjoint):
(JSC::DFG::AbstractHeap::overlaps):
(JSC::DFG::AbstractHeap::supertype):
(JSC::DFG::AbstractHeap::hash):
(JSC::DFG::AbstractHeap::operator==):
(JSC::DFG::AbstractHeap::operator!=):
(JSC::DFG::AbstractHeap::operator<):
(JSC::DFG::AbstractHeap::isHashTableDeletedValue):
(JSC::DFG::AbstractHeap::payloadImpl):
(JSC::DFG::AbstractHeap::encode):
(JSC::DFG::AbstractHeapHash::hash):
(JSC::DFG::AbstractHeapHash::equal):
(AbstractHeapHash):
(WTF):
* dfg/DFGClobberSet.cpp: Added.
(DFG):
(JSC::DFG::ClobberSet::ClobberSet):
(JSC::DFG::ClobberSet::~ClobberSet):
(JSC::DFG::ClobberSet::add):
(JSC::DFG::ClobberSet::addAll):
(JSC::DFG::ClobberSet::contains):
(JSC::DFG::ClobberSet::overlaps):
(JSC::DFG::ClobberSet::clear):
(JSC::DFG::ClobberSet::direct):
(JSC::DFG::ClobberSet::super):
(JSC::DFG::ClobberSet::dump):
(JSC::DFG::ClobberSet::setOf):
(JSC::DFG::addReads):
(JSC::DFG::addWrites):
(JSC::DFG::addReadsAndWrites):
(JSC::DFG::readsOverlap):
(JSC::DFG::writesOverlap):
* dfg/DFGClobberSet.h: Added.
(DFG):
(ClobberSet):
(JSC::DFG::ClobberSet::isEmpty):
(ClobberSetAdd):
(JSC::DFG::ClobberSetAdd::ClobberSetAdd):
(JSC::DFG::ClobberSetAdd::operator()):
(ClobberSetOverlaps):
(JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
(JSC::DFG::ClobberSetOverlaps::operator()):
(JSC::DFG::ClobberSetOverlaps::result):
* dfg/DFGClobberize.cpp: Added.
(DFG):
(JSC::DFG::didWrites):
* dfg/DFGClobberize.h: Added.
(DFG):
(JSC::DFG::clobberize):
(NoOpClobberize):
(JSC::DFG::NoOpClobberize::NoOpClobberize):
(JSC::DFG::NoOpClobberize::operator()):
(CheckClobberize):
(JSC::DFG::CheckClobberize::CheckClobberize):
(JSC::DFG::CheckClobberize::operator()):
(JSC::DFG::CheckClobberize::result):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):

Source/WTF:

Reviewed by Sam Weinig.

Fix compile goof in sortedListDump().

* wtf/ListDump.h:
(WTF::sortedListDump):

Conflicts:
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153294 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: It should be easy to figure out which blocks nodes belong to
oliver@apple.com [Thu, 25 Jul 2013 04:05:26 +0000 (04:05 +0000)]
fourthTier: It should be easy to figure out which blocks nodes belong to
https://bugs.webkit.org/show_bug.cgi?id=118957

Reviewed by Sam Weinig.

* dfg/DFGGraph.cpp:
(DFG):
(JSC::DFG::Graph::initializeNodeOwners):
* dfg/DFGGraph.h:
(Graph):
* dfg/DFGNode.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153293 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: NodeExitsForward shouldn't be duplicated in NodeType
oliver@apple.com [Thu, 25 Jul 2013 04:05:25 +0000 (04:05 +0000)]
fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
https://bugs.webkit.org/show_bug.cgi?id=118956

Reviewed by Sam Weinig.

We had two way of expressing that something exits forward: the NodeExitsForward
flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
makes it just be a flag.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::int32ToDoubleCSE):
(JSC::DFG::CSEPhase::checkStructureElimination):
(JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
(JSC::DFG::CSEPhase::putStructureStoreElimination):
(JSC::DFG::CSEPhase::checkArrayElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
* dfg/DFGMinifiedNode.h:
(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasChild):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToStructureTransitionWatchpoint):
(JSC::DFG::Node::hasStructureSet):
(JSC::DFG::Node::hasStructure):
(JSC::DFG::Node::hasArrayMode):
(JSC::DFG::Node::willHaveCodeGenOrOSR):
* dfg/DFGNodeType.h:
(DFG):
(JSC::DFG::needsOSRForwardRewiring):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::run):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153292 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin...
oliver@apple.com [Thu, 25 Jul 2013 04:05:22 +0000 (04:05 +0000)]
fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
https://bugs.webkit.org/show_bug.cgi?id=118946

Reviewed by Geoffrey Garen.

We want to decouple the exit target code origin of a node from the code origin
for all other purposes. The purposes of code origins are:

- Where the node will exit, if it exits. The exit target should be consistent with
  the surrounding nodes, in that if you just looked at the code origins of nodes in
  the graph, they would be consistent with the code origins in bytecode. This is
  necessary for live-at-bytecode analyses to work, and to preserve the original
  bytecode semantics when exiting.

- What kind of code the node came from, for semantics thingies. For example, we
  might use the code origin to find the node's global object for doing an original
  array check. Or we might use it to determine if the code is in strict mode. Or
  other similar things. When we use the code origin in this way, we're basically
  using it as a way of describing the node's meta-data without putting it into the
  node directly, to save space. In the absurd extreme you could imagine nodes not
  even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
  what bytecode the node originated from. We won't do that, but you can think of
  this use of code origins as just a way of compressing meta-data.

- What code origin we should supply profiling to, if we exit. This is closely
  related to the semantics thingies, in that the exit profiling is a persistent
  kind of semantic meta-data that survives between recompiles, and the only way to
  do that is to ascribe it to the original bytecode via the code origin.

If we hoist a node, we need to change the exit target code origin, but we must not
change the code origin for other purposes. The best way to do this is to decouple
the two kinds of code origin.

OSR exit data structures already do this, because they may edit the exit target
code origin while keeping the code origin for profiling intact. This happens for
forward exits. So, we just need to thread separation all the way back to DFG::Node.
That's what this patch does.

* dfg/DFGNode.h:
(JSC::DFG::Node::Node):
(Node):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::OSRExit):
* dfg/DFGOSRExitBase.h:
(JSC::DFG::OSRExitBase::OSRExitBase):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::checkArgumentTypes):
* dfg/DFGSpeculativeJIT.h:
(SpeculativeJIT):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
(LowerDFGToLLVM):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExit::OSRExit):
* ftl/FTLOSRExit.h:
(OSRExit):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153291 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: each DFG node that relies on other nodes to do their type checks should...
oliver@apple.com [Thu, 25 Jul 2013 04:05:20 +0000 (04:05 +0000)]
fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
https://bugs.webkit.org/show_bug.cgi?id=118866

Reviewed by Sam Weinig.

Adds a safeToExecute() method that takes a node and an abstract state and tells you
if the node will run without crashing under that state.

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* dfg/DFGCFAPhase.cpp:
(CFAPhase):
(JSC::DFG::CFAPhase::CFAPhase):
(JSC::DFG::CFAPhase::run):
(JSC::DFG::CFAPhase::performBlockCFA):
(JSC::DFG::CFAPhase::performForwardCFA):
* dfg/DFGSafeToExecute.h: Added.
(DFG):
(SafeToExecuteEdge):
(JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::SafeToExecuteEdge::result):
(JSC::DFG::safeToExecute):
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::isValidOffset):
(StructureAbstractValue):
* runtime/Options.h:
(JSC):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153290 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR...
oliver@apple.com [Thu, 25 Jul 2013 04:05:18 +0000 (04:05 +0000)]
fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
https://bugs.webkit.org/show_bug.cgi?id=118948

Source/JavaScriptCore:

Reviewed by Sam Weinig.

- Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
  This allows doing "what if" experiments with IR generation, even if the generated IR
  can't yet execute.

- Add an OSR exit path that just calls an intrinsic that combines the branch and the
  off-ramp.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* ftl/FTLFail.cpp: Added.
(FTL):
(JSC::FTL::fail):
* ftl/FTLFail.h: Added.
(FTL):
* ftl/FTLIntrinsicRepository.h:
(FTL):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
* runtime/Options.h:
(JSC):

Tools:

Reviewed by Sam Weinig.

- Make ReducedFTL capable of dealing with code that uses the fake OSR exit intrinsic,
  by exporting it as a function.

- Make combineModules.rb idempotent. Sometimes it's convenient to run a file through
  it even if you know that you've already done so. See processIRDump.sh.

- Add a script, processIRDump.sh, that takes the output of --dumpLLVMIR=true and
  runs it through ReducedFTL automatically. You typically want to say something like:

  jsc --dumpLLVMIR=true <program(s)> > jsc-output.txt
  ./processIRDump.sh --timing < jsc-output.txt

* ReducedFTL/ReducedFTL.c:
(webkit_osr_exit):
* ReducedFTL/combineModules.rb:
* ReducedFTL/processIRDump.sh: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153289 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: We should use the no-asserts build of LLVM if that's what the user configured
oliver@apple.com [Thu, 25 Jul 2013 04:05:15 +0000 (04:05 +0000)]
fourthTier: We should use the no-asserts build of LLVM if that's what the user configured
https://bugs.webkit.org/show_bug.cgi?id=118947

Reviewed by Dan Bernstein.

* Scripts/copy-webkitlibraries-to-product-directory:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153288 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: StringObjectUse uses structures, and CSE should know that
oliver@apple.com [Thu, 25 Jul 2013 04:05:13 +0000 (04:05 +0000)]
fourthTier: StringObjectUse uses structures, and CSE should know that
https://bugs.webkit.org/show_bug.cgi?id=118940

Reviewed by Geoffrey Garen.

This is asymptomatic right now, but we should fix it.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::putStructureStoreElimination):
* dfg/DFGEdgeUsesStructure.h: Added.
(DFG):
(EdgeUsesStructure):
(JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
(JSC::DFG::EdgeUsesStructure::operator()):
(JSC::DFG::EdgeUsesStructure::result):
(JSC::DFG::edgesUseStructure):
* dfg/DFGUseKind.h:
(DFG):
(JSC::DFG::usesStructure):

Conflicts:
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153287 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: String GetByVal out-of-bounds handling is so wrong
oliver@apple.com [Thu, 25 Jul 2013 04:05:12 +0000 (04:05 +0000)]
fourthTier: String GetByVal out-of-bounds handling is so wrong
https://bugs.webkit.org/show_bug.cgi?id=118935

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.

Bunch of String GetByVal out-of-bounds fixes:

- Even if the string proto chain is sane, we need to watch out for negative
  indices. They may get values or call getters in the prototypes, since proto
  sanity doesn't check for negative indexed properties, as they are not
  technically indexed properties.

- GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
  given this information.

- GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
  given this information.

Also fixed some other things:

- If the DFG is disabled, the testRunner should pretend that we've done a
  bunch of DFG compiles. That's necessary to prevent the tests from timing
  out.

- Disassembler shouldn't try to dump source code since it's not safe in the
  concurrent JIT.

* API/JSCTestRunnerUtils.cpp:
(JSC::numberOfDFGCompiles):
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGDisassembler.cpp:
(JSC::DFG::Disassembler::dumpHeader):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::byValIsPure):
* dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
(DFG):
(SaneStringGetByValSlowPathGenerator):
(JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
(JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):

LayoutTests:

Reviewed by Geoffrey Garen.

* fast/js/dfg-string-out-of-bounds-check-structure-expected.txt: Added.
* fast/js/dfg-string-out-of-bounds-check-structure.html: Added.
* fast/js/dfg-string-out-of-bounds-cse-expected.txt: Added.
* fast/js/dfg-string-out-of-bounds-cse.html: Added.
* fast/js/dfg-string-out-of-bounds-negative-check-structure-expected.txt: Added.
* fast/js/dfg-string-out-of-bounds-negative-check-structure.html: Added.
* fast/js/dfg-string-out-of-bounds-negative-proto-value-expected.txt: Added.
* fast/js/dfg-string-out-of-bounds-negative-proto-value.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-string-out-of-bounds-check-structure.js: Added.
(foo):
* fast/js/script-tests/dfg-string-out-of-bounds-cse.js: Added.
(foo):
* fast/js/script-tests/dfg-string-out-of-bounds-negative-check-structure.js: Added.
(foo):
(while):
* fast/js/script-tests/dfg-string-out-of-bounds-negative-proto-value.js: Added.
(foo):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153286 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Structure::isValidOffset() should be able to tell you if you're loading...
oliver@apple.com [Thu, 25 Jul 2013 04:05:08 +0000 (04:05 +0000)]
fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
https://bugs.webkit.org/show_bug.cgi?id=118911

Reviewed by Geoffrey Garen.

We could also have a separate method like "willNotCrash(offset)", but that's not
what isValidOffset() is intended to mean.

* runtime/Structure.h:
(JSC::Structure::isValidOffset):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153285 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Structure should be able to tell you if it's valid to load at a given...
oliver@apple.com [Thu, 25 Jul 2013 04:05:07 +0000 (04:05 +0000)]
fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
https://bugs.webkit.org/show_bug.cgi?id=118878

Reviewed by Oliver Hunt.

- Change Structure::isValidOffset() to actually answer the question "If I attempted
  to load from an object of this structure, at this offset, would I commit suicide
  or would I get back some kind of value?"

- Change StorageAccessData::offset to use a PropertyOffset. It should have been that
  way from the start.

- Fix PutStructure so that it sets haveStructures in all of the cases that it should.

- Make GetByOffset also reference the base object in addition to the butterfly.

The future use of this power will be to answer questions like "If I hoisted this
GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
fine?"

I don't currently plan to use this power to perform validation, since the CSE has
the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
remove - both in the case of StructureSets where size >= 2 and in the case of
CheckStructures that match across PutStructures. At first I tried to write a
validator that was aware of this, but the validation code got way too complicated
and I started having nightmares of spurious assertion bugs being filed against me.

This also changes some of the code for how we hash FunctionExecutable's for debug
dumps, since that code still had some thread-safety issues. Basically, the
concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
that could transitively try to compute the hash from the source code. The source
code is a string that may be lazily computed, and that involves all manner of thread
unsafe things.

* bytecode/CodeOrigin.cpp:
(JSC::InlineCallFrame::hash):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetByOffset):
(JSC::DFG::ByteCodeParser::handlePutByOffset):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performBlockCFA):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
(StorageAccessData):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToGetByOffset):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
* runtime/FunctionExecutableDump.cpp:
(JSC::FunctionExecutableDump::dump):
* runtime/Structure.h:
(Structure):
(JSC::Structure::isValidOffset):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153284 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: AbstractInterpreter should explicitly ask AbstractState to create new...
oliver@apple.com [Thu, 25 Jul 2013 04:05:04 +0000 (04:05 +0000)]
fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
https://bugs.webkit.org/show_bug.cgi?id=118880

Reviewed by Sam Weinig.

It should be possible to have an AbstractState that is backed by a HashMap. But to
do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
the map, since otherwise the idiom of getting a reference to the AbstractValue
returned by forNode() would cause really subtle memory corruption bugs.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::createValueForNode):
(InPlaceAbstractState):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153283 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Decouple the way that CFA stores its state from the way it does abstract...
oliver@apple.com [Thu, 25 Jul 2013 04:05:03 +0000 (04:05 +0000)]
fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
https://bugs.webkit.org/show_bug.cgi?id=118835

Reviewed by Oliver Hunt.

This separates AbstractState into two things:

- InPlaceAbstractState, which can tell you the abstract state of anything you
  might care about, and uses the old AbstractState's algorithms and data
  structures for doing so.

- AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
  respect to an AbstractStateType. Currently we always use
  AbstractStateType = InPlaceAbstractState. But we could drop in an other
  class that supports basic primitives like forNode() and variables().

This is important because:

- We want to hoist things out of loops.

- We don't know what things rely on what type checks.

- We only want to hoist type checks out of loops if they aren't clobbered.

- We may want to still hoist things that depended on those type checks, if it's
  safe to do those things based on the CFA state at the tail of the loop
  pre-header.

- We don't want things to rely on their type checks by way of a token, because
  that's just weird.

So, we want to be able to have a special form of the CFA that can
incrementally update a basic block's state-at-tail, and we want to be able to
do this for multiple blocks simultaneously. This requires *not* storing the
per-node state in the nodes themselves, but instead using the at-tail HashMap
directly.

Hence we need to have a way of making the abstract interpreter (i.e.
AbstractState::execute) polymorphic with respect to state representation. Put
another way, we need to separate the way that abstract state is represented
from the way DFG IR is abstractly interpreted.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreter.h: Added.
(DFG):
(AbstractInterpreter):
(JSC::DFG::AbstractInterpreter::forNode):
(JSC::DFG::AbstractInterpreter::variables):
(JSC::DFG::AbstractInterpreter::needsTypeCheck):
(JSC::DFG::AbstractInterpreter::filterEdgeByUse):
(JSC::DFG::AbstractInterpreter::filter):
(JSC::DFG::AbstractInterpreter::filterArrayModes):
(JSC::DFG::AbstractInterpreter::filterByValue):
(JSC::DFG::AbstractInterpreter::trySetConstant):
(JSC::DFG::AbstractInterpreter::filterByType):
* dfg/DFGAbstractInterpreterInlines.h: Added.
(DFG):
(JSC::DFG::::AbstractInterpreter):
(JSC::DFG::::~AbstractInterpreter):
(JSC::DFG::::booleanResult):
(JSC::DFG::::startExecuting):
(JSC::DFG::::executeEdges):
(JSC::DFG::::verifyEdge):
(JSC::DFG::::verifyEdges):
(JSC::DFG::::executeEffects):
(JSC::DFG::::execute):
(JSC::DFG::::clobberWorld):
(JSC::DFG::::clobberCapturedVars):
(JSC::DFG::::clobberStructures):
(JSC::DFG::::dump):
(JSC::DFG::::filter):
(JSC::DFG::::filterArrayModes):
(JSC::DFG::::filterByValue):
* dfg/DFGAbstractState.cpp: Removed.
* dfg/DFGAbstractState.h: Removed.
* dfg/DFGArgumentsSimplificationPhase.cpp:
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::CFAPhase):
(JSC::DFG::CFAPhase::performBlockCFA):
(CFAPhase):
* dfg/DFGCFGSimplificationPhase.cpp:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(ConstantFoldingPhase):
* dfg/DFGInPlaceAbstractState.cpp: Added.
(DFG):
(JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
(JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
(JSC::DFG::InPlaceAbstractState::beginBasicBlock):
(JSC::DFG::setLiveValues):
(JSC::DFG::InPlaceAbstractState::initialize):
(JSC::DFG::InPlaceAbstractState::endBasicBlock):
(JSC::DFG::InPlaceAbstractState::reset):
(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
(JSC::DFG::InPlaceAbstractState::merge):
(JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
(JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
* dfg/DFGInPlaceAbstractState.h: Added.
(DFG):
(InPlaceAbstractState):
(JSC::DFG::InPlaceAbstractState::forNode):
(JSC::DFG::InPlaceAbstractState::variables):
(JSC::DFG::InPlaceAbstractState::block):
(JSC::DFG::InPlaceAbstractState::didClobber):
(JSC::DFG::InPlaceAbstractState::isValid):
(JSC::DFG::InPlaceAbstractState::setDidClobber):
(JSC::DFG::InPlaceAbstractState::setIsValid):
(JSC::DFG::InPlaceAbstractState::setBranchDirection):
(JSC::DFG::InPlaceAbstractState::setFoundConstants):
(JSC::DFG::InPlaceAbstractState::haveStructures):
(JSC::DFG::InPlaceAbstractState::setHaveStructures):
* dfg/DFGMergeMode.h: Added.
(DFG):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::backwardTypeCheck):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::compileToStringOnCell):
(JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
(JSC::DFG::SpeculativeJIT::speculateStringObject):
(JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::needsTypeCheck):
(SpeculativeJIT):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
* ftl/FTLLowerDFGToLLVM.cpp:
(FTL):
(JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateNumber):
(JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
(LowerDFGToLLVM):

Conflicts:
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153282 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG shouldn't create CheckStructures for array accesses except if the...
oliver@apple.com [Thu, 25 Jul 2013 04:04:59 +0000 (04:04 +0000)]
fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
https://bugs.webkit.org/show_bug.cgi?id=118867

Reviewed by Mark Hahnenberg.

This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
ArrayProfile.

It also makes it easier to ask any array-using node how to create its type check.

Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
an array profile, thinking that it was storing into a value profile. Reshuffling the
fields in ArrayProfile revealed this.

* bytecode/ArrayProfile.cpp:
(JSC::ArrayProfile::computeUpdatedPrediction):
(JSC::ArrayProfile::briefDescriptionWithoutUpdating):
* bytecode/ArrayProfile.h:
(JSC::ArrayProfile::ArrayProfile):
(ArrayProfile):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::updateAllArrayPredictions):
(JSC::CodeBlock::updateAllPredictions):
* bytecode/CodeBlock.h:
(CodeBlock):
(JSC::CodeBlock::updateAllArrayPredictions):
* dfg/DFGArrayMode.h:
(ArrayMode):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(FixupPhase):
(JSC::DFG::FixupPhase::checkArray):
(JSC::DFG::FixupPhase::blessArrayOperation):
* llint/LowLevelInterpreter64.asm:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153281 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: CFA should consider live-at-head for clobbering and dumping
oliver@apple.com [Thu, 25 Jul 2013 04:04:57 +0000 (04:04 +0000)]
fourthTier: CFA should consider live-at-head for clobbering and dumping
https://bugs.webkit.org/show_bug.cgi?id=118857

Reviewed by Mark Hahnenberg.

- clobberStructures() was not considering nodes live-at-head when in SSA
  form. This means it would fail to clobber some structures.

- dump() was not considering nodes live-at-head when in SSA form. This
  means it wouldn't dump everything that you might be interested in.

- AbstractState::m_currentNode is a useless variable and we should get
  rid of it.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::AbstractState):
(JSC::DFG::AbstractState::beginBasicBlock):
(JSC::DFG::AbstractState::reset):
(JSC::DFG::AbstractState::startExecuting):
(JSC::DFG::AbstractState::clobberStructures):
(JSC::DFG::AbstractState::dump):
* dfg/DFGAbstractState.h:
(AbstractState):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153280 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Add a phase to create loop pre-headers
oliver@apple.com [Thu, 25 Jul 2013 04:04:55 +0000 (04:04 +0000)]
fourthTier: Add a phase to create loop pre-headers
https://bugs.webkit.org/show_bug.cgi?id=118778

Reviewed by Oliver Hunt.

Add a loop pre-header creation phase. Any loop that doesn't already have
just one predecessor that isn't part of the loop has a pre-header
prepended. All non-loop predecessors then jump to that pre-header.

Also fix a handful of bugs:

- DFG::Analysis should set m_valid before running the analysis, since that
  makes it easier to use ASSERT(m_valid) in the analysis' methods, which
  may be called by the analysis before the analysis completes. NaturalLoops
  does this with loopsOf().

- NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
  returning 0, since that'll happen if the block isn't in any loop.

- Change BlockInsertionSet to dethread the graph, since anyone using it
  will want to do so.

- Change dethreading to ignore SSA form graphs.

This also adds NaturalLoops::belongsTo(), which I always used in the
pre-header creation phase. I didn't end up using it but I'll probably use
it in the near future.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAnalysis.h:
(JSC::DFG::Analysis::computeIfNecessary):
* dfg/DFGBlockInsertionSet.cpp:
(JSC::DFG::BlockInsertionSet::execute):
* dfg/DFGCriticalEdgeBreakingPhase.cpp:
(JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dethread):
* dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
(DFG):
(LoopPreHeaderCreationPhase):
(JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
(JSC::DFG::LoopPreHeaderCreationPhase::run):
(JSC::DFG::performLoopPreHeaderCreation):
* dfg/DFGLoopPreHeaderCreationPhase.h: Added.
(DFG):
* dfg/DFGNaturalLoops.h:
(NaturalLoop):
(JSC::DFG::NaturalLoops::headerOf):
(JSC::DFG::NaturalLoops::innerMostLoopOf):
(JSC::DFG::NaturalLoops::innerMostOuterLoop):
(JSC::DFG::NaturalLoops::belongsTo):
(NaturalLoops):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):

Conflicts:
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153279 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Rationalize Node::replacement
oliver@apple.com [Thu, 25 Jul 2013 04:04:53 +0000 (04:04 +0000)]
fourthTier: Rationalize Node::replacement
https://bugs.webkit.org/show_bug.cgi?id=118774

Reviewed by Oliver Hunt.

- Clearing of replacements is now done in Graph::clearReplacements().

- New nodes now have replacement set to 0.

- Node::replacement is now part of a 'misc' union. I'll be putting at least
  one other field into that union as part of LICM work (see
  https://bugs.webkit.org/show_bug.cgi?id=118749).

* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::run):
(JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
(JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::run):
(JSC::DFG::CSEPhase::setReplacement):
(JSC::DFG::CSEPhase::performBlockCSE):
* dfg/DFGGraph.cpp:
(DFG):
(JSC::DFG::Graph::clearReplacements):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::performSubstitutionForEdge):
(Graph):
* dfg/DFGNode.h:
(JSC::DFG::Node::Node):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153278 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: NaturalLoops should be able to quickly answer questions like "what loops...
oliver@apple.com [Thu, 25 Jul 2013 04:04:51 +0000 (04:04 +0000)]
fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block"
https://bugs.webkit.org/show_bug.cgi?id=118750

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

* dfg/DFGBasicBlock.h:
(BasicBlock):
* dfg/DFGNaturalLoops.cpp:
(JSC::DFG::NaturalLoops::compute):
(JSC::DFG::NaturalLoops::loopsOf):
* dfg/DFGNaturalLoops.h:
(DFG):
(JSC::DFG::NaturalLoop::NaturalLoop):
(NaturalLoop):
(JSC::DFG::NaturalLoop::index):
(JSC::DFG::NaturalLoop::isOuterMostLoop):
(JSC::DFG::NaturalLoop::addBlock):
(JSC::DFG::NaturalLoops::headerOf):
(JSC::DFG::NaturalLoops::innerMostLoopOf):
(NaturalLoops):
(JSC::DFG::NaturalLoops::innerMostOuterLoop):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):

Source/WTF:

Reviewed by Mark Hahnenberg.

Add a utility function for inserting an element into a vector that has bounded size,
and where the insertion causes things to drop off the end.

* wtf/StdLibExtras.h:
(WTF):
(WTF::insertIntoBoundedVector):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153277 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: don't GC when shutting down the VM
oliver@apple.com [Thu, 25 Jul 2013 04:04:49 +0000 (04:04 +0000)]
fourthTier: don't GC when shutting down the VM
https://bugs.webkit.org/show_bug.cgi?id=118751

Reviewed by Mark Hahnenberg.

* heap/Heap.h:
(Heap):
* runtime/VM.cpp:
(JSC::VM::~VM):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153276 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: We should have a reduced FTL LLVM pipeline tool in the repository
oliver@apple.com [Thu, 25 Jul 2013 04:04:47 +0000 (04:04 +0000)]
fourthTier: We should have a reduced FTL LLVM pipeline tool in the repository
https://bugs.webkit.org/show_bug.cgi?id=118647

Rubber stamped by Geoffrey Garen and Mark Hahnenberg.

Add a tool that takes in an LLVM bitcode file and JITs it in exactly the same
way that the FTL would.

Also add a tool that combines multiple LLVM modules generated by FTL into a
single module.

* ReducedFTL: Added.
* ReducedFTL/ReducedFTL.c: Added.
(usage):
(currentTime):
(MemorySection):
(mmAllocateCodeSection):
(mmAllocateDataSection):
(mmApplyPermissions):
(mmDestroy):
(symbolLookupCallback):
(main):
* ReducedFTL/build.sh: Added.
* ReducedFTL/combineModules.rb: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153275 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG should have an SSA form for use by FTL
oliver@apple.com [Thu, 25 Jul 2013 04:04:45 +0000 (04:04 +0000)]
fourthTier: DFG should have an SSA form for use by FTL
https://bugs.webkit.org/show_bug.cgi?id=118338

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

Adds an SSA form to the DFG. We can convert ThreadedCPS form into SSA form
after breaking critical edges. The conversion algorithm follows Aycock and
Horspool, and the SSA form itself follows something I've done before, where
instead of having Phi functions specify input nodes corresponding to block
predecessors, we instead have Upsilon functions in the predecessors that
specify which value in that block goes into which subsequent Phi. Upsilons
don't have to dominate Phis (usually they don't) and they correspond to a
non-SSA "mov" into the Phi's "variable". This gives all of the good
properties of SSA, while ensuring that a bunch of CFG transformations don't
have to be SSA-aware.

So far the only DFG phases that are SSA-aware are DCE and CFA. CFG
simplification is probably SSA-aware by default, though I haven't tried it.
Constant folding probably needs a few tweaks, but is likely ready. Ditto
for CSE, though it's not clear that we'd want to use block-local CSE when
we could be doing GVN.

Currently only the FTL can generate code from the SSA form, and there is no
way to convert from SSA to ThreadedCPS or LoadStore. There probably will
never be such a capability.

In order to handle OSR exit state in the SSA, we place MovHints at Phi
points. Other than that, you can reconstruct state-at-exit by forward
propagating MovHints. Note that MovHint is the new SetLocal in SSA.
SetLocal and GetLocal only survive into SSA if they are on captured
variables, or in the case of flushes. A "live SetLocal" will be
NodeMustGenerate and will always correspond to a flush. Computing the
state-at-exit requires running SSA liveness analysis, OSR availability
analysis, and flush liveness analysis. The FTL runs all of these prior to
generating code. While OSR exit continues to be tricky, much of the logic
is now factored into separate phases and the backend has to do less work
to reason about what happened outside of the basic block that is being
lowered.

Conversion from DFG SSA to LLVM SSA is done by ensuring that we generate
code in depth-first order, thus guaranteeing that a node will always be
lowered (and hence have a LValue) before any of the blocks dominated by
that node's block have code generated. For Upsilon/Phi, we just use
alloca's. We could do something more clever there, but it's probably not
worth it, at least not now.

Finally, while the SSA form is currently only being converted to LLVM IR,
there is nothing that prevents us from considering other backends in the
future - with the caveat that this form is designed to be first lowered to
a lower-level SSA before actual machine code generation commences. So we
ought to either use LLVM (the intended path) or we will have to write our
own SSA low-level backend.

This runs all of the code that the FTL was known to run previously. No
change in performance for now. But it does open some exciting
possibilities!

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/Operands.h:
(JSC::OperandValueTraits::dump):
(JSC::Operands::fill):
(Operands):
(JSC::Operands::clear):
(JSC::Operands::operator==):
* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::beginBasicBlock):
(JSC::DFG::setLiveValues):
(DFG):
(JSC::DFG::AbstractState::initialize):
(JSC::DFG::AbstractState::endBasicBlock):
(JSC::DFG::AbstractState::executeEffects):
(JSC::DFG::AbstractState::mergeStateAtTail):
(JSC::DFG::AbstractState::merge):
* dfg/DFGAbstractState.h:
(AbstractState):
* dfg/DFGAdjacencyList.h:
(JSC::DFG::AdjacencyList::justOneChild):
(AdjacencyList):
* dfg/DFGBasicBlock.cpp: Added.
(DFG):
(JSC::DFG::BasicBlock::BasicBlock):
(JSC::DFG::BasicBlock::~BasicBlock):
(JSC::DFG::BasicBlock::ensureLocals):
(JSC::DFG::BasicBlock::isInPhis):
(JSC::DFG::BasicBlock::isInBlock):
(JSC::DFG::BasicBlock::removePredecessor):
(JSC::DFG::BasicBlock::replacePredecessor):
(JSC::DFG::BasicBlock::dump):
(JSC::DFG::BasicBlock::SSAData::SSAData):
(JSC::DFG::BasicBlock::SSAData::~SSAData):
* dfg/DFGBasicBlock.h:
(BasicBlock):
(JSC::DFG::BasicBlock::operator[]):
(JSC::DFG::BasicBlock::successor):
(JSC::DFG::BasicBlock::successorForCondition):
(SSAData):
* dfg/DFGBasicBlockInlines.h:
(DFG):
* dfg/DFGBlockInsertionSet.cpp: Added.
(DFG):
(JSC::DFG::BlockInsertionSet::BlockInsertionSet):
(JSC::DFG::BlockInsertionSet::~BlockInsertionSet):
(JSC::DFG::BlockInsertionSet::insert):
(JSC::DFG::BlockInsertionSet::insertBefore):
(JSC::DFG::BlockInsertionSet::execute):
* dfg/DFGBlockInsertionSet.h: Added.
(DFG):
(BlockInsertionSet):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run):
* dfg/DFGCFGSimplificationPhase.cpp:
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
* dfg/DFGCommon.cpp:
(WTF::printInternal):
* dfg/DFGCommon.h:
(JSC::DFG::doesKill):
(DFG):
(JSC::DFG::killStatusForDoesKill):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
* dfg/DFGCriticalEdgeBreakingPhase.cpp: Added.
(DFG):
(CriticalEdgeBreakingPhase):
(JSC::DFG::CriticalEdgeBreakingPhase::CriticalEdgeBreakingPhase):
(JSC::DFG::CriticalEdgeBreakingPhase::run):
(JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
(JSC::DFG::performCriticalEdgeBreaking):
* dfg/DFGCriticalEdgeBreakingPhase.h: Added.
(DFG):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
(JSC::DFG::DCEPhase::findTypeCheckRoot):
(JSC::DFG::DCEPhase::countNode):
(DCEPhase):
(JSC::DFG::DCEPhase::countEdge):
(JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
* dfg/DFGDriver.cpp:
(JSC::DFG::compile):
* dfg/DFGEdge.cpp:
(JSC::DFG::Edge::dump):
* dfg/DFGEdge.h:
(JSC::DFG::Edge::Edge):
(JSC::DFG::Edge::setNode):
(JSC::DFG::Edge::useKindUnchecked):
(JSC::DFG::Edge::setUseKind):
(JSC::DFG::Edge::setProofStatus):
(JSC::DFG::Edge::willNotHaveCheck):
(JSC::DFG::Edge::willHaveCheck):
(Edge):
(JSC::DFG::Edge::killStatusUnchecked):
(JSC::DFG::Edge::killStatus):
(JSC::DFG::Edge::setKillStatus):
(JSC::DFG::Edge::doesKill):
(JSC::DFG::Edge::doesNotKill):
(JSC::DFG::Edge::shift):
(JSC::DFG::Edge::makeWord):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGFlushFormat.cpp: Added.
(WTF):
(WTF::printInternal):
* dfg/DFGFlushFormat.h: Added.
(DFG):
(JSC::DFG::resultFor):
(JSC::DFG::useKindFor):
(WTF):
* dfg/DFGFlushLivenessAnalysisPhase.cpp: Added.
(DFG):
(FlushLivenessAnalysisPhase):
(JSC::DFG::FlushLivenessAnalysisPhase::FlushLivenessAnalysisPhase):
(JSC::DFG::FlushLivenessAnalysisPhase::run):
(JSC::DFG::FlushLivenessAnalysisPhase::process):
(JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
(JSC::DFG::FlushLivenessAnalysisPhase::flushFormat):
(JSC::DFG::performFlushLivenessAnalysis):
* dfg/DFGFlushLivenessAnalysisPhase.h: Added.
(DFG):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::dumpBlockHeader):
(DFG):
(JSC::DFG::Graph::addForDepthFirstSort):
(JSC::DFG::Graph::getBlocksInDepthFirstOrder):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::convertToConstant):
(JSC::DFG::Graph::valueProfileFor):
(Graph):
* dfg/DFGInsertionSet.h:
(DFG):
(JSC::DFG::InsertionSet::execute):
* dfg/DFGLivenessAnalysisPhase.cpp: Added.
(DFG):
(LivenessAnalysisPhase):
(JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
(JSC::DFG::LivenessAnalysisPhase::run):
(JSC::DFG::LivenessAnalysisPhase::process):
(JSC::DFG::LivenessAnalysisPhase::addChildUse):
(JSC::DFG::performLivenessAnalysis):
* dfg/DFGLivenessAnalysisPhase.h: Added.
(DFG):
* dfg/DFGNode.cpp:
(JSC::DFG::Node::hasVariableAccessData):
(DFG):
* dfg/DFGNode.h:
(DFG):
(Node):
(JSC::DFG::Node::hasLocal):
(JSC::DFG::Node::variableAccessData):
(JSC::DFG::Node::hasPhi):
(JSC::DFG::Node::phi):
(JSC::DFG::Node::takenBlock):
(JSC::DFG::Node::notTakenBlock):
(JSC::DFG::Node::successor):
(JSC::DFG::Node::successorForCondition):
(JSC::DFG::nodeComparator):
(JSC::DFG::nodeListDump):
(JSC::DFG::nodeMapDump):
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeType.h:
(DFG):
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Added.
(DFG):
(OSRAvailabilityAnalysisPhase):
(JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase):
(JSC::DFG::OSRAvailabilityAnalysisPhase::run):
(JSC::DFG::performOSRAvailabilityAnalysis):
* dfg/DFGOSRAvailabilityAnalysisPhase.h: Added.
(DFG):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPredictionInjectionPhase.cpp:
(JSC::DFG::PredictionInjectionPhase::run):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSSAConversionPhase.cpp: Added.
(DFG):
(SSAConversionPhase):
(JSC::DFG::SSAConversionPhase::SSAConversionPhase):
(JSC::DFG::SSAConversionPhase::run):
(JSC::DFG::SSAConversionPhase::forwardPhiChildren):
(JSC::DFG::SSAConversionPhase::forwardPhi):
(JSC::DFG::SSAConversionPhase::forwardPhiEdge):
(JSC::DFG::SSAConversionPhase::deduplicateChildren):
(JSC::DFG::SSAConversionPhase::addFlushedLocalOp):
(JSC::DFG::SSAConversionPhase::addFlushedLocalEdge):
(JSC::DFG::performSSAConversion):
* dfg/DFGSSAConversionPhase.h: Added.
(DFG):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
(Validate):
(JSC::DFG::Validate::validateCPS):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::flushFormat):
(VariableAccessData):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::lower):
(JSC::FTL::LowerDFGToLLVM::createPhiVariables):
(JSC::FTL::LowerDFGToLLVM::compileBlock):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileUpsilon):
(LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::compilePhi):
(JSC::FTL::LowerDFGToLLVM::compileJSConstant):
(JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
(JSC::FTL::LowerDFGToLLVM::compileGetArgument):
(JSC::FTL::LowerDFGToLLVM::compileGetLocal):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
(JSC::FTL::LowerDFGToLLVM::compileAdd):
(JSC::FTL::LowerDFGToLLVM::compileArithSub):
(JSC::FTL::LowerDFGToLLVM::compileArithMul):
(JSC::FTL::LowerDFGToLLVM::compileArithDiv):
(JSC::FTL::LowerDFGToLLVM::compileArithMod):
(JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
(JSC::FTL::LowerDFGToLLVM::compileArithAbs):
(JSC::FTL::LowerDFGToLLVM::compileArithNegate):
(JSC::FTL::LowerDFGToLLVM::compileBitAnd):
(JSC::FTL::LowerDFGToLLVM::compileBitOr):
(JSC::FTL::LowerDFGToLLVM::compileBitXor):
(JSC::FTL::LowerDFGToLLVM::compileBitRShift):
(JSC::FTL::LowerDFGToLLVM::compileBitLShift):
(JSC::FTL::LowerDFGToLLVM::compileBitURShift):
(JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
(JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
(JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
(JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
(JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
(JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
(JSC::FTL::LowerDFGToLLVM::compileCompareLess):
(JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
(JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
(JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
(JSC::FTL::LowerDFGToLLVM::speculateBackward):
(JSC::FTL::LowerDFGToLLVM::lowInt32):
(JSC::FTL::LowerDFGToLLVM::lowCell):
(JSC::FTL::LowerDFGToLLVM::lowBoolean):
(JSC::FTL::LowerDFGToLLVM::lowDouble):
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::lowStorage):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateBoolean):
(JSC::FTL::LowerDFGToLLVM::isLive):
(JSC::FTL::LowerDFGToLLVM::use):
(JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
(JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
(JSC::FTL::LowerDFGToLLVM::setInt32):
(JSC::FTL::LowerDFGToLLVM::setJSValue):
(JSC::FTL::LowerDFGToLLVM::setBoolean):
(JSC::FTL::LowerDFGToLLVM::setStorage):
(JSC::FTL::LowerDFGToLLVM::setDouble):
(JSC::FTL::LowerDFGToLLVM::isValid):
* ftl/FTLLoweredNodeValue.h: Added.
(FTL):
(LoweredNodeValue):
(JSC::FTL::LoweredNodeValue::LoweredNodeValue):
(JSC::FTL::LoweredNodeValue::isSet):
(JSC::FTL::LoweredNodeValue::operator!):
(JSC::FTL::LoweredNodeValue::value):
(JSC::FTL::LoweredNodeValue::block):
* ftl/FTLValueFromBlock.h:
(JSC::FTL::ValueFromBlock::ValueFromBlock):
(ValueFromBlock):
* ftl/FTLValueSource.cpp:
(JSC::FTL::ValueSource::dump):
* ftl/FTLValueSource.h:

Source/WTF:

Reviewed by Mark Hahnenberg.

- Extend variadicity of PrintStream and dataLog.

- Give HashSet the ability to add a span of things.

- Give HashSet the ability to == another HashSet.

- Note FIXME's in HashTable concerning copying performance, that affects
  the way that the DFG now uses HashSets and HashMaps.

- Factor out the bulk-insertion logic of JSC::DFG::InsertionSet into
  WTF::Insertion, so that it can be used in more places.

- Create a dumper for lists and maps.

* WTF.xcodeproj/project.pbxproj:
* wtf/DataLog.h:
(WTF):
(WTF::dataLog):
* wtf/HashSet.h:
(HashSet):
(WTF):
(WTF::::add):
(WTF::=):
* wtf/HashTable.h:
(WTF::::HashTable):
(WTF::=):
* wtf/Insertion.h: Added.
(WTF):
(Insertion):
(WTF::Insertion::Insertion):
(WTF::Insertion::index):
(WTF::Insertion::element):
(WTF::Insertion::operator<):
(WTF::executeInsertions):
* wtf/ListDump.h: Added.
(WTF):
(ListDump):
(WTF::ListDump::ListDump):
(WTF::ListDump::dump):
(MapDump):
(WTF::MapDump::MapDump):
(WTF::MapDump::dump):
(WTF::listDump):
(WTF::sortedListDump):
(WTF::lessThan):
(WTF::mapDump):
(WTF::sortedMapDump):
* wtf/PrintStream.h:
(PrintStream):
(WTF::PrintStream::print):

Conflicts:
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153274 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Resurrect the CLoop LLINT on the FTL branch.
oliver@apple.com [Thu, 25 Jul 2013 04:04:39 +0000 (04:04 +0000)]
fourthTier: Resurrect the CLoop LLINT on the FTL branch.
https://bugs.webkit.org/show_bug.cgi?id=118144.

Reviewed by Mark Hahnenberg.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::jitType):
  - Fix the CodeBlock jitType to be InterpreterThunk when !ENABLE_JIT.
* bytecode/JumpTable.h:
(JSC::SimpleJumpTable::clear):
* interpreter/StackIterator.cpp:
(JSC::StackIterator::Frame::bytecodeOffset):
(JSC::StackIterator::Frame::print):
* jit/JITCode.cpp:
(JSC):
* jit/JITExceptions.cpp:
(JSC::getExceptionLocation):
* llint/LowLevelInterpreter.cpp:
* offlineasm/cloop.rb:
* runtime/Structure.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153273 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: NaturalLoops + Profiler = Crash
oliver@apple.com [Thu, 25 Jul 2013 04:04:37 +0000 (04:04 +0000)]
fourthTier: NaturalLoops + Profiler = Crash
https://bugs.webkit.org/show_bug.cgi?id=118486

Reviewed by Geoffrey Garen.

I borked dominators in:
http://trac.webkit.org/changeset/152431/branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGDominators.h

This patch also adds some debug support, and fixes the loop that adds a block to
an already-existing natural loop. Note that we currently don't take that path in
most programs, but it will arise, for example if you use 'continue' - though you'd
have to use it rather cleverly since the bytecode will not jump to the loop header
in most uses of 'continue'.

* dfg/DFGDominators.cpp:
(JSC::DFG::Dominators::dump):
(DFG):
* dfg/DFGDominators.h:
(JSC::DFG::Dominators::dominates):
(Dominators):
* dfg/DFGNaturalLoops.cpp:
(JSC::DFG::NaturalLoops::compute):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153272 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if...
oliver@apple.com [Thu, 25 Jul 2013 04:04:35 +0000 (04:04 +0000)]
fourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if any of the valuesAtHead have either a current known structure or a non-top/non-bottom array modes
https://bugs.webkit.org/show_bug.cgi?id=118489

Reviewed by Mark Hahnenberg.

* bytecode/ArrayProfile.h:
(JSC::arrayModesAreClearOrTop):
(JSC):
* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::beginBasicBlock):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::hasClobberableState):
(AbstractValue):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153271 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: CheckArray should call the right version of filterArrayModes
oliver@apple.com [Thu, 25 Jul 2013 04:04:33 +0000 (04:04 +0000)]
fourthTier: CheckArray should call the right version of filterArrayModes
https://bugs.webkit.org/show_bug.cgi?id=118488

Reviewed by Filip Pizlo.

Currently in the CFA CheckArray doesn't call the right filterArrayMode which can cause
the CFA to ignore when it sees a contradiction.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::executeEffects):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153270 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Graph::clearAndDerefChild() makes no sense anymore, and neither does Nop
oliver@apple.com [Thu, 25 Jul 2013 04:04:32 +0000 (04:04 +0000)]
fourthTier: Graph::clearAndDerefChild() makes no sense anymore, and neither does Nop
https://bugs.webkit.org/show_bug.cgi?id=118452

Reviewed by Sam Weinig.

Noticed that ArgumentsSimplificationPhase was converting something to a Nop and then
resetting its children using clearAndDerefChild(). Using Nop instead of Phantom is a
holdover from back when we needed a no-MustGenerate no-op. We don't anymore. Using
clearAndDerefChild() was necessary back when we did eager reference counting. We
don't need to do that anymore, and in fact clearAndDerefChild() appeared to not do
any reference counting, so it was badly named to begin with.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::executeEffects):
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
(Graph):
* dfg/DFGNode.h:
(JSC::DFG::Node::willHaveCodeGenOrOSR):
* dfg/DFGNodeType.h:
(DFG):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153269 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: FTL should better report its compile-times and it should be able to run...
oliver@apple.com [Thu, 25 Jul 2013 04:04:29 +0000 (04:04 +0000)]
fourthTier: FTL should better report its compile-times and it should be able to run in a mode where it doesn't spend time generating OSR exits
https://bugs.webkit.org/show_bug.cgi?id=118401

Reviewed by Sam Weinig.

Add two new OSR exit modes, which are useful only for playing with compile times:

- All OSR exits are llvm.trap().

- OSR exits don't take arguments and have no exit value marshaling.

* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThread):
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPlan.h:
(Plan):
* ftl/FTLIntrinsicRepository.h:
(FTL):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
(LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
* ftl/FTLOutput.h:
(JSC::FTL::Output::trap):
* runtime/Options.h:
(JSC):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153268 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG should refer to BasicBlocks by BasicBlock* and not BlockIndex
oliver@apple.com [Thu, 25 Jul 2013 04:04:27 +0000 (04:04 +0000)]
fourthTier: DFG should refer to BasicBlocks by BasicBlock* and not BlockIndex
https://bugs.webkit.org/show_bug.cgi?id=118339

Reviewed by Michael Saboff.

This accomplishes two goals:

1) Simplifies a bunch of code. You can now much more directly get to a successor
   or predecessor, since you just get the pointer directly. The backend(s) always
   hold onto a pointer to the block they're on, so you don't have to do work to
   get the block from the index.

2) It allows for the possibility of inserting blocks into the program.
   Previously, if you did that, you'd have to edit all references to blocks since
   those references would have outdated indexing after an insertion. Now, if you
   change the indexing, you just have to invalidate some analyses and make sure
   that you change each block's BasicBlock::index accordingly.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::initialize):
(JSC::DFG::AbstractState::endBasicBlock):
(JSC::DFG::AbstractState::mergeToSuccessors):
* dfg/DFGAbstractState.h:
(AbstractState):
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::run):
* dfg/DFGBasicBlock.h:
(DFG):
(JSC::DFG::BasicBlock::BasicBlock):
(JSC::DFG::BasicBlock::size):
(JSC::DFG::BasicBlock::isEmpty):
(JSC::DFG::BasicBlock::at):
(JSC::DFG::BasicBlock::operator[]):
(JSC::DFG::BasicBlock::last):
(JSC::DFG::BasicBlock::resize):
(JSC::DFG::BasicBlock::grow):
(BasicBlock):
(JSC::DFG::BasicBlock::append):
(JSC::DFG::BasicBlock::numSuccessors):
(JSC::DFG::BasicBlock::successor):
(JSC::DFG::BasicBlock::successorForCondition):
(JSC::DFG::BasicBlock::dump):
(UnlinkedBlock):
(JSC::DFG::UnlinkedBlock::UnlinkedBlock):
(JSC::DFG::getBytecodeBeginForBlock):
(JSC::DFG::blockForBytecodeOffset):
* dfg/DFGByteCodeParser.cpp:
(ByteCodeParser):
(InlineStackEntry):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::linkBlock):
(JSC::DFG::ByteCodeParser::linkBlocks):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
(JSC::DFG::ByteCodeParser::parse):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performBlockCFA):
(JSC::DFG::CFAPhase::performForwardCFA):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::run):
(JSC::DFG::CFGSimplificationPhase::convertToJump):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
(JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
(JSC::DFG::CPSRethreadingPhase::propagatePhis):
(CPSRethreadingPhase):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::run):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::run):
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
* dfg/DFGDisassembler.cpp:
(JSC::DFG::Disassembler::Disassembler):
(JSC::DFG::Disassembler::createDumpList):
* dfg/DFGDisassembler.h:
(JSC::DFG::Disassembler::setForBlockIndex):
* dfg/DFGDominators.cpp:
(JSC::DFG::Dominators::compute):
(JSC::DFG::Dominators::iterateForBlock):
* dfg/DFGDominators.h:
(JSC::DFG::Dominators::dominates):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::run):
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::dumpBlockHeader):
(JSC::DFG::Graph::handleSuccessor):
(JSC::DFG::Graph::determineReachability):
(JSC::DFG::Graph::resetReachability):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::numBlocks):
(JSC::DFG::Graph::block):
(JSC::DFG::Graph::lastBlock):
(Graph):
(JSC::DFG::Graph::appendBlock):
(JSC::DFG::Graph::killBlock):
(DFG):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::JITCompiler):
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::setForBlockIndex):
* dfg/DFGNaturalLoops.cpp:
(JSC::DFG::NaturalLoop::dump):
(JSC::DFG::NaturalLoops::compute):
(JSC::DFG::NaturalLoops::loopsOf):
* dfg/DFGNaturalLoops.h:
(JSC::DFG::NaturalLoop::NaturalLoop):
(JSC::DFG::NaturalLoop::addBlock):
(JSC::DFG::NaturalLoop::header):
(JSC::DFG::NaturalLoop::at):
(JSC::DFG::NaturalLoop::operator[]):
(JSC::DFG::NaturalLoop::contains):
(NaturalLoop):
(JSC::DFG::NaturalLoops::headerOf):
(NaturalLoops):
* dfg/DFGNode.h:
(DFG):
(JSC::DFG::SwitchCase::SwitchCase):
(JSC::DFG::SwitchCase::withBytecodeIndex):
(SwitchCase):
(JSC::DFG::SwitchCase::targetBytecodeIndex):
(JSC::DFG::SwitchData::SwitchData):
(JSC::DFG::SwitchData::setFallThroughBytecodeIndex):
(JSC::DFG::SwitchData::fallThroughBytecodeIndex):
(SwitchData):
(JSC::DFG::Node::setTakenBlock):
(JSC::DFG::Node::setNotTakenBlock):
(JSC::DFG::Node::takenBlock):
(JSC::DFG::Node::notTakenBlock):
(JSC::DFG::Node::successor):
(JSC::DFG::Node::successorForCondition):
* dfg/DFGPredictionInjectionPhase.cpp:
(JSC::DFG::PredictionInjectionPhase::run):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagateForward):
(JSC::DFG::PredictionPropagationPhase::propagateBackward):
(JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
(JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
(JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::createOSREntries):
(JSC::DFG::SpeculativeJIT::linkOSREntries):
(JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::compileRegExpExec):
(JSC::DFG::SpeculativeJIT::addBranch):
(JSC::DFG::SpeculativeJIT::linkBranches):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::nextBlock):
(SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
(JSC::DFG::SpeculativeJIT::branchDouble):
(JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
(JSC::DFG::SpeculativeJIT::branch32):
(JSC::DFG::SpeculativeJIT::branchTest32):
(JSC::DFG::SpeculativeJIT::branch64):
(JSC::DFG::SpeculativeJIT::branch8):
(JSC::DFG::SpeculativeJIT::branchPtr):
(JSC::DFG::SpeculativeJIT::branchTestPtr):
(JSC::DFG::SpeculativeJIT::branchTest8):
(JSC::DFG::SpeculativeJIT::jump):
(JSC::DFG::SpeculativeJIT::addBranch):
(JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
(StringSwitchCase):
(JSC::DFG::SpeculativeJIT::BranchRecord::BranchRecord):
(BranchRecord):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::run):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
(JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
* dfg/DFGUnificationPhase.cpp:
(JSC::DFG::UnificationPhase::run):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
(JSC::DFG::Validate::checkOperand):
(JSC::DFG::Validate::reportValidationContext):
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
(JSC::DFG::VirtualRegisterAllocationPhase::run):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::lower):
(JSC::FTL::LowerDFGToLLVM::compileBlock):
(JSC::FTL::LowerDFGToLLVM::compileJump):
(JSC::FTL::LowerDFGToLLVM::compileBranch):
(JSC::FTL::LowerDFGToLLVM::lowBlock):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153267 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Unreviewed, add a helpful comment for why DCE is needed in the FTL.
oliver@apple.com [Thu, 25 Jul 2013 04:04:23 +0000 (04:04 +0000)]
fourthTier: Unreviewed, add a helpful comment for why DCE is needed in the FTL.

I believe I've now twice down the experiment of disabling DCE in the FTL,
only to realize that this can't work, and that DCE is needed. I'd kind of
like to not make that mistake again.

* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153266 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG::Node::m_opInfo2 should also be a uintptr_t
oliver@apple.com [Thu, 25 Jul 2013 04:04:21 +0000 (04:04 +0000)]
fourthTier: DFG::Node::m_opInfo2 should also be a uintptr_t
https://bugs.webkit.org/show_bug.cgi?id=118340

Reviewed by Sam Weinig.

* dfg/DFGNode.h:
(JSC::DFG::Node::Node):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153265 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Have fewer Arrayify's
oliver@apple.com [Thu, 25 Jul 2013 04:04:20 +0000 (04:04 +0000)]
fourthTier: Have fewer Arrayify's
https://bugs.webkit.org/show_bug.cgi?id=118335

Reviewed by Mark Hahnenberg.

A lot of Arrayify's arise because some program saw Int32 arrays early on in
execution, but then they all got converted to Double arrays and the program
will never see Int32 arrays ever again. Prior to this change you would always
have an Arrayify in this case. But with this change, the first time that an
ArrayProfile is about to go polymorphic in computeUpdatedPrediction(), it
instead forcibly monomorphises itself to the latest-seen structure.
Thereafter it will never again perform this monomorphisation. This is
controlled by ArrayProfile::m_didPerformFirstRunPruning. This is a 5%
speed-up on Kraken/imaging-gaussian-blur with the FTL enabled, and it
unblocks a bunch of stuff we want to do in the future because it makes a
bunch of loops effect-free.

We will still want to implement Arrayify hoisting in the future, but this is
great anyway because it's better to not have Arrayifications than it is to
have hoisted Arrayifications.

* bytecode/ArrayProfile.cpp:
(JSC::ArrayProfile::computeUpdatedPrediction):
(JSC::ArrayProfile::briefDescription):
(JSC):
(JSC::ArrayProfile::briefDescriptionWithoutUpdating):
* bytecode/ArrayProfile.h:
(JSC::ArrayProfile::ArrayProfile):
(ArrayProfile):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153264 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: add option to disable OSR entry in loops
oliver@apple.com [Thu, 25 Jul 2013 04:04:18 +0000 (04:04 +0000)]
fourthTier: add option to disable OSR entry in loops
https://bugs.webkit.org/show_bug.cgi?id=118329

Reviewed by Mark Hahnenberg.

This adds that option, and also makes the OSR exit reoptimization trigger rely less on
OSR entry failing. Now even if we never attempt OSR entry but our execution counter gets
high after a small number of OSR exits, we will recompile.

* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
* dfg/DFGOperations.cpp:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_loop_hint):
(JSC::JIT::emitSlow_op_loop_hint):
* runtime/Options.h:
(JSC):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153263 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: since the FTL disassembly hacks cannot distinguish between code and data...
oliver@apple.com [Thu, 25 Jul 2013 04:04:16 +0000 (04:04 +0000)]
fourthTier: since the FTL disassembly hacks cannot distinguish between code and data, the LLVM disassembler symbol table callback should be able to deal gracefully with arbitrary garbage
https://bugs.webkit.org/show_bug.cgi?id=118313

Reviewed by Mark Hahnenberg.

Give it a mode where we can still crash on unrecognized reference types, so that we might
implement them in the future, but by default just print some stuff and keep going.

* disassembler/LLVMDisassembler.cpp:
(JSC):
(JSC::symbolLookupCallback):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153262 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: FTL should use the equivalent of llvm opt -O2 by default
oliver@apple.com [Thu, 25 Jul 2013 04:04:14 +0000 (04:04 +0000)]
fourthTier: FTL should use the equivalent of llvm opt -O2 by default
https://bugs.webkit.org/show_bug.cgi?id=118311

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

Use a PassManagerBuilder instead of rolling our own.

This boosts our speed-up by another 5% or so.

* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* runtime/Options.h:
(JSC):

Source/WTF:

Reviewed by Mark Hahnenberg.

* wtf/LLVMHeaders.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153261 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: FTL should run LICM after AA setup
oliver@apple.com [Thu, 25 Jul 2013 04:04:12 +0000 (04:04 +0000)]
fourthTier: FTL should run LICM after AA setup
https://bugs.webkit.org/show_bug.cgi?id=118277

Reviewed by Maciej Stachowiak.

LICM queries alias analysis. Hence, just like GVN, it should run after
we have set up the alias analysis.

* ftl/FTLCompile.cpp:
(JSC::FTL::compile):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153260 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: FTL should run AA passes before GVN
oliver@apple.com [Thu, 25 Jul 2013 04:04:11 +0000 (04:04 +0000)]
fourthTier: FTL should run AA passes before GVN
https://bugs.webkit.org/show_bug.cgi?id=118276

Rubber stamped by Geoffrey Garen.

These enable load elimination in GVN.

Immediately gives us a speed-up on a bunch of benchmarks I hacked to run
properly in the FTL. One example is 20% on imaging-gaussian-blur. (Fair
warning: the stock version of that benchmark won't see speed-ups -
probably slow-downs instead - because the FTL can't do OSR entry yet.)
Another example is the findGraphNode function, which now sees a 7%
speed-up, and that's without even doing LICM or other good things.

* ftl/FTLCompile.cpp:
(JSC::FTL::compile):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153259 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Make Graph::substituteGetLocal() out-of-line
oliver@apple.com [Thu, 25 Jul 2013 04:04:09 +0000 (04:04 +0000)]
fourthTier: Make Graph::substituteGetLocal() out-of-line

Rubber stamped by Geoffrey Garen.

* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::substituteGetLocal):
(DFG):
* dfg/DFGGraph.h:
(Graph):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153258 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG should know how to find natural loops
oliver@apple.com [Thu, 25 Jul 2013 04:04:08 +0000 (04:04 +0000)]
fourthTier: DFG should know how to find natural loops
https://bugs.webkit.org/show_bug.cgi?id=118152

Reviewed by Mark Hahnenberg.

There are a bunch of things we can do when we know where the loops are.
Previously we didn't. With this patch, we do.

This patch adds the classic dominator based natural loop finder.

The only client of this right now is the DFG::Disassembler. It prints out
a summary of the analysis for each block.

This will become more important when I do
https://bugs.webkit.org/show_bug.cgi?id=118151, which definitely requires
this kind of analysis, at least if we want to do the optimization over
DFG IR (and I'm pretty sure we do).

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAnalysis.h: Added.
(DFG):
(Analysis):
(JSC::DFG::Analysis::Analysis):
(JSC::DFG::Analysis::invalidate):
(JSC::DFG::Analysis::computeIfNecessary):
(JSC::DFG::Analysis::isValid):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::run):
* dfg/DFGDisassembler.cpp:
(JSC::DFG::Disassembler::createDumpList):
* dfg/DFGDominators.cpp:
(JSC::DFG::Dominators::Dominators):
(JSC::DFG::Dominators::compute):
* dfg/DFGDominators.h:
(Dominators):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dumpBlockHeader):
(JSC::DFG::Graph::invalidateCFG):
(DFG):
* dfg/DFGGraph.h:
(Graph):
* dfg/DFGNaturalLoops.cpp: Added.
(DFG):
(JSC::DFG::NaturalLoop::dump):
(JSC::DFG::NaturalLoops::NaturalLoops):
(JSC::DFG::NaturalLoops::~NaturalLoops):
(JSC::DFG::NaturalLoops::compute):
(JSC::DFG::NaturalLoops::loopsOf):
(JSC::DFG::NaturalLoops::dump):
* dfg/DFGNaturalLoops.h: Added.
(DFG):
(NaturalLoop):
(JSC::DFG::NaturalLoop::NaturalLoop):
(JSC::DFG::NaturalLoop::addBlock):
(JSC::DFG::NaturalLoop::header):
(JSC::DFG::NaturalLoop::size):
(JSC::DFG::NaturalLoop::at):
(JSC::DFG::NaturalLoop::operator[]):
(JSC::DFG::NaturalLoop::contains):
(NaturalLoops):
(JSC::DFG::NaturalLoops::numLoops):
(JSC::DFG::NaturalLoops::loop):
(JSC::DFG::NaturalLoops::headerOf):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153257 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: JSC's disassembly infrastructure should be able to disassemble the code...
oliver@apple.com [Thu, 25 Jul 2013 04:04:05 +0000 (04:04 +0000)]
fourthTier: JSC's disassembly infrastructure should be able to disassemble the code that LLVM generates
https://bugs.webkit.org/show_bug.cgi?id=118148

Source/JavaScriptCore:

Reviewed by Anders Carlsson.

Oh boy. UDis86 cannot disassemble the AVX (or whatever it's called) stuff
that LLVM generates for floating point. So the right decision is to
switch to the LLVM disassembler, right? Wrong!! LLVM's disassembler
cannot disassemble the load-from-absolute-address-into-%rax instructions
that our JIT generates quite a lot of.

So, this keeps the UDis86 disassembler, but adds the LLVM disassembler,
and requires the caller of disassemble() to hint which one is likely to
be less wrong for the given code.

Maybe in the future LLVM will catch up to UDis86, but it's definitely not
there right now.

This now allows us to disassemble all of the code that LLVM generates.

* JavaScriptCore.xcodeproj/project.pbxproj:
* disassembler/Disassembler.cpp:
(JSC::disassemble):
* disassembler/Disassembler.h:
(JSC::tryToDisassemble):
(JSC):
* disassembler/LLVMDisassembler.cpp: Added.
(JSC):
(JSC::symbolLookupCallback):
(JSC::tryToDisassembleWithLLVM):
* disassembler/LLVMDisassembler.h: Added.
(JSC):
(JSC::tryToDisassembleWithLLVM):
* disassembler/UDis86Disassembler.cpp:
(JSC::tryToDisassembleWithUDis86):
* disassembler/UDis86Disassembler.h: Added.
(JSC):
(JSC::tryToDisassembleWithUDis86):
* disassembler/X86Disassembler.cpp: Added.
(JSC):
(JSC::tryToDisassemble):
* ftl/FTLAbbreviatedTypes.h:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLJITCode.h:
* ftl/FTLJITFinalizer.h:
* ftl/FTLLLVMHeaders.h: Removed.
* ftl/FTLLink.cpp:
* runtime/InitializeThreading.cpp:
(JSC::initializeThreadingOnce):
* runtime/Options.h:
(JSC):

Source/WTF:

Reviewed by Anders Carlsson.

We now use LLVM for two things: disassembler and FTL. Separate out the question
of whether we have LLVM (HAVE(LLVM)) from whether we want to use the LLVM
disassembler (USE(LLVM_DISASSEMBLER)) and whether we enable the FTL
(ENABLE(FTL_JIT)).

Also move the cruft for including LLVM headers into WTF since now we use it in
a bunch of places, not all related to FTL. There's no obvious place to put that
file in JSC so I put it in WTF.

* WTF.xcodeproj/project.pbxproj:
* wtf/LLVMHeaders.h: Copied from Source/JavaScriptCore/ftl/FTLLLVMHeaders.h.
* wtf/Platform.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153256 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: FTL should be able to dump disassembly
oliver@apple.com [Thu, 25 Jul 2013 04:04:02 +0000 (04:04 +0000)]
fourthTier: FTL should be able to dump disassembly
https://bugs.webkit.org/show_bug.cgi?id=118141

Reviewed by Geoffrey Garen.

* ftl/FTLCompile.cpp:
(JSC::FTL::compile):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153255 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: FTL should support hole/OOB PutByVal's
oliver@apple.com [Thu, 25 Jul 2013 04:04:01 +0000 (04:04 +0000)]
fourthTier: FTL should support hole/OOB PutByVal's
https://bugs.webkit.org/show_bug.cgi?id=118112

Reviewed by Geoffrey Garen.

Added a common code generator for the out-of-bounds case that is reused by
all contiguous-like arrays (Int32, Double, Contiguous).

This is relatively straight-forward, except that it's the first time that
the FTL has to call DFG operations that take more than two arguments.

* ftl/FTLAbbreviations.h:
(JSC::FTL::functionType):
(JSC::FTL::buildCall):
* ftl/FTLAbstractHeapRepository.h:
(FTL):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
(FTL):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
(LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
(JSC::FTL::LowerDFGToLLVM::vmCall):
* ftl/FTLOutput.h:
(JSC::FTL::Output::call):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153254 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: FTL::canCompile(Graph&) should not consider nodes that won't be compiled
oliver@apple.com [Thu, 25 Jul 2013 04:03:59 +0000 (04:03 +0000)]
fourthTier: FTL::canCompile(Graph&) should not consider nodes that won't be compiled
https://bugs.webkit.org/show_bug.cgi?id=118097

Reviewed by Mark Hahnenberg.

This increases coverage to include programs that have unprofiled paths. Those paths will
often have nodes that appear to do untyped speculations, and the FTL sometimes doesn't
support those; except that it doesn't matter since the reason why they were untyped is
that they were unprofiled and anyway we won't run them because we'll exit before them.

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153253 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: FTL should support ArrayifyToStructure
oliver@apple.com [Thu, 25 Jul 2013 04:03:57 +0000 (04:03 +0000)]
fourthTier: FTL should support ArrayifyToStructure
https://bugs.webkit.org/show_bug.cgi?id=118095

Reviewed by Mark Hahnenberg.

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
(FTL):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
(LowerDFGToLLVM):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153252 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: FTL should support ForwardCheckStructure/ForwardStructureTransitionWatchp...
oliver@apple.com [Thu, 25 Jul 2013 04:03:56 +0000 (04:03 +0000)]
fourthTier: FTL should support ForwardCheckStructure/ForwardStructureTransitionWatchpoint and doing so shouldn't break V8/crypto
https://bugs.webkit.org/show_bug.cgi?id=118091

Reviewed by Mark Hahnenberg.

I was going to just add ForwardCheckStructure/ForwardStructureTransitionWatchpoint support,
which is trivial. But doing so increases coverage a lot, and revealed long-standing bugs in
the FTL. I then fixed those bugs, also:

- The FTL should not attempt to compile a block that is not reachable according to the CFA.
  This is analogous to terminating basic block compilation if the CFA becomes !isValid().
  Attempting to compile such a block means that you're running on broken CFA state, and the
  CFA will become inconsistent with the code you're generating, leading to some
  strangeness. For example, the FTL relies on the CFA to tell it that we gave up compiling
  a node and hence don't have LValue's for that node (by virtue of us giving up due to
  !isValid()). But the CFA's isValid() bit will not be set correctly for blocks that
  weren't visited by the CFA at all, and the CFA expects you to know this because it
  expects that you already checked BasicBlock::cfaHasVisited.

- SetLocal needs to change the ValueSource of the operand to indicate that its value has
  been stashed in the local (i.e. the "reference" corresponding to the operand in FTL
  speak). This is because although OSR exit already knows that the value of the operand is
  stored in the Node, and it already knows what LValue corresponds to the node, OSR exit
  will also assume that if the Node dies then the value-at-exit for that operand should be
  Dead (i.e. jsUndefined). But the Node dying, and the local dying, are two distinct
  things; in particular the local always outlives the Node in the case of a SetLocal. So,
  we just need to have SetLocal have the ValueSource be BlahInLocal rather than HaveNode,
  to ensure that OSR exit knows that the darn thing is really live until the end of the
  basic block, as opposed to until whenever the Node dies (which could be at any time).

- PutByOffset was erroneously storing to an offset from the base object, rather than an
  offset from the storage. Note that the storage will be the base object (exactly - i.e.
  same node, same value) for inline stores, but will be a distinct thing for out-of-line
  stores.

- At-head set-up of OSR exit state was using ValueInLocals for variables forced double,
  when it should have been using DoubleInLocals.

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileBlock):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
(JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
(JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153251 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: FTL should support PutByVal
oliver@apple.com [Thu, 25 Jul 2013 04:03:54 +0000 (04:03 +0000)]
fourthTier: FTL should support PutByVal
https://bugs.webkit.org/show_bug.cgi?id=118075

Reviewed by Mark Hahnenberg.

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::lower):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
(LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153250 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Convert versus AsIs should have no bearing on whether we can do the SaneC...
oliver@apple.com [Thu, 25 Jul 2013 04:03:52 +0000 (04:03 +0000)]
fourthTier: Convert versus AsIs should have no bearing on whether we can do the SaneChain optimization for double array GetByVals
https://bugs.webkit.org/show_bug.cgi?id=118028

Reviewed by Sam Weinig.

The SaneChain optimization allows us to get rid of the NaN check on loading from
a double array, if the result is used in an arithmetic op that wouldn't
distinguish between NaN and undefined. Normally the NaN check would be needed
because NaN is the hole marker.

The SaneChain optimization definitely requires that you're an Original array,
since we need to watchpoint the array prototype chain. And so it also needs to
be a JSArray, and not an object that has indexed double properties. We also
require an in-bounds access, since the backend is only capable of the
optimization in the in-bounds case (though we could extend it to OOB in the
future). But whether the array is being converted or is as-is isn't relevant.
Either way, if it's a double original array in-bounds access by the time that
the array check (or conversion!) completes, we can do the optimization.

Ever-so-slight speed-up on Kraken/imaging-gaussian-blur.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153249 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG should support switch_string
oliver@apple.com [Thu, 25 Jul 2013 04:03:51 +0000 (04:03 +0000)]
fourthTier: DFG should support switch_string
https://bugs.webkit.org/show_bug.cgi?id=117967

Source/JavaScriptCore:

Reviewed by Sam Weinig.

Add a reusable binary switch creator.

Implement switch on string using three modes:

- Binary switch on StringImpl* in the case of identifiers.

- Trie of binary switches on characters in the case of a not-too-big
  switch over not-too-big 8-bit strings.

- Hash lookup if all else fails.

Anywhere from a 2x to 3x speed-up on microbenchmarks that stress
string switches. 25-35% speed-up on HashMap tests. 4% speed-up on
pdfjs.

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/JumpTable.h:
(StringJumpTable):
(JSC::StringJumpTable::clear):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGBinarySwitch.cpp: Added.
(DFG):
(JSC::DFG::BinarySwitch::BinarySwitch):
(JSC::DFG::BinarySwitch::advance):
(JSC::DFG::BinarySwitch::build):
* dfg/DFGBinarySwitch.h: Added.
(DFG):
(BinarySwitch):
(JSC::DFG::BinarySwitch::caseIndex):
(JSC::DFG::BinarySwitch::caseValue):
(JSC::DFG::BinarySwitch::fallThrough):
(JSC::DFG::BinarySwitch::Case::Case):
(Case):
(JSC::DFG::BinarySwitch::Case::operator<):
(JSC::DFG::BinarySwitch::BranchCode::BranchCode):
(BranchCode):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGLazyJSValue.cpp:
(JSC::DFG::LazyJSValue::getValue):
(JSC::DFG::equalToStringImpl):
(DFG):
(JSC::DFG::LazyJSValue::strictEqual):
(JSC::DFG::LazyJSValue::dump):
* dfg/DFGLazyJSValue.h:
(JSC::DFG::LazyJSValue::knownStringImpl):
(LazyJSValue):
(JSC::DFG::LazyJSValue::stringImpl):
(JSC::DFG::LazyJSValue::switchLookupValue):
* dfg/DFGNode.cpp:
(WTF::printInternal):
* dfg/DFGNode.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitchChar):
(JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<):
(DFG):
(JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
(JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
(JSC::DFG::SpeculativeJIT::emitSwitchString):
(JSC::DFG::SpeculativeJIT::emitSwitch):
(JSC::DFG::SpeculativeJIT::addBranch):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::branch8):
(SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
(StringSwitchCase):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileSwitch):
* runtime/Options.h:
(JSC):

Source/WTF:

Reviewed by Sam Weinig.

Make it possible to compare a RefPtr<StringImpl> and a StringImpl* without
having to ref the StringImpl.

* wtf/text/StringHash.h:
(WTF::StringHash::equal):

LayoutTests:

Reviewed by Sam Weinig.

* fast/js/regress/script-tests/switch-string-basic-big-var.js: Added.
(foo):
(make):
* fast/js/regress/script-tests/switch-string-basic-big.js: Added.
(foo):
(make):
* fast/js/regress/script-tests/switch-string-basic-var.js: Added.
(foo):
(make):
* fast/js/regress/script-tests/switch-string-basic.js: Added.
(foo):
* fast/js/regress/script-tests/switch-string-big-length-tower-var.js: Added.
(foo):
* fast/js/regress/script-tests/switch-string-length-tower-var.js: Added.
(foo):
* fast/js/regress/script-tests/switch-string-length-tower.js: Added.
(foo):
* fast/js/regress/script-tests/switch-string-short.js: Added.
(foo):
* fast/js/regress/switch-string-basic-big-expected.txt: Added.
* fast/js/regress/switch-string-basic-big-var-expected.txt: Added.
* fast/js/regress/switch-string-basic-big-var.html: Added.
* fast/js/regress/switch-string-basic-big.html: Added.
* fast/js/regress/switch-string-basic-expected.txt: Added.
* fast/js/regress/switch-string-basic-var-expected.txt: Added.
* fast/js/regress/switch-string-basic-var.html: Added.
* fast/js/regress/switch-string-basic.html: Added.
* fast/js/regress/switch-string-big-length-tower-var-expected.txt: Added.
* fast/js/regress/switch-string-big-length-tower-var.html: Added.
* fast/js/regress/switch-string-length-tower-expected.txt: Added.
* fast/js/regress/switch-string-length-tower-var-expected.txt: Added.
* fast/js/regress/switch-string-length-tower-var.html: Added.
* fast/js/regress/switch-string-length-tower.html: Added.
* fast/js/regress/switch-string-short-expected.txt: Added.
* fast/js/regress/switch-string-short.html: Added.

Conflicts:
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153248 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Count external memory usage towards heap footprint
oliver@apple.com [Thu, 25 Jul 2013 04:03:46 +0000 (04:03 +0000)]
fourthTier: Count external memory usage towards heap footprint
https://bugs.webkit.org/show_bug.cgi?id=117948

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Currently just count strings. Strings get counted in such a way that we won't re-count strings
that are aliased, by dividing by the reference count. This then ups the GC footprint and allows
the collector to appropriately amortize itself.

* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::size):
(JSC::Heap::collect):
* heap/Heap.h:
(Heap):
* heap/SlotVisitor.h:
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::reportExtraMemoryUsage):
(JSC):
* runtime/JSString.cpp:
(JSC::JSString::visitChildren):

Source/WTF:

Expose some functionality needed for properly measuring StringImpl footprint.

* wtf/Atomics.h:
(WTF::weakCompareAndSwapSize):
(WTF):
* wtf/MathExtras.h:
(divideRoundedUp):
* wtf/text/StringImpl.h:
(WTF::StringImpl::cost):
(StringImpl):
(WTF::StringImpl::costDuringGC):
(WTF::StringImpl::refCount):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153247 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG should optimize identifier string equality
oliver@apple.com [Thu, 25 Jul 2013 04:03:44 +0000 (04:03 +0000)]
fourthTier: DFG should optimize identifier string equality
https://bugs.webkit.org/show_bug.cgi?id=117920

Reviewed by Sam Weinig.

Note that this ChangeLog was supposed to be committed in r151890.

Expose the IsIdentifier bit to the JIT.

* wtf/text/StringImpl.h:
(WTF::StringImpl::flagIsIdentifier):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153246 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG should optimize identifier string equality
oliver@apple.com [Thu, 25 Jul 2013 04:03:42 +0000 (04:03 +0000)]
fourthTier: DFG should optimize identifier string equality
https://bugs.webkit.org/show_bug.cgi?id=117920

Source/JavaScriptCore:

Reviewed by Sam Weinig.

This is a 20% speed-up for string equality comparisons when both strings are
identifiers.

This is important for two reasons:

1) Using strings as enumerations is an idiom. A great example is typeof. It
   would be great if this performed better.

2) When I implement switch_string in the DFG, it would be great to optimize
   the case where the switched-on value is an identifier. That would involve
   a simple binary switch rather than a more complicated trie-switch over
   characters.

* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromCell):
* bytecode/SpeculatedType.h:
(JSC):
(JSC::isStringIdentSpeculation):
(JSC::isStringSpeculation):
* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::executeEffects):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateStringIdent):
(Node):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::compileStringEquality):
(JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
(DFG):
(JSC::DFG::SpeculativeJIT::speculateString):
(JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
(JSC::DFG::SpeculativeJIT::speculateStringIdent):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
(SpeculativeJIT):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isCell):

LayoutTests:

Reviewed by Sam Weinig.

Add a benchmark for string equality where there is a long identifier, and
also add a benchmark for non-identifier string equality (since the previous
test for string equality was really identifier equality).

* fast/js/regress/script-tests/string-long-ident-equality.js: Added.
(foo):
* fast/js/regress/script-tests/string-var-equality.js: Added.
(addFoo):
(foo):
* fast/js/regress/string-long-ident-equality-expected.txt: Added.
* fast/js/regress/string-long-ident-equality.html: Added.
* fast/js/regress/string-var-equality-expected.txt: Added.
* fast/js/regress/string-var-equality.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153245 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds
oliver@apple.com [Thu, 25 Jul 2013 04:03:39 +0000 (04:03 +0000)]
fourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds
https://bugs.webkit.org/show_bug.cgi?id=117906

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

This does the obvious thing, but also makes sure that out-of-bounds accesses
don't fall off into a C call, but try to do the fast thing if the prototype
chain is sane. We ought to probably do this for other array accesses in the
future, as well, since it's so darn easy.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::executeEffects):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::objectPrototypeIsSane):
(JSC):
(JSC::JSGlobalObject::arrayPrototypeChainIsSane):
(JSC::JSGlobalObject::stringPrototypeChainIsSane):
* runtime/JSGlobalObject.h:
(JSGlobalObject):

LayoutTests:

Reviewed by Mark Hahnenberg.

The out-of-bounds benchmark that isn't insane speeds up by 22x in this
patch.

* fast/js/regress/script-tests/string-get-by-val-out-of-bounds-insane.js: Added.
(foo):
* fast/js/regress/script-tests/string-get-by-val-out-of-bounds.js: Added.
(foo):
* fast/js/regress/string-get-by-val-out-of-bounds-expected.txt: Added.
* fast/js/regress/string-get-by-val-out-of-bounds-insane-expected.txt: Added.
* fast/js/regress/string-get-by-val-out-of-bounds-insane.html: Added.
* fast/js/regress/string-get-by-val-out-of-bounds.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153244 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: GC's put_by_id transition fixpoint should converge more quickly
oliver@apple.com [Thu, 25 Jul 2013 04:03:36 +0000 (04:03 +0000)]
fourthTier: GC's put_by_id transition fixpoint should converge more quickly
https://bugs.webkit.org/show_bug.cgi?id=117912

Reviewed by Mark Hahnenberg.

This was a rookie mistake. The GC does a classic forward data flow fixpoint. These work well so long as you
iterate the program in program order, or at least something close to program order. Because I enjoy reverse
loops ("while (n--) blah"), I ended up iterating in *reverse* of program order which ensured worst-case
pathologies every single time. And unsurprisingly, this slowed down a program, namely pdfjs.

Flipping the loops to iterate forward fixes a 90% regression in Octane/pdfjs and is otherwise neutral.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::propagateTransitions):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153243 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG should CSE MakeRope
oliver@apple.com [Thu, 25 Jul 2013 04:03:35 +0000 (04:03 +0000)]
fourthTier: DFG should CSE MakeRope
https://bugs.webkit.org/show_bug.cgi?id=117905

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.

Adds MakeRope to the CSE phase and removes the comment that says that
we could do it but aren't doing it.

Also fixed SpeculatedType dumping so that if you have a Cell type then
it just prints "Cell" and if you just have Object then it just prints
"Object", instead of printing the long list of types.

* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):

LayoutTests:

Reviewed by Geoffrey Garen.

This benchmark speeds up by 50%.

* fast/js/regress/make-rope-cse-expected.txt: Added.
* fast/js/regress/make-rope-cse.html: Added.
* fast/js/regress/script-tests/make-rope-cse.js: Added.
(foo):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153242 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: DFG should't exit just because it GetByVal'd a big character
oliver@apple.com [Thu, 25 Jul 2013 04:03:33 +0000 (04:03 +0000)]
fourthTier: DFG should't exit just because it GetByVal'd a big character
https://bugs.webkit.org/show_bug.cgi?id=117899

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

Add a slow path. Also clarify handling of GetByVal in PutStructure elimination.
Previously it would fail due to canExit() but now we can also fail because
GetByVal(String) can allocate. Just make it so GetByVal is totally poisoned, in
a very explicit way.

* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::putStructureStoreElimination):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
(SpeculativeJIT):

LayoutTests:

Reviewed by Mark Hahnenberg.

This benchmark speeds up by 3x.

* fast/js/regress/script-tests/string-get-by-val-big-char.js: Added.
(foo):
* fast/js/regress/string-get-by-val-big-char-expected.txt: Added.
* fast/js/regress/string-get-by-val-big-char.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153241 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Small strings shouldn't get GC'd
oliver@apple.com [Thu, 25 Jul 2013 04:03:30 +0000 (04:03 +0000)]
fourthTier: Small strings shouldn't get GC'd
https://bugs.webkit.org/show_bug.cgi?id=117897

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

Kill off the code needed to allocate them lazily and finalize them.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
* heap/Heap.cpp:
(JSC::Heap::collect):
* runtime/JSString.h:
(JSC::jsSingleCharacterString):
(JSC::jsSingleCharacterSubstring):
(JSC::jsString):
(JSC::jsSubstring8):
(JSC::jsSubstring):
(JSC::jsOwnedString):
* runtime/NumberPrototype.cpp:
(JSC::integerValueToString):
* runtime/SmallStrings.cpp:
(JSC):
(JSC::SmallStrings::initializeCommonStrings):
(JSC::SmallStrings::visitStrongReferences):
* runtime/SmallStrings.h:
(JSC::SmallStrings::singleCharacterString):
(SmallStrings):

LayoutTests:

Reviewed by Mark Hahnenberg.

This test speeds up by 5%.

* fast/js/regress/script-tests/string-get-by-val.js: Added.
(foo):
* fast/js/regress/string-get-by-val-expected.txt: Added.
* fast/js/regress/string-get-by-val.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153240 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Re-indent JSString.h to aid mhe merging of the FTL branch
oliver@apple.com [Thu, 25 Jul 2013 04:03:27 +0000 (04:03 +0000)]
fourthTier: Re-indent JSString.h to aid mhe merging of the FTL branch

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153239 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: Structure should have a dump()
oliver@apple.com [Thu, 25 Jul 2013 04:03:25 +0000 (04:03 +0000)]
fourthTier: Structure should have a dump()
https://bugs.webkit.org/show_bug.cgi?id=117859

Reviewed by Geoffrey Garen.

This is pretty cool. Anywhere we previously printed Structure pointers in dumps,
we now print a bunch of other info as well. For example, for an object literal
like "{f:42, g:64, h:24}", when we print the structure we'll now get:

    0x107a0af80:[Object, {f:0, g:1, h:2}, NonArray, Proto:0x107a8fff0]

This also changes a bunch of places to use the dump method.

* bytecode/StructureSet.h:
(JSC::StructureSet::dump):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::dump):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dump):
* runtime/Structure.cpp:
(JSC::Structure::dump):
(JSC):
* runtime/Structure.h:
(Structure):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153238 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: There should only be one table of SimpleJumpTables
oliver@apple.com [Thu, 25 Jul 2013 04:03:23 +0000 (04:03 +0000)]
fourthTier: There should only be one table of SimpleJumpTables
https://bugs.webkit.org/show_bug.cgi?id=117856

Reviewed by Geoffrey Garen.

Having multiple tables of SimpleJumpTables just means we have to duplicate a
ton of code. This patch deduplicates all of it.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::shrinkToFit):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::numberOfSwitchJumpTables):
(JSC::CodeBlock::addSwitchJumpTable):
(JSC::CodeBlock::switchJumpTable):
(JSC::CodeBlock::clearSwitchJumpTables):
(RareData):
* bytecode/PreciseJumpTargets.cpp:
(JSC):
(JSC::computePreciseJumpTargets):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::shrinkToFit):
(JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables):
(JSC::UnlinkedCodeBlock::addSwitchJumpTable):
(JSC::UnlinkedCodeBlock::switchJumpTable):
(RareData):
* bytecompiler/BytecodeGenerator.cpp:
(JSC):
(JSC::prepareJumpTableForSwitch):
(JSC::BytecodeGenerator::endSwitch):
* dfg/DFGByteCodeParser.cpp:
(InlineStackEntry):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JITCompiler):
* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
(DFG):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
* dfg/DFGSpeculativeJIT.h:
(SpeculativeJIT):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153237 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: FTL should clear character switch jump tables
oliver@apple.com [Thu, 25 Jul 2013 04:03:20 +0000 (04:03 +0000)]
fourthTier: FTL should clear character switch jump tables
https://bugs.webkit.org/show_bug.cgi?id=117852

Reviewed by Sam Weinig.

The FTL just uses LLVM's switch, which results in LLVM allocating its own switch
jump tables as needed.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::clearCharacterSwitchJumpTables):
* ftl/FTLLink.cpp:
(JSC::FTL::link):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153236 268f45cc-cd09-0410-ab3c-d52691b4dbfc

7 years agofourthTier: FTL should support SwitchChar
oliver@apple.com [Thu, 25 Jul 2013 04:03:18 +0000 (04:03 +0000)]
fourthTier: FTL should support SwitchChar
https://bugs.webkit.org/show_bug.cgi?id=117849

Reviewed by Geoffrey Garen.

This adds Switch(SwitchChar) to the FTL and also implicitly does some other things.
SwitchChar requires calling a slow path to resolve ropes. Previously the FTL had no
support for calling slow paths, and we avoided adding coverage that would require
that. Well, this patch adds the ability to call slow paths and just uses that for
resolving ropes for SwitchChar. Also SwitchChar required adding awareness of strings,
so I did that, too.

* bytecode/CodeBlock.h:
(CodeBlock):
(JSC::CodeBlock::addCodeOrigin):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGNode.cpp:
(WTF):
(WTF::printInternal):
* dfg/DFGNode.h:
(WTF):
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* ftl/FTLAbbreviations.h:
(JSC::FTL::int16Type):
(JSC::FTL::constInt):
* ftl/FTLAbstractHeapRepository.h:
(FTL):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLCommonValues.cpp:
(JSC::FTL::CommonValues::CommonValues):
* ftl/FTLCommonValues.h:
(CommonValues):
* ftl/FTLIntrinsicRepository.cpp:
(JSC::FTL::IntrinsicRepository::IntrinsicRepository):
(FTL):
* ftl/FTLIntrinsicRepository.h:
(FTL):
(IntrinsicRepository):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::lower):
(JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
(JSC::FTL::LowerDFGToLLVM::compileJump):
(JSC::FTL::LowerDFGToLLVM::compileBranch):
(JSC::FTL::LowerDFGToLLVM::compileSwitch):
(JSC::FTL::LowerDFGToLLVM::buildSwitch):
(LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::lowString):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::isObject):
(JSC::FTL::LowerDFGToLLVM::isNotString):
(JSC::FTL::LowerDFGToLLVM::isString):
(JSC::FTL::LowerDFGToLLVM::isNotObject):
(JSC::FTL::LowerDFGToLLVM::speculateObject):
(JSC::FTL::LowerDFGToLLVM::speculateString):
(JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
(JSC::FTL::LowerDFGToLLVM::vmCall):
(JSC::FTL::LowerDFGToLLVM::callPreflight):
(JSC::FTL::LowerDFGToLLVM::callCheck):
(JSC::FTL::LowerDFGToLLVM::lowBlock):
* ftl/FTLOutput.h:
(JSC::FTL::Output::constBool):
(JSC::FTL::Output::constInt8):
(JSC::FTL::Output::constInt32):
(JSC::FTL::Output::constIntPtr):
(JSC::FTL::Output::constInt64):
(JSC::FTL::Output::load16):
(JSC::FTL::Output::isNull):
(JSC::FTL::Output::notNull):
(JSC::FTL::Output::testIsZero32):
(JSC::FTL::Output::testNonZero32):
(Output):
(JSC::FTL::Output::operation):
(JSC::FTL::Output::crash):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153235 268f45cc-cd09-0410-ab3c-d52691b4dbfc