1 2015-05-05 Myles C. Maxfield <mmaxfield@apple.com>
3 Revert "Introducing the Platform Abstraction Layer (PAL)"
4 https://bugs.webkit.org/show_bug.cgi?id=144751
8 PAL should be a new target inside WebCore, rather than a top-level folder.
10 * Configurations/FeatureDefines.xcconfig: Updated
12 2015-05-07 Basile Clement <basile_clement@apple.com>
14 Dumping OSR ExitValue should expand materializations only once
15 https://bugs.webkit.org/show_bug.cgi?id=144694
17 Reviewed by Filip Pizlo.
19 Currently, dumping OSR exit values will print the full materialization
20 information each time it is encountered. We change it to print only a
21 brief description (only the materialization's address), and print the
22 whole set of materializations later on.
24 This makes the dump less confusing (less likely to think that two
25 instances of the same materialization are different), and will be a
26 necessary change if/when we support materialization cycles.
29 (JSC::FTL::mmAllocateDataSection):
30 * ftl/FTLExitValue.cpp:
31 (JSC::FTL::ExitValue::dumpInContext):
32 * ftl/FTLLowerDFGToLLVM.cpp:
33 (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
35 2015-05-07 Andreas Kling <akling@apple.com>
37 Worker threads leak WeakBlocks (as seen on leaks bot)
38 <https://webkit.org/b/144721>
39 <rdar://problem/20848288>
41 Reviewed by Darin Adler.
43 Nuke any remaining empty WeakBlocks when the Heap is being torn down.
44 Trying to peek into these blocks after the VM is dead would be a bug anyway.
46 This fixes a ~750 KB leak seen on the leaks bot.
51 2015-05-05 Geoffrey Garen <ggaren@apple.com>
53 Don't branch when accessing the callee
54 https://bugs.webkit.org/show_bug.cgi?id=144645
56 Reviewed by Michael Saboff.
58 The branch was added in <http://trac.webkit.org/changeset/81040> without
61 kling found it to be a performance problem. See <https://webkit.org/b/144586>.
63 Our theory of access to Registers is that it's up to the client to access
64 them in the right way. So, let's do that.
66 * interpreter/CallFrame.h:
67 (JSC::ExecState::callee):
68 (JSC::ExecState::setCallee): Call the field object instead of function
69 because nothing guarantees that it's a function.
70 * interpreter/ProtoCallFrame.h:
71 (JSC::ProtoCallFrame::callee):
72 (JSC::ProtoCallFrame::setCallee):
73 * interpreter/Register.h:
75 (JSC::Register::object): Just do a cast like our other accessors do.
76 (JSC::Register::operator=):
77 (JSC::Register::function): Deleted.
78 (JSC::Register::withCallee): Deleted.
80 2015-05-07 Dan Bernstein <mitz@apple.com>
82 <rdar://problem/19317140> [Xcode] Remove usage of AspenFamily.xcconfig in Source/
83 https://bugs.webkit.org/show_bug.cgi?id=144727
85 Reviewed by Darin Adler.
87 * Configurations/Base.xcconfig: Don’t include AspenFamily.xcconfig, and define
88 INSTALL_PATH_PREFIX and LD_DYLIB_INSTALL_NAME for the iOS 8.x Simulator.
90 2015-05-07 Andreas Kling <akling@apple.com>
92 Special-case Int32 values in JSON.stringify().
93 <https://webkit.org/b/144731>
95 Reviewed by Michael Saboff.
97 Add a fast path for serializing Int32 values to JSON. This is far faster than dragging
98 simple integers through the full-blown dtoa() machinery.
100 ~50% speedup on Kraken/json-stringify-tinderbox.
102 * runtime/JSONObject.cpp:
103 (JSC::Stringifier::appendStringifiedValue):
105 2015-05-06 Ryosuke Niwa <rniwa@webkit.org>
107 ToT WebKit crashes while loading ES6 compatibility table
108 https://bugs.webkit.org/show_bug.cgi?id=144726
110 Reviewed by Filip Pizlo.
112 The bug was caused by parseClass superfluously avoiding to build up the string after seeing {.
114 Always build the identifier here as it could be a method name.
117 (JSC::Parser<LexerType>::parseClass):
119 2015-05-05 Filip Pizlo <fpizlo@apple.com>
121 Sane chain and string watchpoints should be set in FixupPhase or the backend rather than WatchpointCollectionPhase
122 https://bugs.webkit.org/show_bug.cgi?id=144665
124 Reviewed by Michael Saboff.
126 This is a step towards getting rid of WatchpointCollectionPhase. It's also a step towards
127 extending SaneChain to all indexing shapes.
129 * dfg/DFGFixupPhase.cpp:
130 (JSC::DFG::FixupPhase::fixupNode): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase.
131 (JSC::DFG::FixupPhase::checkArray): Clarify the need for checking the structure. We often forget why we do this instead of always using CheckArray.
132 * dfg/DFGSpeculativeJIT.cpp:
133 (JSC::DFG::SpeculativeJIT::compileGetByValOnString): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase.
134 * dfg/DFGWatchpointCollectionPhase.cpp:
135 (JSC::DFG::WatchpointCollectionPhase::handle): Remove some code.
136 (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal): Deleted.
137 * ftl/FTLLowerDFGToLLVM.cpp:
138 (JSC::FTL::LowerDFGToLLVM::compileStringCharAt): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase.
140 2015-04-02 Myles C. Maxfield <mmaxfield@apple.com>
142 Introducing the Platform Abstraction Layer (PAL)
143 https://bugs.webkit.org/show_bug.cgi?id=143358
145 Reviewed by Simon Fraser.
147 * Configurations/FeatureDefines.xcconfig: Updated
149 2015-05-06 Andreas Kling <akling@apple.com>
151 Don't allocate a StringImpl for every Number JSValue in JSON.stringify().
152 <https://webkit.org/b/144676>
154 Reviewed by Darin Adler.
156 We were creating a new String for every number JSValue passing through the JSON stringifier.
157 These StringImpl allocations were dominating one of the Kraken JSON benchmarks.
158 Optimize this by using StringBuilder::appendECMAScriptNumber() which uses a stack buffer
159 for the conversion instead.
161 13% progression on Kraken/json-stringify-tinderbox.
163 * runtime/JSONObject.cpp:
164 (JSC::Stringifier::appendStringifiedValue):
166 2015-05-06 Commit Queue <commit-queue@webkit.org>
168 Unreviewed, rolling out r183847.
169 https://bugs.webkit.org/show_bug.cgi?id=144691
171 Caused many assertion failures (Requested by ap on #webkit).
175 "GC has trouble with pathologically large array allocations"
176 https://bugs.webkit.org/show_bug.cgi?id=144609
177 http://trac.webkit.org/changeset/183847
179 2015-05-05 Filip Pizlo <fpizlo@apple.com>
181 PutGlobalVar shouldn't have an unconditional store barrier
182 https://bugs.webkit.org/show_bug.cgi?id=133104
184 Reviewed by Benjamin Poulain.
186 We don't need a store barrier on PutGlobalVar if the value being stored can be
187 speculated to not be a cell.
189 * dfg/DFGFixupPhase.cpp:
190 (JSC::DFG::FixupPhase::fixupNode):
192 2015-05-05 Filip Pizlo <fpizlo@apple.com>
194 CopiedBlock::reportLiveBytes() should be totally cool with oversize blocks
195 https://bugs.webkit.org/show_bug.cgi?id=144667
197 Reviewed by Andreas Kling.
199 We are now calling this method for oversize blocks. It had an assertion that indirectly
200 implied that the block is not oversize, because it was claiming that the number of live
201 bytes should be smaller than the non-oversize-block size.
203 * heap/CopiedBlockInlines.h:
204 (JSC::CopiedBlock::reportLiveBytes):
206 2015-05-05 Filip Pizlo <fpizlo@apple.com>
208 GC has trouble with pathologically large array allocations
209 https://bugs.webkit.org/show_bug.cgi?id=144609
211 Reviewed by Mark Lam.
214 (JSC::Heap::updateObjectCounts): Make this code less confusing.
215 * heap/SlotVisitorInlines.h:
216 (JSC::SlotVisitor::copyLater): The early return for isOversize() was the bug. We still need to report these bytes as live. Otherwise the GC doesn't know that it owns this memory.
217 * jsc.cpp: Add size measuring hooks to write the largeish test.
218 (GlobalObject::finishCreation):
219 (functionGCAndSweep):
223 * tests/stress/new-array-storage-array-with-size.js: Fix this so that it actually allocates ArrayStorage arrays and tests the thing it was supposed to test.
224 * tests/stress/new-largeish-contiguous-array-with-size.js: Added. This tests what the other test accidentally started testing, but does so without running your system out of memory.
228 2015-05-05 Filip Pizlo <fpizlo@apple.com>
230 FTL SwitchString slow case creates duplicate switch cases
231 https://bugs.webkit.org/show_bug.cgi?id=144634
233 Reviewed by Geoffrey Garen.
235 The problem of duplicate switches is sufficiently annoying that I fixed the issue and also
236 added mostly-debug-only asserts to catch such issues earlier.
238 * bytecode/CallVariant.cpp:
239 (JSC::variantListWithVariant): Assertion to prevent similar bugs.
240 * ftl/FTLLowerDFGToLLVM.cpp:
241 (JSC::FTL::LowerDFGToLLVM::switchStringRecurse): Assertion to prevent similar bugs.
242 (JSC::FTL::LowerDFGToLLVM::switchStringSlow): This is the bug.
243 * jit/BinarySwitch.cpp:
244 (JSC::BinarySwitch::BinarySwitch): Assertion to prevent similar bugs.
246 (JSC::linkPolymorphicCall): Assertion to prevent similar bugs.
247 * tests/stress/ftl-switch-string-slow-duplicate-cases.js: Added. This tests the FTL SwitchString bug. It was previously crashing every time.
251 2015-05-05 Basile Clement <basile_clement@apple.com>
253 Fix debug builds after r183812
254 https://bugs.webkit.org/show_bug.cgi?id=144300
256 Rubber stamped by Andreas Kling and Filip Pizlo.
258 hasObjectMaterializationData() didn't treat MaterializeCreateActivation
259 as having materialization data, which was causing an assertion failure when
260 sinking CreateActivations on debug builds.
263 (JSC::DFG::Node::hasObjectMaterializationData):
265 2015-05-04 Basile Clement <basile_clement@apple.com>
267 Allow CreateActivation sinking
268 https://bugs.webkit.org/show_bug.cgi?id=144300
270 Reviewed by Filip Pizlo.
272 This pursues the work started in
273 https://bugs.webkit.org/show_bug.cgi?id=144016 to expand the set of
274 allocations we are able to sink by allowing sinking of CreateActivation
277 This is achieved by following closely the way NewObject is currently
278 sunk: we add a new PhantomCreateActivation node to record the initial
279 position of the CreateActivation node, new ClosureVarPLoc promoted heap
280 locations to keep track of the variables put in the activation, and a
281 new MaterializeCreateActivation node to allocate and populate the sunk
284 * dfg/DFGAbstractInterpreterInlines.h:
285 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
286 * dfg/DFGClobberize.h:
287 (JSC::DFG::clobberize):
290 * dfg/DFGFixupPhase.cpp:
291 (JSC::DFG::FixupPhase::fixupNode):
293 (JSC::DFG::Node::convertToPutClosureVarHint):
295 (JSC::DFG::Node::convertToPhantomCreateActivation):
296 (JSC::DFG::Node::isActivationAllocation):
297 (JSC::DFG::Node::isPhantomActivationAllocation):
298 (JSC::DFG::Node::isPhantomAllocation):
300 * dfg/DFGObjectAllocationSinkingPhase.cpp:
301 (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
302 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
303 (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
304 (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
305 * dfg/DFGPredictionPropagationPhase.cpp:
306 (JSC::DFG::PredictionPropagationPhase::propagate):
307 * dfg/DFGPromotedHeapLocation.cpp:
308 (WTF::printInternal):
309 * dfg/DFGPromotedHeapLocation.h:
310 * dfg/DFGSafeToExecute.h:
311 (JSC::DFG::safeToExecute):
312 * dfg/DFGSpeculativeJIT32_64.cpp:
313 (JSC::DFG::SpeculativeJIT::compile):
314 * dfg/DFGSpeculativeJIT64.cpp:
315 (JSC::DFG::SpeculativeJIT::compile):
316 * dfg/DFGValidate.cpp:
317 (JSC::DFG::Validate::validateCPS):
318 * ftl/FTLCapabilities.cpp:
319 (JSC::FTL::canCompile):
320 * ftl/FTLLowerDFGToLLVM.cpp:
321 (JSC::FTL::LowerDFGToLLVM::compileNode):
322 (JSC::FTL::LowerDFGToLLVM::compileMaterializeCreateActivation):
323 * ftl/FTLOperations.cpp:
324 (JSC::FTL::operationMaterializeObjectInOSR):
325 * tests/stress/activation-sink-osrexit.js: Added.
328 * tests/stress/activation-sink.js: Added.
331 2015-05-04 Filip Pizlo <fpizlo@apple.com>
333 Unreviewed, fix stale comment.
335 * tests/mozilla/js1_5/Array/regress-101964.js:
337 2015-05-04 Filip Pizlo <fpizlo@apple.com>
339 Large array shouldn't be slow
340 https://bugs.webkit.org/show_bug.cgi?id=144617
342 Rubber stamped by Mark Lam.
344 * tests/mozilla/js1_5/Array/regress-101964.js: 500ms isn't enough in debug mode. We don't care how long this takes so long as we run it to completion. I've raised the limit much higher.
346 2015-05-04 Filip Pizlo <fpizlo@apple.com>
348 Large array shouldn't be slow
349 https://bugs.webkit.org/show_bug.cgi?id=144617
351 Rubber stamped by Mark Lam.
353 * tests/mozilla/js1_5/Array/regress-101964.js: Mozilla may have cared about this being fast a decade ago (or more), but we don't care. We've consistently found that an array implementation that punishes this case to get speed on common-case array accesses is better. This should fix some test failures on the bots.
355 2015-05-04 Commit Queue <commit-queue@webkit.org>
357 Unreviewed, rolling out r183789.
358 https://bugs.webkit.org/show_bug.cgi?id=144620
360 Causing flakiness on exceptionFuzz tests locally on 32-bit
361 build (Requested by saamyjoon on #webkit).
365 "Global functions should be initialized as JSFunctions in byte
367 https://bugs.webkit.org/show_bug.cgi?id=144178
368 http://trac.webkit.org/changeset/183789
370 2015-05-04 Saam Barati <saambarati1@gmail.com>
372 Global functions should be initialized as JSFunctions in byte code
373 https://bugs.webkit.org/show_bug.cgi?id=144178
375 Reviewed by Geoffrey Garen.
377 This patch makes the initialization of global functions more explicit by
378 moving initialization into bytecode. It also prepares JSC for having ES6
379 style lexical scoping because initializing global functions in bytecode
380 easily allows global functions to be initialized with the proper scope that
381 will have access to global lexical variables. Global lexical variables
382 should be visible to global functions but don't live on the global object.
384 * bytecode/UnlinkedCodeBlock.cpp:
385 (JSC::UnlinkedProgramCodeBlock::visitChildren):
386 * bytecode/UnlinkedCodeBlock.h:
387 * bytecompiler/BytecodeGenerator.cpp:
388 (JSC::BytecodeGenerator::generate):
389 (JSC::BytecodeGenerator::BytecodeGenerator):
390 * bytecompiler/BytecodeGenerator.h:
391 * runtime/Executable.cpp:
392 (JSC::ProgramExecutable::initializeGlobalProperties):
393 * runtime/JSGlobalObject.cpp:
394 (JSC::JSGlobalObject::addGlobalVar):
395 (JSC::JSGlobalObject::addFunction):
396 * runtime/JSGlobalObject.h:
398 2015-05-04 Filip Pizlo <fpizlo@apple.com>
400 Large array shouldn't be slow
401 https://bugs.webkit.org/show_bug.cgi?id=144617
403 Reviewed by Geoffrey Garen.
405 Decouple MIN_SPARSE_ARRAY_INDEX, which is the threshold for storing to the sparse map when
406 you're already using ArrayStorage mode, from the minimul array length required to use
407 ArrayStorage in a new Array(length) allocation.
409 Lift the array allocation length threshold to something very high. If this works, we'll
410 probably remove that threshold entirely.
412 This is a 27% speed-up on JetStream/hash-map. Because run-jsc-benchmarks still can't run
413 JetStream as a discrete suite, this adds hash-map to LongSpider so that we run it somewhere
416 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
417 * dfg/DFGSpeculativeJIT32_64.cpp:
418 (JSC::DFG::SpeculativeJIT::compile):
419 * dfg/DFGSpeculativeJIT64.cpp:
420 (JSC::DFG::SpeculativeJIT::compile):
421 * ftl/FTLLowerDFGToLLVM.cpp:
422 (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
423 * runtime/ArrayConventions.h:
425 (JSC::JSArray::create):
426 * runtime/JSGlobalObject.h:
427 (JSC::constructEmptyArray):
428 * tests/stress/new-array-storage-array-with-size.js: Skip this test until we fix https://bugs.webkit.org/show_bug.cgi?id=144609.
430 2015-05-03 Yusuke Suzuki <utatane.tea@gmail.com>
432 Add backed intrinsics to private functions exposed with private symbols in global object
433 https://bugs.webkit.org/show_bug.cgi?id=144545
435 Reviewed by Darin Adler.
437 Math.abs and Math.floor have ASM intrinsics And it is further accelerated in DFG/FTL layers.
438 This patch adds intrinsic to private functions exposed with private symbols in global object,
441 * runtime/JSGlobalObject.cpp:
442 (JSC::JSGlobalObject::init):
443 * runtime/JSGlobalObjectFunctions.cpp:
444 (JSC::globalPrivateFuncAbs): Deleted.
445 (JSC::globalPrivateFuncFloor): Deleted.
446 * runtime/MathObject.cpp:
447 * runtime/MathObject.h:
448 * tests/stress/array-from-abs-and-floor.js: Added.
453 2015-05-04 Csaba Osztrogonác <ossy@webkit.org>
455 [cmake] ARM related build system cleanup
456 https://bugs.webkit.org/show_bug.cgi?id=144566
458 Reviewed by Darin Adler.
462 2015-05-04 Andreas Kling <akling@apple.com>
464 Optimize WeakBlock's "reap" and "visit" operations.
465 <https://webkit.org/b/144585>
467 Reviewed by Geoffrey Garen.
469 WeakBlock was using Heap::isLive(void*) to determine the liveness of weak pointees.
470 That function was really written with conservative roots marking in mind, and will do a bunch
471 of sanity and bounds checks.
473 For weaks, we know that the pointer will have been a valid cell pointer into a block
474 of appropriate cell size, so we can skip a lot of the checks.
476 We now keep a pointer to the MarkedBlock in each WeakBlock. That way we no longer have to do
477 MarkedBlock::blockFor() for every single cell when iterating.
479 Note that a WeakBlock's MarkedBlock pointer becomes null when we detach a logically empty
480 WeakBlock from its WeakSet and transfer ownership to Heap. At that point, the block will never
481 be pointing to any live cells, and the only operation that will run on the block is sweep().
483 Finally, MarkedBlock allows liveness queries in three states: Marked, Retired, and Allocated.
484 In Allocated state, all cells are reported as live. This state will reset to Marked on next GC.
485 This patch uses that knowledge to avoid branching on the MarkedBlock's state for every cell.
487 This is a ~3x speedup of visit() and a ~2x speedup of reap() on Dromaeo/dom-modify, netting
488 what looks like a 1% speedup locally.
490 * heap/MarkedBlock.cpp:
491 (JSC::MarkedBlock::MarkedBlock): Pass *this to the WeakSet's ctor.
493 * heap/MarkedBlock.h:
494 (JSC::MarkedBlock::isMarkedOrNewlyAllocated): Added, stripped-down version of isLive() when the
495 block's state is known to be either Marked or Retired.
497 (JSC::MarkedBlock::isAllocated): Added, tells WeakBlock it's okay to skip reap/visit since isLive()
498 would report that all cells are live anyway.
500 * heap/WeakBlock.cpp:
501 (JSC::WeakBlock::create):
502 (JSC::WeakBlock::WeakBlock): Stash a MarkedBlock* on each WeakBlock.
504 (JSC::WeakBlock::visit):
505 (JSC::WeakBlock::reap): Optimized these two to avoid a bunch of pointer arithmetic and branches.
508 (JSC::WeakBlock::disconnectMarkedBlock): Added.
510 (JSC::WeakSet::sweep): Call the above when removing a WeakBlock from WeakSet and transferring
511 ownership to Heap until it can die peacefully.
513 (JSC::WeakSet::addAllocator):
515 (JSC::WeakSet::WeakSet): Give WeakSet a MarkedBlock& for passing on to WeakBlocks.
517 2015-05-04 Basile Clement <basile_clement@apple.com>
519 Allocation sinking is prohibiting the creation of phis between a Phantom object and its materialization
520 https://bugs.webkit.org/show_bug.cgi?id=144587
522 Rubber stamped by Filip Pizlo.
524 When sinking object allocations, we ensure in
525 determineMaterializationPoints that whenever an allocation is
526 materialized on a path to a block, it is materialized in all such
527 paths. Thus when running the SSA calculator to place Phis in
528 placeMaterializationPoints, we can't encounter a situation where some
529 Upsilons are referring to a materialization while others are referring
530 to the phantom object.
532 This replaces the code that was adding a materialization late in
533 placeMaterializationPoints to handle that case by an assertion that it
534 does not happen, which will make
535 https://bugs.webkit.org/show_bug.cgi?id=143073 easier to implement.
537 * dfg/DFGObjectAllocationSinkingPhase.cpp:
538 (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
540 2015-05-04 Ryosuke Niwa <rniwa@webkit.org>
542 Extending undefined in class syntax should throw a TypeError
543 https://bugs.webkit.org/show_bug.cgi?id=144284
545 Reviewed by Darin Adler.
547 The bug was caused by op_eq_null evaluating to true when compared to undefined.
548 Explicitly check op_eq_undefined first to detect the case where we're extending undefined.
550 We also had bogus test cases checked in class-syntax-extends.html. This patch also fixes them.
552 * bytecompiler/NodesCodegen.cpp:
553 (JSC::ClassExprNode::emitBytecode):
555 2015-05-04 Ryosuke Niwa <rniwa@webkit.org>
557 new super should be a syntax error
558 https://bugs.webkit.org/show_bug.cgi?id=144282
560 Reviewed by Joseph Pecoraro.
562 Disallow "new super" as ES6 spec doesn't allow this.
565 (JSC::Parser<LexerType>::parseMemberExpression):
567 2015-05-04 Saam Barati <saambarati1@gmail.com>
569 JSCallbackObject does not maintain symmetry between accesses for getOwnPropertySlot and put
570 https://bugs.webkit.org/show_bug.cgi?id=144265
572 Reviewed by Geoffrey Garen.
574 JSCallbackObject will defer to a parent's implementation of getOwnPropertySlot
575 for a static function if the parent has that property slot. JSCallbackObject::put
576 did not maintain this symmetry of also calling ::put on the parent if the parent
577 has the property. We should ensure that this symmetry exists.
579 * API/JSCallbackObjectFunctions.h:
580 (JSC::JSCallbackObject<Parent>::put):
581 * API/tests/testapi.c:
582 * API/tests/testapi.js:
583 (globalStaticFunction2):
584 (this.globalStaticFunction2):
585 (iAmNotAStaticFunction):
586 (this.iAmNotAStaticFunction):
588 2015-05-04 Andreas Kling <akling@apple.com>
590 Make ExecState::vm() branchless in release builds.
591 <https://webkit.org/b/144586>
593 Reviewed by Geoffrey Garen.
595 Avoid null checking the ExecState's callee() before getting the
596 VM from it. The code was already dereferencing it anyway, since we
597 know it's not gonna be null.
599 * runtime/JSCellInlines.h:
600 (JSC::ExecState::vm):
602 2015-05-04 Basile Clement <basile_clement@apple.com>
604 Object allocation not sinking properly through CheckStructure
605 https://bugs.webkit.org/show_bug.cgi?id=144465
607 Reviewed by Filip Pizlo.
609 Currently, sinking an allocation through a CheckStructure will
610 completely ignore all structure checking, which is obviously wrong.
612 A CheckStructureImmediate node type was present for that purpose, but
613 the CheckStructures were not properly replaced. This ensures that
614 CheckStructure nodes are replaced by CheckStructureImmediate nodes when
615 sunk through, and that structure checking happens correctly.
618 (JSC::DFG::Node::convertToCheckStructureImmediate): Added.
619 (JSC::DFG::Node::hasStructureSet):
620 * dfg/DFGObjectAllocationSinkingPhase.cpp:
621 (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
622 * ftl/FTLLowerDFGToLLVM.cpp:
623 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
624 (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
625 (JSC::FTL::LowerDFGToLLVM::checkStructure):
626 * tests/stress/sink_checkstructure.js: Added.
629 2015-05-01 Geoffrey Garen <ggaren@apple.com>
631 REGRESSION(r183570): jslib-traverse-jquery is 22% slower
632 https://bugs.webkit.org/show_bug.cgi?id=144476
634 Reviewed by Sam Weinig.
636 jslib-traverse-jquery is now 31% faster than its unregressed baseline.
638 The jQuery algorithm for sorting DOM nodes is so pathologically slow that,
639 to my knowledge, the topic of how to optimize it is not covered in any
640 literature about sorting.
642 On the slowest jQuery sorting test -- prevAll -- our new
643 Array.prototype.sort, compared to its predecessor, performed 12% fewer
644 comparisons and requireed 10X less overhead per comparison. Yet, it was
647 It was slower because it inadvertantly increased the average cost of the
648 comparison function by 2X. jQuery uses compareDocumentPosition to compare
649 DOM nodes, and compareDocumentPosition(a, b) is O(N) in the distance
650 required to traverse backwards from b to a. In prevAll, we encounter the
651 worst case for merge sort of compareDocumentPosition: A long list of DOM
652 nodes in mostly reverse order. In this case, merge sort will sequentially
653 compareDocumentPosition(a, b), where a is not reachable backwards from
654 b, and therefore compareDocumentPosition will traverse the whole sibling
657 The solution is simple enough: Call compareDocumentPosition(b, a) instead.
659 This is a pretty silly thing to do, but it is harmless, and jQuery is
660 popular, so let's do it.
662 We do not risk suffering the same problem in reverse when sorting a long
663 list of DOM nodes in forward order. (We still have a 37% speedup on the
664 nextAll benchmark.) The reason is that merge sort performs 2X fewer
665 comparisons when the list is already sorted, so we can worry less about
666 the cost of each comparison.
668 A fully principled soultion to this problem would probably do something
669 like Python's timsort, which special-cases ordered ranges to perform
670 only O(n) comparisons. But that would contradict our original
671 goal of just having something simple that works.
673 Another option is for elements to keep a compareDocumentPosition cache,
674 like a node list cache, which allows you to determine the absolute
675 position of a node using a hash lookup. I will leave this as an exercise
678 * builtins/Array.prototype.js:
679 (sort.merge): Compare in an order that is favorable to a comparator
680 that calls compareDocumentPosition.
682 2015-05-04 Csaba Osztrogonác <ossy@webkit.org>
684 [cmake] Fix generate-js-builtins related incremental build issue
685 https://bugs.webkit.org/show_bug.cgi?id=144094
687 Reviewed by Michael Saboff.
689 * CMakeLists.txt: Generated JSCBuiltins.<cpp|h> should depend on Source/JavaScriptCore/builtins directory.
690 Pass input directory to generate-js-builtins instead of Source/JavaScriptCore/builtins/*.js.
691 * DerivedSources.make:
692 Pass input directory to generate-js-builtins instead of Source/JavaScriptCore/builtins/*.js.
693 * generate-js-builtins: Accept input files and input directory too.
695 2015-05-03 Simon Fraser <simon.fraser@apple.com>
697 Make some static data const
698 https://bugs.webkit.org/show_bug.cgi?id=144552
700 Reviewed by Andreas Kling.
702 Turn characterSetInfo into const data.
704 * yarr/YarrCanonicalizeUCS2.cpp:
705 * yarr/YarrCanonicalizeUCS2.h:
707 2015-05-01 Filip Pizlo <fpizlo@apple.com>
709 TypeOf should be fast
710 https://bugs.webkit.org/show_bug.cgi?id=144396
712 Reviewed by Geoffrey Garen.
714 Adds comprehensive support for fast typeof to the optimizing JITs. Calls into the runtime
715 are only used for very exotic objects - they must have either the MasqueradesAsUndefined or
716 TypeOfShouldCallGetCallData type flags set. All other cases are handled inline.
718 This means optimizing IsObjectOrNull, IsFunction, and TypeOf - all node types that used to
719 rely heavily on C++ calls to fulfill their function.
721 Because TypeOf is now so fast, we no longer need to do any speculations on this node.
723 In the FTL, we take this further by querying AI for each branch in the TypeOf decision tree.
724 This means that if the TypeOf is dominated by any type checks, we will automatically prune
725 out cases that are redundant.
727 This patch anticipates the addition of SwitchTypeOf or something like that. So, the TypeOf
728 code generation is designed to be reusable.
730 This is a speed-up on most typeof benchmarks. But, it is a slow-down on benchmarks that take
731 the exotic call trap hook. That hook is now in a deeper slow path than before.
734 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
735 * JavaScriptCore.xcodeproj/project.pbxproj:
736 * dfg/DFGClobberize.h:
737 (JSC::DFG::clobberize): TypeOf was pure all along, but we failed to realize this.
738 * dfg/DFGFixupPhase.cpp:
739 (JSC::DFG::FixupPhase::fixupNode):
740 * dfg/DFGHeapLocation.cpp:
741 (WTF::printInternal):
742 * dfg/DFGHeapLocation.h:
743 * dfg/DFGOperations.cpp:
744 * dfg/DFGOperations.h:
745 * dfg/DFGSpeculativeJIT.cpp:
746 (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
747 (JSC::DFG::SpeculativeJIT::compileIsFunction):
748 (JSC::DFG::SpeculativeJIT::compileTypeOf):
749 * dfg/DFGSpeculativeJIT.h:
750 (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
751 (JSC::DFG::SpeculativeJIT::callOperation):
752 * dfg/DFGSpeculativeJIT32_64.cpp:
753 (JSC::DFG::SpeculativeJIT::compile):
754 * dfg/DFGSpeculativeJIT64.cpp:
755 (JSC::DFG::SpeculativeJIT::compile):
756 * ftl/FTLCapabilities.cpp:
757 (JSC::FTL::canCompile):
758 * ftl/FTLIntrinsicRepository.h:
759 * ftl/FTLLowerDFGToLLVM.cpp:
760 (JSC::FTL::LowerDFGToLLVM::compileNode):
761 (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
762 (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
763 (JSC::FTL::LowerDFGToLLVM::compileTypeOf):
764 (JSC::FTL::LowerDFGToLLVM::buildTypeOf): Reusable TypeOf building for the FTL.
765 (JSC::FTL::LowerDFGToLLVM::isExoticForTypeof):
766 * ftl/FTLSwitchCase.h:
767 (JSC::FTL::SwitchCase::SwitchCase):
768 * jit/AssemblyHelpers.h:
769 (JSC::AssemblyHelpers::branchIfNotEqual):
770 (JSC::AssemblyHelpers::branchIfEqual):
771 (JSC::AssemblyHelpers::branchIfNumber):
772 (JSC::AssemblyHelpers::branchIfNotNumber):
773 (JSC::AssemblyHelpers::branchIfBoolean):
774 (JSC::AssemblyHelpers::branchIfNotBoolean):
775 (JSC::AssemblyHelpers::boxBooleanPayload):
776 (JSC::AssemblyHelpers::boxBoolean):
777 (JSC::AssemblyHelpers::emitTypeOf): Reusable TypeOf building for assembly JITs.
778 * jit/JITOperations.h:
779 * runtime/SmallStrings.h:
780 (JSC::SmallStrings::typeString):
781 * runtime/TypeofType.cpp: Added.
782 (WTF::printInternal):
783 * runtime/TypeofType.h: Added.
784 * tests/stress/type-of-functions-and-objects.js: Modified this test to give more comprehensive feedback.
786 2015-05-02 Filip Pizlo <fpizlo@apple.com>
788 Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=144527.
790 * dfg/DFGLICMPhase.cpp:
791 (JSC::DFG::LICMPhase::attemptHoist):
793 2015-05-02 Filip Pizlo <fpizlo@apple.com>
795 Unreviewed, add FIXMEs referencing https://bugs.webkit.org/show_bug.cgi?id=144524 and
796 https://bugs.webkit.org/show_bug.cgi?id=144525.
798 * dfg/DFGLICMPhase.cpp:
799 (JSC::DFG::LICMPhase::attemptHoist):
800 * dfg/DFGPhantomInsertionPhase.cpp:
802 2015-05-02 Yusuke Suzuki <utatane.tea@gmail.com>
804 Static property hashtable should only lookup with non-symbol key
805 https://bugs.webkit.org/show_bug.cgi?id=144438
807 Reviewed by Darin Adler.
809 Static property hashtable compares the Identifier's uid
810 with the normal C string without interning it.
811 So this comparison is performed in their contents.
812 As the result, in this comparison, symbol-ness is not considered.
814 So if accidentally the hash collision occur with the symbol and the string
815 and they have the same contents, the hash table entry is looked up incorrectly.
818 (JSC::HashTable::entry):
820 2015-05-01 Ryosuke Niwa <rniwa@webkit.org>
822 Class syntax should allow string and numeric identifiers for method names
823 https://bugs.webkit.org/show_bug.cgi?id=144254
825 Reviewed by Darin Adler.
827 Added the support for string and numeric identifiers in class syntax.
830 (JSC::Parser<LexerType>::parseFunctionInfo): Instead of using ConstructorKind to indicate whether we're
831 inside a class or not, use the newly added SuperBinding argument instead. ConstructorKind is now None
832 outside a class constructor as it should be.
833 (JSC::Parser<LexerType>::parseFunctionDeclaration):
834 (JSC::Parser<LexerType>::parseClass): No longer expects an identifier at the beginning of every class
835 element to allow numeric and string method names. For both of those method names, parse it here instead
836 of parseFunctionInfo since it doesn't support either type. Also pass in SuperBinding::Needed.
837 (JSC::Parser<LexerType>::parsePropertyMethod): Call parseFunctionInfo with SuperBinding::NotNeeded since
838 this function is never used to parse a class method.
839 (JSC::Parser<LexerType>::parseGetterSetter): Pass in superBinding argument to parseFunctionInfo.
840 (JSC::Parser<LexerType>::parsePrimaryExpression): Call parseFunctionInfo with SuperBinding::NotNeeded.
842 * parser/SyntaxChecker.h:
843 (JSC::SyntaxChecker::createProperty):
845 2015-05-01 Filip Pizlo <fpizlo@apple.com>
847 FTL should use AI more
848 https://bugs.webkit.org/show_bug.cgi?id=144500
850 Reviewed by Oliver Hunt.
852 This makes our type check folding even more comprehensive by ensuring that even if the FTL
853 decides to emit some checks, it will still do another query to the abstract interpreter to
854 see if the check is necessary. This helps with cases where we decided early on to speculate
855 one way, but later proved a more specific type of the value in question, and the constant
856 folder didn't catch it.
858 This also makes it more natural to query the abstract interpreter. For example, if you just
859 want the proven type, you can now say provenType(node) or provenType(edge).
861 * dfg/DFGArrayMode.cpp:
862 (JSC::DFG::ArrayMode::alreadyChecked):
863 * dfg/DFGArrayMode.h:
864 * ftl/FTLLowerDFGToLLVM.cpp:
865 (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
866 (JSC::FTL::LowerDFGToLLVM::compileToThis):
867 (JSC::FTL::LowerDFGToLLVM::compileValueAdd):
868 (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
869 (JSC::FTL::LowerDFGToLLVM::compileArithPow):
870 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
871 (JSC::FTL::LowerDFGToLLVM::compileGetById):
872 (JSC::FTL::LowerDFGToLLVM::compileCheckArray):
873 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
874 (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
875 (JSC::FTL::LowerDFGToLLVM::compileToPrimitive):
876 (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
877 (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
878 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
879 (JSC::FTL::LowerDFGToLLVM::compileSwitch):
880 (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
881 (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
882 (JSC::FTL::LowerDFGToLLVM::compileIsString):
883 (JSC::FTL::LowerDFGToLLVM::compileIsObject):
884 (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
885 (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
886 (JSC::FTL::LowerDFGToLLVM::baseIndex):
887 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
888 (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
889 (JSC::FTL::LowerDFGToLLVM::boolify):
890 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
891 (JSC::FTL::LowerDFGToLLVM::lowInt32):
892 (JSC::FTL::LowerDFGToLLVM::lowInt52):
893 (JSC::FTL::LowerDFGToLLVM::lowCell):
894 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
895 (JSC::FTL::LowerDFGToLLVM::lowDouble):
896 (JSC::FTL::LowerDFGToLLVM::isCellOrMisc):
897 (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
898 (JSC::FTL::LowerDFGToLLVM::isNumber):
899 (JSC::FTL::LowerDFGToLLVM::isNotNumber):
900 (JSC::FTL::LowerDFGToLLVM::isNotCell):
901 (JSC::FTL::LowerDFGToLLVM::isCell):
902 (JSC::FTL::LowerDFGToLLVM::isNotMisc):
903 (JSC::FTL::LowerDFGToLLVM::isMisc):
904 (JSC::FTL::LowerDFGToLLVM::isNotBoolean):
905 (JSC::FTL::LowerDFGToLLVM::isBoolean):
906 (JSC::FTL::LowerDFGToLLVM::isNotOther):
907 (JSC::FTL::LowerDFGToLLVM::isOther):
908 (JSC::FTL::LowerDFGToLLVM::isProvenValue):
909 (JSC::FTL::LowerDFGToLLVM::isObject):
910 (JSC::FTL::LowerDFGToLLVM::isNotObject):
911 (JSC::FTL::LowerDFGToLLVM::isNotString):
912 (JSC::FTL::LowerDFGToLLVM::isString):
913 (JSC::FTL::LowerDFGToLLVM::isFunction):
914 (JSC::FTL::LowerDFGToLLVM::isNotFunction):
915 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
916 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
917 (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
918 (JSC::FTL::LowerDFGToLLVM::abstractValue):
919 (JSC::FTL::LowerDFGToLLVM::provenType):
920 (JSC::FTL::LowerDFGToLLVM::provenValue):
921 (JSC::FTL::LowerDFGToLLVM::abstractStructure):
923 2015-05-01 Martin Robinson <mrobinson@igalia.com>
925 USE(...) macro should expect unprefixed variables
926 https://bugs.webkit.org/show_bug.cgi?id=144454
928 Reviewed by Daniel Bates.
930 * CMakeLists.txt: Replace all occurrences WTF_USE with USE.
932 2015-05-01 Jordan Harband <ljharb@gmail.com>
934 String#startsWith/endsWith/includes don't handle Infinity position/endPosition args correctly
935 https://bugs.webkit.org/show_bug.cgi?id=144314
937 Reviewed by Darin Adler.
939 Fixing handling of Infinity position args, per
940 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes
941 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith
942 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith
944 * runtime/StringPrototype.cpp:
946 (JSC::stringProtoFuncStartsWith):
947 (JSC::stringProtoFuncEndsWith):
948 (JSC::stringProtoFuncIncludes):
950 2015-05-01 Basile Clement <basile_clement@apple.com>
952 Math.abs() returns negative
953 https://bugs.webkit.org/show_bug.cgi?id=137827
955 Reviewed by Michael Saboff.
957 Math.abs() on doubles was mistakenly assumed by the DFG AI to be the
960 * dfg/DFGAbstractInterpreterInlines.h:
961 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
962 * tests/stress/math-abs-positive.js: Added, was previously failing.
965 2015-05-01 Basile Clement <basile_clement@apple.com>
967 Function allocation sinking shouldn't be performed on singleton functions
968 https://bugs.webkit.org/show_bug.cgi?id=144166
970 Reviewed by Geoffrey Garen.
972 Function allocations usually are free of any other side effects, but
973 this is not the case for allocations performed while the underlying
974 FunctionExecutable is still a singleton (as this allogation will fire
975 watchpoints invalidating code that depends on it being a singleton).
976 As the object allocation sinking phase assumes object allocation is
977 free of side-effects, sinking these allocations is not correct.
979 This also means that when materializing a function allocation on OSR
980 exit, that function's executable will never be a singleton, and we don't have
981 to worry about its watchpoint, allowing us to use
982 JSFunction::createWithInvalidatedRellocationWatchpoint instead of
985 * dfg/DFGObjectAllocationSinkingPhase.cpp:
986 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
987 * ftl/FTLOperations.cpp:
988 (JSC::FTL::operationMaterializeObjectInOSR):
990 2015-04-30 Jon Davis <jond@apple.com>
992 Web Inspector: console should show an icon for console.info() messages
993 https://bugs.webkit.org/show_bug.cgi?id=18530
995 Reviewed by Timothy Hatcher.
997 * inspector/ConsoleMessage.cpp:
998 (Inspector::messageLevelValue):
999 * inspector/protocol/Console.json:
1000 * runtime/ConsoleClient.cpp:
1001 (JSC::appendMessagePrefix):
1002 * runtime/ConsolePrototype.cpp:
1003 (JSC::ConsolePrototype::finishCreation):
1004 (JSC::consoleProtoFuncInfo):
1005 * runtime/ConsoleTypes.h:
1007 2015-04-30 Filip Pizlo <fpizlo@apple.com>
1009 Move all of the branchIs<type> helpers from SpeculativeJIT into AssemblyHelpers
1010 https://bugs.webkit.org/show_bug.cgi?id=144462
1012 Reviewed by Geoffrey Garen and Mark Lam.
1014 At some point we started adding representation-agnostic helpers for doing common type tests.
1015 We added some in SpeculativeJIT, and then some in AssemblyHelpers. Prior to this change,
1016 they had overlapping powers, though SpeculativeJIT was a bit better.
1018 This removes SpeculativeJIT's helpers and strengthens AssemblyHelpers' helpers. This is
1019 better because now all of these helpers can be used in all of the assembly-based JITs, not
1020 just the DFG. It also settles on what I find to be a slightly better naming convention.
1021 For example where we previously would have said branchIsString, now we say
1022 branchIfString. Similarly, branchNotString becomes branchIfNotString.
1024 * dfg/DFGSpeculativeJIT.cpp:
1025 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1026 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
1027 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
1028 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1029 (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
1030 (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
1031 (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1032 (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
1033 (JSC::DFG::SpeculativeJIT::speculateObject):
1034 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
1035 (JSC::DFG::SpeculativeJIT::speculateString):
1036 (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
1037 (JSC::DFG::SpeculativeJIT::speculateNotCell):
1038 (JSC::DFG::SpeculativeJIT::speculateOther):
1039 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
1040 (JSC::DFG::SpeculativeJIT::emitSwitchString):
1041 (JSC::DFG::SpeculativeJIT::branchIsObject): Deleted.
1042 (JSC::DFG::SpeculativeJIT::branchNotObject): Deleted.
1043 (JSC::DFG::SpeculativeJIT::branchIsString): Deleted.
1044 (JSC::DFG::SpeculativeJIT::branchNotString): Deleted.
1045 * dfg/DFGSpeculativeJIT.h:
1046 * dfg/DFGSpeculativeJIT32_64.cpp:
1047 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1048 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1049 (JSC::DFG::SpeculativeJIT::emitCall):
1050 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1051 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1052 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1053 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1054 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1055 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1056 (JSC::DFG::SpeculativeJIT::compile):
1057 (JSC::DFG::SpeculativeJIT::branchIsCell): Deleted.
1058 (JSC::DFG::SpeculativeJIT::branchNotCell): Deleted.
1059 (JSC::DFG::SpeculativeJIT::branchIsOther): Deleted.
1060 (JSC::DFG::SpeculativeJIT::branchNotOther): Deleted.
1061 * dfg/DFGSpeculativeJIT64.cpp:
1062 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
1063 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1064 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1065 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
1066 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
1067 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1068 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
1069 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1070 (JSC::DFG::SpeculativeJIT::compile):
1071 (JSC::DFG::SpeculativeJIT::writeBarrier):
1072 (JSC::DFG::SpeculativeJIT::branchIsCell): Deleted.
1073 (JSC::DFG::SpeculativeJIT::branchNotCell): Deleted.
1074 (JSC::DFG::SpeculativeJIT::branchIsOther): Deleted.
1075 (JSC::DFG::SpeculativeJIT::branchNotOther): Deleted.
1076 * jit/AssemblyHelpers.h:
1077 (JSC::AssemblyHelpers::branchIfCell):
1078 (JSC::AssemblyHelpers::branchIfOther):
1079 (JSC::AssemblyHelpers::branchIfNotOther):
1080 (JSC::AssemblyHelpers::branchIfObject):
1081 (JSC::AssemblyHelpers::branchIfNotObject):
1082 (JSC::AssemblyHelpers::branchIfType):
1083 (JSC::AssemblyHelpers::branchIfNotType):
1084 (JSC::AssemblyHelpers::branchIfString):
1085 (JSC::AssemblyHelpers::branchIfNotString):
1086 (JSC::AssemblyHelpers::branchIfSymbol):
1087 (JSC::AssemblyHelpers::branchIfNotSymbol):
1088 (JSC::AssemblyHelpers::branchIfFunction):
1089 (JSC::AssemblyHelpers::branchIfNotFunction):
1090 (JSC::AssemblyHelpers::branchIfEmpty):
1091 (JSC::AssemblyHelpers::branchIsEmpty): Deleted.
1092 (JSC::AssemblyHelpers::branchIfCellNotObject): Deleted.
1093 * jit/JITPropertyAccess.cpp:
1094 (JSC::JIT::emitScopedArgumentsGetByVal):
1096 2015-04-30 Filip Pizlo <fpizlo@apple.com>
1098 js/regress/is-string-fold-tricky.html and js/regress/is-string-fold.html are crashing
1099 https://bugs.webkit.org/show_bug.cgi?id=144463
1101 Reviewed by Benjamin Poulain.
1103 Fixup phase was super cleverly folding an IsString(@x) when @x is predicted SpecString
1104 into a Check(String:@x) followed by JSConstant(true). Then in these tests the
1105 ValueAdd(IsString(@x), @stuff) would try to turn this into an integer add by cleverly
1106 converting the boolean into an integer. But as part of doing that, it would try to
1107 short-circuit any profiling by leveraging the fact that the IsString is now a constant,
1108 and it would try to figure out if the addition might overflow. Part of that logic
1109 involved checking if the immediate is either a boolean or a sufficiently small integer.
1110 But: it would check if it's a sufficiently small integer before checking if it was a
1111 boolean, so it would try to call asNumber() on the boolean.
1113 All of this cleverness was very deliberate, but apparently the @stuff + booleanConstant
1114 case was previously never hit until I wrote these tests, and so we never knew that
1115 calling asNumber() on a boolean was wrong.
1117 The fix is super simple: the expression should just check for boolean first.
1119 This bug was benign in release builds. JSValue::asNumber() on a boolean would return
1120 garbage, and that's OK, since we'd take the boolean case anyway.
1123 (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
1125 2015-04-30 Filip Pizlo <fpizlo@apple.com>
1127 Unreviewed, add a FIXME comment referencing https://bugs.webkit.org/show_bug.cgi?id=144458.
1129 * jit/JITOperations.cpp:
1131 2015-04-30 Filip Pizlo <fpizlo@apple.com>
1133 Add a comment clarifying the behavior and semantics of getCallData/getConstructData, in
1134 particular that they cannot change their minds and may be called from compiler threads.
1136 Rubber stamped by Geoffrey Garen.
1140 2015-04-29 Filip Pizlo <fpizlo@apple.com>
1142 DFG Is<Blah> versions of TypeOf should fold based on proven input type
1143 https://bugs.webkit.org/show_bug.cgi?id=144409
1145 Reviewed by Geoffrey Garen.
1147 We were missing some obvious folding opportunities here. I don't know how this affects real
1148 code, but in general, we like to ensure that our constant folding is comprehensive. So this
1149 is more about placating my static analysis OCD than anything else.
1151 I added a bunch of speed/correctness tests for this in LayoutTests/js/regress.
1153 * dfg/DFGAbstractInterpreterInlines.h:
1154 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1156 2015-04-30 Yusuke Suzuki <utatane.tea@gmail.com>
1158 Use the default hash value for Symbolized StringImpl
1159 https://bugs.webkit.org/show_bug.cgi?id=144347
1161 Reviewed by Darin Adler.
1163 Before this patch, symbolized StringImpl* has a special hash value
1164 to avoid the hash collision with the other normal StringImpl*.
1165 I guess that it is introduced when private symbols are introduced.
1166 However, it prevents using symbolized StringImpl* in the other place
1167 For example, using it as WTFString cause a problem because of its special hash value.
1169 When only using private symbols, they are not exposed to the outside of JSC,
1170 so we can handle it carefully. But now, it's extended to symbols.
1171 So I think storing a special hash value in StringImpl* causes an error.
1173 To avoid this, I propose using the usual hash value in symbolized StringImpl*.
1174 And to provide significantly different hash value when using it as symbol,
1175 store the additional hash value in symbolized StringImpl*. It is used when
1176 the hash value is required by IdentifierRepHash.
1178 * runtime/Identifier.h:
1179 (JSC::IdentifierRepHash::hash):
1181 (JSC::HashTable::entry):
1182 * runtime/PropertyMapHashTable.h:
1183 (JSC::PropertyTable::find):
1184 (JSC::PropertyTable::get):
1185 * runtime/Structure.cpp:
1186 (JSC::PropertyTable::checkConsistency):
1188 2015-04-29 Benjamin Poulain <bpoulain@apple.com>
1190 [JSC] Remove RageConvert array conversion
1191 https://bugs.webkit.org/show_bug.cgi?id=144433
1193 Reviewed by Filip Pizlo.
1195 RageConvert was causing a subtle bug that was hitting the Kraken crypto tests
1197 -The indexing types shows that the array access varies between Int32 and DoubleArray.
1198 -ArrayMode::fromObserved() decided to use the most generic type: DoubleArray.
1199 An Arrayify node would convert the Int32 to that type.
1200 -Somewhere, a GetByVal or PutByVal would have the flag NodeBytecodeUsesAsInt. That
1201 node would use RageConvert instead of Convert.
1202 -The Arrayify for that GetByVal with RageConvert would not convert the array to
1204 -All the following array access that do not have the flag NodeBytecodeUsesAsInt would
1205 now expect a DoubleArray and always get a Contiguous Array. The CheckStructure
1206 fail systematically and we never get to run the later code.
1208 Getting rid of RageConvert fixes the problem and does not seems to have any
1209 negative side effect on other benchmarks.
1211 The improvments on Kraken are:
1212 -stanford-crypto-aes: definitely 1.0915x faster.
1213 -stanford-crypto-pbkdf2: definitely 1.2446x faster.
1214 -stanford-crypto-sha256-iterative: definitely 1.0544x faster.
1216 * dfg/DFGAbstractInterpreterInlines.h:
1217 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1218 * dfg/DFGArrayMode.cpp:
1219 (JSC::DFG::ArrayMode::refine):
1220 (JSC::DFG::arrayConversionToString):
1221 * dfg/DFGArrayMode.h:
1222 * dfg/DFGArrayifySlowPathGenerator.h:
1223 * dfg/DFGFixupPhase.cpp:
1224 (JSC::DFG::FixupPhase::fixupNode):
1225 * dfg/DFGOperations.cpp:
1226 * dfg/DFGOperations.h:
1227 * dfg/DFGPredictionPropagationPhase.cpp:
1228 (JSC::DFG::PredictionPropagationPhase::propagate):
1229 * dfg/DFGTypeCheckHoistingPhase.cpp:
1230 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1231 * ftl/FTLLowerDFGToLLVM.cpp:
1232 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1233 * runtime/JSObject.cpp:
1234 (JSC::JSObject::convertDoubleToContiguous):
1235 (JSC::JSObject::ensureContiguousSlow):
1236 (JSC::JSObject::genericConvertDoubleToContiguous): Deleted.
1237 (JSC::JSObject::rageConvertDoubleToContiguous): Deleted.
1238 (JSC::JSObject::rageEnsureContiguousSlow): Deleted.
1239 * runtime/JSObject.h:
1240 (JSC::JSObject::rageEnsureContiguous): Deleted.
1242 2015-04-29 Joseph Pecoraro <pecoraro@apple.com>
1244 Gracefully handle missing auto pause key on remote inspector setup
1245 https://bugs.webkit.org/show_bug.cgi?id=144411
1247 Reviewed by Timothy Hatcher.
1249 * inspector/remote/RemoteInspector.mm:
1250 (Inspector::RemoteInspector::receivedSetupMessage):
1252 2015-04-29 Joseph Pecoraro <pecoraro@apple.com>
1254 NodeList has issues with Symbol and empty string
1255 https://bugs.webkit.org/show_bug.cgi?id=144310
1257 Reviewed by Darin Adler.
1259 * runtime/PropertyName.h:
1260 (JSC::PropertyName::isSymbol):
1261 Helper to check if the PropertyName is a string or symbol property.
1263 2015-04-29 Alex Christensen <achristensen@webkit.org>
1265 Fix non-cygwin incremental builds on Windows.
1266 https://bugs.webkit.org/show_bug.cgi?id=143264
1268 Reviewed by Brent Fulgham.
1270 * generate-js-builtins:
1271 Remove stale headers before calling os.rename to replace them.
1273 2015-04-29 Filip Pizlo <fpizlo@apple.com>
1275 JSTypeInfo should have an inline type flag to indicate of getCallData() has been overridden
1276 https://bugs.webkit.org/show_bug.cgi?id=144397
1278 Reviewed by Andreas Kling.
1280 Add the flag to JSTypeInfo. It's an inline flag so that it's fast to query. Slap the flag on
1281 callback objects and internal functions. Modify the TypeOf operation to use this flag to avoid
1282 making a getCallData() call if it isn't necessary.
1284 * API/JSCallbackObject.h:
1285 * runtime/InternalFunction.h:
1286 * runtime/JSTypeInfo.h:
1287 (JSC::TypeInfo::typeOfShouldCallGetCallData):
1288 * runtime/Operations.cpp:
1289 (JSC::jsTypeStringForValue):
1290 * tests/stress/type-of-functions-and-objects.js: Added.
1298 2015-04-28 Geoffrey Garen <ggaren@apple.com>
1300 It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array.
1301 https://bugs.webkit.org/show_bug.cgi?id=144013
1303 Reviewed by Mark Lam.
1305 This patch implements Array.prototype.sort in JavaScript, removing the
1306 C++ implementations. It is simpler and less error-prone to express our
1307 operations in JavaScript, which provides memory safety, exception safety,
1308 and recursion safety.
1310 The performance result is mixed, but net positive in my opinion. It's
1311 difficult to enumerate all the results, since we used to have so many
1312 different sorting modes, and there are lots of different data patterns
1313 across which you might want to measure sorting. Suffice it to say:
1315 (*) The benchmarks we track are faster or unchanged.
1317 (*) Sorting random input using a comparator -- which we think is
1318 common -- is 3X faster.
1320 (*) Sorting random input in a non-array object -- which jQuery does
1323 (*) Sorting random input in a compact array of integers using a
1324 trivial pattern-matchable comparator is 2X *slower*.
1326 * builtins/Array.prototype.js:
1328 (sort.stringComparator):
1329 (sort.compactSparse): Special case compaction for sparse arrays because
1330 we don't want to hang when sorting new Array(BIG).
1334 (sort.mergeSort): Use merge sort because it's a reasonably efficient
1335 stable sort. We have evidence that some sites depend on stable sort,
1336 even though the ES6 spec does not mandate it. (See
1337 <http://trac.webkit.org/changeset/33967>.)
1339 This is a textbook implementation of merge sort with three optimizations:
1341 (1) Use iteration instead of recursion;
1343 (2) Use array subscripting instead of array copying in order to
1344 create logical sub-lists without creating physical sub-lists;
1346 (3) Swap src and dst at each iteration instead of copying src into
1347 dst, and only copy src into the subject array at the end if src is
1348 not the subject array.
1351 (sort.comparatorSort):
1352 (sort): Sort in JavaScript for the win.
1354 * builtins/BuiltinExecutables.cpp:
1355 (JSC::BuiltinExecutables::createExecutableInternal): Allow non-private
1356 names so we can use helper functions.
1358 * bytecode/CodeBlock.h:
1359 (JSC::CodeBlock::isNumericCompareFunction): Deleted.
1360 * bytecode/UnlinkedCodeBlock.cpp:
1361 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1362 * bytecode/UnlinkedCodeBlock.h:
1363 (JSC::UnlinkedCodeBlock::setIsNumericCompareFunction): Deleted.
1364 (JSC::UnlinkedCodeBlock::isNumericCompareFunction): Deleted.
1365 * bytecompiler/BytecodeGenerator.cpp:
1366 (JSC::BytecodeGenerator::setIsNumericCompareFunction): Deleted.
1367 * bytecompiler/BytecodeGenerator.h:
1368 * bytecompiler/NodesCodegen.cpp:
1369 (JSC::FunctionNode::emitBytecode): We don't do this special casing based
1370 on pattern matching anymore. This was mainly an optimization to avoid
1371 the overhead of calling from C++ to JS, which we now avoid by
1375 (JSC::Heap::markRoots):
1376 (JSC::Heap::pushTempSortVector): Deleted.
1377 (JSC::Heap::popTempSortVector): Deleted.
1378 (JSC::Heap::visitTempSortVectors): Deleted.
1379 * heap/Heap.h: We don't have temp sort vectors anymore because we sort
1380 in JavaScript using a normal JavaScript array for our temporary storage.
1382 * parser/Parser.cpp:
1383 (JSC::Parser<LexerType>::parseInner): Allow capturing so we can use
1386 * runtime/ArrayPrototype.cpp:
1387 (JSC::isNumericCompareFunction): Deleted.
1388 (JSC::attemptFastSort): Deleted.
1389 (JSC::performSlowSort): Deleted.
1390 (JSC::arrayProtoFuncSort): Deleted.
1392 * runtime/CommonIdentifiers.h: New strings used by sort.
1394 * runtime/JSArray.cpp:
1395 (JSC::compareNumbersForQSortWithInt32): Deleted.
1396 (JSC::compareNumbersForQSortWithDouble): Deleted.
1397 (JSC::compareNumbersForQSort): Deleted.
1398 (JSC::compareByStringPairForQSort): Deleted.
1399 (JSC::JSArray::sortNumericVector): Deleted.
1400 (JSC::JSArray::sortNumeric): Deleted.
1401 (JSC::ContiguousTypeAccessor::getAsValue): Deleted.
1402 (JSC::ContiguousTypeAccessor::setWithValue): Deleted.
1403 (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted.
1404 (JSC::ContiguousTypeAccessor<ArrayWithDouble>::getAsValue): Deleted.
1405 (JSC::ContiguousTypeAccessor<ArrayWithDouble>::setWithValue): Deleted.
1406 (JSC::ContiguousTypeAccessor<ArrayWithDouble>::replaceDataReference): Deleted.
1407 (JSC::JSArray::sortCompactedVector): Deleted.
1408 (JSC::JSArray::sort): Deleted.
1409 (JSC::AVLTreeAbstractorForArrayCompare::get_less): Deleted.
1410 (JSC::AVLTreeAbstractorForArrayCompare::set_less): Deleted.
1411 (JSC::AVLTreeAbstractorForArrayCompare::get_greater): Deleted.
1412 (JSC::AVLTreeAbstractorForArrayCompare::set_greater): Deleted.
1413 (JSC::AVLTreeAbstractorForArrayCompare::get_balance_factor): Deleted.
1414 (JSC::AVLTreeAbstractorForArrayCompare::set_balance_factor): Deleted.
1415 (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key): Deleted.
1416 (JSC::AVLTreeAbstractorForArrayCompare::compare_key_node): Deleted.
1417 (JSC::AVLTreeAbstractorForArrayCompare::compare_node_node): Deleted.
1418 (JSC::AVLTreeAbstractorForArrayCompare::null): Deleted.
1419 (JSC::JSArray::sortVector): Deleted.
1420 (JSC::JSArray::compactForSorting): Deleted.
1421 * runtime/JSArray.h:
1423 * runtime/JSGlobalObject.cpp:
1424 (JSC::JSGlobalObject::init):
1425 * runtime/ObjectConstructor.cpp:
1426 (JSC::ObjectConstructor::finishCreation): Provide some builtins used
1429 2015-04-29 Mark Lam <mark.lam@apple.com>
1431 Safari WebKit crash when loading Google Spreadsheet.
1432 https://bugs.webkit.org/show_bug.cgi?id=144020
1434 Reviewed by Filip Pizlo.
1436 The bug is that the object allocation sinking phase did not account for a case
1437 where a property of a sunken object is only initialized on one path and not
1438 another. As a result, on the path where the property is not initialized, we'll
1439 encounter an Upsilon with a BottomValue (which is not allowed by definition).
1441 The fix is to use a JSConstant(undefined) as the bottom value instead (of
1442 BottomValue). If the property is uninitialized, it should still be accessible
1443 and have the value undefined.
1445 * dfg/DFGObjectAllocationSinkingPhase.cpp:
1446 (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
1447 * tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js: Added.
1451 2015-04-29 Yusuke Suzuki <utatane.tea@gmail.com>
1453 REGRESSION (r183373): ASSERT failed in wtf/SHA1.h
1454 https://bugs.webkit.org/show_bug.cgi?id=144257
1456 Reviewed by Darin Adler.
1458 SHA1 is used to calculate CodeBlockHash.
1459 To calculate hash value, we pass the source code UTF-8 CString to SHA1::addBytes.
1460 However, the source code can contain null character.
1461 So when performing `strlen` on the source code's CString, it returns the incorrect length.
1462 In SHA1::addBytes, there's assertion `input.length() == strlen(string)` and it fails.
1464 In the template-literal-syntax.js, we perform `eval` with the script contains "\0".
1465 As the result, `strlen(string)` accidentally shortened by the contained "\0", and assertion fails.
1467 CString will be changed not to contain a null-character[1]. However, inserting the assertion here
1468 is not correct. Because
1470 1. If CString should not contain a null character, this should be asserted in CString side instead of SHA1::addBytes.
1471 2. If CString can contain a null character, this assertion becomes incorrect.
1473 So this patch just drops the assertion.
1475 In the current implementation, we once convert the entire source code to the newly allocated
1476 UTF-8 string and pass it to the SHA1 processing. However, this is memory consuming.
1477 Ideally, we should stream the decoded bytes into the SHA1 processing iteratively.
1478 We'll implement it in the separate patch[2].
1480 [1]: https://bugs.webkit.org/show_bug.cgi?id=144339
1481 [2]: https://bugs.webkit.org/show_bug.cgi?id=144263
1483 * tests/stress/eval-script-contains-null-character.js: Added.
1486 * tests/stress/template-literal-line-terminators.js:
1487 * tests/stress/template-literal-syntax.js:
1488 * tests/stress/template-literal.js:
1490 2015-04-29 Filip Pizlo <fpizlo@apple.com>
1492 Evict IsEnvironmentRecord from inline type flags
1493 https://bugs.webkit.org/show_bug.cgi?id=144398
1495 Reviewed by Mark Lam and Michael Saboff.
1497 In https://bugs.webkit.org/show_bug.cgi?id=144397, we'll need an extra bit in the inline
1498 type flags. This change picks the least important inline type flag - IsEnvironmentRecord -
1499 and evicts it into the out-of-line type flags. This change has no performance implications
1500 because we never even accessed IsEnvironmentRecord via the StructureIDBlob. The only place
1501 where we access it at all is in String.prototype.repeat, and there we already load the
1504 * runtime/JSTypeInfo.h:
1505 (JSC::TypeInfo::implementsHasInstance):
1506 (JSC::TypeInfo::structureIsImmortal):
1507 (JSC::TypeInfo::isEnvironmentRecord):
1509 2015-04-29 Darin Adler <darin@apple.com>
1511 [ES6] Implement Unicode code point escapes
1512 https://bugs.webkit.org/show_bug.cgi?id=144377
1514 Reviewed by Antti Koivisto.
1516 * parser/Lexer.cpp: Moved the UnicodeHexValue class in here from
1517 the header. Made it a non-member class so it doesn't need to be part
1518 of a template. Made it use UChar32 instead of int for the value to
1519 make it clearer what goes into this class.
1520 (JSC::ParsedUnicodeEscapeValue::isIncomplete): Added. Replaces the
1521 old type() function.
1522 (JSC::Lexer<CharacterType>::parseUnicodeEscape): Renamed from
1523 parseFourDigitUnicodeHex and added support for code point escapes.
1524 (JSC::isLatin1): Added an overload for UChar32.
1525 (JSC::isIdentStart): Changed this to take UChar32; no caller tries
1526 to call it with a UChar, so no need to overload for that type for now.
1527 (JSC::isNonLatin1IdentPart): Changed argument type to UChar32 for clarity.
1528 Also added FIXME about a subtle ES6 change that we might want to make later.
1529 (JSC::isIdentPart): Changed this to take UChar32; no caller tries
1530 to call it with a UChar, so no need to overload for that type for now.
1531 (JSC::isIdentPartIncludingEscapeTemplate): Made this a template so that we
1532 don't need to repeat the code twice. Added code to handle code point escapes.
1533 (JSC::isIdentPartIncludingEscape): Call the template instead of having the
1535 (JSC::Lexer<CharacterType>::recordUnicodeCodePoint): Added.
1536 (JSC::Lexer<CharacterType>::parseIdentifierSlowCase): Made small tweaks and
1537 updated to call parseUnicodeEscape instead of parseFourDigitUnicodeHex.
1538 (JSC::Lexer<CharacterType>::parseComplexEscape): Call parseUnicodeEscape
1539 instead of parseFourDigitUnicodeHex. Move the code to handle "\u" before
1540 the code that handles the escapes, since the code point escape code now
1541 consumes characters while parsing rather than peeking ahead. Test case
1542 covers this: Symptom would be that "\u{" would evaluate to "u" instead of
1543 giving a syntax error.
1545 * parser/Lexer.h: Updated for above changes.
1547 * runtime/StringConstructor.cpp:
1548 (JSC::stringFromCodePoint): Use ICU's UCHAR_MAX_VALUE instead of writing
1549 out 0x10FFFF; clearer this way.
1551 2015-04-29 Martin Robinson <mrobinson@igalia.com>
1553 [CMake] [GTK] Organize and clean up unused CMake variables
1554 https://bugs.webkit.org/show_bug.cgi?id=144364
1556 Reviewed by Gyuyoung Kim.
1558 * PlatformGTK.cmake: Add variables specific to this project.
1560 2015-04-28 Filip Pizlo <fpizlo@apple.com>
1562 TypeOf should return SpecStringIdent and the DFG should know this
1563 https://bugs.webkit.org/show_bug.cgi?id=144376
1565 Reviewed by Andreas Kling.
1567 Make TypeOf return atomic strings. That's a simple change in SmallStrings.
1569 Make the DFG know this and use it for optimization. This makes Switch(TypeOf) a bit less
1572 * dfg/DFGAbstractInterpreterInlines.h:
1573 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1574 * dfg/DFGAbstractValue.cpp:
1575 (JSC::DFG::AbstractValue::setType):
1576 * dfg/DFGAbstractValue.h:
1577 (JSC::DFG::AbstractValue::setType):
1578 * dfg/DFGInPlaceAbstractState.cpp:
1579 (JSC::DFG::InPlaceAbstractState::initialize):
1580 * dfg/DFGPredictionPropagationPhase.cpp:
1581 (JSC::DFG::PredictionPropagationPhase::propagate):
1582 * runtime/SmallStrings.cpp:
1583 (JSC::SmallStrings::initialize):
1584 * tests/stress/switch-typeof-indirect.js: Added.
1588 * tests/stress/switch-typeof-slightly-indirect.js: Added.
1591 * tests/stress/switch-typeof.js: Added.
1595 2015-04-29 Joseph Pecoraro <pecoraro@apple.com>
1597 REGRESSION(181868): Windows Live SkyDrive cannot open an excel file
1598 https://bugs.webkit.org/show_bug.cgi?id=144373
1600 Reviewed by Darin Adler.
1602 Revert r181868 as it caused a failure on live.com. We can try
1603 re-enabling this exception after we make idl attributes configurable,
1604 which may have prevented this particular failure.
1606 * runtime/ObjectPrototype.cpp:
1607 (JSC::objectProtoFuncDefineGetter):
1608 (JSC::objectProtoFuncDefineSetter):
1610 2015-04-28 Joseph Pecoraro <pecoraro@apple.com>
1612 Deadlock on applications using JSContext on non-main thread
1613 https://bugs.webkit.org/show_bug.cgi?id=144370
1615 Reviewed by Timothy Hatcher.
1617 * inspector/remote/RemoteInspector.mm:
1618 (Inspector::RemoteInspector::singleton):
1619 Prevent a possible deadlock by assuming we can synchronously
1620 run something on the main queue at this time.
1622 2015-04-28 Filip Pizlo <fpizlo@apple.com>
1624 FTL should fully support Switch (it currently lacks the SwitchString variant)
1625 https://bugs.webkit.org/show_bug.cgi?id=144348
1627 Reviewed by Benjamin Poulain.
1629 This adds SwitchString support to the FTL. This is already tested by switch microbenchmarks
1630 in LayoutTests/js/regress.
1632 * dfg/DFGCommon.cpp:
1633 (JSC::DFG::stringLessThan):
1635 * dfg/DFGOperations.cpp:
1636 * dfg/DFGOperations.h:
1637 * dfg/DFGSpeculativeJIT.cpp:
1638 (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<): Deleted.
1639 * dfg/DFGSpeculativeJIT.h:
1640 (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<):
1641 * ftl/FTLCapabilities.cpp:
1642 (JSC::FTL::canCompile):
1643 * ftl/FTLIntrinsicRepository.h:
1644 * ftl/FTLLowerDFGToLLVM.cpp:
1645 (JSC::FTL::LowerDFGToLLVM::compileSwitch):
1646 (JSC::FTL::LowerDFGToLLVM::switchString):
1647 (JSC::FTL::LowerDFGToLLVM::StringSwitchCase::StringSwitchCase):
1648 (JSC::FTL::LowerDFGToLLVM::StringSwitchCase::operator<):
1649 (JSC::FTL::LowerDFGToLLVM::CharacterCase::CharacterCase):
1650 (JSC::FTL::LowerDFGToLLVM::CharacterCase::operator<):
1651 (JSC::FTL::LowerDFGToLLVM::switchStringRecurse):
1652 (JSC::FTL::LowerDFGToLLVM::switchStringSlow):
1653 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1654 * ftl/FTLOutput.cpp:
1655 (JSC::FTL::Output::check):
1658 (JSC::FTL::Weight::inverse):
1659 * jit/JITOperations.h:
1661 2015-04-28 Michael Catanzaro <mcatanzaro@igalia.com>
1663 Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT
1664 https://bugs.webkit.org/show_bug.cgi?id=144304
1666 Reviewed by Geoffrey Garen.
1668 * Configurations/FeatureDefines.xcconfig: Define ENABLE_JIT, enabled by default, instead of
1669 ENABLE_LLINT_C_LOOP, disabled by default.
1670 * llint/LLIntSlowPaths.cpp:
1671 (JSC::LLInt::LLINT_SLOW_PATH_DECL): Check ENABLE_JIT instead of ENABLE_LLINT_C_LOOP.
1673 2015-04-28 Commit Queue <commit-queue@webkit.org>
1675 Unreviewed, rolling out r183514.
1676 https://bugs.webkit.org/show_bug.cgi?id=144359
1678 It broke cloop test bots (Requested by mcatanzaro on #webkit).
1682 "Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT"
1683 https://bugs.webkit.org/show_bug.cgi?id=144304
1684 http://trac.webkit.org/changeset/183514
1686 2015-04-28 Michael Catanzaro <mcatanzaro@igalia.com>
1688 Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT
1689 https://bugs.webkit.org/show_bug.cgi?id=144304
1691 Reviewed by Geoffrey Garen.
1693 * Configurations/FeatureDefines.xcconfig: Define ENABLE_JIT, enabled by default, instead of
1694 ENABLE_LLINT_C_LOOP, disabled by default.
1695 * llint/LLIntSlowPaths.cpp:
1696 (JSC::LLInt::LLINT_SLOW_PATH_DECL): Check ENABLE_JIT instead of ENABLE_LLINT_C_LOOP.
1698 2015-04-28 Joseph Pecoraro <pecoraro@apple.com>
1700 Fix common typo "targetting" => "targeting"
1701 https://bugs.webkit.org/show_bug.cgi?id=144349
1703 Reviewed by Daniel Bates.
1705 * bytecode/ExecutionCounter.h:
1707 2015-04-28 Yusuke Suzuki <utatane.tea@gmail.com>
1709 Update the features.json for WeakSet, WeakMap, Template literals, Tagged templates
1710 https://bugs.webkit.org/show_bug.cgi?id=144328
1712 Reviewed by Andreas Kling.
1714 Update the status of ES6 features.
1718 2015-04-28 Filip Pizlo <fpizlo@apple.com>
1720 DFG should not use or preserve Phantoms during transformations
1721 https://bugs.webkit.org/show_bug.cgi?id=143736
1723 Reviewed by Geoffrey Garen.
1725 Since http://trac.webkit.org/changeset/183207 and http://trac.webkit.org/changeset/183406, it is
1726 no longer necessary to preserve Phantoms during transformations. They are still useful just
1727 before FixupPhase to support backwards propagation analyses. They are still inserted late in the
1728 game in the DFG backend. But transformations don't need to worry about them. Inside a basic
1729 block, we can be sure that so long as the IR pinpoints the place where the value becomes
1730 available in a bytecode register (using MovHint) and so long as there is a SetLocal anytime some
1731 other block would need the value (either for OSR or for DFG execution), then we don't need any
1734 So, this removes any places where we inserted Phantoms just for liveness during transformation
1735 and it replaces convertToPhantom() with remove(), which just converts the node to a Check. A
1736 Check node only keeps its children so long as those children have checks.
1738 The fact that we no longer convertToPhantom() means that we have to be more careful when
1739 constant-folding GetLocal. Previously we would convertToPhantom() and use the fact that
1740 Phantom(Phi) was a valid construct. It's not valid anymore. So, when constant folding encounters
1741 a GetLocal it needs to insert a PhantomLocal directly. This allows us to simplify
1742 Graph::convertToConstant() a bit. Luckily, none of the other users of this method would see
1745 The only Phantom-like cruft left over after this patch is:
1747 - Phantoms before FixupPhase. I kind of like these. It means that before FixupPhase, we can do
1748 backwards analyses and rely on the fact that the users of a node in DFG IR are a superset of
1749 the users of the original local's live range in bytecode. This is essential for supporting our
1750 BackwardsPropagationPhase, which is an important optimization for things like asm.js.
1752 - PhantomLocals and GetLocals being NodeMustGenerate. See discussion in
1753 https://bugs.webkit.org/show_bug.cgi?id=144086. It appears that this is not as evil as the
1754 alternatives. The best long-term plan is to simply ditch the ThreadedCPS IR entirely and have
1755 the DFG use SSA. For now, so long as any new DFG optimizations we add are block-local and
1756 treat GetLocal/SetLocal conservatively, this should all be sound.
1758 This change should be perf-neutral although it does reduce the total work that the compiler
1762 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1763 * JavaScriptCore.xcodeproj/project.pbxproj:
1764 * dfg/DFGAdjacencyList.h:
1765 (JSC::DFG::AdjacencyList::justChecks):
1766 * dfg/DFGArgumentsEliminationPhase.cpp:
1767 * dfg/DFGBasicBlock.cpp:
1768 (JSC::DFG::BasicBlock::replaceTerminal):
1769 * dfg/DFGBasicBlock.h:
1770 (JSC::DFG::BasicBlock::findTerminal):
1771 * dfg/DFGCFGSimplificationPhase.cpp:
1772 (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
1773 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1774 * dfg/DFGCPSRethreadingPhase.cpp:
1775 (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
1776 (JSC::DFG::CPSRethreadingPhase::clearVariables):
1777 (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
1778 (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1779 * dfg/DFGCSEPhase.cpp:
1780 * dfg/DFGCleanUpPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp.
1781 (JSC::DFG::CleanUpPhase::CleanUpPhase):
1782 (JSC::DFG::CleanUpPhase::run):
1783 (JSC::DFG::performCleanUp):
1784 (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase): Deleted.
1785 (JSC::DFG::PhantomRemovalPhase::run): Deleted.
1786 (JSC::DFG::performPhantomRemoval): Deleted.
1787 * dfg/DFGCleanUpPhase.h: Copied from Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.h.
1788 * dfg/DFGConstantFoldingPhase.cpp:
1789 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1790 (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
1791 (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
1792 * dfg/DFGDCEPhase.cpp:
1793 (JSC::DFG::DCEPhase::run):
1794 (JSC::DFG::DCEPhase::fixupBlock):
1795 (JSC::DFG::DCEPhase::cleanVariables):
1796 * dfg/DFGFixupPhase.cpp:
1797 (JSC::DFG::FixupPhase::fixupBlock):
1798 (JSC::DFG::FixupPhase::fixupNode):
1799 (JSC::DFG::FixupPhase::convertStringAddUse):
1800 (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
1801 (JSC::DFG::FixupPhase::checkArray):
1802 (JSC::DFG::FixupPhase::fixIntConvertingEdge):
1803 (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
1804 (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
1805 (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
1806 (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
1807 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
1808 (JSC::DFG::FixupPhase::addRequiredPhantom): Deleted.
1809 (JSC::DFG::FixupPhase::addPhantomsIfNecessary): Deleted.
1811 (JSC::DFG::Graph::convertToConstant):
1812 (JSC::DFG::Graph::mergeRelevantToOSR): Deleted.
1814 * dfg/DFGInsertionSet.h:
1815 (JSC::DFG::InsertionSet::insertCheck):
1816 * dfg/DFGIntegerCheckCombiningPhase.cpp:
1817 (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1818 * dfg/DFGLICMPhase.cpp:
1819 (JSC::DFG::LICMPhase::attemptHoist):
1821 (JSC::DFG::Node::remove):
1823 (JSC::DFG::Node::replaceWith):
1824 (JSC::DFG::Node::convertToPhantom): Deleted.
1825 (JSC::DFG::Node::convertToCheck): Deleted.
1826 (JSC::DFG::Node::willHaveCodeGenOrOSR): Deleted.
1827 * dfg/DFGNodeFlags.h:
1828 * dfg/DFGNodeType.h:
1829 * dfg/DFGObjectAllocationSinkingPhase.cpp:
1830 (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
1831 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
1832 * dfg/DFGPhantomCanonicalizationPhase.cpp: Removed.
1833 * dfg/DFGPhantomCanonicalizationPhase.h: Removed.
1834 * dfg/DFGPhantomRemovalPhase.cpp: Removed.
1835 * dfg/DFGPhantomRemovalPhase.h: Removed.
1837 (JSC::DFG::Plan::compileInThreadImpl):
1838 * dfg/DFGPutStackSinkingPhase.cpp:
1839 * dfg/DFGResurrectionForValidationPhase.cpp: Removed.
1840 * dfg/DFGResurrectionForValidationPhase.h: Removed.
1841 * dfg/DFGSSAConversionPhase.cpp:
1842 (JSC::DFG::SSAConversionPhase::run):
1843 * dfg/DFGSpeculativeJIT64.cpp:
1844 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1845 * dfg/DFGStoreBarrierElisionPhase.cpp:
1846 (JSC::DFG::StoreBarrierElisionPhase::elideBarrier):
1847 * dfg/DFGStrengthReductionPhase.cpp:
1848 (JSC::DFG::StrengthReductionPhase::handleNode):
1849 (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
1850 * dfg/DFGValidate.cpp:
1851 (JSC::DFG::Validate::validate):
1852 (JSC::DFG::Validate::validateCPS):
1853 (JSC::DFG::Validate::validateSSA):
1854 * dfg/DFGVarargsForwardingPhase.cpp:
1857 * ftl/FTLLowerDFGToLLVM.cpp:
1858 (JSC::FTL::LowerDFGToLLVM::compileNode):
1859 (JSC::FTL::LowerDFGToLLVM::compileNoOp):
1860 (JSC::FTL::LowerDFGToLLVM::compilePhantom): Deleted.
1862 2015-04-28 Andreas Kling <akling@apple.com>
1864 DFG+FTL should generate efficient code for branching on a string's boolean value.
1865 <https://webkit.org/b/144317>
1867 Reviewed by Geoff Garen & Filip Pizlo
1869 Teach Branch nodes about StringUse and have them generate an efficient zero-length string check
1870 instead of dropping out to C++ whenever we branch on a string.
1872 The FTL JIT already handled Branch nodes with StringUse through its use of boolify(), so only
1873 the DFG JIT gets some new codegen logic in this patch.
1875 Test: js/regress/branch-on-string-as-boolean.js (~4.5x speedup)
1877 * dfg/DFGFixupPhase.cpp:
1878 (JSC::DFG::FixupPhase::fixupNode):
1879 * dfg/DFGSpeculativeJIT.cpp:
1880 (JSC::DFG::SpeculativeJIT::emitStringBranch):
1881 * dfg/DFGSpeculativeJIT.h:
1882 * dfg/DFGSpeculativeJIT32_64.cpp:
1883 (JSC::DFG::SpeculativeJIT::emitBranch):
1884 * dfg/DFGSpeculativeJIT64.cpp:
1885 (JSC::DFG::SpeculativeJIT::emitBranch):
1887 2015-04-28 Filip Pizlo <fpizlo@apple.com>
1889 VarargsForwardingPhase should only consider MovHints that have the candidate as a child
1890 https://bugs.webkit.org/show_bug.cgi?id=144340
1892 Reviewed by Michael Saboff and Mark Lam.
1894 Since we were considering all MovHints, we'd assume that the CreateDirectArguments or
1895 CreateClosedArguments node was live so long as any MovHinted bytecode variable was alive.
1896 Basically, we'd keep it alive until the end of the block. This maximized the chances of
1897 there being an interfering operation, which would prevent elimination.
1899 The fix is to only consider MovHints that have the arguments candidate as a child. We only
1900 care to track the liveness of those bytecode locals that would need an arguments object
1901 recovery on OSR exit.
1903 This is a speed-up on V8Spider/raytrace and Octane/raytrace because it undoes the regression
1904 introduced in http://trac.webkit.org/changeset/183406.
1906 * dfg/DFGVarargsForwardingPhase.cpp:
1908 2015-04-28 Csaba Osztrogonác <ossy@webkit.org>
1910 Remove WinCE cruft from cmake build system
1911 https://bugs.webkit.org/show_bug.cgi?id=144325
1913 Reviewed by Gyuyoung Kim.
1916 * create_jit_stubs: Removed.
1918 2015-04-27 Andreas Kling <akling@apple.com>
1920 RegExp matches arrays should use contiguous indexing.
1921 <https://webkit.org/b/144286>
1923 Reviewed by Geoffrey Garen.
1925 We had a custom Structure being used for RegExp matches arrays that would
1926 put the arrays into SlowPutArrayStorageShape mode. This was just left
1927 from when matches arrays were custom, lazily initialized objects.
1929 This change removes that Structure and switches the matches arrays to
1930 using the default ContiguousShape Structure. This allows the FTL JIT
1931 to compile the inner loop of the Octane/regexp benchmark.
1933 Also made a version of initializeIndex() [inline] that takes the indexing
1934 type in an argument, allowing createRegExpMatchesArray() to initialize
1935 the entire array without branching on the indexing type for each entry.
1937 ~3% progression on Octane/regexp.
1939 * runtime/JSGlobalObject.cpp:
1940 (JSC::JSGlobalObject::init):
1941 (JSC::JSGlobalObject::visitChildren):
1942 * runtime/JSGlobalObject.h:
1943 (JSC::JSGlobalObject::mapStructure):
1944 (JSC::JSGlobalObject::regExpMatchesArrayStructure): Deleted.
1945 * runtime/JSObject.h:
1946 (JSC::JSObject::initializeIndex):
1947 * runtime/RegExpMatchesArray.cpp:
1948 (JSC::createRegExpMatchesArray):
1950 2015-04-27 Filip Pizlo <fpizlo@apple.com>
1952 FTL failed to initialize arguments.callee on the slow path as well as the fast path
1953 https://bugs.webkit.org/show_bug.cgi?id=144293
1955 Reviewed by Mark Lam.
1957 The slow path doesn't fully initialize DirectArguments - it leaves callee blank. So, we need
1958 to initialize the callee on the common path after the fast and slow path.
1960 * ftl/FTLLowerDFGToLLVM.cpp:
1961 (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
1962 * tests/stress/arguments-callee-uninitialized.js: Added.
1965 2015-04-27 Benjamin Poulain <bpoulain@apple.com>
1967 [JSC] Add support for typed arrays to the Array profiling
1968 https://bugs.webkit.org/show_bug.cgi?id=143913
1970 Reviewed by Filip Pizlo.
1972 This patch adds ArrayModes for every typed arrays. Having that information
1973 let us generate better GetByVal and PutByVal when the type speculation
1974 are not good enough.
1976 A typical case where this is useful is any basic block for which the type
1977 of the object is always more restrictive than the speculation (for example,
1978 a basic block gated by a branch only taken for on type).
1980 * bytecode/ArrayProfile.cpp:
1981 (JSC::dumpArrayModes):
1982 * bytecode/ArrayProfile.h:
1983 (JSC::arrayModeFromStructure):
1984 * dfg/DFGArrayMode.cpp:
1985 (JSC::DFG::ArrayMode::fromObserved):
1986 (JSC::DFG::ArrayMode::refine):
1987 Maintain the refine() semantic. We do not support OutOfBounds access
1988 for GetByVal on typed array.
1990 * runtime/IndexingType.h:
1991 * tests/stress/typed-array-get-by-val-profiling.js: Added.
1992 (testArray.testCode):
1994 * tests/stress/typed-array-put-by-val-profiling.js: Added.
1995 (testArray.testCode):
1998 2015-04-27 Filip Pizlo <fpizlo@apple.com>
2000 Unreviewed, roll out r183438 "RegExp matches arrays should use contiguous indexing". It
2001 causes many debug test failures.
2003 * runtime/JSGlobalObject.cpp:
2004 (JSC::JSGlobalObject::init):
2005 (JSC::JSGlobalObject::visitChildren):
2006 * runtime/JSGlobalObject.h:
2007 (JSC::JSGlobalObject::regExpMatchesArrayStructure):
2008 * runtime/JSObject.h:
2009 (JSC::JSObject::initializeIndex):
2010 * runtime/RegExpMatchesArray.cpp:
2011 (JSC::createRegExpMatchesArray):
2013 2015-04-27 Andreas Kling <akling@apple.com>
2015 RegExp matches arrays should use contiguous indexing.
2016 <https://webkit.org/b/144286>
2018 Reviewed by Geoffrey Garen.
2020 We had a custom Structure being used for RegExp matches arrays that would
2021 put the arrays into SlowPutArrayStorageShape mode. This was just left
2022 from when matches arrays were custom, lazily initialized objects.
2024 This change removes that Structure and switches the matches arrays to
2025 using the default ContiguousShape Structure. This allows the FTL JIT
2026 to compile the inner loop of the Octane/regexp benchmark.
2028 Also made a version of initializeIndex() [inline] that takes the indexing
2029 type in an argument, allowing createRegExpMatchesArray() to initialize
2030 the entire array without branching on the indexing type for each entry.
2032 ~3% progression on Octane/regexp.
2034 * runtime/JSGlobalObject.cpp:
2035 (JSC::JSGlobalObject::init):
2036 (JSC::JSGlobalObject::visitChildren):
2037 * runtime/JSGlobalObject.h:
2038 (JSC::JSGlobalObject::mapStructure):
2039 (JSC::JSGlobalObject::regExpMatchesArrayStructure): Deleted.
2040 * runtime/JSObject.h:
2041 (JSC::JSObject::initializeIndex):
2042 * runtime/RegExpMatchesArray.cpp:
2043 (JSC::createRegExpMatchesArray):
2045 2015-04-27 Ryosuke Niwa <rniwa@webkit.org>
2047 REGRESSION (r183373): ASSERT failed in wtf/SHA1.h
2048 https://bugs.webkit.org/show_bug.cgi?id=144257
2050 Temporarily disable skip these tests.
2052 * tests/stress/template-literal-line-terminators.js:
2053 * tests/stress/template-literal-syntax.js:
2054 * tests/stress/template-literal.js:
2056 2015-04-27 Basile Clement <basile_clement@apple.com>
2058 Function allocations shouldn't sink through Put operations
2059 https://bugs.webkit.org/show_bug.cgi?id=144176
2061 Reviewed by Filip Pizlo.
2063 By design, we don't support function allocation sinking through any
2064 related operation ; however object allocation can sink through PutByOffset et
2067 Currently, the checks to prevent function allocation to sink through
2068 these are misguided and do not prevent anything ; function allocation sinking
2069 through these operations is prevented as a side effect of requiring an
2070 AllocatePropertyStorage through which the function allocation is seen as
2073 This changes it so that ObjectAllocationSinkingPhase::handleNode()
2074 checks properly that only object allocations sink through related write
2077 * dfg/DFGObjectAllocationSinkingPhase.cpp:
2078 (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
2079 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
2081 2015-04-25 Filip Pizlo <fpizlo@apple.com>
2083 VarargsForwardingPhase should use bytecode liveness in addition to other uses to determine the last point that a candidate is used
2084 https://bugs.webkit.org/show_bug.cgi?id=143843
2086 Reviewed by Geoffrey Garen.
2088 It will soon come to pass that Phantom isn't available at the time that
2089 VarargsForwardingPhase runs. So, it needs to use some other mechanism for discovering when
2090 a value dies for OSR.
2092 This is simplified by two things:
2094 1) The bytecode kill analysis is now reusable. This patch makes it even more reusable than
2095 before by polishing the API.
2097 2) This phase already operates on one node at a time and allows itself to do a full search
2098 of the enclosing basic block for that node. This is fine because CreateDirectArguments
2099 and friends is a rarely occurring node. The fact that it operates on one node at a time
2100 makes it even easier to reason about OSR liveness - we just track the list of locals in
2103 This change has no effect right now but it is a necessary prerequisite to implementing
2104 https://bugs.webkit.org/show_bug.cgi?id=143736.
2106 * dfg/DFGBasicBlock.h:
2107 (JSC::DFG::BasicBlock::tryAt):
2108 * dfg/DFGForAllKills.h:
2109 (JSC::DFG::forAllKilledOperands):
2110 * dfg/DFGPhantomInsertionPhase.cpp:
2111 * dfg/DFGVarargsForwardingPhase.cpp:
2113 2015-04-27 Jordan Harband <ljharb@gmail.com>
2115 Map#entries and Map#keys error for non-Maps is swapped
2116 https://bugs.webkit.org/show_bug.cgi?id=144253
2118 Reviewed by Simon Fraser.
2120 Correcting error messages on Set/Map methods when called on
2121 incompatible objects.
2123 * runtime/MapPrototype.cpp:
2124 (JSC::mapProtoFuncEntries):
2125 (JSC::mapProtoFuncKeys):
2126 * runtime/SetPrototype.cpp:
2127 (JSC::setProtoFuncEntries):
2129 2015-04-24 Filip Pizlo <fpizlo@apple.com>
2131 Rationalize DFG DCE handling of nodes that perform checks that propagate through AI
2132 https://bugs.webkit.org/show_bug.cgi?id=144186
2134 Reviewed by Geoffrey Garen.
2136 If I do ArithAdd(Int32Use, Int32Use, CheckOverflow) then AI will prove that this returns
2137 Int32. We may later perform code simplifications based on the proof that this is Int32, and
2138 we may kill all DFG users of this ArithAdd. Then we may prove that there is no exit site at
2139 which the ArithAdd is live. This seems like it is sufficient to then kill the ArithAdd,
2140 except that we still need the overflow check!
2142 Previously we mishandled this:
2144 - In places where we want the overflow check we need to use MustGenerate(@ArithAdd) as a hack
2145 to keep it alive. That's dirty and it's just indicative of a deeper issue.
2147 - Our MovHint removal doesn't do Phantom canonicalization which essentially makes it
2148 powerless. This was sort of hiding the bug.
2150 - Nodes that have checks that AI leverages should always be NodeMustGenerate. You can't kill
2151 something that you are relying on for subsequent simplifications.
2153 This fixes MovHint removal to also canonicalize Phantoms. This also adds ModeMustGenerate to
2154 nodes that may perform checks that are used by AI to guarantee the result type. As a result,
2155 we no longer need the weird MustGenerate node.
2157 * dfg/DFGAbstractInterpreterInlines.h:
2158 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2159 * dfg/DFGArgumentsEliminationPhase.cpp:
2160 * dfg/DFGClobberize.h:
2161 (JSC::DFG::clobberize):
2162 * dfg/DFGDCEPhase.cpp:
2163 (JSC::DFG::DCEPhase::run):
2164 * dfg/DFGDoesGC.cpp:
2166 * dfg/DFGFixupPhase.cpp:
2167 (JSC::DFG::FixupPhase::fixupNode):
2168 (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
2169 * dfg/DFGIntegerCheckCombiningPhase.cpp:
2170 (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
2171 (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd): Deleted.
2172 * dfg/DFGMayExit.cpp:
2173 (JSC::DFG::mayExit):
2175 (JSC::DFG::Node::willHaveCodeGenOrOSR):
2176 * dfg/DFGNodeType.h:
2177 * dfg/DFGObjectAllocationSinkingPhase.cpp:
2178 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
2179 * dfg/DFGPhantomCanonicalizationPhase.cpp:
2180 (JSC::DFG::PhantomCanonicalizationPhase::run):
2181 * dfg/DFGPhantomRemovalPhase.cpp:
2182 (JSC::DFG::PhantomRemovalPhase::run):
2184 (JSC::DFG::Plan::compileInThreadImpl):
2185 * dfg/DFGPredictionPropagationPhase.cpp:
2186 (JSC::DFG::PredictionPropagationPhase::propagate):
2187 * dfg/DFGSafeToExecute.h:
2188 (JSC::DFG::safeToExecute):
2189 * dfg/DFGSpeculativeJIT32_64.cpp:
2190 (JSC::DFG::SpeculativeJIT::compile):
2191 * dfg/DFGSpeculativeJIT64.cpp:
2192 (JSC::DFG::SpeculativeJIT::compile):
2193 * dfg/DFGTypeCheckHoistingPhase.cpp:
2194 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2195 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2196 * dfg/DFGVarargsForwardingPhase.cpp:
2197 * ftl/FTLCapabilities.cpp:
2198 (JSC::FTL::canCompile):
2199 * ftl/FTLLowerDFGToLLVM.cpp:
2200 (JSC::FTL::LowerDFGToLLVM::compileNode):
2201 * tests/stress/fold-based-on-int32-proof-mul-branch.js: Added.
2203 * tests/stress/fold-based-on-int32-proof-mul.js: Added.
2205 * tests/stress/fold-based-on-int32-proof-or-zero.js: Added.
2207 * tests/stress/fold-based-on-int32-proof.js: Added.
2210 2015-04-26 Ryosuke Niwa <rniwa@webkit.org>
2212 Class body ending with a semicolon throws a SyntaxError
2213 https://bugs.webkit.org/show_bug.cgi?id=144244
2215 Reviewed by Darin Adler.
2217 The bug was caused by parseClass's inner loop for method definitions not moving onto the next iteration
2218 it encounters a semicolon. As a result, we always expected a method to appear after a semicolon. Fixed
2219 it by continue'ing when it encounters a semicolon.
2221 * parser/Parser.cpp:
2222 (JSC::Parser<LexerType>::parseClass):
2224 2015-04-26 Ryosuke Niwa <rniwa@webkit.org>
2226 Getter or setter method named "prototype" or "constrcutor" should throw SyntaxError
2227 https://bugs.webkit.org/show_bug.cgi?id=144243
2229 Reviewed by Darin Adler.
2231 Fixed the bug by adding explicit checks in parseGetterSetter when we're parsing class methods.
2233 * parser/Parser.cpp:
2234 (JSC::Parser<LexerType>::parseGetterSetter):
2236 2015-04-26 Jordan Harband <ljharb@gmail.com>
2238 Map#forEach does not pass "map" argument to callback.
2239 https://bugs.webkit.org/show_bug.cgi?id=144187
2241 Reviewed by Darin Adler.
2243 Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-map.prototype.foreach
2244 step 7.a.i., the callback should be called with three arguments.
2246 * runtime/MapPrototype.cpp:
2247 (JSC::mapProtoFuncForEach):
2249 2015-04-26 Yusuke Suzuki <utatane.tea@gmail.com>
2251 [ES6] Implement ES6 template literals
2252 https://bugs.webkit.org/show_bug.cgi?id=142691
2254 Reviewed by Darin Adler.
2256 This patch implements TemplateLiteral.
2257 Since TaggedTemplate requires some global states and
2258 primitive operations like GetTemplateObject,
2259 we separate the patch. It will be implemented in a subsequent patch.
2261 Template Literal Syntax is guarded by ENABLE_ES6_TEMPLATE_LITERAL_SYNTAX compile time flag.
2262 By disabling it, we can disable Template Literal support.
2264 To implement template literals, in this patch,
2265 we newly introduces bytecode op_to_string.
2266 In template literals, we alternately evaluate the expression and
2267 perform ToString onto the result of evaluation.
2272 In this template literal, execution order is the following,
2274 2. ToString(the result of f1())
2276 4. ToString(the result of f2())
2278 op_strcat also performs ToString. However, performing ToString
2279 onto expressions are batched in op_strcat, it's not the same to the
2280 template literal spec. In the above example,
2281 ToString(f1()) should be called before calling f2().
2283 * Configurations/FeatureDefines.xcconfig:
2284 * bytecode/BytecodeList.json:
2285 * bytecode/BytecodeUseDef.h:
2286 (JSC::computeUsesForBytecodeOffset):
2287 (JSC::computeDefsForBytecodeOffset):
2288 * bytecode/CodeBlock.cpp:
2289 (JSC::CodeBlock::dumpBytecode):
2290 * bytecompiler/BytecodeGenerator.h:
2291 (JSC::BytecodeGenerator::emitToString):
2292 (JSC::BytecodeGenerator::emitToNumber): Deleted.
2293 * bytecompiler/NodesCodegen.cpp:
2294 (JSC::TemplateStringNode::emitBytecode):
2295 (JSC::TemplateLiteralNode::emitBytecode):
2296 * dfg/DFGByteCodeParser.cpp:
2297 (JSC::DFG::ByteCodeParser::parseBlock):
2298 * dfg/DFGCapabilities.cpp:
2299 (JSC::DFG::capabilityLevel):
2301 (JSC::JIT::privateCompileMainPass):
2302 (JSC::JIT::privateCompileSlowCases):
2304 * jit/JITOpcodes.cpp:
2305 (JSC::JIT::emit_op_to_string):
2306 (JSC::JIT::emitSlow_op_to_string):
2307 * jit/JITOpcodes32_64.cpp:
2308 (JSC::JIT::emit_op_to_string):
2309 (JSC::JIT::emitSlow_op_to_string):
2310 * llint/LowLevelInterpreter32_64.asm:
2311 * llint/LowLevelInterpreter64.asm:
2312 * parser/ASTBuilder.h:
2313 (JSC::ASTBuilder::createTemplateString):
2314 (JSC::ASTBuilder::createTemplateStringList):
2315 (JSC::ASTBuilder::createTemplateExpressionList):
2316 (JSC::ASTBuilder::createTemplateLiteral):
2318 (JSC::Lexer<T>::Lexer):
2319 (JSC::Lexer<T>::parseIdentifierSlowCase):
2320 (JSC::Lexer<T>::parseString):
2321 (JSC::LineNumberAdder::LineNumberAdder):
2322 (JSC::LineNumberAdder::clear):
2323 (JSC::LineNumberAdder::add):
2324 (JSC::Lexer<T>::parseTemplateLiteral):
2325 (JSC::Lexer<T>::lex):
2326 (JSC::Lexer<T>::scanRegExp):
2327 (JSC::Lexer<T>::scanTrailingTemplateString):
2328 (JSC::Lexer<T>::parseStringSlowCase): Deleted.
2330 * parser/NodeConstructors.h:
2331 (JSC::TemplateExpressionListNode::TemplateExpressionListNode):
2332 (JSC::TemplateStringNode::TemplateStringNode):
2333 (JSC::TemplateStringListNode::TemplateStringListNode):
2334 (JSC::TemplateLiteralNode::TemplateLiteralNode):
2336 (JSC::TemplateExpressionListNode::value):
2337 (JSC::TemplateExpressionListNode::next):
2338 (JSC::TemplateStringNode::cooked):
2339 (JSC::TemplateStringNode::raw):
2340 (JSC::TemplateStringListNode::value):
2341 (JSC::TemplateStringListNode::next):
2342 * parser/Parser.cpp:
2343 (JSC::Parser<LexerType>::parseTemplateString):
2344 (JSC::Parser<LexerType>::parseTemplateLiteral):
2345 (JSC::Parser<LexerType>::parsePrimaryExpression):
2347 * parser/ParserTokens.h:
2348 * parser/SyntaxChecker.h:
2349 (JSC::SyntaxChecker::createTemplateString):
2350 (JSC::SyntaxChecker::createTemplateStringList):
2351 (JSC::SyntaxChecker::createTemplateExpressionList):
2352 (JSC::SyntaxChecker::createTemplateLiteral):
2353 (JSC::SyntaxChecker::createSpreadExpression): Deleted.
2354 * runtime/CommonSlowPaths.cpp:
2355 (JSC::SLOW_PATH_DECL):
2356 * runtime/CommonSlowPaths.h:
2357 * tests/stress/template-literal-line-terminators.js: Added.
2360 (testEvalLineNumber):
2361 * tests/stress/template-literal-syntax.js: Added.
2364 * tests/stress/template-literal.js: Added.
2369 2015-04-26 Jordan Harband <ljharb@gmail.com>
2371 Set#forEach does not pass "key" or "set" arguments to callback.
2372 https://bugs.webkit.org/show_bug.cgi?id=144188
2374 Reviewed by Darin Adler.
2376 Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.foreach
2377 Set#forEach should pass 3 arguments to the callback.
2379 * runtime/SetPrototype.cpp:
2380 (JSC::setProtoFuncForEach):
2382 2015-04-26 Benjamin Poulain <benjamin@webkit.org>
2384 [JSC] Implement Math.clz32(), remove Number.clz()
2385 https://bugs.webkit.org/show_bug.cgi?id=144205
2387 Reviewed by Michael Saboff.
2389 This patch adds the ES6 function Math.clz32(), and remove the non-standard
2390 Number.clz(). Number.clz() probably came from an older draft.
2392 The new function has a corresponding instrinsic: Clz32Intrinsic,
2393 and a corresponding DFG node: ArithClz32, optimized all the way to LLVM.
2395 * assembler/MacroAssemblerX86Common.h:
2396 (JSC::MacroAssemblerX86Common::countLeadingZeros32):
2397 * assembler/X86Assembler.h:
2398 (JSC::X86Assembler::bsr_rr):
2399 The x86 assembler did not have countLeadingZeros32() because there is
2400 no native CLZ instruction on that architecture.
2402 I have added the version with bsr + branches for the case of zero.
2403 An other popular version uses cmov to handle the case of zero. I kept
2404 it simple since the Assembler has no support for cmov.
2406 It is unlikely to matter much. If the code is hot enough, LLVM picks
2407 something good based on the surrounding code.
2409 * dfg/DFGAbstractInterpreterInlines.h:
2410 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2411 Constant handling + effect propagation. The node only produces integer (between 0 and 32).
2413 * dfg/DFGBackwardsPropagationPhase.cpp:
2414 (JSC::DFG::BackwardsPropagationPhase::propagate):
2415 Thanks to the definition of toUint32(), we can ignore plenty of details
2418 * dfg/DFGByteCodeParser.cpp:
2419 (JSC::DFG::ByteCodeParser::handleIntrinsic):
2420 * dfg/DFGClobberize.h:
2421 (JSC::DFG::clobberize):
2422 * dfg/DFGDoesGC.cpp:
2424 * dfg/DFGFixupPhase.cpp:
2425 (JSC::DFG::FixupPhase::fixupNode):
2426 * dfg/DFGNodeType.h:
2427 * dfg/DFGPredictionPropagationPhase.cpp:
2428 (JSC::DFG::PredictionPropagationPhase::propagate):
2429 * dfg/DFGSafeToExecute.h:
2430 (JSC::DFG::safeToExecute):
2431 * dfg/DFGSpeculativeJIT.cpp:
2432 (JSC::DFG::SpeculativeJIT::compileArithClz32):
2433 * dfg/DFGSpeculativeJIT.h:
2434 * dfg/DFGSpeculativeJIT32_64.cpp:
2435 (JSC::DFG::SpeculativeJIT::compile):
2436 * dfg/DFGSpeculativeJIT64.cpp:
2437 (JSC::DFG::SpeculativeJIT::compile):
2438 * ftl/FTLCapabilities.cpp:
2439 (JSC::FTL::canCompile):
2440 * ftl/FTLIntrinsicRepository.h:
2441 * ftl/FTLLowerDFGToLLVM.cpp:
2442 (JSC::FTL::LowerDFGToLLVM::compileNode):
2443 (JSC::FTL::LowerDFGToLLVM::compileArithClz32):
2445 (JSC::FTL::Output::ctlz32):
2446 * jit/ThunkGenerators.cpp:
2447 (JSC::clz32ThunkGenerator):
2448 * jit/ThunkGenerators.h:
2449 * runtime/Intrinsic.h:
2450 * runtime/MathCommon.h:
2452 Fun fact: InstCombine does not recognize this pattern to eliminate
2453 the branch which makes our FTL version better than the C version.
2455 * runtime/MathObject.cpp:
2456 (JSC::MathObject::finishCreation):
2457 (JSC::mathProtoFuncClz32):
2458 * runtime/NumberPrototype.cpp:
2459 (JSC::clz): Deleted.
2460 (JSC::numberProtoFuncClz): Deleted.
2462 (JSC::thunkGeneratorForIntrinsic):
2463 * tests/stress/math-clz32-basics.js: Added.
2464 (mathClz32OnInteger):
2465 (testMathClz32OnIntegers):
2466 (verifyMathClz32OnIntegerWithOtherTypes):
2467 (mathClz32OnDouble):
2468 (testMathClz32OnDoubles):
2469 (verifyMathClz32OnDoublesWithOtherTypes):
2470 (mathClz32NoArguments):
2471 (mathClz32TooManyArguments):
2472 (testMathClz32OnConstants):
2473 (mathClz32StructTransition):
2476 2015-04-26 Yusuke Suzuki <utatane.tea@gmail.com>
2478 [ES6] Array.from need to accept iterables
2479 https://bugs.webkit.org/show_bug.cgi?id=141055
2481 Reviewed by Darin Adler.
2483 ES6 spec requires that Array.from accepts iterable objects.
2484 This patch introduces this functionality, Array.from accepting iterable objects.
2486 Currently, `isConstructor` is not used. Instead of it, `typeof thiObj === "function"` is used.
2487 However, it doesn't conform to the spec. While `isConstructor` queries the given object has `[[Construct]]`,
2488 `typeof thisObj === "function"` queries the given object has `[[Call]]`.
2489 This will be fixed in the subsequent patch[1].
2491 [1]: https://bugs.webkit.org/show_bug.cgi?id=144093
2493 * builtins/ArrayConstructor.js:
2495 * parser/Parser.cpp:
2496 (JSC::Parser<LexerType>::parseInner):
2497 * runtime/CommonIdentifiers.h:
2498 * runtime/JSGlobalObject.cpp:
2499 (JSC::JSGlobalObject::init):
2500 * tests/stress/array-from-with-iterable.js: Added.
2505 (argumentsGenerators):
2508 * tests/stress/array-from-with-iterator.js: Added.
2511 (createIterator.iterator.return):
2515 2015-04-25 Jordan Harband <ljharb@gmail.com>
2517 Set#keys !== Set#values
2518 https://bugs.webkit.org/show_bug.cgi?id=144190
2520 Reviewed by Darin Adler.
2522 per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.keys
2523 Set#keys should === Set#values
2525 * runtime/SetPrototype.cpp:
2526 (JSC::SetPrototype::finishCreation):
2527 (JSC::setProtoFuncValues):
2528 (JSC::setProtoFuncEntries):
2529 (JSC::setProtoFuncKeys): Deleted.
2531 2015-04-25 Joseph Pecoraro <pecoraro@apple.com>
2533 Allow for pausing a JSContext when opening a Web Inspector
2534 <rdar://problem/20564788>
2536 Reviewed by Timothy Hatcher.
2538 * inspector/remote/RemoteInspector.mm:
2539 (Inspector::RemoteInspector::receivedSetupMessage):
2540 * inspector/remote/RemoteInspectorConstants.h:
2541 * inspector/remote/RemoteInspectorDebuggable.h:
2542 * inspector/remote/RemoteInspectorDebuggableConnection.h:
2543 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2544 (Inspector::RemoteInspectorDebuggableConnection::setup):
2545 On any incoming setup message, we may want to automatically
2546 pause the debuggable. If requested, pause the debuggable
2547 after we have setup the frontend connection.
2549 * runtime/JSGlobalObjectDebuggable.h:
2550 * runtime/JSGlobalObjectDebuggable.cpp:
2551 (JSC::JSGlobalObjectDebuggable::pause):
2552 Pass through to the inspector controller.
2554 * inspector/JSGlobalObjectInspectorController.h:
2555 * inspector/JSGlobalObjectInspectorController.cpp:
2556 (Inspector::JSGlobalObjectInspectorController::pause):
2557 Enable pause on next statement.
2559 2015-04-23 Ryosuke Niwa <rniwa@webkit.org>
2561 class methods should be non-enumerable
2562 https://bugs.webkit.org/show_bug.cgi?id=143181
2564 Reviewed by Darin Adler.
2566 Fixed the bug by using Object.defineProperty to define methods.
2568 This patch adds the concept of link time constants and uses it to resolve Object.defineProperty
2569 inside CodeBlock's constructor since bytecode can be linked against multiple global objects.
2571 * bytecode/CodeBlock.cpp:
2572 (JSC::CodeBlock::CodeBlock): Resolve link time constants that are used. Ignore ones with register
2574 * bytecode/SpecialPointer.h: Added a new enum for link time constants. It currently contains
2575 exactly one entry for Object.defineProperty.
2576 * bytecode/UnlinkedCodeBlock.h:
2577 (JSC::UnlinkedCodeBlock::addConstant): Added. Like addConstant that takes JSValue, allocate a new
2578 constant register for the link time constant we're adding.
2579 (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Added.
2580 * bytecompiler/BytecodeGenerator.cpp:
2581 (JSC::BytecodeGenerator::emitMoveLinkTimeConstant): Added. Like addConstantValue, allocate a new
2582 register for the specified link time constant and notify UnlinkedCodeBlock about it.
2583 (JSC::BytecodeGenerator::emitCallDefineProperty): Added. Create a new property descriptor and call
2584 Object.defineProperty with it.
2585 * bytecompiler/BytecodeGenerator.h:
2586 * bytecompiler/NodesCodegen.cpp:
2587 (JSC::PropertyListNode::emitBytecode): Make static and non-static getters and setters for classes
2588 non-enumerable by using emitCallDefineProperty to define them.
2589 (JSC::PropertyListNode::emitPutConstantProperty): Ditto for a non-accessor properties.
2590 (JSC::ClassExprNode::emitBytecode): Make prototype.constructor non-enumerable and make prototype
2591 property on the class non-writable, non-configurable, and non-enumerable by using defineProperty.
2592 * runtime/CommonIdentifiers.h:
2593 * runtime/JSGlobalObject.cpp:
2594 (JSC::JSGlobalObject::init): Set m_definePropertyFunction.
2595 (JSC::JSGlobalObject::visitChildren): Visit m_definePropertyFunction.
2596 * runtime/JSGlobalObject.h:
2597 (JSC::JSGlobalObject::definePropertyFunction): Added.
2598 (JSC::JSGlobalObject::actualPointerFor): Added a variant that takes LinkTimeConstant.
2599 (JSC::JSGlobalObject::jsCellForLinkTimeConstant): Like actualPointerFor, takes LinkTimeConstant and
2600 returns a JSCell; e.g. Object.defineProperty.
2601 * runtime/ObjectConstructor.cpp:
2602 (JSC::ObjectConstructor::addDefineProperty): Added. Returns Object.defineProperty.
2603 * runtime/ObjectConstructor.h:
2605 2015-04-25 Yusuke Suzuki <utatane.tea@gmail.com>
2607 [ES6] Implement String.fromCodePoint
2608 https://bugs.webkit.org/show_bug.cgi?id=144160
2610 Reviewed by Darin Adler.
2612 This patch implements String.fromCodePoint.
2613 It accepts multiple code points and generates a string that consists of given code points.
2614 The range [0x0000 - 0x10FFFF] is valid for code points.
2615 If the given value is out of range, throw a range error.
2617 When a 0xFFFF <= valid code point is given,
2618 String.fromCodePoint generates a string that contains surrogate pairs.
2620 * runtime/StringConstructor.cpp:
2621 (JSC::stringFromCodePoint):
2622 (JSC::constructWithStringConstructor):
2623 * tests/stress/string-from-code-point.js: Added.
2629 2015-04-25 Martin Robinson <mrobinson@igalia.com>
2631 Rename ENABLE_3D_RENDERING to ENABLE_3D_TRANSFORMS
2632 https://bugs.webkit.org/show_bug.cgi?id=144182
2634 Reviewed by Simon Fraser.
2636 * Configurations/FeatureDefines.xcconfig: Replace all instances of 3D_RENDERING with 3D_TRANSFORMS.
2638 2015-04-25 Mark Lam <mark.lam@apple.com>
2640 mayExit() is wrong about Branch nodes with ObjectOrOtherUse: they can exit.
2641 https://bugs.webkit.org/show_bug.cgi?id=144152
2643 Reviewed by Filip Pizlo.
2645 Changed the EdgeMayExit functor to recognize ObjectUse, ObjectOrOtherUse,
2646 StringObjectUse, and StringOrStringObjectUse kinds as potentially triggering
2647 OSR exits. This was overlooked in the original code.
2649 While only the ObjectOrOtherUse kind is relevant for manifesting this bug with
2650 the Branch node, the other 3 may also trigger the same bug for other nodes.
2651 To prevent this bug from manifesting with other nodes (and future ones that
2652 are yet to be added to mayExits()'s "potential won't exit" set), we fix the
2653 EdgeMayExit functor to handle all 4 use kinds (instead of just ObjectOrOtherUse).
2655 Also added a test to exercise a code path that will trigger this bug with
2656 the Branch node before the fix is applied.
2658 * dfg/DFGMayExit.cpp:
2659 * tests/stress/branch-may-exit-due-to-object-or-other-use-kind.js: Added.
2663 2015-04-24 Commit Queue <commit-queue@webkit.org>
2665 Unreviewed, rolling out r183288.
2666 https://bugs.webkit.org/show_bug.cgi?id=144189
2668 Made js/sort-with-side-effecting-comparisons.html time out in
2669 debug builds (Requested by ap on #webkit).
2673 "It shouldn't take 1846 lines of code and 5 FIXMEs to sort an
2675 https://bugs.webkit.org/show_bug.cgi?id=144013
2676 http://trac.webkit.org/changeset/183288
2678 2015-04-24 Filip Pizlo <fpizlo@apple.com>
2680 CRASH in operationCreateDirectArgumentsDuringExit()
2681 https://bugs.webkit.org/show_bug.cgi?id=143962
2683 Reviewed by Geoffrey Garen.
2685 We shouldn't assume that constant-like OSR exit values are always recoverable. They are only
2686 recoverable so long as they are live. Therefore, OSR exit should track liveness of
2687 constants instead of assuming that they are always live.
2689 * dfg/DFGGenerationInfo.h:
2690 (JSC::DFG::GenerationInfo::noticeOSRBirth):
2691 (JSC::DFG::GenerationInfo::appendBirth):
2692 * dfg/DFGSpeculativeJIT.cpp:
2693 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2694 * dfg/DFGVariableEvent.cpp:
2695 (JSC::DFG::VariableEvent::dump):
2696 * dfg/DFGVariableEvent.h:
2697 (JSC::DFG::VariableEvent::birth):
2698 (JSC::DFG::VariableEvent::id):
2699 (JSC::DFG::VariableEvent::dataFormat):
2700 * dfg/DFGVariableEventStream.cpp:
2701 (JSC::DFG::VariableEventStream::reconstruct):
2702 * tests/stress/phantom-direct-arguments-clobber-argument-count.js: Added.
2705 * tests/stress/phantom-direct-arguments-clobber-callee.js: Added.
2709 2015-04-24 Benjamin Poulain <bpoulain@apple.com>
2711 [JSC] When inserting a NaN into a Int32 array, we convert it to DoubleArray then to ContiguousArray
2712 https://bugs.webkit.org/show_bug.cgi?id=144169
2714 Reviewed by Geoffrey Garen.
2716 * runtime/JSObject.cpp:
2717 (JSC::JSObject::convertInt32ForValue):
2718 DoubleArray do not store NaN, they are used for holes.
2720 1) We fail to insert the NaN in the Int32 array because it is a double.
2721 2) We were converting the array to DoubleArray.
2722 3) We were trying to insert the value again. We would fail again because
2723 DoubleArray does not store NaN.
2724 4) We would convert the DoubleArrayt to Contiguous Array, converting the values
2727 * tests/stress/int32array-transition-on-nan.js: Added.
2728 The behavior is not really observable. This only test nothing crashes in those
2731 (insertNaNWhileFilling):
2732 (testInsertNaNWhileFilling):
2733 (insertNaNAfterFilling):
2734 (testInsertNaNAfterFilling):
2735 (pushNaNWhileFilling):
2736 (testPushNaNWhileFilling):
2738 2015-04-21 Geoffrey Garen <ggaren@apple.com>
2740 It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array.
2741 https://bugs.webkit.org/show_bug.cgi?id=144013
2743 Reviewed by Mark Lam.
2745 This patch implements Array.prototype.sort in JavaScript, removing the
2746 C++ implementations. It is simpler and less error-prone to express our
2747 operations in JavaScript, which provides memory safety, exception safety,
2748 and recursion safety.
2750 The performance result is mixed, but net positive in my opinion. It's
2751 difficult to enumerate all the results, since we used to have so many
2752 different sorting modes, and there are lots of different data patterns
2753 across which you might want to measure sorting. Suffice it to say:
2755 (*) The benchmarks we track are faster or unchanged.
2757 (*) Sorting random input using a comparator -- which we think is
2758 common -- is 3X faster.
2760 (*) Sorting random input in a non-array object -- which jQuery does
2763 (*) Sorting random input in a compact array of integers using a
2764 trivial pattern-matchable comparator is 2X *slower*.
2766 * builtins/Array.prototype.js:
2768 (sort.stringComparator):
2769 (sort.compactSparse): Special case compaction for sparse arrays because
2770 we don't want to hang when sorting new Array(BIG).
2774 (sort.mergeSort): Use merge sort because it's a reasonably efficient
2775 stable sort. We have evidence that some sites depend on stable sort,
2776 even though the ES6 spec does not mandate it. (See
2777 <http://trac.webkit.org/changeset/33967>.)
2779 This is a textbook implementation of merge sort with three optimizations:
2781 (1) Use iteration instead of recursion;
2783 (2) Use array subscripting instead of array copying in order to
2784 create logical sub-lists without creating physical sub-lists;
2786 (3) Swap src and dst at each iteration instead of copying src into
2787 dst, and only copy src into the subject array at the end if src is
2788 not the subject array.
2791 (sort.comparatorSort):
2792 (sort): Sort in JavaScript for the win.
2794 * builtins/BuiltinExecutables.cpp:
2795 (JSC::BuiltinExecutables::createExecutableInternal): Allow non-private
2796 names so we can use helper functions.
2798 * bytecode/CodeBlock.h:
2799 (JSC::CodeBlock::isNumericCompareFunction): Deleted.
2800 * bytecode/UnlinkedCodeBlock.cpp:
2801 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2802 * bytecode/UnlinkedCodeBlock.h:
2803 (JSC::UnlinkedCodeBlock::setIsNumericCompareFunction): Deleted.
2804 (JSC::UnlinkedCodeBlock::isNumericCompareFunction): Deleted.
2805 * bytecompiler/BytecodeGenerator.cpp:
2806 (JSC::BytecodeGenerator::setIsNumericCompareFunction): Deleted.
2807 * bytecompiler/BytecodeGenerator.h:
2808 * bytecompiler/NodesCodegen.cpp:
2809 (JSC::FunctionNode::emitBytecode): We don't do this special casing based
2810 on pattern matching anymore. This was mainly an optimization to avoid
2811 the overhead of calling from C++ to JS, which we now avoid by
2815 (JSC::Heap::markRoots):
2816 (JSC::Heap::pushTempSortVector): Deleted.
2817 (JSC::Heap::popTempSortVector): Deleted.
2818 (JSC::Heap::visitTempSortVectors): Deleted.
2819 * heap/Heap.h: We don't have temp sort vectors anymore because we sort
2820 in JavaScript using a normal JavaScript array for our temporary storage.
2822 * parser/Parser.cpp:
2823 (JSC::Parser<LexerType>::parseInner): Allow capturing so we can use
2826 * runtime/ArrayPrototype.cpp:
2827 (JSC::isNumericCompareFunction): Deleted.
2828 (JSC::attemptFastSort): Deleted.
2829 (JSC::performSlowSort): Deleted.
2830 (JSC::arrayProtoFuncSort): Deleted.
2832 * runtime/CommonIdentifiers.h: New strings used by sort.
2834 * runtime/JSArray.cpp:
2835 (JSC::compareNumbersForQSortWithInt32): Deleted.
2836 (JSC::compareNumbersForQSortWithDouble): Deleted.
2837 (JSC::compareNumbersForQSort): Deleted.
2838 (JSC::compareByStringPairForQSort): Deleted.
2839 (JSC::JSArray::sortNumericVector): Deleted.
2840 (JSC::JSArray::sortNumeric): Deleted.
2841 (JSC::ContiguousTypeAccessor::getAsValue): Deleted.
2842 (JSC::ContiguousTypeAccessor::setWithValue): Deleted.
2843 (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted.
2844 (JSC::ContiguousTypeAccessor<ArrayWithDouble>::getAsValue): Deleted.
2845 (JSC::ContiguousTypeAccessor<ArrayWithDouble>::setWithValue): Deleted.
2846 (JSC::ContiguousTypeAccessor<ArrayWithDouble>::replaceDataReference): Deleted.
2847 (JSC::JSArray::sortCompactedVector): Deleted.
2848 (JSC::JSArray::sort): Deleted.
2849 (JSC::AVLTreeAbstractorForArrayCompare::get_less): Deleted.
2850 (JSC::AVLTreeAbstractorForArrayCompare::set_less): Deleted.
2851 (JSC::AVLTreeAbstractorForArrayCompare::get_greater): Deleted.
2852 (JSC::AVLTreeAbstractorForArrayCompare::set_greater): Deleted.
2853 (JSC::AVLTreeAbstractorForArrayCompare::get_balance_factor): Deleted.
2854 (JSC::AVLTreeAbstractorForArrayCompare::set_balance_factor): Deleted.
2855 (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key): Deleted.
2856 (JSC::AVLTreeAbstractorForArrayCompare::compare_key_node): Deleted.
2857 (JSC::AVLTreeAbstractorForArrayCompare::compare_node_node): Deleted.
2858 (JSC::AVLTreeAbstractorForArrayCompare::null): Deleted.
2859 (JSC::JSArray::sortVector): Deleted.
2860 (JSC::JSArray::compactForSorting): Deleted.
2861 * runtime/JSArray.h:
2863 * runtime/JSGlobalObject.cpp:
2864 (JSC::JSGlobalObject::init):
2865 * runtime/ObjectConstructor.cpp:
2866 (JSC::ObjectConstructor::finishCreation): Provide some builtins used
2869 2015-04-24 Matthew Mirman <mmirman@apple.com>
2871 Made Object.prototype.__proto__ native getter and setter check that this object not null or undefined
2872 https://bugs.webkit.org/show_bug.cgi?id=141865
2873 rdar://problem/19927273
2875 Reviewed by Filip Pizlo.
2877 * runtime/JSGlobalObjectFunctions.cpp:
2878 (JSC::globalFuncProtoGetter):
2879 (JSC::globalFuncProtoSetter):
2881 2015-04-23 Benjamin Poulain <bpoulain@apple.com>
2883 Remove a useless branch on DFGGraph::addShouldSpeculateMachineInt()
2884 https://bugs.webkit.org/show_bug.cgi?id=144118
2886 Reviewed by Geoffrey Garen.
2889 (JSC::DFG::Graph::addShouldSpeculateMachineInt):
2890 Both block do the same thing.
2892 2015-04-23 Joseph Pecoraro <pecoraro@apple.com>
2894 Web Inspector: Speculative fix for non-main thread auto-attach failures
2895 https://bugs.webkit.org/show_bug.cgi?id=144134
2897 Reviewed by Timothy Hatcher.
2899 * inspector/remote/RemoteInspector.mm:
2900 (Inspector::RemoteInspector::singleton):
2902 2015-04-23 Basile Clement <basile_clement@apple.com>
2904 Allow function allocation sinking
2905 https://bugs.webkit.org/show_bug.cgi?id=144016
2907 Reviewed by Filip Pizlo.
2909 This adds the ability to sink function allocations in the
2910 DFGObjectAllocationSinkingPhase.
2912 In order to enable this, we add a new PhantomNewFunction node that is
2913 used similarily to the PhantomNewObject node, i.e. as a placeholder to replace
2914 a sunk NewFunction and keep track of the allocations that have to be performed
2915 in case of OSR exit after the sunk allocation but before the real one.
2916 The FunctionExecutable and JSLexicalEnvironment (activation) of the function
2917 are stored onto the PhantomNewFunction through PutHints in order for them
2918 to be recovered on OSR exit.
2920 Contrary to sunk object allocations, sunk function allocations do not
2921 support any kind of operations (e.g. storing into a field) ; any such operation
2922 will mark the function allocation as escaping and trigger materialization. As
2923 such, function allocations can only be sunk to places where it would have been
2924 correct to syntactically move them, and we don't need a special
2925 MaterializeNewFunction node to recover possible operations on the function. A
2926 sunk NewFunction node will simply create new NewFunction nodes, then replace
2927 itself with a PhantomNewFunction node.
2929 In itself, this change is not expected to have a significant impact on
2930 performances other than in degenerate cases (see e.g.
2931 JSRegress/sink-function), but it is a step towards being able to sink recursive
2932 closures onces we support CreateActivation sinking as well as allocation cycles
2935 * dfg/DFGAbstractInterpreterInlines.h:
2936 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2937 * dfg/DFGClobberize.h:
2938 (JSC::DFG::clobberize):
2939 * dfg/DFGDoesGC.cpp:
2941 * dfg/DFGFixupPhase.cpp:
2942 (JSC::DFG::FixupPhase::fixupNode):
2944 (JSC::DFG::Node::convertToPhantomNewFunction):
2945 (JSC::DFG::Node::isPhantomAllocation):
2946 * dfg/DFGNodeType.h:
2947 * dfg/DFGObjectAllocationSinkingPhase.cpp:
2948 (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
2949 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
2950 (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
2951 (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
2952 * dfg/DFGPredictionPropagationPhase.cpp:
2953 (JSC::DFG::PredictionPropagationPhase::propagate):
2954 * dfg/DFGPromotedHeapLocation.cpp:
2955 (WTF::printInternal):
2956 * dfg/DFGPromotedHeapLocation.h:
2957 * dfg/DFGSafeToExecute.h:
2958 (JSC::DFG::safeToExecute):
2959 * dfg/DFGSpeculativeJIT32_64.cpp:
2960 (JSC::DFG::SpeculativeJIT::compile):
2961 * dfg/DFGSpeculativeJIT64.cpp:
2962 (JSC::DFG::SpeculativeJIT::compile):
2963 * dfg/DFGValidate.cpp:
2964 (JSC::DFG::Validate::validateCPS):
2965 * ftl/FTLCapabilities.cpp:
2966 (JSC::FTL::canCompile):
2967 * ftl/FTLLowerDFGToLLVM.cpp:
2968 (JSC::FTL::LowerDFGToLLVM::compileNode):
2969 * ftl/FTLOperations.cpp:
2970 (JSC::FTL::operationMaterializeObjectInOSR):
2971 * tests/stress/function-sinking-no-double-allocate.js: Added.
2975 * tests/stress/function-sinking-osrexit.js: Added.
2978 * tests/stress/function-sinking-put.js: Added.
2982 2015-04-23 Basile Clement <basile_clement@apple.com>
2984 Make FunctionRareData allocation thread-safe
2985 https://bugs.webkit.org/show_bug.cgi?id=144001
2987 Reviewed by Mark Lam.
2989 The two things we want to prevent are:
2991 1. A thread seeing a pointer to a not-yet-fully-created rare data from
2993 2. A thread seeing a pointer to a not-yet-fully-created Structure from
2994 an ObjectAllocationProfile
2996 For 1., only the JS thread can be creating the rare data (in
2997 runtime/CommonSlowPaths.cpp or in dfg/DFGOperations.cpp), so we don't need to
2998 worry about concurrent writes, and we don't need any fences when *reading* the
2999 rare data from the JS thread. Thus we only need a storeStoreFence between the
3000 rare data creation and assignment to m_rareData in
3001 JSFunction::createAndInitializeRareData() to ensure that when the store to
3002 m_rareData is issued, the rare data has been properly created.
3004 For the DFG compilation threads, the only place they can access the
3005 rare data is through JSFunction::rareData(), and so we only need a
3006 loadLoadFence there to ensure that when we see a non-null pointer in
3007 m_rareData, the pointed object will be seen as a fully created
3011 For 2., the structure is created in
3012 ObjectAllocationProfile::initialize() (which appears to be called only by the
3013 JS thread as well, in bytecode/CodeBlock.cpp and on rare data initialization,
3014 which always happen in the JS thread), and read through
3015 ObjectAllocationProfile::structure() and
3016 ObjectAllocationProfile::inlineCapacity(), so following the same reasoning we
3017 put a storeStoreFence in ObjectAllocationProfile::initialize() and a
3018 loadLoadFence in ObjectAllocationProfile::structure() (and change
3019 ObjectAllocationProfile::inlineCapacity() to go through
3020 ObjectAllocationProfile::structure()).
3022 We don't need a fence in ObjectAllocationProfile::clear() because
3023 clearing the structure is already as atomic as it gets.
3025 Finally, notice that we don't care about the ObjectAllocationProfile's
3026 m_allocator as that is only used by ObjectAllocationProfile::initialize() and
3027 ObjectAllocationProfile::clear() that are always run in the JS thread.
3028 ObjectAllocationProfile::isNull() could cause some trouble, but it is
3029 currently only used in the ObjectAllocationProfile::clear()'s ASSERT in the JS
3030 thread. Doing isNull()-style pre-checks would be wrong in any other concurrent
3033 * bytecode/ObjectAllocationProfile.h:
3034 (JSC::ObjectAllocationProfile::initialize):
3035 (JSC::ObjectAllocationProfile::structure):
3036 (JSC::ObjectAllocationProfile::inlineCapacity):
3037 * runtime/JSFunction.cpp:
3038 (JSC::JSFunction::allocateAndInitializeRareData):
3039 * runtime/JSFunction.h:
3040 (JSC::JSFunction::rareData):
3041 (JSC::JSFunction::allocationStructure): Deleted.
3042 This is no longer used, as all the accesses to the ObjectAllocationProfile go through the rare data.
3044 2015-04-22 Filip Pizlo <fpizlo@apple.com>
3046 DFG should insert Phantoms late using BytecodeKills and block-local OSR availability
3047 https://bugs.webkit.org/show_bug.cgi?id=143735
3049 Reviewed by Geoffrey Garen.
3051 We've always had bugs arising from the fact that we would MovHint something into a local,
3052 and then fail to keep it alive. We would then try to keep things alive by putting Phantoms
3053 on those Nodes that were MovHinted. But this became increasingly tricky. Given the
3054 sophistication of the transformations we are doing today, this approach is just not sound
3057 This comprehensively fixes these bugs by having the DFG backend automatically insert
3058 Phantoms just before codegen based on bytecode liveness. To make this practical, this also
3059 makes it much faster to query bytecode liveness.
3061 It's about as perf-neutral as it gets for a change that increases compiler work without
3062 actually optimizing anything. Later changes will remove the old Phantom-preserving logic,
3063 which should then speed us up. I can't really report concrete slow-down numbers because
3064 they are low enough to basically be in the noise. For example, a 20-iteration run of
3065 SunSpider yields "maybe 0.8% slower", whatever that means.
3068 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3069 * JavaScriptCore.xcodeproj/project.pbxproj:
3070 * bytecode/BytecodeLivenessAnalysis.cpp:
3071 (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
3072 * bytecode/FullBytecodeLiveness.h:
3073 (JSC::FullBytecodeLiveness::getLiveness):
3074 * bytecode/VirtualRegister.h:
3075 (JSC::VirtualRegister::operator+):
3076 (JSC::VirtualRegister::operator-):
3077 * dfg/DFGForAllKills.h:
3078 (JSC::DFG::forAllLiveNodesAtTail):
3079 (JSC::DFG::forAllKilledOperands):
3080 (JSC::DFG::forAllKilledNodesAtNodeIndex):
3082 (JSC::DFG::Graph::isLiveInBytecode):
3083 (JSC::DFG::Graph::localsLiveInBytecode):
3085 (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
3086 (JSC::DFG::Graph::forAllLiveInBytecode):
3087 * dfg/DFGMayExit.cpp:
3088 (JSC::DFG::mayExit):
3089 * dfg/DFGMovHintRemovalPhase.cpp:
3090 * dfg/DFGNodeType.h:
3091 * dfg/DFGPhantomInsertionPhase.cpp: Added.
3092 (JSC::DFG::performPhantomInsertion):
3093 * dfg/DFGPhantomInsertionPhase.h: Added.
3095 (JSC::DFG::Plan::compileInThreadImpl):
3096 * dfg/DFGScoreBoard.h:
3097 (JSC::DFG::ScoreBoard::sortFree):
3098 (JSC::DFG::ScoreBoard::assertClear):
3099 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3100 (JSC::DFG::VirtualRegisterAllocationPhase::run):
3101 * ftl/FTLLowerDFGToLLVM.cpp:
3102 (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
3103 * tests/stress/phantom-inadequacy.js: Added.
3108 2015-04-23 Filip Pizlo <fpizlo@apple.com>
3110 Rename HardPhantom to MustGenerate.
3112 Rubber stamped by Geoffrey Garen.
3114 We are steadily moving towards Phantom just being a backend hack in the DFG. HardPhantom
3115 is more than that; it's a utility for forcing the execution of otherwise killable nodes.
3116 NodeMustGenerate is the flag we use to indicate that something isn't killable. So this
3117 node should just be called MustGenerate.
3119 * dfg/DFGAbstractInterpreterInlines.h:
3120 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3121 * dfg/DFGArgumentsEliminationPhase.cpp:
3122 * dfg/DFGClobberize.h:
3123 (JSC::DFG::clobberize):
3124 * dfg/DFGDCEPhase.cpp:
3125 (JSC::DFG::DCEPhase::run):
3126 * dfg/DFGDoesGC.cpp:
3128 * dfg/DFGFixupPhase.cpp:
3129 (JSC::DFG::FixupPhase::fixupNode):
3130 (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
3131 * dfg/DFGIntegerCheckCombiningPhase.cpp:
3132 (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
3133 * dfg/DFGMayExit.cpp:
3134 (JSC::DFG::mayExit):
3136 (JSC::DFG::Node::willHaveCodeGenOrOSR):
3137 * dfg/DFGNodeType.h:
3138 * dfg/DFGObjectAllocationSinkingPhase.cpp:
3139 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
3140 * dfg/DFGPhantomCanonicalizationPhase.cpp:
3141 (JSC::DFG::PhantomCanonicalizationPhase::run):
3142 * dfg/DFGPhantomRemovalPhase.cpp:
3143 (JSC::DFG::PhantomRemovalPhase::run):
3144 * dfg/DFGPredictionPropagationPhase.cpp:
3145 (JSC::DFG::PredictionPropagationPhase::propagate):
3146 * dfg/DFGSafeToExecute.h:
3147 (JSC::DFG::safeToExecute):
3148 * dfg/DFGSpeculativeJIT32_64.cpp:
3149 (JSC::DFG::SpeculativeJIT::compile):
3150 * dfg/DFGSpeculativeJIT64.cpp:
3151 (JSC::DFG::SpeculativeJIT::compile):
3152 * dfg/DFGTypeCheckHoistingPhase.cpp:
3153 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3154 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3155 * dfg/DFGVarargsForwardingPhase.cpp:
3156 * ftl/FTLCapabilities.cpp:
3157 (JSC::FTL::canCompile):
3158 * ftl/FTLLowerDFGToLLVM.cpp:
3159 (JSC::FTL::LowerDFGToLLVM::compileNode):
3161 2015-04-23 Jordan Harband <ljharb@gmail.com>
3163 Implement `Object.assign`
3164 https://bugs.webkit.org/show_bug.cgi?id=143980
3166 Reviewed by Filip Pizlo.
3168 per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.assign
3170 * builtins/ObjectConstructor.js: Added.
3172 * runtime/CommonIdentifiers.h:
3173 * runtime/JSGlobalObject.cpp:
3174 (JSC::JSGlobalObject::init):
3175 * runtime/ObjectConstructor.cpp:
3176 * runtime/ObjectConstructor.h:
3178 2015-04-22 Filip Pizlo <fpizlo@apple.com>
3180 Unreviewed, fix debug build.
3183 (JSC::DFG::Graph::performSubstitutionForEdge):
3185 2015-04-22 Filip Pizlo <fpizlo@apple.com>
3187 Nodes should have an optional epoch field
3188 https://bugs.webkit.org/show_bug.cgi?id=144084
3190 Reviewed by Ryosuke Niwa and Mark Lam.
3192 This makes it easier to do epoch-based analyses on nodes. I plan to do just that in
3193 https://bugs.webkit.org/show_bug.cgi?id=143735. Currently the epoch field is not yet
3196 * dfg/DFGCPSRethreadingPhase.cpp:
3197 (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
3198 * dfg/DFGCSEPhase.cpp:
3200 (JSC::DFG::Epoch::fromUnsigned):
3201 (JSC::DFG::Epoch::toUnsigned):
3203 (JSC::DFG::Graph::clearReplacements):
3204 (JSC::DFG::Graph::clearEpochs):
3206 (JSC::DFG::Graph::performSubstitutionForEdge):
3208 (JSC::DFG::Node::Node):
3209 (JSC::DFG::Node::replaceWith):
3210 (JSC::DFG::Node::replacement):
3211 (JSC::DFG::Node::setReplacement):
3212 (JSC::DFG::Node::epoch):
3213 (JSC::DFG::Node::setEpoch):
3214 * dfg/DFGSSAConversionPhase.cpp:
3215 (JSC::DFG::SSAConversionPhase::run):
3217 2015-04-22 Mark Lam <mark.lam@apple.com>
3219 Fix assertion failure and race condition in Options::dumpSourceAtDFGTime().
3220 https://bugs.webkit.org/show_bug.cgi?id=143898
3222 Reviewed by Filip Pizlo.
3224 CodeBlock::dumpSource() will access SourceCode strings in a way that requires
3225 ref'ing of the underlying StringImpls. This is unsafe to do from arbitrary
3226 compilation threads because StringImpls are not thread safe. As a result, we get
3227 an assertion failure when we run with JSC_dumpSourceAtDFGTime=true on a debug
3230 This patch fixes the issue by only collecting the CodeBlock (and associated info)
3231 into a DeferredSourceDump record while compiling, and stashing it away in a
3232 deferredSourceDump list in the DeferredCompilationCallback object to be dumped
3235 When compilation is done, the callback object will be notified that
3236 compilationDidComplete(). We will dump the SourceCode strings from there.
3237 Since compilationDidComplete() is guaranteed to only be called on the thread
3238 doing JS execution, it is safe to access the SourceCode strings there and ref
3239 their underlying StringImpls as needed.
3242 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3243 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3244 * JavaScriptCore.xcodeproj/project.pbxproj:
3245 * bytecode/DeferredCompilationCallback.cpp:
3246 (JSC::DeferredCompilationCallback::compilationDidComplete):
3247 (JSC::DeferredCompilationCallback::sourceDumpInfo):
3248 (JSC::DeferredCompilationCallback::dumpCompiledSources):
3249 * bytecode/DeferredCompilationCallback.h:
3250 * bytecode/DeferredSourceDump.cpp: Added.
3251 (JSC::DeferredSourceDump::DeferredSourceDump):
3252 (JSC::DeferredSourceDump::dump):
3253 * bytecode/DeferredSourceDump.h: Added.
3254 * dfg/DFGByteCodeParser.cpp:
3255 (JSC::DFG::ByteCodeParser::parseCodeBlock):
3256 * dfg/DFGDriver.cpp:
3257 (JSC::DFG::compileImpl):
3259 2015-04-22 Benjamin Poulain <benjamin@webkit.org>
3261 Implement String.codePointAt()
3262 https://bugs.webkit.org/show_bug.cgi?id=143934
3264 Reviewed by Darin Adler.
3266 This patch adds String.codePointAt() as defined by ES6.
3267 I opted for a C++ implementation for now.
3269 * runtime/StringPrototype.cpp:
3270 (JSC::StringPrototype::finishCreation):
3272 (JSC::stringProtoFuncCodePointAt):
3274 2015-04-22 Mark Lam <mark.lam@apple.com>
3276 SparseArrayEntry's write barrier owner should be the SparseArrayValueMap.
3277 https://bugs.webkit.org/show_bug.cgi?id=144067
3279 Reviewed by Michael Saboff.
3281 Currently, there are a few places where the JSObject that owns the
3282 SparseArrayValueMap is designated as the owner of the SparseArrayEntry
3283 write barrier. This is a bug and can result in the GC collecting the
3284 SparseArrayEntry even though it is being referenced by the
3285 SparseArrayValueMap. This patch fixes the bug.
3287 * runtime/JSObject.cpp:
3288 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
3289 (JSC::JSObject::putIndexedDescriptor):
3290 * tests/stress/sparse-array-entry-update-144067.js: Added.
3291 (useMemoryToTriggerGCs):
3294 2015-04-22 Mark Lam <mark.lam@apple.com>
3296 Give the heap object iterators the ability to return early.
3297 https://bugs.webkit.org/show_bug.cgi?id=144011
3299 Reviewed by Michael Saboff.
3301 JSDollarVMPrototype::isValidCell() uses a heap object iterator to validate
3302 candidate cell pointers, and, when in use, is called a lot more often than
3303 the normal way those iterators are used. As a result, I see my instrumented
3304 VM killed with a SIGXCPU (CPU time limit exceeded). This patch gives the
3305 callback functor the ability to tell the iterators to return early when the
3306 functor no longer needs to continue iterating. With this, my instrumented
3307 VM is useful again for debugging.
3309 Since heap iteration is not something that we do in a typical fast path,
3310 I don't expect this to have any noticeable impact on performance.
3312 I also renamed ObjectAddressCheckFunctor to CellAddressCheckFunctor since
3313 it checks JSCell addresses, not just JSObjects.
3315 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3316 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3317 * JavaScriptCore.xcodeproj/project.pbxproj:
3318 * debugger/Debugger.cpp:
3319 * heap/GCLogging.cpp:
3320 (JSC::LoggingFunctor::operator()):
3322 (JSC::Zombify::visit):
3323 (JSC::Zombify::operator()):
3324 * heap/HeapStatistics.cpp:
3325 (JSC::StorageStatistics::visit):
3326 (JSC::StorageStatistics::operator()):
3327 * heap/HeapVerifier.cpp:
3328 (JSC::GatherLiveObjFunctor::visit):
3329 (JSC::GatherLiveObjFunctor::operator()):
3330 * heap/MarkedBlock.cpp:
3331 (JSC::SetNewlyAllocatedFunctor::operator()):
3332 * heap/MarkedBlock.h:
3333 (JSC::MarkedBlock::forEachCell):
3334 (JSC::MarkedBlock::forEachLiveCell):
3335 (JSC::MarkedBlock::forEachDeadCell):
3336 * heap/MarkedSpace.h:
3337 (JSC::MarkedSpace::forEachLiveCell):
3338 (JSC::MarkedSpace::forEachDeadCell):
3339 * inspector/agents/InspectorRuntimeAgent.cpp:
3340 (Inspector::TypeRecompiler::visit):
3341 (Inspector::TypeRecompiler::operator()):
3342 * runtime/IterationStatus.h: Added.
3343 * runtime/JSGlobalObject.cpp:
git://git.webkit.org / WebKit-https.git / blob