2012-12-03  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline code blocks that use scoped variable access
        https://bugs.webkit.org/show_bug.cgi?id=103974

        Reviewed by Oliver Hunt.

        This mostly just turns on something we could have done all along, but also adds a few key
        necessities to make this right:

        1) Constant folding of SkipScope, since if we inline with a known JSFunction* then the

        2) Interference analysis for GetLocal<->PutScopedVar and SetLocal<->GetScopedVar.

        This is not meant to be a speed-up on major benchmarks since we don't yet inline most
        closure calls for entirely unrelated reasons. But on toy programs it can be >2x faster.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getLocalLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineResolveOperations):

2012-12-03  Filip Pizlo  <fpizlo@apple.com>

        Replace JSValue::description() with JSValue::dump(PrintStream&)
        https://bugs.webkit.org/show_bug.cgi?id=103866

        Reviewed by Darin Adler.

        JSValue now has a dump() method. Anywhere that you would have wanted to use
        description(), you can either do toCString(value).data(), or if the callee
        is a print()/dataLog() method then you just pass the value directly.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/CodeBlock.cpp:
        (JSC::valueToSourceString):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::dump):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::dump):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        (JSC::DFG::Graph::dump):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_value):
        * runtime/JSValue.cpp:

2012-12-04  Filip Pizlo  <fpizlo@apple.com>

        jsc command line tool's support for typed arrays should be robust against array buffer allocation errors
        https://bugs.webkit.org/show_bug.cgi?id=104020
        <rdar://problem/12802478>

        Reviewed by Mark Hahnenberg.

        Check for null buffers, since that's what typed array allocators are supposed to do. WebCore does it,
        and that is indeed the contract of ArrayBuffer and TypedArrayBase.

        * JSCTypedArrayStubs.h:

2012-12-03  Peter Rybin  <prybin@chromium.org>

        Web Inspector: make ASSERTION FAILED: foundPropertiesCount == object->size() more useful
        https://bugs.webkit.org/show_bug.cgi?id=103254

        Reviewed by Pavel Feldman.

        Missing symbol WTFReportFatalError is added to the linker list.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-12-03  Alexis Menard  <alexis@webkit.org>

        [Mac] Enable CSS3 background-position offset by default.
        https://bugs.webkit.org/show_bug.cgi?id=103905

        Reviewed by Simon Fraser.

        Turn the flag on by default.

        * Configurations/FeatureDefines.xcconfig:

2012-12-02  Filip Pizlo  <fpizlo@apple.com>

        DFG should trigger rage conversion from double to contiguous if it sees a GetByVal on Double being used in an integer context
        https://bugs.webkit.org/show_bug.cgi?id=103858

        Reviewed by Gavin Barraclough.

        A rage conversion from double to contiguous is one where you try to convert each

        This is probably not the last we'll hear of rage conversion from double to contiguous.
        It may be better to do this right during parsing, which will result in fewer cases of
        Arrayification. But even so, this looks like a straight win already - 1% speed-up on
        Kraken, no major regression anywhere else.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        (JSC::DFG::arrayConversionToString):
        (JSC::DFG::ArrayMode::dump):
        (WTF::printInternal):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withConversion):
        (JSC::DFG::ArrayMode::doesConversion):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::arrayify):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * runtime/JSObject.cpp:
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::rageConvertDoubleToContiguous):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::rageEnsureContiguousSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::rageEnsureContiguous):

2012-12-02  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should not keep alive things that aren't relevant to OSR
        https://bugs.webkit.org/show_bug.cgi?id=103849

        Reviewed by Oliver Hunt.

        Most Phantom nodes are inserted by CSE, and by default have the same children as the
        node that CSE had eliminated. This change makes CSE inspect all Phantom nodes (both
        those it creates and those that were created by other phases) to see if they have
        children that are redundant - i.e. children that are not interesting to OSR, which
        is the only reason why Phantoms exist in the first place. Being relevant to OSR is
        defined as one of: (1) you're a Phi, (2) you're a SetLocal, (3) somewhere between
        your definition and the Phantom there was a SetLocal that referred to you.

        This is a slight speed-up in a few places.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::performSubstitution):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):

2012-12-02  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to build and run with DFG_ENABLE(PROPAGATION_VERBOSE)
        https://bugs.webkit.org/show_bug.cgi?id=103848

        Reviewed by Sam Weinig.

        Fix random dataLog() and print() statements.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):

2012-12-01  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock should be able to dump bytecode to something other than WTF::dataFile()
        https://bugs.webkit.org/show_bug.cgi?id=103832

        Reviewed by Oliver Hunt.

        Add a PrintStream& argument to all of the CodeBlock bytecode dumping methods.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::printStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpForInstructions):

2012-11-30  Pierre Rossi  <pierre.rossi@gmail.com>

        [Qt] Unreviewed speculative Mac build fix after r136232

        Update the include path so that LLIntAssembly.h is picked up.
        The bot didn't break until later when a clean build was triggered.

        * JavaScriptCore.pri:

2012-11-30  Oliver Hunt  <oliver@apple.com>

        Optimise more cases of op_typeof
        https://bugs.webkit.org/show_bug.cgi?id=103783

        Reviewed by Mark Hahnenberg.

        Increase our coverage of typeof based typechecks by
        making sure that the code generators always use
        consistent operand ordering when feeding typeof operations
        into equality operations.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        (JSC::EqualNode::emitBytecode):
        (JSC::StrictEqualNode::emitBytecode):

2012-11-30  Filip Pizlo  <fpizlo@apple.com>

        Rationalize and clean up DFG handling of scoped accesses
        https://bugs.webkit.org/show_bug.cgi?id=103715

        Reviewed by Oliver Hunt.

        Previously, we had a GetScope node that specified the depth to which you wanted
        to travel to get a JSScope, and the backend implementation of the node would
        perform all of the necessary footwork, including potentially skipping the top
        scope if necessary, and doing however many loads were needed. But there were
        strange things. First, if you had accesses at different scope depths, then the
        loads to get to the common depth could not be CSE'd - CSE would match only
        GetScope's that had identical depth. Second, GetScope would be emitted even if
        we already had the scope, for example in put_to_base. And finally, even though
        the ResolveOperations could tell us whether or not we had to skip the top scope,
        the backend would recompute this information itself, often pessimistically.

        This eliminates GetScope and replaces it with the following:

        GetMyScope: just get the JSScope from the call frame header. This will forever
        mean getting the JSScope associated with the machine call frame; it will not
        mean getting the scope of an inlined function. Or at least that's the intent.

        SkipTopScope: check if there is an activation, and if so, skip a scope. This
        takes a scope as a child and returns a scope.

        SkipScope: skip one scope level.

        The bytecode parser now emits the right combination of the above, and
        potentially emits multiple SkipScope's, based on the ResolveOperations.

        This change also includes some fixups to debug logging. We now always print
        the ExecutableBase* in addition to the CodeBlock* in the CodeBlock's dump,
        and we are now more verbose when dumping CodeOrigins and InlineCallFrames.

        This is performance-neutral. It's just meant to be a clean-up.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::inlineStack):
        (JSC::CodeOrigin::dump):
        (JSC::InlineCallFrame::dump):
        * bytecode/CodeOrigin.h:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dump):

2012-11-30  Oliver Hunt  <oliver@apple.com>

        Add direct string->function code cache
        https://bugs.webkit.org/show_bug.cgi?id=103764

        Reviewed by Michael Saboff.

        A fairly logically simple patch. We now track the start of the
        unique portion of a function's body, and use that as our key for
        unlinked function code. This allows us to cache identical code
        in different contexts, leading to a small but consistent improvement
        on the benchmarks we track.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::functionStartOffset):
        (UnlinkedFunctionExecutable):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::setFunctionStart):
        (JSC::FunctionBodyNode::setFunctionStart):
        (JSC::FunctionBodyNode::functionStart):
        (JSC::::parseFunctionInfo):
        (JSC::Parser::findCachedFunctionInfo):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::setFunctionStart):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::generateFunctionCodeBlock):
        (JSC::CodeCache::getFunctionCodeBlock):
        (JSC::CodeCache::usedFunctionCode):
        * runtime/CodeCache.h:

2012-11-30  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        Crash in conversion of empty OpaqueJSString to Identifier
        https://bugs.webkit.org/show_bug.cgi?id=101867

        Reviewed by Michael Saboff.

        The constructor call used for both null and empty OpaqueJSStrings results
        in an assertion violation and crash. This patch instead uses the Identifier
        constructors which are specifically for null and empty Identifier.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):

2012-11-30  Tor Arne Vestbø  <tor.arne.vestbo@digia.com>

        [Qt] Place the LLIntOffsetsExtractor binaries in debug/release subdirs on Mac

        Otherwise we'll end up using the same LLIntAssembly.h for both build
        configs of JavaScriptCore -- one of them which will be for the wrong

        Reviewed by Simon Hausmann.

        * LLIntOffsetsExtractor.pro:

2012-11-30  Julien BRIANCEAU  <jbrianceau@nds.com>

        [sh4] Fix compilation warnings in JavaScriptCore JIT for sh4 arch
        https://bugs.webkit.org/show_bug.cgi?id=103378

        Reviewed by Filip Pizlo.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchTest32):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchMul32):
        (JSC::MacroAssemblerSH4::branchSub32):
        (JSC::MacroAssemblerSH4::branchOr32):

2012-11-29  Rafael Weinstein  <rafaelw@chromium.org>

        [HTMLTemplateElement] Add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=103694

        Reviewed by Adam Barth.

        This flag will guard the implementation of the HTMLTemplateElement.
        http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/templates/index.html

        * Configurations/FeatureDefines.xcconfig:

2012-11-29  Filip Pizlo  <fpizlo@apple.com>

        It should be easy to find code blocks in debug dumps
        https://bugs.webkit.org/show_bug.cgi?id=103623

        Reviewed by Geoffrey Garen.

        This gives CodeBlock a relatively strong, but also relatively compact, hash. We compute
        it lazily so that it only impacts run-time when debug support is enabled. We stringify
        it smartly so that it's short and easy to type. We base it on the source code so that
        the optimization level is irrelevant. And, we use SHA1 since it's already in our code
        base. Now, when a piece of code wants to print some debugging to say that it's operating
        on some code block, it can use this CodeBlockHash instead of memory addresses.

        This also takes CodeBlock debugging into the new world of print() and dataLog(). In
        particular, CodeBlock::dump() corresponds to the thing you want printed if you do:

            dataLog("I heart ", *myCodeBlock);

        Probably, you want to just print some identifying information at this point rather than
        the full bytecode dump. So, the existing CodeBlock::dump() has been renamed to
        CodeBlock::dumpBytecode(), and CodeBlock::dump() now prints the CodeBlockHash plus just
        a few little tidbits.

        Here's an example of CodeBlock::dump() output:

            EkILzr:[0x103883a00, BaselineFunctionCall]

        EkILzr is the CodeBlockHash. 0x103883a00 is the CodeBlock's address in memory. The other
        part is self-explanatory.

        Finally, this new notion of CodeBlockHash is available for other purposes like bisecting
        breakage. As such CodeBlockHash has all of the comparison operator overloads. When
        bisecting in DFGDriver.cpp, you can now say things like:

            if (codeBlock->hash() < CodeBlockHash("CAAAAA"))

        And yes, CAAAAA is near the median hash, and the largest one is smaller than E99999. Such
        is life when you use base 62 to encode a 32-bit number.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::specializationKind):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hash):
        (JSC::CodeBlock::dumpAssumingJITType):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::resetStubInternal):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::specializationKind):
        (JSC::CodeBlock::getJITType):
        * bytecode/CodeBlockHash.cpp: Added.
        (JSC::CodeBlockHash::CodeBlockHash):
        (JSC::CodeBlockHash::dump):
        * bytecode/CodeBlockHash.h: Added.
        (JSC::CodeBlockHash::CodeBlockHash):
        (JSC::CodeBlockHash::hash):
        (JSC::CodeBlockHash::operator==):
        (JSC::CodeBlockHash::operator!=):
        (JSC::CodeBlockHash::operator<):
        (JSC::CodeBlockHash::operator>):
        (JSC::CodeBlockHash::operator<=):
        (JSC::CodeBlockHash::operator>=):
        * bytecode/CodeBlockWithJITType.h: Added.
        (CodeBlockWithJITType):
        (JSC::CodeBlockWithJITType::CodeBlockWithJITType):
        (JSC::CodeBlockWithJITType::dump):
        * bytecode/CodeOrigin.cpp: Added.
        (JSC::CodeOrigin::inlineDepthForCallFrame):
        (JSC::CodeOrigin::inlineDepth):
        (JSC::CodeOrigin::inlineStack):
        (JSC::InlineCallFrame::hash):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::specializationKind):
        * bytecode/CodeType.cpp: Added.
        (WTF::printInternal):
        * bytecode/CodeType.h:
        * bytecode/ExecutionCounter.cpp:
        (JSC::ExecutionCounter::dump):
        * bytecode/ExecutionCounter.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        (JSC::DFG::Graph::dumpCodeOrigin):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        (JSC::DFG::dfgLinkClosureCall):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpCallFrame):
        * jit/JITCode.cpp: Added.
        (WTF::printInternal):
        (JSC::JITCode::jitType):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dump):
        (JSC::JITDisassembler::dumpForInstructions):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/CodeSpecializationKind.cpp: Added.
        (WTF::printInternal):
        * runtime/CodeSpecializationKind.h:
        (JSC::specializationFromIsCall):
        (JSC::specializationFromIsConstruct):
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::hashFor):
        (JSC::NativeExecutable::hashFor):
        (JSC::ScriptExecutable::hashFor):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::source):

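The entry above describes a six-character, base-62 rendering of a 32-bit source hash that can be compared as an integer. The following is an added example, not JavaScriptCore code, that shows such an encoding end to end. Two things are assumptions of this example rather than facts from the entry: the digit alphabet (A-Z, then a-z, then 0-9, chosen so that "CAAAAA" falls near the middle of the 32-bit range and the largest encodable value begins with 'E', as the entry observes), and the use of 32-bit FNV-1a as a stand-in for the SHA-1-derived hash, since the point here is the encoding and ordering rather than the hash function.

```cpp
// Added example (not JavaScriptCore code): a base-62, six-character encoding of a
// 32-bit hash, decodable and orderable by numeric value, plus a stand-in source hash.
#include <cstdint>
#include <string>

// Assumed alphabet: 'A' is digit 0, 'z' is 51, '9' is 61.
static const char kDigits[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
static const unsigned kBase = 62;
static const unsigned kWidth = 6; // 62^6 > 2^32, so six digits hold any 32-bit value

// Stand-in for the SHA-1-derived hash: 32-bit FNV-1a over the source text
// (an assumption of this example; the entry says the engine uses SHA1).
uint32_t sourceHash(const std::string& source) {
    uint32_t h = 2166136261u;
    for (unsigned char c : source) {
        h ^= c;
        h *= 16777619u;
    }
    return h;
}

// Fixed-width encoding, most significant digit first.
std::string encodeHash(uint32_t hash) {
    std::string out(kWidth, kDigits[0]);
    for (unsigned i = kWidth; i-- > 0;) {
        out[i] = kDigits[hash % kBase];
        hash /= kBase;
    }
    return out;
}

// Value of a character in the alphabet above, or -1 if it is not a digit.
static int digitValue(char c) {
    for (unsigned i = 0; i < kBase; ++i)
        if (kDigits[i] == c)
            return static_cast<int>(i);
    return -1;
}

// Decode six digits into a 64-bit value, so that strings such as "E99999",
// which lie beyond the 32-bit range, can still be compared against real hashes.
bool decodeHash(const std::string& text, uint64_t& value) {
    if (text.size() != kWidth)
        return false;
    value = 0;
    for (char c : text) {
        int d = digitValue(c);
        if (d < 0)
            return false;
        value = value * kBase + static_cast<uint64_t>(d);
    }
    return true;
}

// Order by numeric value, not by ASCII: in this alphabet '0'..'9' sort after 'z'.
bool hashLess(const std::string& a, const std::string& b) {
    uint64_t va = 0, vb = 0;
    if (!decodeHash(a, va) || !decodeHash(b, vb))
        return false;
    return va < vb;
}
```

With this alphabet the median 32-bit value 0x80000000 encodes as "CVUmlC", which is why a bisection threshold of "CAAAAA" (2 * 62^5 = 1832265664) splits the hash space roughly in half, and 0xFFFFFFFF encodes to a string beginning with 'E' while "E99999" decodes to more than 2^32.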
2012-11-29  Michael Saboff  <msaboff@apple.com>

        Speculative Windows build fix after r136086.

        Unreviewed build fix.

        Suspect that ?setDumpsGeneratedCode@BytecodeGenerator@JSC@@SAX_N@Z needs to be removed from Windows
        export list since the symbol was removed in r136086.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-11-28  Filip Pizlo  <fpizlo@apple.com>

        SpeculatedType dumping should not use the static char buffer[thingy] idiom
        https://bugs.webkit.org/show_bug.cgi?id=103584

        Reviewed by Michael Saboff.

        Changed SpeculatedType to be "dumpable" by saying things like:

            dataLog("thingy = ", SpeculationDump(thingy))

        Removed the old stringification functions, and changed all code that referred to them
        to use the new dataLog()/print() style.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::dumpSpeculationAbbreviated):
        * bytecode/SpeculatedType.h:
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::dump):
        * bytecode/VirtualRegister.h:
        (WTF::printInternal):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGStructureAbstractValue.h:
        * dfg/DFGVariableAccessDataDump.cpp: Added.
        (JSC::DFG::VariableAccessDataDump::VariableAccessDataDump):
        (JSC::DFG::VariableAccessDataDump::dump):
        * dfg/DFGVariableAccessDataDump.h: Added.
        (VariableAccessDataDump):

2012-11-28  Michael Saboff  <msaboff@apple.com>

        Change Bytecompiler s_dumpsGeneratedCode to an Options value
        https://bugs.webkit.org/show_bug.cgi?id=103588

        Reviewed by Filip Pizlo.

        Moved the control of dumping bytecodes to Options::dumpGeneratedBytecodes.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:

2012-11-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Copying phase should use work lists
        https://bugs.webkit.org/show_bug.cgi?id=101390

        Reviewed by Filip Pizlo.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator):
        * heap/BlockAllocator.h: New RegionSet for CopyWorkListSegments.
        (JSC::CopyWorkListSegment):
        * heap/CopiedBlock.h: Added a per-block CopyWorkList to keep track of the JSCells that need to be revisited during the copying
        phase to copy their backing stores.
        (JSC::CopiedBlock::CopiedBlock):
        (JSC::CopiedBlock::didSurviveGC):
        (JSC::CopiedBlock::didEvacuateBytes): Since there is now a one-to-one relationship between GCThreads and the CopiedBlocks they're
        responsible for evacuating, we no longer need any of that fancy compare and swap stuff.
        (JSC::CopiedBlock::pin):
        (JSC::CopiedBlock::hasWorkList):
        (JSC::CopiedBlock::workList):
        * heap/CopiedBlockInlines.h: Added.
        (JSC::CopiedBlock::reportLiveBytes): Since we now have to grab a SpinLock to perform operations on the CopyWorkList during marking,
        we don't need to do any of that fancy compare and swap stuff we were doing for tracking live bytes.
        * heap/CopiedSpace.h:
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::pin):
        * heap/CopyVisitor.cpp:
        (JSC::CopyVisitor::copyFromShared): We now iterate over a range of CopiedBlocks rather than MarkedBlocks and revisit the cells in those
        blocks' CopyWorkLists.
        * heap/CopyVisitor.h:
        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::visitCell): The function responsible for calling the correct copyBackingStore() function for each JSCell from
        a CopiedBlock's CopyWorkList.
        (JSC::CopyVisitor::didCopy): We no longer need to check if the block is empty here because we know exactly when we're done
        evacuating a CopiedBlock, which is when we've gone through all of the CopiedBlock's CopyWorkList.
        * heap/CopyWorkList.h: Added.
        (CopyWorkListSegment): Individual chunk of a CopyWorkList that is allocated from the BlockAllocator.
        (JSC::CopyWorkListSegment::create):
        (JSC::CopyWorkListSegment::size):
        (JSC::CopyWorkListSegment::isFull):
        (JSC::CopyWorkListSegment::get):
        (JSC::CopyWorkListSegment::append):
        (JSC::CopyWorkListSegment::CopyWorkListSegment):
        (JSC::CopyWorkListSegment::data):
        (JSC::CopyWorkListSegment::endOfBlock):
        (CopyWorkListIterator): Responsible for giving CopyVisitors a contiguous notion of access across the separate CopyWorkListSegments
        that make up each CopyWorkList.
        (JSC::CopyWorkListIterator::get):
        (JSC::CopyWorkListIterator::operator*):
        (JSC::CopyWorkListIterator::operator->):
        (JSC::CopyWorkListIterator::operator++):
        (JSC::CopyWorkListIterator::operator==):
        (JSC::CopyWorkListIterator::operator!=):
        (JSC::CopyWorkListIterator::CopyWorkListIterator):
        (CopyWorkList): Data structure that keeps track of the JSCells that need copying in a particular CopiedBlock.
        (JSC::CopyWorkList::CopyWorkList):
        (JSC::CopyWorkList::~CopyWorkList):
        (JSC::CopyWorkList::append):
        (JSC::CopyWorkList::begin):
        (JSC::CopyWorkList::end):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData): We no longer use the m_blockSnapshot from the Heap during the copying phase.
        (JSC::GCThreadSharedData::didStartCopying): We now copy the set of all blocks in the CopiedSpace to a separate vector for
        iterating over during the copying phase since the set stored in the CopiedSpace will change as blocks are evacuated and
        recycled throughout the copying phase.
        * heap/GCThreadSharedData.h:
        (GCThreadSharedData):
        * heap/SlotVisitor.h: We now need to know the object that is being marked that has a backing store so that we can store it
        in a CopyWorkList to revisit later during the copying phase.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):

2012-11-28  Filip Pizlo  <fpizlo@apple.com>

        Disassembly methods should be able to disassemble to any PrintStream& rather than always using WTF::dataFile()
        https://bugs.webkit.org/show_bug.cgi?id=103492

        Reviewed by Mark Hahnenberg.

        Switched disassembly code to use PrintStream&, and to use print() rather than printf().

        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        (JSC::DFG::Disassembler::dumpDisassembly):
        * dfg/DFGDisassembler.h:
        (JSC::DFG::printWhiteSpace):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::printNodeWhiteSpace):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dump):
        (JSC::JITDisassembler::dumpForInstructions):
        (JSC::JITDisassembler::dumpDisassembly):
        * jit/JITDisassembler.h:

2012-11-28  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to say dataLog("count = ", count, "\n") instead of dataLogF("count = %d\n", count)
        https://bugs.webkit.org/show_bug.cgi?id=103009

        Reviewed by Michael Saboff.

        Instead of converting all of JSC to use the new dataLog()/print() methods, I just changed
        one place: dumping of abstract values. This is mainly just to ensure that the code I
        added to WTF is actually doing things.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        (WTF::printInternal):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::dump):
        (WTF::printInternal):

2012-11-28  Oliver Hunt  <oliver@apple.com>

        Make source cache include more information about the function extent.
        https://bugs.webkit.org/show_bug.cgi?id=103552

        Reviewed by Gavin Barraclough.

        Add a bit more information to the source cache.

        (JSC::::parseFunctionInfo):
        Store the function start offset
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        (SourceProviderCacheItem):
        Add additional field for the start of the real function string, and re-arrange
        fields to avoid growing the struct.

2012-11-27  Filip Pizlo  <fpizlo@apple.com>

        Convert some remaining uses of FILE* to PrintStream&.

        Rubber stamped by Mark Hahnenberg.

        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::dump):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::dump):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::Node::dumpChildren):

2012-11-27  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation in JSValue.h

        Rubber stamped by Mark Hahnenberg.

2012-11-26  Filip Pizlo  <fpizlo@apple.com>

        DFG SetLocal should use forwardSpeculationCheck instead of its own half-baked version of same
        https://bugs.webkit.org/show_bug.cgi?id=103353

        Reviewed by Oliver Hunt and Gavin Barraclough.

        Made it possible to use forward speculations for most of the operand classes. Changed the conditional
        direction parameter from being 'bool isForward' to an enum (SpeculationDirection). Changed SetLocal
        to use forward speculations and got rid of its half-baked version of same.

        Also added the ability to force the DFG's disassembler to dump all nodes, even ones that are dead.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::SpeculativeJIT::fillStorage):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateIntegerOperand::gpr):
        (SpeculateIntegerOperand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::fpr):
        (SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateCellOperand::gpr):
        (SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::gpr):
        (SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):

908 2012-11-26 Daniel Bates <dbates@webkit.org>
910 Substitute "allSeparators8Bit" for "allSeperators8Bit" in JSC::jsSpliceSubstringsWithSeparators()
911 <https://bugs.webkit.org/show_bug.cgi?id=103303>
913 Reviewed by Simon Fraser.
915 Fix misspelled word, "Seperators" [sic], in a local variable name in JSC::jsSpliceSubstringsWithSeparators().
917 * runtime/StringPrototype.cpp:
918 (JSC::jsSpliceSubstringsWithSeparators):
920 2012-11-26 Daniel Bates <dbates@webkit.org>
922 JavaScript fails to handle String.replace() with large replacement string
923 https://bugs.webkit.org/show_bug.cgi?id=102956
924 <rdar://problem/12738012>
926 Reviewed by Oliver Hunt.
928 Fix an issue where we didn't check for overflow when computing the length
929 of the result of String.replace() with a large replacement string.
931 * runtime/StringPrototype.cpp:
932 (JSC::jsSpliceSubstringsWithSeparators):
934 2012-11-26 Zeno Albisser <zeno@webkit.org>
936 [Qt] Fix the LLInt build on Mac
937 https://bugs.webkit.org/show_bug.cgi?id=97587
939 Reviewed by Simon Hausmann.
941 * DerivedSources.pri:
942 * JavaScriptCore.pro:
944 2012-11-26 Oliver Hunt <oliver@apple.com>
946 32-bit build fix. Move the method declaration outside of the X86_64 only section.
948 * assembler/MacroAssembler.h:
950 (JSC::MacroAssembler::shouldConsiderBlinding):
952 2012-11-26 Oliver Hunt <oliver@apple.com>
954 Don't blind all the things.
955 https://bugs.webkit.org/show_bug.cgi?id=102572
957 Reviewed by Gavin Barraclough.
959 No longer blind all the constants in the instruction stream. We use a
960 simple non-deterministic filter to avoid blinding everything. Also modified
961 the basic integer blinding logic to avoid blinding small negative values.
963 * assembler/MacroAssembler.h:
965 (JSC::MacroAssembler::shouldConsiderBlinding):
966 (JSC::MacroAssembler::shouldBlind):
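The entry above changes which constants get blinded, not what blinding is. The following is an added illustration of the mechanism and of a selective policy like the one described; it is constructed for this page and is not WebKit's MacroAssembler code. The signed-byte exemption and the "blind about three in four" probability are assumptions standing in for the filter the entry mentions, whose real thresholds are not given here.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

// Constant blinding: instead of placing a script-controlled immediate directly
// in JIT output, the emitter stores it XORed with a random key and the generated
// code XORs the key back in at run time. The raw immediate therefore never
// appears as-is in executable memory.
struct EmittedConstant {
    bool blinded;
    uint32_t encoded;  // immediate that actually lands in the instruction stream
    uint32_t key;      // second immediate, applied at run time when blinded
};

// Assumed policy (not WebKit's): values that fit a signed byte, which covers the
// small negative values the entry talks about, are never blinded; the rest are
// blinded non-deterministically, using two random bits as the filter.
bool shouldBlind(int32_t value, uint32_t randomBits)
{
    if (value >= -128 && value <= 127)
        return false;
    return (randomBits & 3) != 0;  // ~3 of 4 remaining constants get blinded
}

EmittedConstant emitConstant(int32_t value, std::mt19937& rng)
{
    uint32_t bits = static_cast<uint32_t>(value);
    uint32_t randomBits = static_cast<uint32_t>(rng());
    if (!shouldBlind(value, randomBits))
        return { false, bits, 0 };
    uint32_t key;
    do {
        key = static_cast<uint32_t>(rng());
    } while (key == 0);  // a zero key would leave the constant unchanged
    return { true, bits ^ key, key };
}

// What the generated code does when it needs the original value.
uint32_t materialize(const EmittedConstant& c)
{
    return c.blinded ? (c.encoded ^ c.key) : c.encoded;
}

int main()
{
    std::mt19937 rng(2012);  // fixed seed so the demo is reproducible
    const int32_t samples[] = { 0x41414141, -1, 0x0C0C0C0C, 300, -70000 };
    for (int32_t v : samples) {
        EmittedConstant c = emitConstant(v, rng);
        std::printf("value=0x%08x blinded=%d encoded=0x%08x key=0x%08x restored=0x%08x\n",
                    static_cast<uint32_t>(v), c.blinded, c.encoded, c.key, materialize(c));
    }
    return 0;
}
```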
968 2012-11-26 Mark Hahnenberg <mhahnenberg@apple.com>
970 JSObject::copyButterfly doesn't handle undecided indexing types correctly
971 https://bugs.webkit.org/show_bug.cgi?id=102573
973 Reviewed by Filip Pizlo.
975 We don't do any copying into the newly allocated vector and we don't zero-initialize CopiedBlocks
976 during the copying phase, so we end up with uninitialized memory in arrays which have undecided indexing
977 types. We should just do the actual memcpy from the old block to the new one.
979 * runtime/JSObject.cpp:
980 (JSC::JSObject::copyButterfly): Just do the same thing that we do for other contiguous indexing types.
982 2012-11-26 Julien BRIANCEAU <jbrianceau@nds.com>
984 [sh4] JavaScriptCore JIT build is broken since r135330
985 Add missing implementation for sh4 arch.
986 https://bugs.webkit.org/show_bug.cgi?id=103145
988 Reviewed by Oliver Hunt.
990 * assembler/MacroAssemblerSH4.h:
991 (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranchPtrWithPatch):
993 (JSC::MacroAssemblerSH4::startOfBranchPtrWithPatchOnRegister):
994 (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch):
995 (JSC::MacroAssemblerSH4::startOfPatchableBranchPtrWithPatchOnAddress):
996 (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranchPtrWithPatch):
997 * assembler/SH4Assembler.h:
998 (JSC::SH4Assembler::revertJump):
1000 (JSC::SH4Assembler::printInstr):
1002 2012-11-26 Yuqiang Xian <yuqiang.xian@intel.com>
1004 Use load64 instead of loadPtr to load a JSValue on JSVALUE64 platforms
1005 https://bugs.webkit.org/show_bug.cgi?id=100909
1007 Reviewed by Brent Fulgham.
1009 This is a (trivial) fix after r132701.
1011 * dfg/DFGOSRExitCompiler64.cpp:
1012 (JSC::DFG::OSRExitCompiler::compileExit):
1014 2012-11-26 Gabor Ballabas <gaborb@inf.u-szeged.hu>
1016 [Qt][ARM] REGRESSION(r130826): It made 33 JSC test and 466 layout tests crash
1017 https://bugs.webkit.org/show_bug.cgi?id=98857
1019 Reviewed by Zoltan Herczeg.
1021 Implement a new version of patchableBranch32 to fix crashing JSC
1024 * assembler/MacroAssembler.h:
1026 * assembler/MacroAssemblerARM.h:
1027 (JSC::MacroAssemblerARM::patchableBranch32):
1028 (MacroAssemblerARM):
1030 2012-11-21 Filip Pizlo <fpizlo@apple.com>
1032 Any function that can log things should be able to easily log them to a memory buffer as well
1033 https://bugs.webkit.org/show_bug.cgi?id=103000
1035 Reviewed by Sam Weinig.
1037 Change all users of WTF::dataFile() to expect a PrintStream& rather than a FILE*.
1039 * bytecode/Operands.h:
1040 (JSC::OperandValueTraits::dump):
1041 (JSC::dumpOperands):
1043 * dfg/DFGAbstractState.cpp:
1044 (JSC::DFG::AbstractState::dump):
1045 * dfg/DFGAbstractState.h:
1047 * dfg/DFGAbstractValue.h:
1048 (JSC::DFG::AbstractValue::dump):
1050 (JSC::DFG::NodeIndexTraits::dump):
1051 * dfg/DFGStructureAbstractValue.h:
1052 (JSC::DFG::StructureAbstractValue::dump):
1053 * dfg/DFGVariableEvent.cpp:
1054 (JSC::DFG::VariableEvent::dump):
1055 (JSC::DFG::VariableEvent::dumpFillInfo):
1056 (JSC::DFG::VariableEvent::dumpSpillInfo):
1057 * dfg/DFGVariableEvent.h:
1059 * disassembler/Disassembler.h:
1061 (JSC::tryToDisassemble):
1062 * disassembler/UDis86Disassembler.cpp:
1063 (JSC::tryToDisassemble):
1065 2012-11-23 Alexis Menard <alexis@webkit.org>
1067 [CSS3 Backgrounds and Borders] Implement new CSS3 background-position parsing.
1068 https://bugs.webkit.org/show_bug.cgi?id=102104
1070 Reviewed by Julien Chaffraix.
1072 Protect the new feature behind a feature flag.
1074 * Configurations/FeatureDefines.xcconfig:
1076 2012-11-23 Gabor Ballabas <gaborb@inf.u-szeged.hu>
1078 Fix the ARM traditional build after r135330
1079 https://bugs.webkit.org/show_bug.cgi?id=102871
1081 Reviewed by Zoltan Herczeg.
1083 Added missing functionality to traditional ARM architecture.
1085 * assembler/ARMAssembler.h:
1086 (JSC::ARMAssembler::revertJump):
1088 * assembler/MacroAssemblerARM.h:
1089 (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
1090 (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
1091 (MacroAssemblerARM):
1092 (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
1094 2012-11-16 Yury Semikhatsky <yurys@chromium.org>
1096 Memory instrumentation: extract MemoryObjectInfo declaration into a separate file
1097 https://bugs.webkit.org/show_bug.cgi?id=102510
1099 Reviewed by Pavel Feldman.
1101 Added new symbols for the methods that have moved into .../wtf/MemoryInstrumentation.cpp
1103 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1105 2012-11-23 Julien BRIANCEAU <jbrianceau@nds.com>
1107 [sh4] JavaScriptCore JIT build is broken since r130839
1108 Add missing implementation for sh4 arch.
1109 https://bugs.webkit.org/show_bug.cgi?id=101479
1111 Reviewed by Filip Pizlo.
1113 * assembler/MacroAssemblerSH4.h:
1114 (JSC::MacroAssemblerSH4::load8Signed):
1115 (MacroAssemblerSH4):
1116 (JSC::MacroAssemblerSH4::load16Signed):
1117 (JSC::MacroAssemblerSH4::store8):
1118 (JSC::MacroAssemblerSH4::store16):
1119 (JSC::MacroAssemblerSH4::moveDoubleToInts):
1120 (JSC::MacroAssemblerSH4::moveIntsToDouble):
1121 (JSC::MacroAssemblerSH4::loadFloat):
1122 (JSC::MacroAssemblerSH4::loadDouble):
1123 (JSC::MacroAssemblerSH4::storeFloat):
1124 (JSC::MacroAssemblerSH4::storeDouble):
1125 (JSC::MacroAssemblerSH4::addDouble):
1126 (JSC::MacroAssemblerSH4::convertFloatToDouble):
1127 (JSC::MacroAssemblerSH4::convertDoubleToFloat):
1128 (JSC::MacroAssemblerSH4::urshift32):
1129 * assembler/SH4Assembler.h:
1130 (JSC::SH4Assembler::sublRegReg):
1131 (JSC::SH4Assembler::subvlRegReg):
1132 (JSC::SH4Assembler::floatfpulfrn):
1133 (JSC::SH4Assembler::fldsfpul):
1134 (JSC::SH4Assembler::fstsfpul):
1135 (JSC::SH4Assembler::dcnvsd):
1137 (JSC::SH4Assembler::movbRegMem):
1138 (JSC::SH4Assembler::sizeOfConstantPool):
1139 (JSC::SH4Assembler::linkJump):
1140 (JSC::SH4Assembler::printInstr):
1141 (JSC::SH4Assembler::printBlockInstr):
1143 2012-11-22 Balazs Kilvady <kilvadyb@homejinni.com>
1145 Fix the MIPS build after r135330
1146 https://bugs.webkit.org/show_bug.cgi?id=102872
1148 Reviewed by Gavin Barraclough.
1150 Revert/replace functions added to MIPS port.
1152 * assembler/MIPSAssembler.h:
1153 (JSC::MIPSAssembler::revertJumpToMove):
1155 (JSC::MIPSAssembler::replaceWithJump):
1156 * assembler/MacroAssemblerMIPS.h:
1157 (MacroAssemblerMIPS):
1158 (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
1159 (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
1160 (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
1162 2012-11-21 Filip Pizlo <fpizlo@apple.com>
1164 Rename dataLog() and dataLogV() to dataLogF() and dataLogFV()
1165 https://bugs.webkit.org/show_bug.cgi?id=103001
1167 Rubber stamped by Dan Bernstein.
1169 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1170 * assembler/LinkBuffer.cpp:
1171 (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1172 (JSC::LinkBuffer::dumpLinkStatistics):
1173 (JSC::LinkBuffer::dumpCode):
1174 * assembler/LinkBuffer.h:
1176 * assembler/SH4Assembler.h:
1177 (JSC::SH4Assembler::vprintfStdoutInstr):
1178 * bytecode/CodeBlock.cpp:
1179 (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
1180 (JSC::CodeBlock::printUnaryOp):
1181 (JSC::CodeBlock::printBinaryOp):
1182 (JSC::CodeBlock::printConditionalJump):
1183 (JSC::CodeBlock::printGetByIdOp):
1184 (JSC::dumpStructure):
1186 (JSC::CodeBlock::printGetByIdCacheStatus):
1187 (JSC::CodeBlock::printCallOp):
1188 (JSC::CodeBlock::printPutByIdOp):
1189 (JSC::CodeBlock::printStructure):
1190 (JSC::CodeBlock::printStructures):
1191 (JSC::CodeBlock::dump):
1192 (JSC::CodeBlock::dumpStatistics):
1193 (JSC::CodeBlock::finalizeUnconditionally):
1194 (JSC::CodeBlock::resetStubInternal):
1195 (JSC::CodeBlock::reoptimize):
1196 (JSC::ProgramCodeBlock::jettison):
1197 (JSC::EvalCodeBlock::jettison):
1198 (JSC::FunctionCodeBlock::jettison):
1199 (JSC::CodeBlock::shouldOptimizeNow):
1200 (JSC::CodeBlock::tallyFrequentExitSites):
1201 (JSC::CodeBlock::dumpValueProfiles):
1202 * bytecode/Opcode.cpp:
1203 (JSC::OpcodeStats::~OpcodeStats):
1204 * bytecode/SamplingTool.cpp:
1205 (JSC::SamplingFlags::stop):
1206 (JSC::SamplingRegion::dumpInternal):
1207 (JSC::SamplingTool::dump):
1208 * dfg/DFGAbstractState.cpp:
1209 (JSC::DFG::AbstractState::initialize):
1210 (JSC::DFG::AbstractState::endBasicBlock):
1211 (JSC::DFG::AbstractState::mergeStateAtTail):
1212 (JSC::DFG::AbstractState::mergeToSuccessors):
1213 * dfg/DFGAbstractValue.h:
1214 (JSC::DFG::AbstractValue::dump):
1215 * dfg/DFGArgumentsSimplificationPhase.cpp:
1216 (JSC::DFG::ArgumentsSimplificationPhase::run):
1217 * dfg/DFGByteCodeParser.cpp:
1218 (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
1219 (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1220 (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
1221 (JSC::DFG::ByteCodeParser::makeSafe):
1222 (JSC::DFG::ByteCodeParser::makeDivSafe):
1223 (JSC::DFG::ByteCodeParser::handleCall):
1224 (JSC::DFG::ByteCodeParser::handleInlining):
1225 (JSC::DFG::ByteCodeParser::parseBlock):
1226 (JSC::DFG::ByteCodeParser::processPhiStack):
1227 (JSC::DFG::ByteCodeParser::linkBlock):
1228 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1229 (JSC::DFG::ByteCodeParser::parseCodeBlock):
1230 (JSC::DFG::ByteCodeParser::parse):
1231 * dfg/DFGCFAPhase.cpp:
1232 (JSC::DFG::CFAPhase::performBlockCFA):
1233 (JSC::DFG::CFAPhase::performForwardCFA):
1234 * dfg/DFGCFGSimplificationPhase.cpp:
1235 (JSC::DFG::CFGSimplificationPhase::run):
1236 (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
1237 (JSC::DFG::CFGSimplificationPhase::fixPhis):
1238 (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
1239 (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
1240 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
1241 * dfg/DFGCSEPhase.cpp:
1242 (JSC::DFG::CSEPhase::endIndexForPureCSE):
1243 (JSC::DFG::CSEPhase::setReplacement):
1244 (JSC::DFG::CSEPhase::eliminate):
1245 (JSC::DFG::CSEPhase::performNodeCSE):
1246 * dfg/DFGCapabilities.cpp:
1247 (JSC::DFG::debugFail):
1248 * dfg/DFGConstantFoldingPhase.cpp:
1249 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1250 (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
1251 * dfg/DFGDisassembler.cpp:
1252 (JSC::DFG::Disassembler::dump):
1253 * dfg/DFGDriver.cpp:
1254 (JSC::DFG::compile):
1255 * dfg/DFGFixupPhase.cpp:
1256 (JSC::DFG::FixupPhase::fixupNode):
1257 (JSC::DFG::FixupPhase::fixDoubleEdge):
1259 (JSC::DFG::printWhiteSpace):
1260 (JSC::DFG::Graph::dumpCodeOrigin):
1261 (JSC::DFG::Graph::dump):
1262 (JSC::DFG::Graph::dumpBlockHeader):
1263 (JSC::DFG::Graph::predictArgumentTypes):
1264 * dfg/DFGJITCompiler.cpp:
1265 (JSC::DFG::JITCompiler::link):
1266 * dfg/DFGOSREntry.cpp:
1267 (JSC::DFG::prepareOSREntry):
1268 * dfg/DFGOSRExitCompiler.cpp:
1269 * dfg/DFGOSRExitCompiler32_64.cpp:
1270 (JSC::DFG::OSRExitCompiler::compileExit):
1271 * dfg/DFGOSRExitCompiler64.cpp:
1272 (JSC::DFG::OSRExitCompiler::compileExit):
1273 * dfg/DFGOperations.cpp:
1275 (JSC::DFG::Phase::beginPhase):
1277 (JSC::DFG::runAndLog):
1278 * dfg/DFGPredictionPropagationPhase.cpp:
1279 (JSC::DFG::PredictionPropagationPhase::propagate):
1280 (JSC::DFG::PredictionPropagationPhase::propagateForward):
1281 (JSC::DFG::PredictionPropagationPhase::propagateBackward):
1282 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1283 * dfg/DFGRegisterBank.h:
1284 (JSC::DFG::RegisterBank::dump):
1285 * dfg/DFGScoreBoard.h:
1286 (JSC::DFG::ScoreBoard::use):
1287 (JSC::DFG::ScoreBoard::dump):
1288 * dfg/DFGSlowPathGenerator.h:
1289 (JSC::DFG::SlowPathGenerator::generate):
1290 * dfg/DFGSpeculativeJIT.cpp:
1291 (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
1292 (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecutionWithConditionalDirection):
1293 (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
1294 (JSC::DFG::SpeculativeJIT::dump):
1295 (JSC::DFG::SpeculativeJIT::checkConsistency):
1296 (JSC::DFG::SpeculativeJIT::compile):
1297 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
1298 * dfg/DFGSpeculativeJIT32_64.cpp:
1299 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1300 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1301 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1302 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1303 * dfg/DFGSpeculativeJIT64.cpp:
1304 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1305 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1306 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1307 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1308 * dfg/DFGStructureCheckHoistingPhase.cpp:
1309 (JSC::DFG::StructureCheckHoistingPhase::run):
1310 * dfg/DFGValidate.cpp:
1312 (JSC::DFG::Validate::reportValidationContext):
1313 (JSC::DFG::Validate::dumpData):
1314 (JSC::DFG::Validate::dumpGraphIfAppropriate):
1315 * dfg/DFGVariableEventStream.cpp:
1316 (JSC::DFG::VariableEventStream::logEvent):
1317 (JSC::DFG::VariableEventStream::reconstruct):
1318 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1319 (JSC::DFG::VirtualRegisterAllocationPhase::run):
1321 * heap/HeapStatistics.cpp:
1322 (JSC::HeapStatistics::logStatistics):
1323 (JSC::HeapStatistics::showObjectStatistics):
1325 * heap/MarkedBlock.h:
1326 * heap/SlotVisitor.cpp:
1327 (JSC::SlotVisitor::validate):
1328 * interpreter/CallFrame.cpp:
1329 (JSC::CallFrame::dumpCaller):
1330 * interpreter/Interpreter.cpp:
1331 (JSC::Interpreter::dumpRegisters):
1333 (JSC::JIT::privateCompileMainPass):
1334 (JSC::JIT::privateCompileSlowCases):
1335 (JSC::JIT::privateCompile):
1336 * jit/JITDisassembler.cpp:
1337 (JSC::JITDisassembler::dump):
1338 (JSC::JITDisassembler::dumpForInstructions):
1339 * jit/JITStubRoutine.h:
1342 (JSC::DEFINE_STUB_FUNCTION):
1343 * jit/JumpReplacementWatchpoint.cpp:
1344 (JSC::JumpReplacementWatchpoint::fireInternal):
1345 * llint/LLIntExceptions.cpp:
1346 (JSC::LLInt::interpreterThrowInCaller):
1347 (JSC::LLInt::returnToThrow):
1348 (JSC::LLInt::callToThrow):
1349 * llint/LLIntSlowPaths.cpp:
1350 (JSC::LLInt::llint_trace_operand):
1351 (JSC::LLInt::llint_trace_value):
1352 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1353 (JSC::LLInt::traceFunctionPrologue):
1354 (JSC::LLInt::jitCompileAndSetHeuristics):
1355 (JSC::LLInt::entryOSR):
1356 (JSC::LLInt::handleHostCall):
1357 (JSC::LLInt::setUpCall):
1358 * profiler/Profile.cpp:
1359 (JSC::Profile::debugPrintData):
1360 (JSC::Profile::debugPrintDataSampleStyle):
1361 * profiler/ProfileNode.cpp:
1362 (JSC::ProfileNode::debugPrintData):
1363 (JSC::ProfileNode::debugPrintDataSampleStyle):
1364 * runtime/JSGlobalData.cpp:
1365 (JSC::JSGlobalData::dumpRegExpTrace):
1366 * runtime/RegExp.cpp:
1367 (JSC::RegExp::matchCompareWithInterpreter):
1368 * runtime/SamplingCounter.cpp:
1369 (JSC::AbstractSamplingCounter::dump):
1370 * runtime/Structure.cpp:
1371 (JSC::Structure::dumpStatistics):
1372 (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
1373 * tools/CodeProfile.cpp:
1374 (JSC::CodeProfile::report):
1375 * tools/ProfileTreeNode.h:
1376 (JSC::ProfileTreeNode::dumpInternal):
1377 * yarr/YarrInterpreter.cpp:
1378 (JSC::Yarr::ByteCompiler::dumpDisjunction):
1380 2012-11-21 Filip Pizlo <fpizlo@apple.com>
1382 It should be possible to say disassemble(stuff) instead of having to say if (!tryToDisassemble(stuff)) dataLog("I failed")
1383 https://bugs.webkit.org/show_bug.cgi?id=103010
1385 Reviewed by Anders Carlsson.
1387 You can still say tryToDisassemble(), which will tell you if it failed; you can then
1388 decide what to do instead. But it's better to say disassemble(), which will just print
1389 the instruction ranges if tryToDisassemble() failed. This is particularly appropriate
1390 since that's what all previous users of tryToDisassemble() would have done in some
1394 * GNUmakefile.list.am:
1395 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1396 * JavaScriptCore.xcodeproj/project.pbxproj:
1398 * assembler/LinkBuffer.cpp:
1399 (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1400 * dfg/DFGDisassembler.cpp:
1401 (JSC::DFG::Disassembler::dumpDisassembly):
1402 * disassembler/Disassembler.cpp: Added.
1405 * disassembler/Disassembler.h:
1407 * jit/JITDisassembler.cpp:
1408 (JSC::JITDisassembler::dumpDisassembly):
1410 2012-11-21 Filip Pizlo <fpizlo@apple.com>
1412 dumpOperands() claims that it needs a non-const Operands& when that is completely false
1413 https://bugs.webkit.org/show_bug.cgi?id=103005
1415 Reviewed by Eric Carlson.
1417 * bytecode/Operands.h:
1418 (JSC::dumpOperands):
1421 2012-11-20 Filip Pizlo <fpizlo@apple.com>
1423 Baseline JIT's disassembly should be just as pretty as the DFG's
1424 https://bugs.webkit.org/show_bug.cgi?id=102873
1426 Reviewed by Sam Weinig.
1428 Integrated the CodeBlock's bytecode dumper with the JIT's disassembler. Also fixed
1429 some type goof-ups (instructions are not in a Vector<Instruction> so using a Vector
1430 iterator makes no sense) and stream-lined some things (you don't actually need a
1431 full-fledged ExecState* to dump bytecode).
1434 * GNUmakefile.list.am:
1435 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1436 * JavaScriptCore.xcodeproj/project.pbxproj:
1438 * bytecode/CodeBlock.cpp:
1439 (JSC::CodeBlock::printUnaryOp):
1440 (JSC::CodeBlock::printBinaryOp):
1441 (JSC::CodeBlock::printConditionalJump):
1442 (JSC::CodeBlock::printGetByIdOp):
1443 (JSC::CodeBlock::printCallOp):
1444 (JSC::CodeBlock::printPutByIdOp):
1445 (JSC::CodeBlock::dump):
1447 (JSC::CodeBlock::CodeBlock):
1448 * bytecode/CodeBlock.h:
1450 * interpreter/Interpreter.cpp:
1451 (JSC::Interpreter::dumpCallFrame):
1453 (JSC::JIT::privateCompileMainPass):
1454 (JSC::JIT::privateCompileSlowCases):
1455 (JSC::JIT::privateCompile):
1458 * jit/JITDisassembler.cpp: Added.
1460 (JSC::JITDisassembler::JITDisassembler):
1461 (JSC::JITDisassembler::~JITDisassembler):
1462 (JSC::JITDisassembler::dump):
1463 (JSC::JITDisassembler::dumpForInstructions):
1464 (JSC::JITDisassembler::dumpDisassembly):
1465 * jit/JITDisassembler.h: Added.
1468 (JSC::JITDisassembler::setStartOfCode):
1469 (JSC::JITDisassembler::setForBytecodeMainPath):
1470 (JSC::JITDisassembler::setForBytecodeSlowPath):
1471 (JSC::JITDisassembler::setEndOfSlowPath):
1472 (JSC::JITDisassembler::setEndOfCode):
1474 2012-11-21 Daniel Bates <dbates@webkit.org>
1476 JavaScript fails to concatenate large strings
1477 <https://bugs.webkit.org/show_bug.cgi?id=102963>
1479 Reviewed by Michael Saboff.
1481 Fixes an issue where we inadvertently didn't check the length of
1482 a JavaScript string for overflow.
1484 * runtime/Operations.h:
1486 (JSC::jsStringFromArguments):
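Both this entry and the earlier String.replace() entry (bug 102956) fix the same bug class: a result length summed without an overflow check. The block below is an added, constructed illustration of that failure mode beside a checked computation; it is not JavaScriptCore's code, and the kMaxLength cap is a placeholder because the page does not state the engine's actual limit.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Assumed cap on a string length; the real JSC limit is not given on the page.
static const uint32_t kMaxLength = std::numeric_limits<int32_t>::max();

// One piece of a String.replace() result: a slice of the original string
// followed by the replacement text inserted after it.
struct Piece {
    uint32_t substringLength;
    uint32_t separatorLength;
};

// Unchecked version: the additions wrap silently, so a large replacement string
// can yield a small total. A buffer sized from this value is then overrun when
// the pieces are actually copied into it.
uint32_t naiveSpliceLength(const std::vector<Piece>& pieces)
{
    uint32_t total = 0;
    for (const Piece& p : pieces)
        total += p.substringLength + p.separatorLength;
    return total;
}

// Checked version: each addition is tested for wrap-around and the running total
// is bounded by kMaxLength. Returns false when the result cannot be built, which
// the caller turns into an out-of-memory style error instead of an allocation.
bool checkedSpliceLength(const std::vector<Piece>& pieces, uint32_t& out)
{
    uint32_t total = 0;
    for (const Piece& p : pieces) {
        if (__builtin_add_overflow(total, p.substringLength, &total))
            return false;
        if (__builtin_add_overflow(total, p.separatorLength, &total))
            return false;
        if (total > kMaxLength)
            return false;
    }
    out = total;
    return true;
}

// The concatenation case from this entry is the same computation without
// separators: one checked add per argument string.
bool checkedConcatLength(const std::vector<uint32_t>& argLengths, uint32_t& out)
{
    uint32_t total = 0;
    for (uint32_t len : argLengths) {
        if (__builtin_add_overflow(total, len, &total) || total > kMaxLength)
            return false;
    }
    out = total;
    return true;
}

int main()
{
    // Constructed input: three 1-char slices, each followed by a 0x60000000-char
    // replacement. 3 * 0x60000001 = 0x120000003, which wraps to 0x20000003.
    std::vector<Piece> huge = { {1, 0x60000000u}, {1, 0x60000000u}, {1, 0x60000000u} };
    uint32_t len = 0;
    std::printf("naive length:   0x%08x\n", naiveSpliceLength(huge));
    std::printf("checked length: %s\n", checkedSpliceLength(huge, len) ? "ok" : "rejected");
    return 0;
}
```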
1488 2012-11-20 Filip Pizlo <fpizlo@apple.com>
1490 DFG should be able to cache closure calls (part 2/2)
1491 https://bugs.webkit.org/show_bug.cgi?id=102662
1493 Reviewed by Gavin Barraclough.
1495 Added caching of calls where the JSFunction* varies, but the Structure* and ExecutableBase*
1496 stay the same. This is accomplished by replacing the branch that compares against a constant
1497 JSFunction* with a jump to a closure call stub. The closure call stub contains a fast path,
1498 and jumps slow directly to the virtual call thunk.
1500 Looks like a 1% win on V8v7.
1503 * GNUmakefile.list.am:
1504 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1505 * JavaScriptCore.xcodeproj/project.pbxproj:
1507 * bytecode/CallLinkInfo.cpp:
1508 (JSC::CallLinkInfo::unlink):
1509 * bytecode/CallLinkInfo.h:
1511 (JSC::CallLinkInfo::isLinked):
1512 (JSC::getCallLinkInfoBytecodeIndex):
1513 * bytecode/CodeBlock.cpp:
1514 (JSC::CodeBlock::finalizeUnconditionally):
1516 (JSC::CodeBlock::findClosureCallForReturnPC):
1517 (JSC::CodeBlock::bytecodeOffset):
1518 (JSC::CodeBlock::codeOriginForReturn):
1519 * bytecode/CodeBlock.h:
1520 (JSC::CodeBlock::getCallLinkInfo):
1522 (JSC::CodeBlock::isIncomingCallAlreadyLinked):
1523 * dfg/DFGJITCompiler.cpp:
1524 (JSC::DFG::JITCompiler::link):
1525 * dfg/DFGJITCompiler.h:
1526 (JSC::DFG::JITCompiler::addJSCall):
1527 (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
1529 * dfg/DFGOperations.cpp:
1530 * dfg/DFGOperations.h:
1531 * dfg/DFGRepatch.cpp:
1532 (JSC::DFG::linkSlowFor):
1534 (JSC::DFG::dfgLinkFor):
1535 (JSC::DFG::dfgLinkSlowFor):
1536 (JSC::DFG::dfgLinkClosureCall):
1539 * dfg/DFGSpeculativeJIT32_64.cpp:
1540 (JSC::DFG::SpeculativeJIT::emitCall):
1541 * dfg/DFGSpeculativeJIT64.cpp:
1542 (JSC::DFG::SpeculativeJIT::emitCall):
1543 * dfg/DFGThunks.cpp:
1545 (JSC::DFG::linkClosureCallThunkGenerator):
1550 (JSC::Heap::jitStubRoutines):
1551 * heap/JITStubRoutineSet.h:
1552 (JSC::JITStubRoutineSet::size):
1553 (JSC::JITStubRoutineSet::at):
1554 (JITStubRoutineSet):
1555 * jit/ClosureCallStubRoutine.cpp: Added.
1557 (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
1558 (JSC::ClosureCallStubRoutine::~ClosureCallStubRoutine):
1559 (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
1560 * jit/ClosureCallStubRoutine.h: Added.
1562 (ClosureCallStubRoutine):
1563 (JSC::ClosureCallStubRoutine::structure):
1564 (JSC::ClosureCallStubRoutine::executable):
1565 (JSC::ClosureCallStubRoutine::codeOrigin):
1566 * jit/GCAwareJITStubRoutine.cpp:
1567 (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
1568 * jit/GCAwareJITStubRoutine.h:
1569 (GCAwareJITStubRoutine):
1570 (JSC::GCAwareJITStubRoutine::isClosureCall):
1572 (JSC::JIT::privateCompile):
1574 2012-11-20 Filip Pizlo <fpizlo@apple.com>
1576 DFG should be able to cache closure calls (part 1/2)
1577 https://bugs.webkit.org/show_bug.cgi?id=102662
1579 Reviewed by Gavin Barraclough.
1581 Add ability to revert a jump replacement back to
1582 branchPtrWithPatch(Condition, RegisterID, TrustedImmPtr). This is meant to be
1583 a mandatory piece of functionality for all assemblers. I also renamed some of
1584 the functions for reverting jump replacements back to
1585 patchableBranchPtrWithPatch(Condition, Address, TrustedImmPtr), so as to avoid
1588 * assembler/ARMv7Assembler.h:
1589 (JSC::ARMv7Assembler::BadReg):
1591 (JSC::ARMv7Assembler::revertJumpTo_movT3):
1592 * assembler/LinkBuffer.h:
1594 * assembler/MacroAssemblerARMv7.h:
1595 (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
1596 (MacroAssemblerARMv7):
1597 (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
1598 (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
1599 * assembler/MacroAssemblerX86.h:
1600 (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
1601 (MacroAssemblerX86):
1602 (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
1603 (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
1604 * assembler/MacroAssemblerX86_64.h:
1605 (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
1606 (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
1607 (MacroAssemblerX86_64):
1608 (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
1609 * assembler/RepatchBuffer.h:
1610 (JSC::RepatchBuffer::startOfBranchPtrWithPatchOnRegister):
1612 (JSC::RepatchBuffer::startOfPatchableBranchPtrWithPatchOnAddress):
1613 (JSC::RepatchBuffer::revertJumpReplacementToBranchPtrWithPatch):
1614 * assembler/X86Assembler.h:
1615 (JSC::X86Assembler::revertJumpTo_cmpl_ir_force32):
1617 * dfg/DFGRepatch.cpp:
1618 (JSC::DFG::replaceWithJump):
1619 (JSC::DFG::dfgResetGetByID):
1620 (JSC::DFG::dfgResetPutByID):
1622 2012-11-20 Yong Li <yoli@rim.com>
1624 [ARMv7] Neither linkCall() nor linkPointer() should flush code.
1625 https://bugs.webkit.org/show_bug.cgi?id=99213
1627 Reviewed by George Staikos.
1629 LinkBuffer doesn't need to flush code during linking. It will
1630 eventually flush the whole executable. Fixing this gives >5%
1631 sunspider boost (on QNX).
1633 Also make replaceWithLoad() and replaceWithAddressComputation() flush
1634 only when necessary.
1636 * assembler/ARMv7Assembler.h:
1637 (JSC::ARMv7Assembler::linkCall):
1638 (JSC::ARMv7Assembler::linkPointer):
1639 (JSC::ARMv7Assembler::relinkCall):
1640 (JSC::ARMv7Assembler::repatchInt32):
1641 (JSC::ARMv7Assembler::repatchPointer):
1642 (JSC::ARMv7Assembler::replaceWithLoad): Flush only after it did write.
1643 (JSC::ARMv7Assembler::replaceWithAddressComputation): Flush only after it did write.
1644 (JSC::ARMv7Assembler::setInt32):
1645 (JSC::ARMv7Assembler::setPointer):
1647 2012-11-19 Filip Pizlo <fpizlo@apple.com>
1649 Remove support for ARMv7 errata from the jump code
1650 https://bugs.webkit.org/show_bug.cgi?id=102759
1652 Reviewed by Oliver Hunt.
1654 The jump replacement code was wrong to begin with since it wasn't doing
1655 a cache flush on the inserted padding. And, to my knowledge, we don't need
1656 this anymore, so this patch removes all errata code from the ARMv7 port.
1658 * assembler/ARMv7Assembler.h:
1659 (JSC::ARMv7Assembler::computeJumpType):
1660 (JSC::ARMv7Assembler::replaceWithJump):
1661 (JSC::ARMv7Assembler::maxJumpReplacementSize):
1662 (JSC::ARMv7Assembler::canBeJumpT3):
1663 (JSC::ARMv7Assembler::canBeJumpT4):
1665 2012-11-19 Patrick Gansterer <paroga@webkit.org>
1667 [CMake] Create JavaScriptCore ForwardingHeaders
1668 https://bugs.webkit.org/show_bug.cgi?id=92665
1670 Reviewed by Brent Fulgham.
1672 When using CMake to build the Windows port, we need
1673 to generate the forwarding headers with it too.
1677 2012-11-19 Kihong Kwon <kihong.kwon@samsung.com>
1679 Add PROXIMITY_EVENTS feature
1680 https://bugs.webkit.org/show_bug.cgi?id=102658
1682 Reviewed by Kentaro Hara.
1684 Add PROXIMITY_EVENTS feature to xcode project for JavaScriptCore.
1686 * Configurations/FeatureDefines.xcconfig:
1688 2012-11-18 Dan Bernstein <mitz@apple.com>
1690 Try to fix the DFG build after r135099.
1693 (JSC::DFG::shouldShowDisassembly):
1695 2012-11-18 Filip Pizlo <fpizlo@apple.com>
1697 Unreviewed, build fix for !ENABLE(DFG_JIT).
1700 (JSC::DFG::shouldShowDisassembly):
1703 2012-11-18 Filip Pizlo <fpizlo@apple.com>
1705 JSC should have more logging in structure-related code
1706 https://bugs.webkit.org/show_bug.cgi?id=102630
1708 Reviewed by Simon Fraser.
1710 - JSValue::description() now tells you if something is a structure, and if so,
1711 what kind of structure it is.
1713 - Jettisoning logic now tells you why things are being jettisoned.
1715 - It's now possible to turn off GC-triggered jettisoning entirely.
1717 * bytecode/CodeBlock.cpp:
1718 (JSC::CodeBlock::finalizeUnconditionally):
1719 (JSC::CodeBlock::reoptimize):
1720 (JSC::ProgramCodeBlock::jettison):
1721 (JSC::EvalCodeBlock::jettison):
1722 (JSC::FunctionCodeBlock::jettison):
1723 * bytecode/CodeBlock.h:
1724 (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
1725 * runtime/JSValue.cpp:
1726 (JSC::JSValue::description):
1727 * runtime/Options.h:
1730 2012-11-18 Filip Pizlo <fpizlo@apple.com>
1732 DFG constant folding phase should say 'changed = true' whenever it changes the graph
1733 https://bugs.webkit.org/show_bug.cgi?id=102550
1735 Rubber stamped by Mark Hahnenberg.
1737 * dfg/DFGConstantFoldingPhase.cpp:
1738 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1740 2012-11-17 Elliott Sprehn <esprehn@chromium.org>
1742 Expose JSObject removeDirect and PrivateName to WebCore
1743 https://bugs.webkit.org/show_bug.cgi?id=102546
1745 Reviewed by Geoffrey Garen.
1747 Export removeDirect for use in WebCore so JSDependentRetained works.
1749 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1751 2012-11-16 Filip Pizlo <fpizlo@apple.com>
1753 Given a PutById or GetById with a proven structure, the DFG should be able to emit a PutByOffset or GetByOffset instead
1754 https://bugs.webkit.org/show_bug.cgi?id=102327
1756 Reviewed by Mark Hahnenberg.
1758 If the profiler tells us that a GetById or PutById may be polymorphic but our
1759 control flow analysis proves that it isn't, we should trust the control flow
1760 analysis over the profiler. This arises in cases where GetById or PutById were
1761 inlined: the inlined function may have been called from other places that led
1762 to polymorphism, but in the current inlined context, there is no polymorphism.
1764 * bytecode/CodeBlock.cpp:
1765 (JSC::CodeBlock::dump):
1766 * bytecode/GetByIdStatus.cpp:
1767 (JSC::GetByIdStatus::computeFor):
1769 * bytecode/GetByIdStatus.h:
1770 (JSC::GetByIdStatus::GetByIdStatus):
1772 * bytecode/PutByIdStatus.cpp:
1773 (JSC::PutByIdStatus::computeFor):
1775 * bytecode/PutByIdStatus.h:
1777 (JSC::PutByIdStatus::PutByIdStatus):
1779 * dfg/DFGAbstractState.cpp:
1780 (JSC::DFG::AbstractState::execute):
1781 * dfg/DFGAbstractValue.h:
1782 (JSC::DFG::AbstractValue::bestProvenStructure):
1784 * dfg/DFGConstantFoldingPhase.cpp:
1785 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1786 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
1787 (ConstantFoldingPhase):
1789 (JSC::DFG::Node::convertToGetByOffset):
1791 (JSC::DFG::Node::convertToPutByOffset):
1792 (JSC::DFG::Node::hasStorageResult):
1793 * runtime/JSGlobalObject.h:
1794 (JSC::Structure::prototypeChain):
1796 (JSC::Structure::isValid):
1797 * runtime/Operations.h:
1798 (JSC::isPrototypeChainNormalized):
1800 * runtime/Structure.h:
1802 (JSC::Structure::transitionDidInvolveSpecificValue):
1804 2012-11-16 Tony Chang <tony@chromium.org>
1806 Remove ENABLE_CSS_HIERARCHIES since it's no longer in use
1807 https://bugs.webkit.org/show_bug.cgi?id=102554
1809 Reviewed by Andreas Kling.
1811 As mentioned in https://bugs.webkit.org/show_bug.cgi?id=79939#c41,
1812 we're going to revisit this feature once additional vendor support is
1815 * Configurations/FeatureDefines.xcconfig:
1817 2012-11-16 Patrick Gansterer <paroga@webkit.org>
1819 Build fix for WinCE after r133688.
1821 Use numeric_limits<uint32_t>::max() instead of UINT32_MAX.
1823 * runtime/CodeCache.h:
1824 (JSC::CacheMap::CacheMap):
1826 2012-11-15 Filip Pizlo <fpizlo@apple.com>
1828 ClassInfo.h should have correct indentation.
1830 Rubber stamped by Mark Hahnenberg.
1832 ClassInfo.h had some true creativity in its use of whitespace. Some things within
1833 the namespace were indented four spaces and others were not. One #define had its
1834 contents indented four spaces, while another didn't. I applied the following rule:
1836 - Non-macro things in the namespace should not be indented (that's our current
1839 - Macros should never be indented but if they are multi-line then their subsequent
1840 bodies should be indented four spaces. I believe that is consistent with what we
1843 * runtime/ClassInfo.h:
1847 (JSC::ClassInfo::propHashTable):
1848 (JSC::ClassInfo::isSubClassOf):
1849 (JSC::ClassInfo::hasStaticProperties):
1851 2012-11-15 Filip Pizlo <fpizlo@apple.com>
1853 DFG should copy propagate trivially no-op ConvertThis
1854 https://bugs.webkit.org/show_bug.cgi?id=102445
1856 Reviewed by Oliver Hunt.
1858 Copy propagation is always a good thing, since it reveals must-alias relationships
1859 to the CFA and CSE. This accomplishes copy propagation for ConvertThis by first
1860 converting it to an Identity node (which is done by the constant folder since it
1861 has access to CFA results) and then performing substitution of references to
1862 Identity with references to Identity's child in the CSE.
1864 I'm not aiming for a big speed-up here; I just think that this will be useful for
1865 the work on https://bugs.webkit.org/show_bug.cgi?id=102327.
1867 * dfg/DFGAbstractState.cpp:
1868 (JSC::DFG::AbstractState::execute):
1869 * dfg/DFGCSEPhase.cpp:
1870 (JSC::DFG::CSEPhase::performNodeCSE):
1871 * dfg/DFGConstantFoldingPhase.cpp:
1872 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1873 * dfg/DFGNodeType.h:
1875 * dfg/DFGPredictionPropagationPhase.cpp:
1876 (JSC::DFG::PredictionPropagationPhase::propagate):
1877 * dfg/DFGSpeculativeJIT32_64.cpp:
1878 (JSC::DFG::SpeculativeJIT::compile):
1879 * dfg/DFGSpeculativeJIT64.cpp:
1880 (JSC::DFG::SpeculativeJIT::compile):
1882 2012-11-15 Filip Pizlo <fpizlo@apple.com>
1884 CallData.h should have correct indentation.
1886 Rubber stamped by Mark Hahnenberg.
1888 * runtime/CallData.h:
1891 2012-11-15 Filip Pizlo <fpizlo@apple.com>
1893 Remove methodCallDummy since it is not used anymore.
1895 Rubber stamped by Mark Hahnenberg.
1897 * runtime/JSGlobalObject.cpp:
1898 (JSC::JSGlobalObject::reset):
1900 (JSC::JSGlobalObject::visitChildren):
1901 * runtime/JSGlobalObject.h:
1904 2012-11-14 Filip Pizlo <fpizlo@apple.com>
1906 Structure should be able to easily tell if the prototype chain might intercept a store
1907 https://bugs.webkit.org/show_bug.cgi?id=102326
1909 Reviewed by Geoffrey Garen.
1911 This improves our ability to reason about the correctness of the more optimized
1912 prototype chain walk in JSObject::put(), while also making it straightforward to
1913 check if the prototype chain will do strange things to a property store by just
1914 looking at the structure.
1916 * runtime/JSObject.cpp:
1917 (JSC::JSObject::put):
1918 * runtime/Structure.cpp:
1919 (JSC::Structure::prototypeChainMayInterceptStoreTo):
1921 * runtime/Structure.h:
1924 2012-11-15 Thiago Marcos P. Santos <thiago.santos@intel.com>
1926 [CMake] Do not regenerate LLIntAssembly.h on every incremental build
1927 https://bugs.webkit.org/show_bug.cgi?id=102248
1929 Reviewed by Kenneth Rohde Christiansen.
1931 Update LLIntAssembly.h's mtime after running asm.rb to make the build
1932 system dependency tracking consistent.
1936 2012-11-15 Thiago Marcos P. Santos <thiago.santos@intel.com>
1938 Fix compiler warnings about signed/unsigned comparison on i386
1939 https://bugs.webkit.org/show_bug.cgi?id=102249
1941 Reviewed by Kenneth Rohde Christiansen.
1943 Add casting to unsigned to shut up gcc warnings. Build was broken on
1944 JSVALUE32_64 ports compiling with -Werror.
1946 * llint/LLIntData.cpp:
1947 (JSC::LLInt::Data::performAssertions):
1949 2012-11-14 Brent Fulgham <bfulgham@webkit.org>
1951 [Windows, WinCairo] Unreviewed build fix.
1953 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1954 Missed one of the exports that was part of the WebKit2.def.
1956 2012-11-14 Brent Fulgham <bfulgham@webkit.org>
1958 [Windows, WinCairo] Correct build failure.
1959 https://bugs.webkit.org/show_bug.cgi?id=102302
1961 WebCore symbols were mistakenly added to the JavaScriptCore
1962 library definition file.
1964 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Remove
1965 WebCore symbols that were incorrectly added to the export file.
1967 2012-11-14 Mark Lam <mark.lam@apple.com>
1969 Change JSEventListener::m_jsFunction to be a weak ref.
1970 https://bugs.webkit.org/show_bug.cgi?id=101989.
1972 Reviewed by Geoffrey Garen.
1974 Added infrastructure for scanning weak ref slots.
1976 * heap/SlotVisitor.cpp: Added #include "SlotVisitorInlines.h".
1977 * heap/SlotVisitor.h:
1978 (SlotVisitor): Added SlotVisitor::appendUnbarrieredWeak().
1979 * heap/SlotVisitorInlines.h: Added #include "Weak.h".
1980 (JSC::SlotVisitor::appendUnbarrieredWeak): Added.
1982 (JSC::operator==): Added operator==() for Weak.
1983 * runtime/JSCell.h: Removed #include "SlotVisitorInlines.h".
1984 * runtime/JSObject.h: Added #include "SlotVisitorInlines.h".
1986 2012-11-14 Filip Pizlo <fpizlo@apple.com>
1988 Read-only properties created with putDirect() should tell the structure that there are read-only properties
1989 https://bugs.webkit.org/show_bug.cgi?id=102292
1991 Reviewed by Gavin Barraclough.
1993 This mostly affects things like function.length.
1995 * runtime/JSObject.h:
1996 (JSC::JSObject::putDirectInternal):
1998 2012-11-13 Filip Pizlo <fpizlo@apple.com>
2000 Don't access Node& after adding nodes to the graph.
2001 https://bugs.webkit.org/show_bug.cgi?id=102005
2003 Reviewed by Oliver Hunt.
2005 * dfg/DFGFixupPhase.cpp:
2006 (JSC::DFG::FixupPhase::fixupNode):
2008 2012-11-14 Valery Ignatyev <valery.ignatyev@ispras.ru>
2010 Replace (typeof(x) != <"object", "undefined", ...>) with
2011 !(typeof(x) == <"object",..>). Later is_object, is_<...> bytecode operation
2014 https://bugs.webkit.org/show_bug.cgi?id=98893
2016 Reviewed by Filip Pizlo.
2018 This eliminates expensive typeof implementation and
2019 allows us to use DFG optimizations, which don't support 'typeof'.
2021 * bytecompiler/NodesCodegen.cpp:
2022 (JSC::BinaryOpNode::emitBytecode):
2024 2012-11-14 Peter Gal <galpeter@inf.u-szeged.hu>
2026 [Qt][ARM]REGRESSION(r133985): It broke the build
2027 https://bugs.webkit.org/show_bug.cgi?id=101740
2029 Reviewed by Csaba Osztrogonác.
2031 Changed the emitGenericContiguousPutByVal to accept the additional IndexingType argument.
2032 This information was passed as a template parameter.
2035 (JSC::JIT::emitInt32PutByVal):
2036 (JSC::JIT::emitDoublePutByVal):
2037 (JSC::JIT::emitContiguousPutByVal):
2039 * jit/JITPropertyAccess.cpp:
2040 (JSC::JIT::emitGenericContiguousPutByVal):
2041 * jit/JITPropertyAccess32_64.cpp:
2042 (JSC::JIT::emitGenericContiguousPutByVal):
2044 2012-11-14 Peter Gal <galpeter@inf.u-szeged.hu>
2046 Fix the MIPS build after r134332
2047 https://bugs.webkit.org/show_bug.cgi?id=102227
2049 Reviewed by Csaba Osztrogonác.
2051 Added missing methods for the MacroAssemblerMIPS, based on the MacroAssemblerARMv7.
2053 * assembler/MacroAssemblerMIPS.h:
2054 (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranchPtrWithPatch):
2055 (MacroAssemblerMIPS):
2056 (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatch):
2057 (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
2059 2012-11-14 Peter Gal <galpeter@inf.u-szeged.hu>
2061 Fix the [-Wreturn-type] warning in JavaScriptCore/assembler/MacroAssemblerARM.h
2062 https://bugs.webkit.org/show_bug.cgi?id=102206
2064 Reviewed by Csaba Osztrogonác.
2066 Add a return value for the function to suppress the warning.
2068 * assembler/MacroAssemblerARM.h:
2069 (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch):
2071 2012-11-14 Sheriff Bot <webkit.review.bot@gmail.com>
2073 Unreviewed, rolling out r134599.
2074 http://trac.webkit.org/changeset/134599
2075 https://bugs.webkit.org/show_bug.cgi?id=102225
2077 It broke the 32 bit EFL build (Requested by Ossy on #webkit).
2079 * jit/JITPropertyAccess.cpp:
2080 * jit/JITPropertyAccess32_64.cpp:
2082 (JSC::JIT::emitGenericContiguousPutByVal):
2084 2012-11-14 Balazs Kilvady <kilvadyb@homejinni.com>
2086 [Qt][ARM]REGRESSION(r133985): It broke the build
2087 https://bugs.webkit.org/show_bug.cgi?id=101740
2089 Reviewed by Csaba Osztrogonác.
2091 Template function body moved to fix VALUE_PROFILER disabled case.
2093 * jit/JITPropertyAccess.cpp:
2095 (JSC::JIT::emitGenericContiguousPutByVal):
2096 * jit/JITPropertyAccess32_64.cpp:
2098 2012-11-13 Filip Pizlo <fpizlo@apple.com>
2100 DFG CreateThis should be able to statically account for the structure of the object it creates, if profiling indicates that this structure is always the same
2101 https://bugs.webkit.org/show_bug.cgi?id=102017
2103 Reviewed by Geoffrey Garen.
2105 This adds a watchpoint in JSFunction on the cached inheritor ID. It also changes
2106 NewObject to take a structure as an operand (previously it implicitly used the owning
2107 global object's empty object structure). Any GetCallee where the callee is predictable
2108 is turned into a CheckFunction + WeakJSConstant, and any CreateThis on a WeakJSConstant
2109 where the inheritor ID watchpoint is still valid is turned into an InheritorIDWatchpoint
2110 followed by a NewObject. NewObject already accounts for the structure it uses for object
2111 creation in the CFA.
2113 * dfg/DFGAbstractState.cpp:
2114 (JSC::DFG::AbstractState::execute):
2115 * dfg/DFGByteCodeParser.cpp:
2116 (JSC::DFG::ByteCodeParser::parseBlock):
2117 * dfg/DFGCSEPhase.cpp:
2118 (JSC::DFG::CSEPhase::checkFunctionElimination):
2120 (JSC::DFG::Graph::dump):
2122 (JSC::DFG::Node::hasFunction):
2123 (JSC::DFG::Node::function):
2124 (JSC::DFG::Node::hasStructure):
2125 * dfg/DFGNodeType.h:
2127 * dfg/DFGOperations.cpp:
2128 * dfg/DFGOperations.h:
2129 * dfg/DFGPredictionPropagationPhase.cpp:
2130 (JSC::DFG::PredictionPropagationPhase::propagate):
2131 * dfg/DFGSpeculativeJIT.h:
2132 (JSC::DFG::SpeculativeJIT::callOperation):
2133 * dfg/DFGSpeculativeJIT32_64.cpp:
2134 (JSC::DFG::SpeculativeJIT::compile):
2135 * dfg/DFGSpeculativeJIT64.cpp:
2136 (JSC::DFG::SpeculativeJIT::compile):
2137 * runtime/Executable.h:
2138 (JSC::JSFunction::JSFunction):
2139 * runtime/JSBoundFunction.cpp:
2141 * runtime/JSFunction.cpp:
2142 (JSC::JSFunction::JSFunction):
2143 (JSC::JSFunction::put):
2144 (JSC::JSFunction::defineOwnProperty):
2145 * runtime/JSFunction.h:
2146 (JSC::JSFunction::tryGetKnownInheritorID):
2148 (JSC::JSFunction::addInheritorIDWatchpoint):
2150 2012-11-13 Filip Pizlo <fpizlo@apple.com>
2152 JSFunction and its descendants should be destructible
2153 https://bugs.webkit.org/show_bug.cgi?id=102062
2155 Reviewed by Mark Hahnenberg.
2157 This will make it easy to place an InlineWatchpointSet inside JSFunction. In the
2158 future, we could make JSFunction non-destructible again by making a version of
2159 WatchpointSet that is entirely GC'd, but this seems like overkill for now.
2161 This is performance-neutral.
2163 * runtime/JSBoundFunction.cpp:
2164 (JSC::JSBoundFunction::destroy):
2166 * runtime/JSBoundFunction.h:
2168 * runtime/JSFunction.cpp:
2170 (JSC::JSFunction::destroy):
2171 * runtime/JSFunction.h:
2174 2012-11-13 Cosmin Truta <ctruta@rim.com>
2176 Uninitialized fields in class JSLock
2177 https://bugs.webkit.org/show_bug.cgi?id=101695
2179 Reviewed by Mark Hahnenberg.
2181 Initialize JSLock::m_ownerThread and JSLock::m_lockDropDepth.
2183 * runtime/JSLock.cpp:
2184 (JSC::JSLock::JSLock):
2186 2012-11-13 Peter Gal <galpeter@inf.u-szeged.hu>
2188 Fix the ARM traditional build after r134332
2189 https://bugs.webkit.org/show_bug.cgi?id=102044
2191 Reviewed by Zoltan Herczeg.
2193 Added missing methods for the MacroAssemblerARM, based on the MacroAssemblerARMv7.
2195 * assembler/MacroAssemblerARM.h:
2196 (JSC::MacroAssemblerARM::canJumpReplacePatchableBranchPtrWithPatch):
2197 (MacroAssemblerARM):
2198 (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch):
2199 (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
2201 2012-11-12 Filip Pizlo <fpizlo@apple.com>
2203 op_get_callee should have value profiling
2204 https://bugs.webkit.org/show_bug.cgi?id=102047
2206 Reviewed by Sam Weinig.
2208 This will allow us to detect if the callee is always the same, which is probably
2209 the common case for a lot of constructors.
2211 * bytecode/CodeBlock.cpp:
2212 (JSC::CodeBlock::CodeBlock):
2213 * bytecode/Opcode.h:
2215 (JSC::padOpcodeName):
2216 * bytecompiler/BytecodeGenerator.cpp:
2217 (JSC::BytecodeGenerator::BytecodeGenerator):
2218 * jit/JITOpcodes.cpp:
2219 (JSC::JIT::emit_op_get_callee):
2220 * jit/JITOpcodes32_64.cpp:
2221 (JSC::JIT::emit_op_get_callee):
2222 * llint/LowLevelInterpreter32_64.asm:
2223 * llint/LowLevelInterpreter64.asm:
2225 2012-11-12 Filip Pizlo <fpizlo@apple.com>
2227 The act of getting the callee during 'this' construction should be explicit in bytecode
2228 https://bugs.webkit.org/show_bug.cgi?id=102016
2230 Reviewed by Michael Saboff.
2232 This is mostly a rollout of http://trac.webkit.org/changeset/116673, but also includes
2233 changes to have create_this use the result of get_callee.
2235 No performance or behavioral impact. This is just meant to allow us to profile
2236 get_callee in the future.
2238 * bytecode/CodeBlock.cpp:
2239 (JSC::CodeBlock::dump):
2240 * bytecode/Opcode.h:
2242 (JSC::padOpcodeName):
2243 * bytecompiler/BytecodeGenerator.cpp:
2244 (JSC::BytecodeGenerator::BytecodeGenerator):
2245 * dfg/DFGByteCodeParser.cpp:
2246 (JSC::DFG::ByteCodeParser::parseBlock):
2247 * dfg/DFGCapabilities.h:
2248 (JSC::DFG::canCompileOpcode):
2250 (JSC::JIT::privateCompileMainPass):
2253 * jit/JITOpcodes.cpp:
2254 (JSC::JIT::emit_op_get_callee):
2256 (JSC::JIT::emit_op_create_this):
2257 * jit/JITOpcodes32_64.cpp:
2258 (JSC::JIT::emit_op_get_callee):
2260 (JSC::JIT::emit_op_create_this):
2261 * llint/LLIntSlowPaths.cpp:
2262 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2263 * llint/LowLevelInterpreter32_64.asm:
2264 * llint/LowLevelInterpreter64.asm:
2266 2012-11-12 Filip Pizlo <fpizlo@apple.com>
2268 Unreviewed, fix ARMv7 build.
2270 * assembler/MacroAssemblerARMv7.h:
2271 (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatch):
2272 (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
2274 2012-11-12 Filip Pizlo <fpizlo@apple.com>
2276 Patching of jumps to stubs should use jump replacement rather than branch destination overwrite
2277 https://bugs.webkit.org/show_bug.cgi?id=101909
2279 Reviewed by Geoffrey Garen.
2281 This saves a few instructions in inline cases, on those architectures where it is
2282 easy to figure out where to put the jump replacement. Sub-1% speed-up across the
2285 * assembler/MacroAssemblerARMv7.h:
2286 (MacroAssemblerARMv7):
2287 (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranchPtrWithPatch):
2288 (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatch):
2289 (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
2290 * assembler/MacroAssemblerX86.h:
2291 (JSC::MacroAssemblerX86::canJumpReplacePatchableBranchPtrWithPatch):
2292 (MacroAssemblerX86):
2293 (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatch):
2294 (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
2295 * assembler/MacroAssemblerX86_64.h:
2296 (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranchPtrWithPatch):
2297 (MacroAssemblerX86_64):
2298 (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatch):
2299 (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
2300 * assembler/RepatchBuffer.h:
2301 (JSC::RepatchBuffer::startOfPatchableBranchPtrWithPatch):
2303 (JSC::RepatchBuffer::replaceWithJump):
2304 (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranchPtrWithPatch):
2305 * assembler/X86Assembler.h:
2307 (JSC::X86Assembler::revertJumpTo_movq_i64r):
2308 (JSC::X86Assembler::revertJumpTo_cmpl_im_force32):
2309 (X86InstructionFormatter):
2310 * bytecode/StructureStubInfo.h:
2311 * dfg/DFGRepatch.cpp:
2312 (JSC::DFG::replaceWithJump):
2314 (JSC::DFG::tryCacheGetByID):
2315 (JSC::DFG::tryBuildGetByIDList):
2316 (JSC::DFG::tryBuildGetByIDProtoList):
2317 (JSC::DFG::tryCachePutByID):
2318 (JSC::DFG::dfgResetGetByID):
2319 (JSC::DFG::dfgResetPutByID):
2321 2012-11-11 Filip Pizlo <fpizlo@apple.com>
2323 DFG ArithMul overflow check elimination is too aggressive
2324 https://bugs.webkit.org/show_bug.cgi?id=101871
2326 Reviewed by Oliver Hunt.
2328 The code was ignoring the fact that ((a * b) | 0) == (((a | 0) * (b | 0)) | 0)
2329 only holds if a * b < 2^53. So, I changed it to only enable the optimization
2330 when a < 2^22 and b is an int32 (and vice versa), using a super trivial peephole
2331 analysis to prove the inequality. I considered writing an epic forward flow
2332 formulation that tracks the ranges of integer values but then I thought better
2335 This also rewires the ArithMul integer speculation logic. Previously, we would
2336 assume that an ArithMul was only UsedAsNumber if it escaped, and separately we
2337 would decide whether to speculate integer based on a proof of the <2^22
2338 inequality. Now, we treat the double rounding behavior of ArithMul as if the
2339 result was UsedAsNumber even if it did not escape. Then we try to prove that
2340 double rounding cannot happen by attempting to prove that a < 2^22. This then
2341 feeds back into the decision of whether or not to speculate integer (if we fail
2342 to prove a < 2^22 then we're UsedAsNumber, and if we're also MayOverflow then
2343 that forces double speculation).
2345 No performance impact. It just fixes a bug.
2348 (JSC::DFG::Graph::mulShouldSpeculateInteger):
2349 * dfg/DFGPredictionPropagationPhase.cpp:
2350 (PredictionPropagationPhase):
2351 (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
2352 (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
2353 (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
2354 (JSC::DFG::PredictionPropagationPhase::propagate):
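The identity and its side condition from the entry above, as an added illustration in JavaScript (this is not JavaScriptCore code; `foldIsProvable` is my own stand-in for the peephole proof the entry describes, and the operand values are constructed):

```javascript
// Added illustration (not JavaScriptCore code): why the ArithMul fold
// needs the "a < 2^22 and b is int32" side condition before the
// overflow check can be dropped.

// What the optimized int32 path computes: an exact 32-bit wrapping multiply.
function wrapExact(a, b) {
  return Math.imul(a, b);
}

// What JavaScript semantics require: a double multiply (rounded to 53
// significant bits) followed by ToInt32 via `| 0`.
function wrapViaDouble(a, b) {
  return (a * b) | 0;
}

// Hypothetical stand-in for the peephole proof: the fold is only allowed
// when one operand is provably below 2^22 in magnitude and the other is a
// 32-bit integer, so |a * b| < 2^53 and the double multiply is exact.
function foldIsProvable(a, b) {
  const isInt32 = (x) => (x | 0) === x;
  const below22 = (x) => Number.isInteger(x) && Math.abs(x) < 2 ** 22;
  return (below22(a) && isInt32(b)) || (isInt32(a) && below22(b));
}

// Compare the two computations for one operand pair.
function compare(a, b) {
  const exact = wrapExact(a, b);
  const viaDouble = wrapViaDouble(a, b);
  return {
    proven: foldIsProvable(a, b),
    agree: exact === viaDouble,
    exact,
    viaDouble,
  };
}

// Case 1 (constructed): a = 2^27 + 1 squared. The exact product
// 2^54 + 2^28 + 1 needs 55 significant bits; the double rounds it to
// 2^54 + 2^28, so `| 0` yields 2^28 instead of 2^28 + 1.
const BIG = 2 ** 27 + 1;
// Case 2 (constructed): the largest a the proof accepts times the largest
// int32; the product is below 2^53, so both paths agree.
const SMALL = 2 ** 22 - 1;
const MAX_INT32 = 2 ** 31 - 1;

console.log(compare(BIG, BIG));         // proven: false, agree: false
console.log(compare(SMALL, MAX_INT32)); // proven: true, agree: true
```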
2356 2012-11-11 Filip Pizlo <fpizlo@apple.com>
2358 DFG should not emit function checks if we've already proved that the operand is that exact function
2359 https://bugs.webkit.org/show_bug.cgi?id=101885
2361 Reviewed by Oliver Hunt.
2363 * dfg/DFGAbstractState.cpp:
2364 (JSC::DFG::AbstractState::execute):
2365 * dfg/DFGAbstractValue.h:
2366 (JSC::DFG::AbstractValue::filterByValue):
2368 * dfg/DFGConstantFoldingPhase.cpp:
2369 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2371 2012-11-12 Kentaro Hara <haraken@chromium.org>
2373 [V8][JSC] ScriptProfileNode::callUID needs not to be [Custom]
2374 https://bugs.webkit.org/show_bug.cgi?id=101892
2376 Reviewed by Adam Barth.
2378 Added callUID(), which enables us to kill custom bindings for ScriptProfileNode::callUID.
2380 * profiler/ProfileNode.h:
2381 (JSC::ProfileNode::callUID):
2383 2012-11-12 Carlos Garcia Campos <cgarcia@igalia.com>
2385 Unreviewed. Fix make distcheck.
2387 * GNUmakefile.list.am: Add missing header.
2389 2012-11-11 Michael Pruett <michael@68k.org>
2391 Fix assertion failure in JSObject::tryGetIndexQuickly()
2392 https://bugs.webkit.org/show_bug.cgi?id=101869
2394 Reviewed by Filip Pizlo.
2396 Currently JSObject::tryGetIndexQuickly() triggers an assertion
2397 failure when the object has an undecided indexing type. This
2398 case should be treated the same as a blank indexing type.
2400 * runtime/JSObject.h:
2401 (JSC::JSObject::tryGetIndexQuickly):
2403 2012-11-11 Filip Pizlo <fpizlo@apple.com>
2405 DFG register allocation should be greedy rather than round-robin
2406 https://bugs.webkit.org/show_bug.cgi?id=101870
2408 Reviewed by Geoffrey Garen.
2410 This simplifies the code, reduces some code duplication, and shows some slight
2411 performance improvements in a few places, likely due to the fact that lower-numbered
2412 registers also typically have smaller encodings.
2414 * dfg/DFGRegisterBank.h:
2415 (JSC::DFG::RegisterBank::RegisterBank):
2416 (JSC::DFG::RegisterBank::tryAllocate):
2417 (JSC::DFG::RegisterBank::allocate):
2418 (JSC::DFG::RegisterBank::allocateInternal):
2421 2012-11-11 Kenichi Ishibashi <bashi@chromium.org>
2423 WTFString::utf8() should have a mode of conversion to use replacement character
2424 https://bugs.webkit.org/show_bug.cgi?id=101678
2426 Reviewed by Alexey Proskuryakov.
2428 Follow the change on String::utf8()
2430 * runtime/JSGlobalObjectFunctions.cpp:
2431 (JSC::encode): Pass String::StrictConversion instead of true to String::utf8().
2433 2012-11-10 Filip Pizlo <fpizlo@apple.com>
2435 DFG should optimize out the NaN check on loads from double arrays if the array prototype chain is having a great time
2436 https://bugs.webkit.org/show_bug.cgi?id=101718
2438 Reviewed by Geoffrey Garen.
2440 If we're reading from a JSArray in double mode, where the array's structure is
2441 primordial (all aspects of the structure are unchanged except for indexing type),
2442 and the result of the load is used in arithmetic that is known to not distinguish
2443 between NaN and undefined, then we should not emit a NaN check. Looks like a 5%
2444 win on navier-stokes.
2446 Also fixed an OpInfo initialization goof for String ops that was revealed by this
2449 * dfg/DFGAbstractState.cpp:
2450 (JSC::DFG::AbstractState::execute):
2451 * dfg/DFGArrayMode.cpp:
2452 (JSC::DFG::arraySpeculationToString):
2453 * dfg/DFGArrayMode.h:
2454 (JSC::DFG::ArrayMode::isSaneChain):
2456 (JSC::DFG::ArrayMode::isInBounds):
2457 * dfg/DFGByteCodeParser.cpp:
2458 (JSC::DFG::ByteCodeParser::handleIntrinsic):
2459 * dfg/DFGFixupPhase.cpp:
2460 (JSC::DFG::FixupPhase::fixupNode):
2461 * dfg/DFGNodeFlags.cpp:
2462 (JSC::DFG::nodeFlagsAsString):
2463 * dfg/DFGNodeFlags.h:
2465 * dfg/DFGPredictionPropagationPhase.cpp:
2466 (JSC::DFG::PredictionPropagationPhase::propagate):
2467 * dfg/DFGSpeculativeJIT32_64.cpp:
2468 (JSC::DFG::SpeculativeJIT::compile):
2469 * dfg/DFGSpeculativeJIT64.cpp:
2470 (JSC::DFG::SpeculativeJIT::compile):
2471 * runtime/JSGlobalObject.cpp:
2472 (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
2474 * runtime/JSGlobalObject.h:
2477 2012-11-10 Filip Pizlo <fpizlo@apple.com>
2479 DFG constant folding and CFG simplification should be smart enough to know that if a logical op's operand is proven to have a non-masquerading structure then it always evaluates to true
2480 https://bugs.webkit.org/show_bug.cgi?id=101511
2482 Reviewed by Geoffrey Garen.
2484 This is the second attempt at this patch, which fixes the !"" case.
2486 To make life easier, this moves BranchDirection into BasicBlock so that after
2487 running the CFA, we always know, for each block, what direction the CFA
2488 proved. CFG simplification now both uses and preserves cfaBranchDirection in
2489 its transformations.
2491 Also made both LogicalNot and Branch check whether the operand is a known cell
2492 with a known structure, and if so, made them do the appropriate folding.
2494 5% speed-up on V8/raytrace because it makes raytrace's own null checks
2495 evaporate (i.e. idioms like 'if (!x) throw "unhappiness"') thanks to the fact
2496 that we were already doing structure check hoisting.
2498 * JavaScriptCore.xcodeproj/project.pbxproj:
2499 * dfg/DFGAbstractState.cpp:
2500 (JSC::DFG::AbstractState::endBasicBlock):
2501 (JSC::DFG::AbstractState::execute):
2502 (JSC::DFG::AbstractState::mergeToSuccessors):
2503 * dfg/DFGAbstractState.h:
2505 * dfg/DFGBasicBlock.h:
2506 (JSC::DFG::BasicBlock::BasicBlock):
2508 * dfg/DFGBranchDirection.h: Added.
2510 (JSC::DFG::branchDirectionToString):
2511 (JSC::DFG::isKnownDirection):
2512 (JSC::DFG::branchCondition):
2513 * dfg/DFGCFGSimplificationPhase.cpp:
2514 (JSC::DFG::CFGSimplificationPhase::run):
2515 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
2517 2012-11-10 Sheriff Bot <webkit.review.bot@gmail.com>
2519 Unreviewed, rolling out r133971.
2520 http://trac.webkit.org/changeset/133971
2521 https://bugs.webkit.org/show_bug.cgi?id=101839
2523 Causes WebProcess to hang at 100% on www.apple.com (Requested
2524 by kling on #webkit).
2526 * JavaScriptCore.xcodeproj/project.pbxproj:
2527 * dfg/DFGAbstractState.cpp:
2528 (JSC::DFG::AbstractState::endBasicBlock):
2529 (JSC::DFG::AbstractState::execute):
2530 (JSC::DFG::AbstractState::mergeToSuccessors):
2531 * dfg/DFGAbstractState.h:
2532 (JSC::DFG::AbstractState::branchDirectionToString):
2534 * dfg/DFGBasicBlock.h:
2535 (JSC::DFG::BasicBlock::BasicBlock):
2537 * dfg/DFGBranchDirection.h: Removed.
2538 * dfg/DFGCFGSimplificationPhase.cpp:
2539 (JSC::DFG::CFGSimplificationPhase::run):
2540 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
2542 2012-11-09 Filip Pizlo <fpizlo@apple.com>
2544 If the DFG ArrayMode says that an access is on an OriginalArray, then the checks should always enforce this
2545 https://bugs.webkit.org/show_bug.cgi?id=101720
2547 Reviewed by Mark Hahnenberg.
2549 Previously, "original" arrays were just a hint that we could find the structure
2550 of the array if we needed to even if the array profile didn't have it due to
2551 polymorphism. Now, "original" arrays are a property that is actually checked:
2552 if an array access has ArrayMode::arrayClass() == Array::OriginalArray, then we
2553 can be sure that the code performing the access is dealing with not just a
2554 JSArray, but a JSArray that has no named properties, no indexed accessors, and
2555 the ArrayPrototype as its prototype. This will be useful for optimizations that
2556 are being done as part of https://bugs.webkit.org/show_bug.cgi?id=101720.
2558 * dfg/DFGAbstractState.cpp:
2559 (JSC::DFG::AbstractState::execute):
2560 * dfg/DFGArrayMode.cpp:
2561 (JSC::DFG::ArrayMode::originalArrayStructure):
2563 (JSC::DFG::ArrayMode::alreadyChecked):
2564 * dfg/DFGArrayMode.h:
2567 (JSC::DFG::ArrayMode::withProfile):
2569 (JSC::DFG::ArrayMode::benefitsFromOriginalArray):
2570 * dfg/DFGConstantFoldingPhase.cpp:
2571 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2572 * dfg/DFGFixupPhase.cpp:
2573 (JSC::DFG::FixupPhase::checkArray):
2574 * dfg/DFGSpeculativeJIT.cpp:
2575 (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2576 (JSC::DFG::SpeculativeJIT::checkArray):
2577 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2578 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
2579 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2580 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2581 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2582 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
2584 2012-11-09 Filip Pizlo <fpizlo@apple.com>
2586 Fix indentation of BooleanPrototype.h
2588 Rubber stamped by Mark Hahnenberg.
2590 * runtime/BooleanPrototype.h:
2592 2012-11-09 Filip Pizlo <fpizlo@apple.com>
2594 Fix indentation of BooleanObject.h
2596 Rubber stamped by Mark Hahnenberg.
2598 * runtime/BooleanObject.h:
2600 2012-11-09 Filip Pizlo <fpizlo@apple.com>
2602 Fix indentation of BooleanConstructor.h
2604 Rubber stamped by Mark Hahnenberg.
2606 * runtime/BooleanConstructor.h:
2608 2012-11-09 Filip Pizlo <fpizlo@apple.com>
2610 Fix indentation of BatchedTransitionOptimizer.h
2612 Rubber stamped by Mark Hahnenberg.
2614 * runtime/BatchedTransitionOptimizer.h:
2616 2012-11-09 Oliver Hunt <oliver@apple.com>
2618 So Thingy probably isn't the best name for a class, so
2619 renamed to CacheMap.
2623 * runtime/CodeCache.h:
2624 (JSC::CacheMap::CacheMap):
2626 2012-11-09 Filip Pizlo <fpizlo@apple.com>
2628 ArrayPrototype should start out with a blank indexing type
2629 https://bugs.webkit.org/show_bug.cgi?id=101719
2631 Reviewed by Mark Hahnenberg.
2633 This allows us to track if the array prototype ever ends up with indexed
2636 * runtime/ArrayPrototype.cpp:
2637 (JSC::ArrayPrototype::create):
2638 (JSC::ArrayPrototype::ArrayPrototype):
2639 * runtime/ArrayPrototype.h:
2641 (JSC::ArrayPrototype::createStructure):
2643 2012-11-08 Mark Hahnenberg <mhahnenberg@apple.com>
2645 MarkStackArray should use the BlockAllocator instead of the MarkStackSegmentAllocator
2646 https://bugs.webkit.org/show_bug.cgi?id=101642
2648 Reviewed by Filip Pizlo.
2650 MarkStackSegmentAllocator is like a miniature version of the BlockAllocator. Now that the BlockAllocator has support
2651 for a variety of block sizes, we should get rid of the MarkStackSegmentAllocator in favor of the BlockAllocator.
2653 * heap/BlockAllocator.h: Add new specializations of regionSetFor for the new MarkStackSegments.
2655 (JSC::MarkStackSegment):
2656 * heap/GCThreadSharedData.cpp:
2657 (JSC::GCThreadSharedData::GCThreadSharedData):
2658 (JSC::GCThreadSharedData::reset):
2659 * heap/GCThreadSharedData.h:
2660 (GCThreadSharedData):
2661 * heap/MarkStack.cpp:
2662 (JSC::MarkStackArray::MarkStackArray): We now have a doubly linked list of MarkStackSegments, so we need to refactor
2663 all the places that used the old custom tail/previous logic.
2664 (JSC::MarkStackArray::~MarkStackArray):
2665 (JSC::MarkStackArray::expand):
2666 (JSC::MarkStackArray::refill):
2667 (JSC::MarkStackArray::donateSomeCellsTo): Refactor to use the new linked list.
2668 (JSC::MarkStackArray::stealSomeCellsFrom): Ditto.
2672 (JSC::MarkStackSegment::MarkStackSegment):
2673 (JSC::MarkStackSegment::sizeFromCapacity):
2675 * heap/MarkStackInlines.h:
2676 (JSC::MarkStackSegment::create):
2678 (JSC::MarkStackArray::postIncTop):
2679 (JSC::MarkStackArray::preDecTop):
2680 (JSC::MarkStackArray::setTopForFullSegment):
2681 (JSC::MarkStackArray::setTopForEmptySegment):
2682 (JSC::MarkStackArray::top):
2683 (JSC::MarkStackArray::validatePrevious):
2684 (JSC::MarkStackArray::append):
2685 (JSC::MarkStackArray::removeLast):
2686 (JSC::MarkStackArray::isEmpty):
2687 (JSC::MarkStackArray::size):
2688 * heap/SlotVisitor.cpp:
2689 (JSC::SlotVisitor::SlotVisitor):
2691 2012-11-09 Gabor Ballabas <gaborb@inf.u-szeged.hu>
2693 [Qt] r133953 broke the ARM_TRADITIONAL build
2694 https://bugs.webkit.org/show_bug.cgi?id=101706
2696 Reviewed by Csaba Osztrogonác.
2698 Fix for both hardfp and softfp.
2700 * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):

2012-11-09  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r134051.
        http://trac.webkit.org/changeset/134051
        https://bugs.webkit.org/show_bug.cgi?id=101757

        It didn't fix the build (Requested by Ossy on #webkit).

        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):

2012-11-09  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        [Qt] r133953 broke the ARM_TRADITIONAL build
        https://bugs.webkit.org/show_bug.cgi?id=101706

        Reviewed by Csaba Osztrogonác.

        Fix the ARM_TRADITIONAL build after r133953.

        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):

2012-11-09  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt] Fix the LLINT build from ARMv7 platform
        https://bugs.webkit.org/show_bug.cgi?id=101712

        Reviewed by Simon Hausmann.

        Enable generation of LLIntAssembly.h on ARM platforms.

        * DerivedSources.pri:
        * JavaScriptCore.pro:

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        ArrayPrototype.h should have correct indentation

        Rubber stamped by Sam Weinig.

        * runtime/ArrayPrototype.h:

2012-11-08  Mark Lam  <mark.lam@apple.com>

        Renamed ...InlineMethods.h files to ...Inlines.h.
        https://bugs.webkit.org/show_bug.cgi?id=101145.

        Reviewed by Geoffrey Garen.

        This is only a refactoring effort to rename the files. There are no
        functionality changes.

        * API/JSObjectRef.cpp:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        * dfg/DFGOperations.cpp:
        * heap/ConservativeRoots.cpp:
        * heap/CopiedBlock.h:
        * heap/CopiedSpace.cpp:
        * heap/CopiedSpaceInlineMethods.h: Removed.
        * heap/CopiedSpaceInlines.h: Copied from Source/JavaScriptCore/heap/CopiedSpaceInlineMethods.h.
        * heap/CopyVisitor.cpp:
        * heap/CopyVisitorInlineMethods.h: Removed.
        * heap/CopyVisitorInlines.h: Copied from Source/JavaScriptCore/heap/CopyVisitorInlineMethods.h.
        * heap/GCThread.cpp:
        * heap/GCThreadSharedData.cpp:
        * heap/HandleStack.cpp:
        * heap/HeapRootVisitor.h:
        * heap/MarkStack.cpp:
        * heap/MarkStackInlineMethods.h: Removed.
        * heap/MarkStackInlines.h: Copied from Source/JavaScriptCore/heap/MarkStackInlineMethods.h.
        * heap/SlotVisitor.cpp:
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlineMethods.h: Removed.
        * heap/SlotVisitorInlines.h: Copied from Source/JavaScriptCore/heap/SlotVisitorInlineMethods.h.
        * jit/HostCallReturnValue.cpp:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITInlineMethods.h: Removed.
        * jit/JITInlines.h: Copied from Source/JavaScriptCore/jit/JITInlineMethods.h.
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/ButterflyInlineMethods.h: Removed.
        * runtime/ButterflyInlines.h: Copied from Source/JavaScriptCore/runtime/ButterflyInlineMethods.h.
        * runtime/IndexingHeaderInlineMethods.h: Removed.
        * runtime/IndexingHeaderInlines.h: Copied from Source/JavaScriptCore/runtime/IndexingHeaderInlineMethods.h.
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
        * runtime/JSObject.cpp:
        * runtime/JSValueInlineMethods.h: Removed.
        * runtime/JSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlineMethods.h.
        * runtime/LiteralParser.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/Operations.h:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/StringPrototype.cpp:

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        ArrayConstructor.h should have correct indentation

        Rubber stamped by Sam Weinig.

        * runtime/ArrayConstructor.h:

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should know that int == null is always false
        https://bugs.webkit.org/show_bug.cgi?id=101665

        Reviewed by Oliver Hunt.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        Arguments.h should have correct indentation

        Rubber stamped by Sam Weinig.

        * runtime/Arguments.h:

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to JIT compile get_by_vals and put_by_vals even if the DFG is disabled.

        Reviewed by Oliver Hunt.

        * jit/JITInlineMethods.h:
        (JSC::JIT::chooseArrayMode):

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        op_call should have LLInt call link info even if the DFG is disabled
        https://bugs.webkit.org/show_bug.cgi?id=101672

        Reviewed by Oliver Hunt.

        Get rid of the evil uses of fall-through.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2012-11-08  Oliver Hunt  <oliver@apple.com>

        Improve effectiveness of function-level caching
        https://bugs.webkit.org/show_bug.cgi?id=101667

        Reviewed by Filip Pizlo.

        Added a random-eviction based cache for unlinked functions, and switched
        UnlinkedFunctionExecutable's code references to Weak<>, thereby letting
        us remove the explicit UnlinkedFunctionExecutable::clearCode() calls that
        were being triggered by GC.

        Refactored the random eviction part of the CodeCache into a separate data
        structure so that I didn't have to duplicate the code again, and then used
        that for the new function cache.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::clearCodeForRecompilation):
        (UnlinkedFunctionExecutable):
        * debugger/Debugger.cpp:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::generateFunctionCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        (JSC::CodeCache::usedFunctionCode):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilationIfNotCompiling):
        (JSC::FunctionExecutable::clearCode):
        * runtime/Executable.h:
        (FunctionExecutable):

2012-11-07  Filip Pizlo  <fpizlo@apple.com>

        DFG constant folding and CFG simplification should be smart enough to know that if a logical op's operand is proven to have a non-masquerading structure then it always evaluates to true
        https://bugs.webkit.org/show_bug.cgi?id=101511

        Reviewed by Oliver Hunt.

        To make life easier, this moves BranchDirection into BasicBlock so that after
        running the CFA, we always know, for each block, what direction the CFA
        proved. CFG simplification now both uses and preserves cfaBranchDirection in
        its transformations.

        Also made both LogicalNot and Branch check whether the operand is a known cell
        with a known structure, and if so, made them do the appropriate folding.

        5% speed-up on V8/raytrace because it makes raytrace's own null checks
        evaporate (i.e. idioms like 'if (!x) throw "unhappiness"') thanks to the fact
        that we were already doing structure check hoisting.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGAbstractState.h:
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        * dfg/DFGBranchDirection.h: Added.
        (JSC::DFG::branchDirectionToString):
        (JSC::DFG::isKnownDirection):
        (JSC::DFG::branchCondition):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2012-11-08  Christophe Dumez  <christophe.dumez@intel.com>

        [JSC] HTML extensions to String.prototype should escape " as &quot; in argument values
        https://bugs.webkit.org/show_bug.cgi?id=90667

        Reviewed by Benjamin Poulain.

        Escape quotation mark as &quot; in argument values to:
        - String.prototype.anchor(name)
        - String.prototype.fontcolor(color)
        - String.prototype.fontsize(size)
        - String.prototype.link(href)

        This behavior matches Chromium/V8 and Firefox/Spidermonkey
        implementations and is required by:
        http://mathias.html5.org/specs/javascript/#escapeattributevalue

        This also fixes a potential security risk (XSS vector).

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):
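
The attribute-value escaping described in the bug 90667 entry above, as an added example that is not JavaScriptCore's code: the pre-fix and fixed variants of the four helpers side by side, plus a check that shows what the escaping buys. The helper names (`createHTML`, `makeHelpers`, `openingTagAttributes`) and the sample argument are constructed for this example; only the `&quot;` rule comes from the entry and the spec it links.

```javascript
// Per http://mathias.html5.org/specs/javascript/#escapeattributevalue the
// only character that needs escaping is the double quote, because these
// helpers always emit the argument inside a double-quoted attribute.
function escapeAttributeValue(value) {
  return String(value).replace(/"/g, '&quot;');
}

// Shared builder for <tag attribute="value">str</tag> (hypothetical helper).
// `escape` selects the fixed (true) or pre-fix (false) handling of the argument.
function createHTML(str, tag, attribute, value, escape) {
  const v = escape ? escapeAttributeValue(value) : String(value);
  return '<' + tag + ' ' + attribute + '="' + v + '">' + String(str) + '</' + tag + '>';
}

// The four helpers the entry lists, in both variants.
function makeHelpers(escape) {
  return {
    anchor:    (s, name)  => createHTML(s, 'a',    'name',  name,  escape),
    fontcolor: (s, color) => createHTML(s, 'font', 'color', color, escape),
    fontsize:  (s, size)  => createHTML(s, 'font', 'size',  size,  escape),
    link:      (s, href)  => createHTML(s, 'a',    'href',  href,  escape),
  };
}
const fixed = makeHelpers(true);
const preFix = makeHelpers(false);

// Tokenise the attributes of the opening tag. The argument should land in
// exactly one attribute; if a quote inside it ends the attribute early, the
// tag acquires extra attributes the caller never wrote.
function openingTagAttributes(html) {
  const m = /^<[a-z]+((?:\s+[a-z]+="[^"]*")*)\s*>/i.exec(html);
  if (!m) return null; // not a tag of the shape these helpers emit
  const attrs = [];
  const re = /([a-z]+)="([^"]*)"/gi;
  let a;
  while ((a = re.exec(m[1])) !== null) attrs.push({ name: a[1], value: a[2] });
  return attrs;
}

// Constructed sample argument: contains the one character the fix is about.
const quotedArg = 'a" b="c';

// True when the helper kept the whole argument inside a single attribute.
function argumentStaysInAttribute(helpers, name) {
  const attrs = openingTagAttributes(helpers[name]('x', quotedArg));
  return attrs !== null && attrs.length === 1;
}

// The escaped value still round-trips: decoding &quot; yields the argument.
function decodeAttributeValue(v) {
  return v.replace(/&quot;/g, '"');
}

// Do this engine's built-in Annex B helpers agree with the fixed variant?
function builtInAgrees() {
  return 'x'.anchor(quotedArg) === fixed.anchor('x', quotedArg)
      && 'x'.link(quotedArg) === fixed.link('x', quotedArg);
}

for (const name of ['anchor', 'fontcolor', 'fontsize', 'link']) {
  console.log(name, 'pre-fix:', preFix[name]('x', quotedArg));
  console.log(name, 'fixed:  ', fixed[name]('x', quotedArg));
}
```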

2012-11-08  Anders Carlsson  <andersca@apple.com>

        HeapStatistics::s_pauseTimeStarts and s_pauseTimeEnds should be Vectors
        https://bugs.webkit.org/show_bug.cgi?id=101651

        Reviewed by Andreas Kling.

        HeapStatistics uses Deques when Vectors would work just as well.

        * heap/HeapStatistics.cpp:
        * heap/HeapStatistics.h:

2012-11-07  Filip Pizlo  <fpizlo@apple.com>

        DFG should not assume that something is a double just because it might be undefined
        https://bugs.webkit.org/show_bug.cgi?id=101438

        Reviewed by Oliver Hunt.

        This changes all non-bitop arithmetic to (a) statically expect that variables are
        defined prior to use in arithmetic and (b) not fall off into double paths just
        because a value may not be a number. This is accomplished with two new notions of

        shouldSpeculateIntegerExpectingDefined: Should we speculate that the value is an
        integer if we ignore undefined (i.e. SpecOther) predictions?

        shouldSpeculateIntegerForArithmetic: Should we speculate that the value is an
        integer if we ignore non-numeric predictions?

        This is a ~2x speed-up on programs that seem to our prediction propagator to have
        paths in which otherwise numeric variables are undefined.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32SpeculationExpectingDefined):
        (JSC::isDoubleSpeculationForArithmetic):
        (JSC::isNumberSpeculationExpectingDefined):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::mulShouldSpeculateInteger):
        (JSC::DFG::Graph::negateShouldSpeculateInteger):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
        (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
        (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_div):

2012-11-06  Filip Pizlo  <fpizlo@apple.com>

        JSC should infer when indexed storage contains only integers or doubles
        https://bugs.webkit.org/show_bug.cgi?id=98606

        Reviewed by Oliver Hunt.

        This adds two new indexing types: int32 and double. It also adds array allocation profiling,
        which allows array allocations to converge to allocating arrays using those types to which
        those arrays would have been converted.

        20% speed-up on navier-stokes. 40% speed-up on various Kraken DSP tests. Some slow-downs too,
        but a performance win overall on all benchmarks we track.

        * API/JSObjectRef.cpp:
        (JSObjectMakeArray):
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::JumpList::JumpList):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::jnp):
        (JSC::X86Assembler::X86InstructionFormatter::emitRex):
        * bytecode/ArrayAllocationProfile.cpp: Added.
        (JSC::ArrayAllocationProfile::updateIndexingType):
        * bytecode/ArrayAllocationProfile.h: Added.
        (ArrayAllocationProfile):
        (JSC::ArrayAllocationProfile::ArrayAllocationProfile):
        (JSC::ArrayAllocationProfile::selectIndexingType):
        (JSC::ArrayAllocationProfile::updateLastAllocation):
        (JSC::ArrayAllocationProfile::selectIndexingTypeFor):
        (JSC::ArrayAllocationProfile::updateLastAllocationFor):
        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::updatedObservedArrayModes):
        * bytecode/ArrayProfile.h:
        (JSC::arrayModesInclude):
        (JSC::shouldUseSlowPutArrayStorage):
        (JSC::shouldUseFastArrayStorage):
        (JSC::shouldUseContiguous):
        (JSC::shouldUseDouble):
        (JSC::shouldUseInt32):
        * bytecode/ByValInfo.h:
        (JSC::isOptimizableIndexingType):
        (JSC::jitArrayModeForIndexingType):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::updateAllValueProfilePredictions):
        (JSC::CodeBlock::updateAllArrayPredictions):
        (JSC::CodeBlock::updateAllPredictions):
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfArrayAllocationProfiles):
        (JSC::CodeBlock::addArrayAllocationProfile):
        (JSC::CodeBlock::updateAllValueProfilePredictions):
        (JSC::CodeBlock::updateAllArrayPredictions):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/SpeculatedType.h:
        (JSC::isRealNumberSpeculation):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
        (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles):
        (UnlinkedCodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newArrayAllocationProfile):
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::refine):
        (JSC::DFG::ArrayMode::alreadyChecked):
        (JSC::DFG::arrayTypeToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withType):
        (JSC::DFG::ArrayMode::withTypeAndConversion):
        (JSC::DFG::ArrayMode::usesButterfly):
        (JSC::DFG::ArrayMode::isSpecific):
        (JSC::DFG::ArrayMode::supportsLength):
        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayMode):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        (JSC::DFG::CallArrayAllocatorSlowPathGenerator::generateInternal):
        (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::generateInternal):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::byValIsPure):
        (NewArrayBufferData):
        (JSC::DFG::Node::hasIndexingType):
        (JSC::DFG::Node::indexingType):
        (JSC::DFG::Node::setIndexingType):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculateIntegerOperand):
        (JSC::DFG::SpeculateIntegerOperand::use):
        (SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::use):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::JIT::emitInt32GetByVal):
        (JSC::JIT::emitInt32PutByVal):
        (JSC::JIT::emitDoublePutByVal):
        (JSC::JIT::emitContiguousPutByVal):
        * jit/JITExceptions.cpp:
        (JSC::genericThrow):
        * jit/JITInlineMethods.h:
        (JSC::arrayProfileSaw):
        (JSC::JIT::chooseArrayMode):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emit_op_new_array_with_size):
        (JSC::JIT::emit_op_new_array_buffer):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitDoubleGetByVal):
        (JSC::JIT::emitContiguousGetByVal):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitContiguousGetByVal):
        (JSC::JIT::emitDoubleGetByVal):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::DEFINE_STUB_FUNCTION):
        (GlobalObject::finishCreation):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/x86.rb:
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        * runtime/Butterfly.h:
        (JSC::Butterfly::contiguousInt32):
        (JSC::Butterfly::contiguousDouble):
        (JSC::Butterfly::fromContiguous):
        * runtime/ButterflyInlineMethods.h:
        (JSC::Butterfly::createUninitializedDuringCollection):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
        * runtime/IndexingHeaderInlineMethods.h:
        (JSC::IndexingHeader::indexingPayloadSizeInBytes):
        * runtime/IndexingType.cpp:
        (JSC::leastUpperBoundOfIndexingTypes):
        (JSC::leastUpperBoundOfIndexingTypeAndType):
        (JSC::leastUpperBoundOfIndexingTypeAndValue):
        (JSC::indexingTypeToString):
        * runtime/IndexingType.h:
        (JSC::hasUndecided):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::compareNumbersForQSortWithInt32):
        (JSC::compareNumbersForQSortWithDouble):
        (JSC::JSArray::sortNumericVector):
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sort):
        (JSC::JSArray::sortVector):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSC::createContiguousArrayButterfly):
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::haveABadTime):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::originalArrayStructureForIndexingType):
        (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
        (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
        (JSC::JSGlobalObject::isOriginalArrayStructure):
        (JSC::constructEmptyArray):
        (JSC::constructArray):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::convertUndecidedForValue):
        (JSC::JSObject::convertInt32ForValue):
        (JSC::JSObject::setIndexQuicklyToUndecided):
        (JSC::JSObject::convertInt32ToDoubleOrContiguousWhilePerformingSetIndex):
        (JSC::JSObject::convertDoubleToContiguousWhilePerformingSetIndex):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::countElements):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::getArrayLength):
        (JSC::JSObject::getVectorLength):
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::canSetIndexQuicklyForPutDirect):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::hasSparseMap):
        (JSC::JSObject::inSparseIndexingMode):
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureLength):
        (JSC::JSObject::indexingData):
        (JSC::JSObject::currentIndexingData):
        (JSC::JSObject::getHolyIndexQuickly):
        (JSC::JSObject::relevantLength):
        (JSC::JSObject::currentRelevantLength):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/LiteralParser.cpp:
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSplit):
        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransition):
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):

2012-11-08  Balazs Kilvady  <kilvadyb@homejinni.com>

        ASSERT problem on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=100589

        Reviewed by Oliver Hunt.

        ASSERT fix for MIPS arch.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_resolve_operations):

2012-11-08  Michael Saboff  <msaboff@apple.com>

        OpaqueJSClassContextData() should use StringImpl::isolatedCopy() to make string copies
        https://bugs.webkit.org/show_bug.cgi?id=101507

        Reviewed by Andreas Kling.

        Changed to use isolatedCopy() for key Strings.

        * API/JSClassRef.cpp:
        (OpaqueJSClassContextData::OpaqueJSClassContextData):

2012-11-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        WeakBlocks should be HeapBlocks
        https://bugs.webkit.org/show_bug.cgi?id=101411

        Reviewed by Oliver Hunt.

        Currently WeakBlocks use fastMalloc memory. They are very similar to the other HeapBlocks, however,
        so we should change them to be allocated with the BlockAllocator.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator):
        * heap/BlockAllocator.h: Added a new RegionSet for WeakBlocks.
        * heap/Heap.h: Friended WeakSet to allow access to the BlockAllocator.
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::create): Refactored to use HeapBlocks rather than fastMalloc.
        (JSC::WeakBlock::WeakBlock):
        * heap/WeakBlock.h: Changed the WeakBlock size to 4 KB so that it divides evenly into the Region size.
        (JSC::WeakSet::~WeakSet):
        (JSC::WeakSet::addAllocator):

2012-11-07  Filip Pizlo  <fpizlo@apple.com>

        Indentation of ArgList.h is wrong
        https://bugs.webkit.org/show_bug.cgi?id=101441

        Reviewed by Andreas Kling.

        Just unindented by 4 spaces.

        * runtime/ArgList.h:

2012-11-07  Gabor Ballabas  <gaborb@inf.u-szeged.hu>