2013-02-02  David Kilzer  <ddkilzer@apple.com>

        Upstream iOS FeatureDefines
        <http://webkit.org/b/108753>

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:
        - ENABLE_DEVICE_ORIENTATION: Add iOS configurations.
        - ENABLE_PLUGIN_PROXY_FOR_VIDEO: Ditto.
        - FEATURE_DEFINES: Add ENABLE_PLUGIN_PROXY_FOR_VIDEO. Add
          PLATFORM_NAME variant to reduce future merge conflicts.
2013-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure::m_enumerationCache should be moved to StructureRareData
        https://bugs.webkit.org/show_bug.cgi?id=108723

        Reviewed by Oliver Hunt.

        m_enumerationCache is only used by objects whose properties are iterated over, so not every Structure needs this
        field and it can therefore be moved safely to StructureRareData to help with memory savings.

        * runtime/JSPropertyNameIterator.h:
        (JSPropertyNameIterator):
        (JSC::Register::propertyNameIterator):
        (JSC::StructureRareData::enumerationCache): Add to JSPropertyNameIterator.h so that it can see the correct type.
        (JSC::StructureRareData::setEnumerationCache): Ditto.
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyWithoutTransition): Use the enumerationCache() getter rather than accessing the field.
        (JSC::Structure::removePropertyWithoutTransition): Ditto.
        (JSC::Structure::visitChildren): We no longer have to worry about marking the m_enumerationCache field.
        * runtime/Structure.h:
        (JSC::Structure::setEnumerationCache): Move the old accessors back since we don't have to have any knowledge of
        the JSPropertyNameIterator type.
        (JSC::Structure::enumerationCache): Ditto.
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren): Mark the new m_enumerationCache field.
        * runtime/StructureRareData.h: Add new functions/fields.
2013-02-01  Roger Fong  <roger_fong@apple.com>

        Unreviewed. JavaScriptCore VS2010 project cleanup.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
2013-02-01  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r141662.
        http://trac.webkit.org/changeset/141662
        https://bugs.webkit.org/show_bug.cgi?id=108738

        it's an incorrect change since processPhiStack will
        dereference dangling BasicBlock pointers (Requested by pizlo

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):
2013-02-01  Filip Pizlo  <fpizlo@apple.com>

        Eliminate dead blocks sooner in the DFG::ByteCodeParser to make clear that you don't need to hold onto them during Phi construction
        https://bugs.webkit.org/show_bug.cgi?id=108717

        Reviewed by Mark Hahnenberg.

        I think this makes the code clearer. It doesn't change behavior.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):
2013-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure should have a StructureRareData field to save space
        https://bugs.webkit.org/show_bug.cgi?id=108659

        Reviewed by Oliver Hunt.

        Many of the fields in Structure are used in a subset of all total Structures; however, all Structures must
        pay the memory cost of those fields, regardless of whether they use them or not. Since we can have potentially
        many Structures on a single page (e.g. bing.com creates ~1500 Structures), it would be profitable to
        refactor Structure so that not every Structure has to pay the memory costs for these infrequently used fields.

        To accomplish this, we can create a new StructureRareData class to house these seldom used fields which we
        can allocate on demand whenever a Structure requires it. This StructureRareData can itself be a JSCell, and
        can do all the marking of the fields for the Structure. The StructureRareData field will be part of a union
        with m_previous to minimize overhead. We'll add a new field to JSTypeInfo to indicate that the Structure has
        a StructureRareData field. During transitions, a Structure will clone its previous Structure's StructureRareData
        if it has one. There could be some potential for optimizing this process, but the initial implementation will
        be dumb since we'd be paying these overhead costs for each Structure anyway.

        Initially we'll only put two fields in the StructureRareData to avoid a memory regression. Over time we'll
        continue to move fields from Structure to StructureRareData. Optimistically, this could potentially reduce our
        Structure memory footprint by up to around 75%. It could also clear the way for removing destructors from
        Structures (and into StructureRareData).

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGRepatch.cpp: Includes for linking purposes.
        * llint/LLIntSlowPaths.cpp:
        * runtime/JSCellInlines.h: Added ifdef guards.
        * runtime/JSGlobalData.cpp: New Structure for StructureRareData class.
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSTypeInfo.h: New flag to indicate whether or not a Structure has a StructureRareData field.
        (JSC::TypeInfo::flags):
        (JSC::TypeInfo::structureHasRareData):
        * runtime/ObjectPrototype.cpp:
        * runtime/Structure.cpp: We use a combined WriteBarrier<JSCell> field m_previousOrRareData to avoid compiler issues.
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::pin):
        (JSC::Structure::allocateRareData): Handles allocating a brand new StructureRareData field.
        (JSC::Structure::cloneRareDataFrom): Handles cloning a StructureRareData field from another. Used during Structure
        (JSC::Structure::visitChildren): We no longer have to worry about marking m_objectToStringValue.
        * runtime/Structure.h:
        (JSC::Structure::previousID): Checks the structureHasRareData flag to see where it should get the previous Structure.
        (JSC::Structure::objectToStringValue): Reads the value from the StructureRareData. If it doesn't exist, returns 0.
        (JSC::Structure::setObjectToStringValue): Ensures that we have a StructureRareData field, then forwards the function
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::setPreviousID): Checks for StructureRareData and forwards if necessary.
        (JSC::Structure::clearPreviousID): Ditto.
        (JSC::Structure::create):
        * runtime/StructureRareData.cpp: Added. All of the basic functionality of a JSCell with the fields that we've moved
        from Structure and the functions required to access/modify those fields as Structure would have done.
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::create):
        (JSC::StructureRareData::clone):
        (JSC::StructureRareData::StructureRareData):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h: Added.
        * runtime/StructureRareDataInlines.h: Added.
        (JSC::StructureRareData::previousID):
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::clearPreviousID):
        (JSC::Structure::previous): Handles the ugly casting to get the value of the right type of m_previousOrRareData.
        (JSC::Structure::rareData): Ditto.
        (JSC::StructureRareData::objectToStringValue):
        (JSC::StructureRareData::setObjectToStringValue):

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGRepatch.cpp:
        * llint/LLIntSlowPaths.cpp:
        * runtime/JSCellInlines.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::flags):
        (JSC::TypeInfo::structureHasRareData):
        * runtime/ObjectPrototype.cpp:
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::pin):
        (JSC::Structure::allocateRareData):
        (JSC::Structure::cloneRareDataFrom):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::previousID):
        (JSC::Structure::objectToStringValue):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::setPreviousID):
        (JSC::Structure::clearPreviousID):
        (JSC::Structure::previous):
        (JSC::Structure::rareData):
        (JSC::Structure::create):
        * runtime/StructureRareData.cpp: Added.
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::create):
        (JSC::StructureRareData::clone):
        (JSC::StructureRareData::StructureRareData):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h: Added.
        * runtime/StructureRareDataInlines.h: Added.
        (JSC::StructureRareData::previousID):
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::clearPreviousID):
        (JSC::StructureRareData::objectToStringValue):
        (JSC::StructureRareData::setObjectToStringValue):
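The previous/rare-data union and the on-demand allocation described in this entry and in the m_enumerationCache entry above, as an added example that is not JavaScriptCore code. Class and field names echo the entries; the layout, the ownership model (plain new/delete in place of GC cells), and the transition and clone logic are assumptions for illustration. The point worth checking is that one slot holds either a Structure* or a StructureRareData*, so every read goes through the flag, and promoting to rare data has to carry the existing previous pointer across before the slot is overwritten.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical, simplified analogue of Structure / StructureRareData.
class Structure;

struct StructureRareData {
    Structure* previous = nullptr;                 // moved out of Structure
    std::string objectToStringValue;               // seldom used
    std::vector<std::string> enumerationCache;     // seldom used
};

class Structure {
public:
    Structure() {}
    Structure(const Structure&) = delete;
    Structure& operator=(const Structure&) = delete;
    ~Structure() { if (hasRareData()) delete rareData(); }

    bool hasRareData() const { return (m_flags & HasRareData) != 0; }

    // The shared slot is read as one type or the other only after consulting
    // the flag; reading it as the wrong type would be a type confusion.
    Structure* previous() const {
        return hasRareData() ? rareData()->previous
                             : static_cast<Structure*>(m_previousOrRareData);
    }
    void setPrevious(Structure* s) {
        if (hasRareData()) rareData()->previous = s;
        else m_previousOrRareData = s;
    }

    const std::string& objectToStringValue() const {
        static const std::string none;
        return hasRareData() ? rareData()->objectToStringValue : none;
    }
    void setObjectToStringValue(std::string v) {
        ensureRareData()->objectToStringValue = std::move(v);
    }

    const std::vector<std::string>& enumerationCache() const {
        static const std::vector<std::string> none;
        return hasRareData() ? rareData()->enumerationCache : none;
    }
    void setEnumerationCache(std::vector<std::string> names) {
        ensureRareData()->enumerationCache = std::move(names);
    }

    // A transition yields a new Structure whose previous() is this one. If this
    // one carries rare data, the new one gets its own clone (assumed policy:
    // the cached enumeration order is dropped, since the property set changed).
    std::unique_ptr<Structure> transition() {
        std::unique_ptr<Structure> next(new Structure);
        if (hasRareData()) {
            StructureRareData* copy = new StructureRareData(*rareData());
            copy->previous = this;
            copy->enumerationCache.clear();
            next->m_previousOrRareData = copy;
            next->m_flags |= HasRareData;
        } else {
            next->m_previousOrRareData = this;
        }
        return next;
    }

    // Bytes this Structure accounts for: the side object is paid for only once
    // some rarely used field was actually set.
    size_t bytesUsed() const {
        return sizeof(Structure) + (hasRareData() ? sizeof(StructureRareData) : 0);
    }

private:
    enum : uint8_t { HasRareData = 1 << 0 };

    StructureRareData* rareData() const {
        assert(hasRareData());
        return static_cast<StructureRareData*>(m_previousOrRareData);
    }

    // Promotion moves the current previous pointer into the side object
    // before the shared slot is overwritten; otherwise previous() is lost.
    StructureRareData* ensureRareData() {
        if (hasRareData()) return rareData();
        StructureRareData* rd = new StructureRareData;
        rd->previous = static_cast<Structure*>(m_previousOrRareData);
        m_previousOrRareData = rd;
        m_flags |= HasRareData;
        return rd;
    }

    void* m_previousOrRareData = nullptr; // Structure* or StructureRareData*, per m_flags
    uint8_t m_flags = 0;
};
```

A plain Structure here is one pointer plus a flag byte; only the Structures that set objectToStringValue or an enumeration cache pay for the side object, and a transition from one of those inherits the string value but starts with an empty cache.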
2013-02-01  Balazs Kilvady  <kilvadyb@homejinni.com>

        offlineasm BaseIndex handling is broken on ARM due to MIPS changes
        https://bugs.webkit.org/show_bug.cgi?id=108261

        Reviewed by Filip Pizlo.

        offlineasm BaseIndex handling fix on MIPS.

        * offlineasm/mips.rb:
        * offlineasm/risc.rb:
2013-02-01  Geoffrey Garen  <ggaren@apple.com>

        Removed an unused function: JSGlobalObject::createFunctionExecutableFromGlobalCode
        https://bugs.webkit.org/show_bug.cgi?id=108657

        Reviewed by Anders Carlsson.

        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
2013-02-01  Geoffrey Garen  <ggaren@apple.com>

        Added TriState to WTF and started using it in one place
        https://bugs.webkit.org/show_bug.cgi?id=108628

        Reviewed by Beth Dakin.

        * runtime/PrototypeMap.h:
        (JSC::PrototypeMap::isPrototype): Use TriState instead of boolean. In
        response to review feedback, this is an attempt to clarify that our
        'true' condition is actually just a 'maybe'.

        * runtime/PrototypeMap.h:
        (JSC::PrototypeMap::isPrototype):
2013-02-01  Alexis Menard  <alexis@webkit.org>

        Enable unprefixed CSS transitions by default.
        https://bugs.webkit.org/show_bug.cgi?id=108216

        Reviewed by Dean Jackson.

        Rename the flag CSS_TRANSFORMS_ANIMATIONS_TRANSITIONS_UNPREFIXED
        to CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED which will be used later to
        guard the unprefixing work for CSS Transforms and animations.

        * Configurations/FeatureDefines.xcconfig:
2013-01-31  Filip Pizlo  <fpizlo@apple.com>

        DFG::CFGSimplificationPhase::keepOperandAlive() conflates liveness and availability
        https://bugs.webkit.org/show_bug.cgi?id=108580

        Reviewed by Oliver Hunt.

        This is a harmless bug in that it only results in us keeping a bit too many things
        for OSR. But it's worth fixing so that the code is consistent.

        keepOperandAlive() is called when block A has a branch to blocks B and C, but the
        A->B edge is proven to never be taken and we want to optimize the code to have A
        unconditionally jump to C. In that case, for the purposes of OSR, we need to
        preserve the knowledge that the state that B expected to be live incoming from A
        ought still to be live up to the point of where the A->B,C branch used to be. The
        way we keep things alive is by using the variablesAtTail of A (i.e., we use the
        knowledge of in what manner A made state available to B and C). The way we choose
        which state should be kept alive ought to be chosen by the variablesAtHead of B
        (i.e. the things B says it needs from its predecessors, including A), except that
        keepOperandAlive() was previously just using variablesAtTail of A for this

        The fix is to have keepOperandAlive() use both liveness and availability in its
        logic. It should use liveness (i.e. B->variablesAtHead) to decide what to keep
        alive, and it should use availability (i.e. A->variablesAtTail) to decide how to

        This might be a microscopic win on some programs, but it's mainly intended to be
        a code clean-up so that I don't end up scratching my head in confusion the next
        time I look at this code.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
2013-01-31  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION (r141192): Crash beneath cti_op_get_by_id_generic @ discussions.apple.com
        https://bugs.webkit.org/show_bug.cgi?id=108576

        Reviewed by Filip Pizlo.

        This was a long-standing bug. The DFG would destructively reuse a register
        in op_convert_this, but:

        * The bug only presented during speculation failure for type Other

        * The bug presented by removing the low bits of a pointer, which
        used to be harmless, since all objects were so aligned anyway.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Don't reuse our this register as
        our scratch register. The whole point of our scratch register is to
        avoid destructively modifying our this register. I'm pretty sure this
        was a copy-paste error.
2013-01-31  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
2013-01-31  Jessie Berlin  <jberlin@apple.com>

        Rolling out r141407 because it is causing crashes under
        WTF::TCMalloc_Central_FreeList::FetchFromSpans() in Release builds.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
2013-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSContext exception property causes reference cycle
        https://bugs.webkit.org/show_bug.cgi?id=107778

        Reviewed by Darin Adler.

        JSContext has a (retain) JSValue * exception property which, when non-null, creates a
        reference cycle (since the JSValue * holds a strong reference back to the JSContext *).

        * API/JSContext.mm: Instead of JSValue *, we now use a plain JSValueRef, which eliminates the reference cycle.
        (-[JSContext initWithVirtualMachine:]):
        (-[JSContext setException:]):
        (-[JSContext exception]):
2013-01-31  Roger Fong  <roger_fong@apple.com>

        Unreviewed build fix. Win7 port.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
2013-01-31  Joseph Pecoraro  <pecoraro@apple.com>

        Disable ENABLE_FULLSCREEN_API on iOS
        https://bugs.webkit.org/show_bug.cgi?id=108250

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:
2013-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Fix insertion of values greater than the max index allowed by the spec
        https://bugs.webkit.org/show_bug.cgi?id=108264

        Reviewed by Oliver Hunt.

        Fixed a bug, added a test to the API tests, cleaned up some code.

        * API/JSValue.h: Changed some of the documentation on setValue:atIndex: to indicate that
        setting values at indices greater than UINT_MAX - 1 won't affect the length of JS arrays.
        (-[JSValue valueAtIndex:]): We weren't returning when we should have been.
        (-[JSValue setValue:atIndex:]): Added a comment about why we do the early check for being larger than UINT_MAX.
        (objectToValueWithoutCopy): Removed two redundant cases that were already checked previously.
        * API/tests/testapi.mm:
2013-01-30  Andreas Kling  <akling@apple.com>

        Vector should consult allocator about ideal size when choosing capacity.
        <http://webkit.org/b/108410>
        <rdar://problem/13124002>

        Reviewed by Benjamin Poulain.

        Remove assertion about Vector capacity that won't hold anymore since capacity()
        may not be what you passed to reserveCapacity().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
2013-01-30  Filip Pizlo  <fpizlo@apple.com>

        DFG bytecode parser should have more assertions about the status of local accesses
        https://bugs.webkit.org/show_bug.cgi?id=108417

        Reviewed by Mark Hahnenberg.

        Assert some things that we already know to be true, just to reassure ourselves that they are true.
        This is meant as a prerequisite for https://bugs.webkit.org/show_bug.cgi?id=108414, which will
        make these rules even stricter.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
2013-01-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSContext's dealloc causes ASSERT due to ordering of releases
        https://bugs.webkit.org/show_bug.cgi?id=107978

        Reviewed by Filip Pizlo.

        We need to add the Identifier table save/restore in JSContextGroupRelease so that we
        have the correct table if we end up destroying the JSGlobalData/Heap.

        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
2013-01-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: exceptionHandler needs to be released in JSContext dealloc
        https://bugs.webkit.org/show_bug.cgi?id=108378

        Reviewed by Filip Pizlo.

        JSContext has a (copy) exceptionHandler property that it doesn't release in dealloc.
        That sounds like the potential for a leak. It should be released.

        (-[JSContext dealloc]):
2013-01-30  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(140504): pure CSE no longer matches things, 10% regression on Kraken
        https://bugs.webkit.org/show_bug.cgi?id=108366

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        This was a longstanding bug that was revealed by http://trac.webkit.org/changeset/140504.
        Pure CSE requires that the Node::flags() that may affect the behavior of a node match,
        when comparing a possibly redundant node to its possible replacement. It was doing this
        by comparing Node::arithNodeFlags(), which as the name might appear to suggest, returns
        just those flag bits that correspond to actual node behavior and not auxiliary things.
        Unfortunately, Node::arithNodeFlags() wasn't actually masking off the irrelevant bits.
        This worked prior to r140504 because CSE itself didn't mutate the flags, so there was a
        very high probability that matching nodes would also have completely identical flag bits
        (even the ones that aren't relevant to arithmetic behavior, like NodeDoesNotExit). But
        r140504 moved one of CSE's side-tables (m_relevantToOSR) into a flag bit for quicker
        access. These bits would be mutated as the CSE ran over a basic block, in such a way that
        there was a very high probability that the possible replacement would already have the
        bit set, while the redundant node did not have the bit set. Since Node::arithNodeFlags()
        returned all of the bits, this would cause CSEPhase::pureCSE() to reject the match

        The solution is to make Node::arithNodeFlags() do as its name suggests: only return those
        flags that are relevant to arithmetic behavior. This patch introduces a new mask that
        represents those bits, and includes NodeBehaviorMask and NodeBackPropMask, which are both
        used for queries on Node::arithNodeFlags(), and both affect arithmetic code gen. None of
        the other flags are relevant to Node::arithNodeFlags() since they either correspond to
        information already conveyed by the opcode (like NodeResultMask, NodeMustGenerate,
        NodeHasVarArgs, NodeClobbersWorld, NodeMightClobber) or information that doesn't affect
        the result that the node will produce or any of the queries performed on the result of
        Node::arithNodeFlags (NodeDoesNotExit and of course NodeRelevantToOSR).

        This is a 10% speed-up on Kraken, undoing the regression from r140504.

        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeFlags.h:
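The flag-mask bug this entry describes, as an added example that is not JavaScriptCore code: a toy pure-CSE pass over one block of nodes, run once comparing every flag bit (the pre-fix behaviour) and once comparing only the arithmetic-relevant mask. Flag names follow the entry; their bit values, the Node layout, the opcode set and the CSE loop itself are assumptions for illustration. The bookkeeping bit is set on each node after the pass has looked at it, which is exactly what makes the later, redundant node differ from its earlier replacement when every bit is compared.

```cpp
#include <cassert>
#include <cstdint>
#include <vector>

typedef uint32_t NodeFlags;

// Bit assignments are assumed; only the grouping matters for the example.
enum : NodeFlags {
    NodeResultMask     = 0x00007, // conveyed by the opcode
    NodeMustGenerate   = 0x00008,
    NodeHasVarArgs     = 0x00010,
    NodeClobbersWorld  = 0x00020,
    NodeMightClobber   = 0x00040,
    NodeBehaviorMask   = 0x00F00, // affects arithmetic code gen
    NodeBackPropMask   = 0x0F000, // affects arithmetic code gen
    NodeDoesNotExit    = 0x10000, // irrelevant to the produced value
    NodeRelevantToOSR  = 0x20000, // CSE side-table bit, mutated as CSE runs
    NodeArithFlagsMask = NodeBehaviorMask | NodeBackPropMask
};

enum Op { JSConstant, ArithAdd, ArithMul };

struct Node {
    Node(Op o, int c1 = -1, int c2 = -1, NodeFlags f = 0)
        : op(o), child1(c1), child2(c2), flags(f) {}
    Op op;
    int child1;          // indices into the block, -1 = none
    int child2;
    NodeFlags flags;
    int replacement = -1; // index of the node this one was folded into

    // Post-fix accessor: only the bits that change arithmetic behaviour.
    NodeFlags arithNodeFlags() const { return flags & NodeArithFlagsMask; }
};

// What pureCSE compares: the masked bits (fixed) or every bit (pre-fix).
static NodeFlags flagsForMatching(const Node& n, bool masked) {
    return masked ? n.arithNodeFlags() : n.flags;
}

// Looks backwards for an earlier node with the same opcode, children and
// matching flags; returns its index or -1.
static int findPureMatch(const std::vector<Node>& block, int index, bool masked) {
    const Node& n = block[index];
    for (int i = index - 1; i >= 0; --i) {
        const Node& c = block[i];
        if (c.op == n.op && c.child1 == n.child1 && c.child2 == n.child2
            && flagsForMatching(c, masked) == flagsForMatching(n, masked))
            return i;
    }
    return -1;
}

// Runs pure CSE over the block. After each node is processed, the OSR
// bookkeeping bit is set on it (assumed stand-in for the side table that
// r140504 moved into the flags). Returns the number of nodes eliminated.
int runPureCSE(std::vector<Node>& block, bool masked) {
    int eliminated = 0;
    for (int i = 0; i < static_cast<int>(block.size()); ++i) {
        if (block[i].op != JSConstant) {
            int m = findPureMatch(block, i, masked);
            if (m >= 0) { block[i].replacement = m; ++eliminated; }
        }
        block[i].flags |= NodeRelevantToOSR;
    }
    return eliminated;
}

// Constructed sample block: two constants, the same addition twice, and a
// third addition that differs in a behaviour bit and must not be merged.
std::vector<Node> makeBlock() {
    std::vector<Node> b;
    b.push_back(Node(JSConstant));                 // 0
    b.push_back(Node(JSConstant));                 // 1
    b.push_back(Node(ArithAdd, 0, 1, 0x00100));    // 2: 0 + 1
    b.push_back(Node(ArithAdd, 0, 1, 0x00100));    // 3: redundant with 2
    b.push_back(Node(ArithAdd, 0, 1, 0x00200));    // 4: different behaviour bit
    return b;
}
```

With every bit compared, node 3 never matches node 2 because node 2 already carries NodeRelevantToOSR by the time node 3 is examined; with the mask applied it matches, and node 4 is still kept apart because its behaviour bit genuinely differs.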
2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure::m_outOfLineCapacity is unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=108206

        Reviewed by Geoffrey Garen.

        We can calculate our out of line capacity by using the outOfLineSize and our knowledge about our resize policy.
        According to GDB, this knocks Structures down from 136 bytes to 128 bytes (I'm guessing the extra bytes are from
        better alignment of object fields), which puts Structures in a smaller size class. Woohoo! Looks neutral on our

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        * runtime/Structure.h:
        (JSC::Structure::outOfLineCapacity):
        (JSC::Structure::totalStorageCapacity):
2013-01-29  Geoffrey Garen  <ggaren@apple.com>

        Be a little more conservative about emitting table-based switches
        https://bugs.webkit.org/show_bug.cgi?id=108292

        Reviewed by Filip Pizlo.

        Profiling shows we're using op_switch in cases where it's a regression.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::CaseBlockNode::tryTableSwitch):
        (JSC::CaseBlockNode::emitBytecodeForBlock):
2013-01-29  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r140983.
        http://trac.webkit.org/changeset/140983
        https://bugs.webkit.org/show_bug.cgi?id=108277

        Unfortunately, this API has one last client (Requested by

        * Configurations/FeatureDefines.xcconfig:
2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
        https://bugs.webkit.org/show_bug.cgi?id=107839

        Reviewed by Geoffrey Garen.

        Fixing several ASSERTs that were incorrect along with some of the reallocation of m_prototype and
        m_constructor that they were based on.

        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We now only allocate those
        fields that are null (i.e. have been collected or have never been allocated to begin with).
        (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Renamed to better indicate that we're
        reallocating one or both of the prototype/constructor combo.
        (-[JSObjCClassInfo wrapperForObject:]): Call new reallocate function.
        (-[JSObjCClassInfo constructor]): Ditto.
2013-01-29  Geoffrey Garen  <ggaren@apple.com>

        Make precise size classes more precise
        https://bugs.webkit.org/show_bug.cgi?id=108270

        Reviewed by Mark Hahnenberg.

        Size inference makes this profitable.

        I chose 8 byte increments because JSString is 24 bytes. Otherwise, 16
        byte increments might be better.

        (Heap): Removed firstAllocatorWithoutDestructors because it's unused now.

        * heap/MarkedBlock.h:
        (MarkedBlock): Updated constants.

        * heap/MarkedSpace.h:
        (JSC): Also reduced the maximum precise size class because my testing
        has shown that the smaller size classes are much more common. This
        offsets some of the size class explosion caused by reducing the precise

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): No need for this ASSERT anymore
        because we don't rely on firstAllocatorWithoutDestructors anymore, since
        we pick size classes dynamically now.
2013-01-29  Oliver Hunt  <oliver@apple.com>

        Add some hardening to methodTable()
        https://bugs.webkit.org/show_bug.cgi?id=108253

        Reviewed by Mark Hahnenberg.

        When accessing methodTable() we now always make sure that our
        structure _could_ be valid. Added a separate method to get a
        class's methodTable during destruction as it's not possible to
        validate the structure at that point. This separation might
        also make it possible to improve the performance of methodTable
        access more generally in future.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTableForDestruction):
        (JSC::JSCell::methodTable):
2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        offlineasm BaseIndex handling is broken on ARM due to MIPS changes
        https://bugs.webkit.org/show_bug.cgi?id=108261

        Reviewed by Oliver Hunt.

        Backends shouldn't override each other's methods. That's not cool.

        * offlineasm/mips.rb:
2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        cloop.rb shouldn't use a method called 'dump' for code generation
        https://bugs.webkit.org/show_bug.cgi?id=108251

        Reviewed by Mark Hahnenberg.

        Revert http://trac.webkit.org/changeset/141178 and rename 'dump' to 'clDump'.

        Also made trivial build fixes for !ENABLE(JIT).

        * offlineasm/cloop.rb:
        * runtime/Executable.h:
        (JSC::ExecutableBase::intrinsicFor):
        * runtime/JSGlobalData.h:
2013-01-29  Geoffrey Garen  <ggaren@apple.com>

        Removed GGC because it has been disabled for a long time
        https://bugs.webkit.org/show_bug.cgi?id=108245

        Reviewed by Filip Pizlo.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CardSet.h: Removed.
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC::Heap::writeBarrier):
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):
2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        Remove redundant AST dump method from cloop.rb, since they are already defined in ast.rb
        https://bugs.webkit.org/show_bug.cgi?id=108247

        Reviewed by Oliver Hunt.

        Makes offlineasm dumping easier to read and less likely to cause assertion failures.
        Also fixes the strange situation where cloop.rb and ast.rb both defined dump methods,
        but cloop.rb was winning.

        * offlineasm/cloop.rb:
2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
        https://bugs.webkit.org/show_bug.cgi?id=107839

        Reviewed by Oliver Hunt.

        JSContext has a JSWrapperMap, which has an NSMutableDictionary m_classMap, which has values that
        are JSObjCClassInfo objects, which have strong references to two JSValue *'s, m_prototype and
        m_constructor, which in turn have strong references to the JSContext, creating a reference cycle.
        We should make m_prototype and m_constructor Weak<JSObject>. This gets rid of the strong reference
        to the JSContext and also prevents clients from accidentally creating reference cycles by assigning
        to the prototype of the constructor. If Weak<JSObject> fields are ever garbage collected, we will

        (-[JSContext wrapperMap]):
        * API/JSContextInternal.h:
        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
        (-[JSObjCClassInfo dealloc]):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (-[JSObjCClassInfo allocateConstructorAndPrototype]):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSObjCClassInfo constructor]):
2013-01-29  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r140594): RELEASE_ASSERT_NOT_REACHED in JSC::Interpreter::execute
        https://bugs.webkit.org/show_bug.cgi?id=108097

        Reviewed by Geoffrey Garen.

        LiteralParser was accepting a bogus 'var a.b = c' statement

        * runtime/LiteralParser.cpp:
        (JSC::::tryJSONPParse):
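A minimal recogniser for the statement prefix a JSONP literal parser accepts, as an added example that is not JavaScriptCore's LiteralParser. It shows the check this entry describes: after `var`, only a plain identifier is a valid declaration target, so `var a.b = c` is rejected while `a.b = c` and `var a = c` pass. The accepted shapes (`var a = ...`, `a.b.c = ...`, `f(...)`), the struct and function names, and the decision to hand the payload back untouched for a separate JSON parser are assumptions for illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

// Result of recognising the part of a JSONP response before the JSON payload.
struct JSONPTarget {
    bool ok = false;
    bool isDeclaration = false;     // statement started with `var`
    std::vector<std::string> path;  // identifier chain of the target, e.g. {"a","b"}
    std::string payload;            // everything after `=` or `(`, left to a JSON parser
};

static void skipWs(const std::string& s, size_t& i) {
    while (i < s.size() && std::isspace(static_cast<unsigned char>(s[i]))) ++i;
}

// Reads an identifier ([A-Za-z_$][A-Za-z0-9_$]*) at i; false if none is there.
static bool readIdent(const std::string& s, size_t& i, std::string& out) {
    size_t start = i;
    if (i < s.size() && (std::isalpha(static_cast<unsigned char>(s[i])) || s[i] == '_' || s[i] == '$')) {
        ++i;
        while (i < s.size() && (std::isalnum(static_cast<unsigned char>(s[i])) || s[i] == '_' || s[i] == '$')) ++i;
    }
    if (i == start) return false;
    out = s.substr(start, i - start);
    return true;
}

// Accepts `var a = <payload>`, `a = <payload>`, `a.b.c = <payload>` and
// `f(<payload>`; anything else, including `var a.b = ...`, is rejected.
JSONPTarget parseJSONPPrefix(const std::string& s) {
    JSONPTarget t;
    size_t i = 0;
    std::string ident;
    skipWs(s, i);
    if (!readIdent(s, i, ident)) return t;
    if (ident == "var") {
        t.isDeclaration = true;
        skipWs(s, i);
        if (!readIdent(s, i, ident)) return t;  // `var = 1`, `var .x = 1`
    }
    t.path.push_back(ident);
    skipWs(s, i);
    // A member chain is only meaningful on an assignment target. A declaration
    // names a single binding, so `var a.b` is not a statement at all.
    while (i < s.size() && s[i] == '.') {
        if (t.isDeclaration) return t;
        ++i;
        if (!readIdent(s, i, ident)) return t;
        t.path.push_back(ident);
        skipWs(s, i);
    }
    if (i >= s.size()) return t;
    if (s[i] == '=') {
        ++i;
    } else if (s[i] == '(' && !t.isDeclaration) {
        ++i;                                    // call form: callback(...)
    } else {
        return t;
    }
    t.payload = s.substr(i);
    t.ok = true;
    return t;
}
```

The recogniser never evaluates anything: a response that does not fit one of the accepted shapes is simply reported as not JSONP, which is the behaviour the fast path wants before falling back to a full parse.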
2013-01-29  Oliver Hunt  <oliver@apple.com>

        Force debug builds to do bounds checks on contiguous property storage
        https://bugs.webkit.org/show_bug.cgi?id=108212

        Reviewed by Mark Hahnenberg.

        Add a ContiguousData type that we use to represent contiguous property
        storage. In release builds it is simply a pointer to the correct type,
        but in debug builds it also carries the data length and performs bounds
        checks. This means we don't have to add as many manual bounds assertions
        when performing operations over contiguous data.

        * dfg/DFGOperations.cpp:
        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::vector):
        * runtime/Butterfly.h:
        (JSC::ContiguousData::ContiguousData):
        (JSC::ContiguousData::operator[]):
        (JSC::ContiguousData::data):
        (JSC::ContiguousData::length):
        (JSC::Butterfly::contiguousInt32):
        (JSC::Butterfly::contiguousDouble):
        (JSC::Butterfly::contiguous):
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortNumericVector):
        (ContiguousTypeAccessor):
        (JSC::ContiguousTypeAccessor::getAsValue):
        (JSC::ContiguousTypeAccessor::setWithValue):
        (JSC::ContiguousTypeAccessor::replaceDataReference):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sort):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::rageConvertDoubleToContiguous):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::rageEnsureContiguousSlow):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::rageEnsureContiguous):
        (JSC::JSObject::indexingData):
        (JSC::JSObject::currentIndexingData):
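The ContiguousData idea, as an added example that is not JavaScriptCore code: a view over contiguous storage that is a bare pointer in one configuration and carries its length and checks every index in the other, plus a copy routine of the kind the entry lists (fillArgList, copyToArguments) written against the view. The names, selecting the flavour by NDEBUG, and throwing std::out_of_range instead of asserting (so the rejection can be observed from a test) are assumptions for illustration.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

template <typename T, bool Checked>
class ContiguousView;

// Unchecked flavour: exactly one pointer wide, no cost on access.
template <typename T>
class ContiguousView<T, false> {
public:
    ContiguousView(T* data, size_t /*length*/) : m_data(data) {}
    T& operator[](size_t i) const { return m_data[i]; }
    T* data() const { return m_data; }
private:
    T* m_data;
};

// Checked flavour: remembers the vector length and refuses any index at or
// beyond it. The length is the storage's vector length, not the array's
// public length, so it bounds exactly what the pointer may legally touch.
template <typename T>
class ContiguousView<T, true> {
public:
    ContiguousView(T* data, size_t length) : m_data(data), m_length(length) {}
    T& operator[](size_t i) const {
        if (i >= m_length) throw std::out_of_range("contiguous index out of range");
        return m_data[i];
    }
    T* data() const { return m_data; }
    size_t length() const { return m_length; }
private:
    T* m_data;
    size_t m_length;
};

// The alias a caller would use: checked unless NDEBUG is defined (assumed policy).
#ifdef NDEBUG
constexpr bool kContiguousChecked = false;
#else
constexpr bool kContiguousChecked = true;
#endif
template <typename T>
using ContiguousData = ContiguousView<T, kContiguousChecked>;

// A storage-walking routine in the style of copyToArguments: copies the
// first publicLength elements out of storage whose vector length is
// vectorLength. With the checked view, a publicLength that exceeds
// vectorLength is caught on the first bad index instead of reading past
// the allocation.
template <bool Checked>
std::vector<int> copyPublicRange(std::vector<int>& storage, size_t vectorLength, size_t publicLength) {
    ContiguousView<int, Checked> view(storage.data(), vectorLength);
    std::vector<int> out;
    out.reserve(publicLength);
    for (size_t i = 0; i < publicLength; ++i)
        out.push_back(view[i]);
    return out;
}

// True when the checked view refuses the index, false when it allows it.
bool checkedViewRejects(std::vector<int>& storage, size_t vectorLength, size_t index) {
    ContiguousView<int, true> view(storage.data(), vectorLength);
    try {
        (void)view[index];
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

// True when a copy with an inconsistent publicLength is stopped by the view.
bool checkedCopyRejects(std::vector<int>& storage, size_t vectorLength, size_t publicLength) {
    try {
        (void)copyPublicRange<true>(storage, vectorLength, publicLength);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}
```

The unchecked specialisation is the size of a pointer, so code written against ContiguousData costs nothing extra in the configuration that does not check; the checked one catches an index equal to the vector length, which is the classic off-by-one that manual assertions scattered through sort and copy loops tend to miss.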
2013-01-29  Brent Fulgham  <bfulgham@webkit.org>

        [Windows, WinCairo] Unreviewed build fix after r141050

        * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Update symbols
        to match JavaScriptCore.vcproj version.
2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Implement GCActivityCallback
        https://bugs.webkit.org/show_bug.cgi?id=103998

        Reviewed by Simon Hausmann.

        Implements the activity triggered garbage collector.

        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::scheduleTimer):
        (JSC::DefaultGCActivityCallback::cancelTimer):
        * runtime/GCActivityCallback.h:
        (GCActivityCallback):
        (DefaultGCActivityCallback):
2013-01-29  Mikhail Pozdnyakov  <mikhail.pozdnyakov@intel.com>

        Compilation warning in JSC
        https://bugs.webkit.org/show_bug.cgi?id=108178

        Reviewed by Kentaro Hara.

        Fixed 'comparison between signed and unsigned integer' warning in JSC::Structure constructor.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
2013-01-29  Jocelyn Turcotte  <jocelyn.turcotte@digia.com>

        [Qt] Fix the JSC build on Mac

        Unreviewed, build fix.

        Qt on Mac has USE(CF) true, and should use the CF HeapTimer in that case.
2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Implement IncrementalSweeper and HeapTimer
        https://bugs.webkit.org/show_bug.cgi?id=103996

        Reviewed by Simon Hausmann.

        Implements the incremental sweeping garbage collection for the Qt platform.

        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::HeapTimer):
        (JSC::HeapTimer::~HeapTimer):
        (JSC::HeapTimer::timerEvent):
        (JSC::HeapTimer::synchronize):
        (JSC::HeapTimer::invalidate):
        (JSC::HeapTimer::didStartVMShutdown):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::IncrementalSweeper):
        (JSC::IncrementalSweeper::scheduleTimer):
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):
2013-01-28 Filip Pizlo <fpizlo@apple.com>

DFG should not use a graph that is a vector, Nodes shouldn't move after allocation, and we should always refer to nodes by Node*
https://bugs.webkit.org/show_bug.cgi?id=106868

Reviewed by Oliver Hunt.

This adds a pool allocator for Nodes, and uses that instead of a Vector. Changes all
uses of Node& and NodeIndex to be simply Node*. Nodes no longer have an index except
for debugging (Node::index(), which is not guaranteed to be O(1)).

1% speed-up on SunSpider, presumably because this improves compile times.

* GNUmakefile.list.am:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/DataFormat.h:
(JSC::dataFormatToString):
* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::initialize):
(JSC::DFG::AbstractState::booleanResult):
(JSC::DFG::AbstractState::execute):
(JSC::DFG::AbstractState::mergeStateAtTail):
(JSC::DFG::AbstractState::mergeToSuccessors):
(JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
(JSC::DFG::AbstractState::dump):
* dfg/DFGAbstractState.h:
(JSC::DFG::AbstractState::forNode):
(JSC::DFG::AbstractState::speculateInt32Unary):
(JSC::DFG::AbstractState::speculateNumberUnary):
(JSC::DFG::AbstractState::speculateBooleanUnary):
(JSC::DFG::AbstractState::speculateInt32Binary):
(JSC::DFG::AbstractState::speculateNumberBinary):
(JSC::DFG::AbstractState::trySetConstant):
* dfg/DFGAbstractValue.h:
* dfg/DFGAdjacencyList.h:
(JSC::DFG::AdjacencyList::AdjacencyList):
(JSC::DFG::AdjacencyList::initialize):
* dfg/DFGAllocator.h: Added.
(JSC::DFG::Allocator::Region::size):
(JSC::DFG::Allocator::Region::headerSize):
(JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
(JSC::DFG::Allocator::Region::data):
(JSC::DFG::Allocator::Region::isInThisRegion):
(JSC::DFG::Allocator::Region::regionFor):
(JSC::DFG::::Allocator):
(JSC::DFG::::~Allocator):
(JSC::DFG::::allocate):
(JSC::DFG::::freeAll):
(JSC::DFG::::indexOf):
(JSC::DFG::::allocatorOf):
(JSC::DFG::::bumpAllocate):
(JSC::DFG::::freeListAllocate):
(JSC::DFG::::allocateSlow):
(JSC::DFG::::freeRegionsStartingAt):
(JSC::DFG::::startBumpingIn):
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
(JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
(JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
(JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
(JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
(JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::originalArrayStructure):
(JSC::DFG::ArrayMode::alreadyChecked):
* dfg/DFGArrayMode.h:
* dfg/DFGArrayifySlowPathGenerator.h:
(JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::node):
(JSC::DFG::BasicBlock::isInPhis):
(JSC::DFG::BasicBlock::isInBlock):
* dfg/DFGBasicBlockInlines.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getDirect):
(JSC::DFG::ByteCodeParser::get):
(JSC::DFG::ByteCodeParser::setDirect):
(JSC::DFG::ByteCodeParser::set):
(JSC::DFG::ByteCodeParser::setPair):
(JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
(JSC::DFG::ByteCodeParser::getLocal):
(JSC::DFG::ByteCodeParser::setLocal):
(JSC::DFG::ByteCodeParser::getArgument):
(JSC::DFG::ByteCodeParser::setArgument):
(JSC::DFG::ByteCodeParser::flushDirect):
(JSC::DFG::ByteCodeParser::getToInt32):
(JSC::DFG::ByteCodeParser::toInt32):
(JSC::DFG::ByteCodeParser::getJSConstantForValue):
(JSC::DFG::ByteCodeParser::getJSConstant):
(JSC::DFG::ByteCodeParser::getCallee):
(JSC::DFG::ByteCodeParser::getThis):
(JSC::DFG::ByteCodeParser::setThis):
(JSC::DFG::ByteCodeParser::isJSConstant):
(JSC::DFG::ByteCodeParser::isInt32Constant):
(JSC::DFG::ByteCodeParser::valueOfJSConstant):
(JSC::DFG::ByteCodeParser::valueOfInt32Constant):
(JSC::DFG::ByteCodeParser::constantUndefined):
(JSC::DFG::ByteCodeParser::constantNull):
(JSC::DFG::ByteCodeParser::one):
(JSC::DFG::ByteCodeParser::constantNaN):
(JSC::DFG::ByteCodeParser::cellConstant):
(JSC::DFG::ByteCodeParser::addToGraph):
(JSC::DFG::ByteCodeParser::insertPhiNode):
(JSC::DFG::ByteCodeParser::addVarArgChild):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
(JSC::DFG::ByteCodeParser::getPrediction):
(JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
(JSC::DFG::ByteCodeParser::makeSafe):
(JSC::DFG::ByteCodeParser::makeDivSafe):
(JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord):
(JSC::DFG::ByteCodeParser::PhiStackEntry::PhiStackEntry):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::emitFunctionChecks):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::setIntrinsicResult):
(JSC::DFG::ByteCodeParser::handleMinMax):
(JSC::DFG::ByteCodeParser::handleIntrinsic):
(JSC::DFG::ByteCodeParser::handleGetByOffset):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::getScope):
(JSC::DFG::ByteCodeParser::parseResolveOperations):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::processPhiStack):
(JSC::DFG::ByteCodeParser::linkBlock):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
(JSC::DFG::ByteCodeParser::parse):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performBlockCFA):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::run):
(JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
(JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
(JSC::DFG::CFGSimplificationPhase::fixPhis):
(JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
(JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
(JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump):
(OperandSubstitution):
(JSC::DFG::CFGSimplificationPhase::skipGetLocal):
(JSC::DFG::CFGSimplificationPhase::recordNewTarget):
(JSC::DFG::CFGSimplificationPhase::fixTailOperand):
(JSC::DFG::CFGSimplificationPhase::mergeBlocks):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::canonicalize):
(JSC::DFG::CSEPhase::endIndexForPureCSE):
(JSC::DFG::CSEPhase::pureCSE):
(JSC::DFG::CSEPhase::constantCSE):
(JSC::DFG::CSEPhase::weakConstantCSE):
(JSC::DFG::CSEPhase::getCalleeLoadElimination):
(JSC::DFG::CSEPhase::getArrayLengthElimination):
(JSC::DFG::CSEPhase::globalVarLoadElimination):
(JSC::DFG::CSEPhase::scopedVarLoadElimination):
(JSC::DFG::CSEPhase::globalVarWatchpointElimination):
(JSC::DFG::CSEPhase::globalVarStoreElimination):
(JSC::DFG::CSEPhase::scopedVarStoreElimination):
(JSC::DFG::CSEPhase::getByValLoadElimination):
(JSC::DFG::CSEPhase::checkFunctionElimination):
(JSC::DFG::CSEPhase::checkExecutableElimination):
(JSC::DFG::CSEPhase::checkStructureElimination):
(JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
(JSC::DFG::CSEPhase::putStructureStoreElimination):
(JSC::DFG::CSEPhase::getByOffsetLoadElimination):
(JSC::DFG::CSEPhase::putByOffsetStoreElimination):
(JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
(JSC::DFG::CSEPhase::checkArrayElimination):
(JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
(JSC::DFG::CSEPhase::getMyScopeLoadElimination):
(JSC::DFG::CSEPhase::getLocalLoadElimination):
(JSC::DFG::CSEPhase::setLocalStoreElimination):
(JSC::DFG::CSEPhase::performSubstitution):
(JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
(JSC::DFG::CSEPhase::setReplacement):
(JSC::DFG::CSEPhase::eliminate):
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::performBlockCSE):
* dfg/DFGCommon.cpp: Added.
(JSC::DFG::NodePointerTraits::dump):
(JSC::DFG::NodePointerTraits::defaultValue):
(NodePointerTraits):
(JSC::DFG::verboseCompilationEnabled):
(JSC::DFG::shouldDumpGraphAtEachPhase):
(JSC::DFG::validationEnabled):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
(JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
(JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
* dfg/DFGDisassembler.cpp:
(JSC::DFG::Disassembler::Disassembler):
(JSC::DFG::Disassembler::createDumpList):
(JSC::DFG::Disassembler::dumpDisassembly):
* dfg/DFGDisassembler.h:
(JSC::DFG::Disassembler::setForNode):
* dfg/DFGDriver.cpp:
(JSC::DFG::compile):
* dfg/DFGEdge.cpp: Added.
(JSC::DFG::Edge::dump):
(JSC::DFG::Edge::Edge):
(JSC::DFG::Edge::node):
(JSC::DFG::Edge::operator*):
(JSC::DFG::Edge::operator->):
(JSC::DFG::Edge::setNode):
(JSC::DFG::Edge::useKind):
(JSC::DFG::Edge::setUseKind):
(JSC::DFG::Edge::isSet):
(JSC::DFG::Edge::shift):
(JSC::DFG::Edge::makeWord):
(JSC::DFG::operator==):
(JSC::DFG::operator!=):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupBlock):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::checkArray):
(JSC::DFG::FixupPhase::blessArrayOperation):
(JSC::DFG::FixupPhase::fixIntEdge):
(JSC::DFG::FixupPhase::fixDoubleEdge):
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
* dfg/DFGGenerationInfo.h:
(JSC::DFG::GenerationInfo::GenerationInfo):
(JSC::DFG::GenerationInfo::initConstant):
(JSC::DFG::GenerationInfo::initInteger):
(JSC::DFG::GenerationInfo::initJSValue):
(JSC::DFG::GenerationInfo::initCell):
(JSC::DFG::GenerationInfo::initBoolean):
(JSC::DFG::GenerationInfo::initDouble):
(JSC::DFG::GenerationInfo::initStorage):
(JSC::DFG::GenerationInfo::node):
(JSC::DFG::GenerationInfo::noticeOSRBirth):
(JSC::DFG::GenerationInfo::use):
(JSC::DFG::GenerationInfo::appendFill):
(JSC::DFG::GenerationInfo::appendSpill):
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::~Graph):
(JSC::DFG::Graph::dumpCodeOrigin):
(JSC::DFG::Graph::amountOfNodeWhiteSpace):
(JSC::DFG::Graph::printNodeWhiteSpace):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::dumpBlockHeader):
(JSC::DFG::Graph::refChildren):
(JSC::DFG::Graph::derefChildren):
(JSC::DFG::Graph::predictArgumentTypes):
(JSC::DFG::Graph::collectGarbage):
(JSC::DFG::Graph::determineReachability):
(JSC::DFG::Graph::resetExitStates):
(JSC::DFG::Graph::ref):
(JSC::DFG::Graph::deref):
(JSC::DFG::Graph::changeChild):
(JSC::DFG::Graph::compareAndSwap):
(JSC::DFG::Graph::clearAndDerefChild):
(JSC::DFG::Graph::clearAndDerefChild1):
(JSC::DFG::Graph::clearAndDerefChild2):
(JSC::DFG::Graph::clearAndDerefChild3):
(JSC::DFG::Graph::convertToConstant):
(JSC::DFG::Graph::getJSConstantSpeculation):
(JSC::DFG::Graph::addSpeculationMode):
(JSC::DFG::Graph::valueAddSpeculationMode):
(JSC::DFG::Graph::arithAddSpeculationMode):
(JSC::DFG::Graph::addShouldSpeculateInteger):
(JSC::DFG::Graph::mulShouldSpeculateInteger):
(JSC::DFG::Graph::negateShouldSpeculateInteger):
(JSC::DFG::Graph::isConstant):
(JSC::DFG::Graph::isJSConstant):
(JSC::DFG::Graph::isInt32Constant):
(JSC::DFG::Graph::isDoubleConstant):
(JSC::DFG::Graph::isNumberConstant):
(JSC::DFG::Graph::isBooleanConstant):
(JSC::DFG::Graph::isCellConstant):
(JSC::DFG::Graph::isFunctionConstant):
(JSC::DFG::Graph::isInternalFunctionConstant):
(JSC::DFG::Graph::valueOfJSConstant):
(JSC::DFG::Graph::valueOfInt32Constant):
(JSC::DFG::Graph::valueOfNumberConstant):
(JSC::DFG::Graph::valueOfBooleanConstant):
(JSC::DFG::Graph::valueOfFunctionConstant):
(JSC::DFG::Graph::valueProfileFor):
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
(JSC::DFG::Graph::numSuccessors):
(JSC::DFG::Graph::successor):
(JSC::DFG::Graph::successorForCondition):
(JSC::DFG::Graph::isPredictedNumerical):
(JSC::DFG::Graph::byValIsPure):
(JSC::DFG::Graph::clobbersWorld):
(JSC::DFG::Graph::varArgNumChildren):
(JSC::DFG::Graph::numChildren):
(JSC::DFG::Graph::varArgChild):
(JSC::DFG::Graph::child):
(JSC::DFG::Graph::voteNode):
(JSC::DFG::Graph::voteChildren):
(JSC::DFG::Graph::substitute):
(JSC::DFG::Graph::substituteGetLocal):
(JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
(JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
* dfg/DFGInsertionSet.h:
(JSC::DFG::Insertion::Insertion):
(JSC::DFG::Insertion::element):
(JSC::DFG::InsertionSet::insert):
* dfg/DFGJITCompiler.cpp:
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::setForNode):
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
(JSC::DFG::JITCompiler::noticeOSREntry):
* dfg/DFGLongLivedState.cpp: Added.
(JSC::DFG::LongLivedState::LongLivedState):
(JSC::DFG::LongLivedState::~LongLivedState):
(JSC::DFG::LongLivedState::shrinkToFit):
* dfg/DFGLongLivedState.h: Added.
* dfg/DFGMinifiedID.h:
(JSC::DFG::MinifiedID::MinifiedID):
(JSC::DFG::MinifiedID::node):
* dfg/DFGMinifiedNode.cpp:
(JSC::DFG::MinifiedNode::fromNode):
* dfg/DFGMinifiedNode.h:
* dfg/DFGNode.cpp: Added.
(JSC::DFG::Node::index):
(WTF::printInternal):
(JSC::DFG::Node::Node):
(JSC::DFG::Node::convertToGetByOffset):
(JSC::DFG::Node::convertToPutByOffset):
(JSC::DFG::Node::ref):
(JSC::DFG::Node::shouldSpeculateInteger):
(JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
(JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
(JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
(JSC::DFG::Node::shouldSpeculateNumber):
(JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
(JSC::DFG::Node::shouldSpeculateFinalObject):
(JSC::DFG::Node::shouldSpeculateArray):
(JSC::DFG::Node::dumpChildren):
* dfg/DFGNodeAllocator.h: Added.
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::OSRExit):
(SpeculationFailureDebugInfo):
* dfg/DFGOSRExitCompiler.cpp:
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOperations.cpp:
(JSC::DFG::Phase::beginPhase):
(JSC::DFG::Phase::endPhase):
(JSC::DFG::runAndLog):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::setPrediction):
(JSC::DFG::PredictionPropagationPhase::mergePrediction):
(JSC::DFG::PredictionPropagationPhase::isNotNegZero):
(JSC::DFG::PredictionPropagationPhase::isNotZero):
(JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
(JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
(JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
(JSC::DFG::PredictionPropagationPhase::propagateForward):
(JSC::DFG::PredictionPropagationPhase::propagateBackward):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
(PredictionPropagationPhase):
(JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
* dfg/DFGScoreBoard.h:
(JSC::DFG::ScoreBoard::ScoreBoard):
(JSC::DFG::ScoreBoard::use):
(JSC::DFG::ScoreBoard::useIfHasResult):
* dfg/DFGSilentRegisterSavePlan.h:
(JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
(JSC::DFG::SilentRegisterSavePlan::node):
(SilentRegisterSavePlan):
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::SlowPathGenerator::SlowPathGenerator):
(JSC::DFG::SlowPathGenerator::generate):
(SlowPathGenerator):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::speculationCheck):
(JSC::DFG::SpeculativeJIT::speculationWatchpoint):
(JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
(JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
(JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
(JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
(JSC::DFG::SpeculativeJIT::silentSpill):
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::arrayify):
(JSC::DFG::SpeculativeJIT::fillStorage):
(JSC::DFG::SpeculativeJIT::useChildren):
(JSC::DFG::SpeculativeJIT::isStrictInt32):
(JSC::DFG::SpeculativeJIT::isKnownInteger):
(JSC::DFG::SpeculativeJIT::isKnownNumeric):
(JSC::DFG::SpeculativeJIT::isKnownCell):
(JSC::DFG::SpeculativeJIT::isKnownNotCell):
(JSC::DFG::SpeculativeJIT::isKnownNotInteger):
(JSC::DFG::SpeculativeJIT::isKnownNotNumber):
(JSC::DFG::SpeculativeJIT::writeBarrier):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
(JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
(JSC::DFG::GPRTemporary::GPRTemporary):
(JSC::DFG::FPRTemporary::FPRTemporary):
(JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::noticeOSRBirth):
(JSC::DFG::SpeculativeJIT::compileMovHint):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::checkArgumentTypes):
(JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
(JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
(JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
(JSC::DFG::SpeculativeJIT::compileInstanceOf):
(JSC::DFG::SpeculativeJIT::compileSoftModulo):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
(JSC::DFG::SpeculativeJIT::compileArithMod):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
(JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
(JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
(JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
(JSC::DFG::SpeculativeJIT::compileRegExpExec):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::canReuse):
(JSC::DFG::SpeculativeJIT::isFilled):
(JSC::DFG::SpeculativeJIT::isFilledDouble):
(JSC::DFG::SpeculativeJIT::use):
(JSC::DFG::SpeculativeJIT::isConstant):
(JSC::DFG::SpeculativeJIT::isJSConstant):
(JSC::DFG::SpeculativeJIT::isInt32Constant):
(JSC::DFG::SpeculativeJIT::isDoubleConstant):
(JSC::DFG::SpeculativeJIT::isNumberConstant):
(JSC::DFG::SpeculativeJIT::isBooleanConstant):
(JSC::DFG::SpeculativeJIT::isFunctionConstant):
(JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
(JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
(JSC::DFG::SpeculativeJIT::valueOfNumberConstantAsInt32):
(JSC::DFG::SpeculativeJIT::addressOfDoubleConstant):
(JSC::DFG::SpeculativeJIT::valueOfJSConstant):
(JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
(JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
(JSC::DFG::SpeculativeJIT::isNullConstant):
(JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
(JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
(JSC::DFG::SpeculativeJIT::integerResult):
(JSC::DFG::SpeculativeJIT::noResult):
(JSC::DFG::SpeculativeJIT::cellResult):
(JSC::DFG::SpeculativeJIT::booleanResult):
(JSC::DFG::SpeculativeJIT::jsValueResult):
(JSC::DFG::SpeculativeJIT::storageResult):
(JSC::DFG::SpeculativeJIT::doubleResult):
(JSC::DFG::SpeculativeJIT::initConstantInfo):
(JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
(JSC::DFG::SpeculativeJIT::isInteger):
(JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
(JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
(JSC::DFG::SpeculativeJIT::setNodeForOperand):
(JSC::DFG::IntegerOperand::IntegerOperand):
(JSC::DFG::IntegerOperand::node):
(JSC::DFG::IntegerOperand::gpr):
(JSC::DFG::IntegerOperand::use):
(JSC::DFG::DoubleOperand::DoubleOperand):
(JSC::DFG::DoubleOperand::node):
(JSC::DFG::DoubleOperand::fpr):
(JSC::DFG::DoubleOperand::use):
(JSC::DFG::JSValueOperand::JSValueOperand):
(JSC::DFG::JSValueOperand::node):
(JSC::DFG::JSValueOperand::gpr):
(JSC::DFG::JSValueOperand::fill):
(JSC::DFG::JSValueOperand::use):
(JSC::DFG::StorageOperand::StorageOperand):
(JSC::DFG::StorageOperand::node):
(JSC::DFG::StorageOperand::gpr):
(JSC::DFG::StorageOperand::use):
(JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
(JSC::DFG::SpeculateIntegerOperand::node):
(JSC::DFG::SpeculateIntegerOperand::gpr):
(JSC::DFG::SpeculateIntegerOperand::use):
(SpeculateIntegerOperand):
(JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
(JSC::DFG::SpeculateStrictInt32Operand::node):
(JSC::DFG::SpeculateStrictInt32Operand::gpr):
(JSC::DFG::SpeculateStrictInt32Operand::use):
(SpeculateStrictInt32Operand):
(JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
(JSC::DFG::SpeculateDoubleOperand::node):
(JSC::DFG::SpeculateDoubleOperand::fpr):
(JSC::DFG::SpeculateDoubleOperand::use):
(SpeculateDoubleOperand):
(JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
(JSC::DFG::SpeculateCellOperand::node):
(JSC::DFG::SpeculateCellOperand::gpr):
(JSC::DFG::SpeculateCellOperand::use):
(SpeculateCellOperand):
(JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
(JSC::DFG::SpeculateBooleanOperand::node):
(JSC::DFG::SpeculateBooleanOperand::gpr):
(JSC::DFG::SpeculateBooleanOperand::use):
(SpeculateBooleanOperand):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillInteger):
(JSC::DFG::SpeculativeJIT::fillDouble):
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
(JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
(JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt):
(JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileIntegerCompare):
(JSC::DFG::SpeculativeJIT::compileDoubleCompare):
(JSC::DFG::SpeculativeJIT::compileValueAdd):
(JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillInteger):
(JSC::DFG::SpeculativeJIT::fillDouble):
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
(JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
(JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt):
(JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileIntegerCompare):
(JSC::DFG::SpeculativeJIT::compileDoubleCompare):
(JSC::DFG::SpeculativeJIT::compileValueAdd):
(JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureAbstractValue.h:
(StructureAbstractValue):
* dfg/DFGStructureCheckHoistingPhase.cpp:
(JSC::DFG::StructureCheckHoistingPhase::run):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
(JSC::DFG::Validate::reportValidationContext):
* dfg/DFGValidate.h:
* dfg/DFGValueSource.cpp:
(JSC::DFG::ValueSource::dump):
* dfg/DFGValueSource.h:
(JSC::DFG::ValueSource::ValueSource):
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
(JSC::DFG::VirtualRegisterAllocationPhase::run):
* runtime/FunctionExecutableDump.cpp: Added.
(JSC::FunctionExecutableDump::dump):
* runtime/FunctionExecutableDump.h: Added.
(FunctionExecutableDump):
(JSC::FunctionExecutableDump::FunctionExecutableDump):
* runtime/JSGlobalData.cpp:
(JSC::JSGlobalData::JSGlobalData):
* runtime/JSGlobalData.h:
* runtime/Options.h:

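To make the allocator design this entry describes concrete, here is an added example in the same shape (it is not WebKit's DFGAllocator and not the author's code): regions placed on a regionSize boundary so regionFor() can mask a pointer, bump allocation first, an intrusive free list for recycled slots, freeAll(), and a linear indexOf() standing in for the "not guaranteed to be O(1)" Node::index(). roundUpTo, PoolAllocator, DemoNode and demoPointersAreStable are names chosen for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>
#include <stdlib.h>   // posix_memalign: each region must start on a regionSize boundary

// Hypothetical helper (not WebKit code): round v up to a multiple of a, a power of two.
constexpr size_t roundUpTo(size_t v, size_t a) { return (v + a - 1) & ~(a - 1); }

// Fixed-size slots carved from aligned regions: bump allocation first, an intrusive free
// list for recycled slots, freeAll() to drop everything. A T* never moves once handed out.
template<typename T>
class PoolAllocator {
public:
    static constexpr size_t regionSize = 4096;   // power of two so regionFor() can mask

    PoolAllocator() = default;
    PoolAllocator(const PoolAllocator&) = delete;   // two owners would double-free regions
    ~PoolAllocator() { freeAll(); }

    // Raw storage for one T; the caller constructs in place with placement new.
    void* allocate() {
        if (void* slot = freeListAllocate()) return slot;
        if (void* slot = bumpAllocate()) return slot;
        return allocateSlow();
    }
    // Recycles a slot. Its bytes now hold a free-list link, so any pointer the caller
    // still has to it is dangling: drop it rather than read through it.
    void free(void* slot) {
        FreeCell* cell = static_cast<FreeCell*>(slot);
        cell->next = m_freeList;
        m_freeList = cell;
    }
    // Releases every region; every pointer ever returned by allocate() is now invalid.
    void freeAll() {
        while (Region* region = m_regions) { m_regions = region->next; ::free(region); }
        m_regionsTail = nullptr;
        m_freeList = nullptr;
    }
    // Debug ordinal of an object: a linear walk over the region chain, so not O(1).
    size_t indexOf(const void* p) {
        size_t base = 0;
        for (Region* region = m_regions; region; region = region->next) {
            if (region->isInThisRegion(p))
                return base + (static_cast<const char*>(p) - region->data()) / thingSize;
            base += Region::numberOfThingsPerRegion();
        }
        return SIZE_MAX;   // not one of ours
    }
    static constexpr size_t thingsPerRegion() { return Region::numberOfThingsPerRegion(); }

private:
    struct FreeCell { FreeCell* next; };
    // Slot must hold either a T or a free-list link and keep both aligned.
    static constexpr size_t thingSize =
        roundUpTo(sizeof(T) < sizeof(FreeCell) ? sizeof(FreeCell) : sizeof(T), alignof(std::max_align_t));

    struct Region {
        Region* next;   // chained so freeAll() and indexOf() can walk every region
        static constexpr size_t headerSize() { return roundUpTo(sizeof(Region), alignof(std::max_align_t)); }
        static constexpr size_t numberOfThingsPerRegion() { return (regionSize - headerSize()) / thingSize; }
        char* data() { return reinterpret_cast<char*>(this) + headerSize(); }
        bool isInThisRegion(const void* p) const { return regionFor(p) == this; }
        // Sound only because allocateSlow() places every region on a regionSize boundary.
        static Region* regionFor(const void* p) {
            return reinterpret_cast<Region*>(reinterpret_cast<uintptr_t>(p) & ~uintptr_t(regionSize - 1));
        }
    };

    void* freeListAllocate() {   // pop the intrusive free list, if it has anything
        FreeCell* cell = m_freeList;
        if (cell) m_freeList = cell->next;
        return cell;
    }
    void* bumpAllocate() {       // bump within the newest region until it is full
        if (!m_regionsTail || m_bumpIndex == Region::numberOfThingsPerRegion()) return nullptr;
        return m_regionsTail->data() + m_bumpIndex++ * thingSize;
    }
    void* allocateSlow() {       // bump space exhausted: start bumping in a fresh region
        void* memory = nullptr;
        if (posix_memalign(&memory, regionSize, regionSize) != 0) throw std::bad_alloc();
        Region* region = new (memory) Region{nullptr};
        if (m_regionsTail) m_regionsTail->next = region; else m_regions = region;
        m_regionsTail = region;
        m_bumpIndex = 0;
        return bumpAllocate();
    }

    Region* m_regions = nullptr;
    Region* m_regionsTail = nullptr;
    size_t m_bumpIndex = 0;
    FreeCell* m_freeList = nullptr;
};

struct DemoNode { int opcode; DemoNode* child; };   // stand-in for a DFG node (constructed)
// Fills one region and spills into a second, then frees and reallocates one slot. Returns
// true when earlier nodes stayed put, the spill was detected, and the freed slot was reused.
bool demoPointersAreStable() {
    PoolAllocator<DemoNode> allocator;
    const size_t n = PoolAllocator<DemoNode>::thingsPerRegion() + 1;   // spills into region 2
    DemoNode* first = new (allocator.allocate()) DemoNode{0, nullptr};
    DemoNode* last = first;
    for (size_t i = 1; i < n; ++i)
        last = new (allocator.allocate()) DemoNode{static_cast<int>(i), last};
    bool spilled = allocator.indexOf(first) == 0 && allocator.indexOf(last) == n - 1;
    allocator.free(first);                   // first is dangling from here on
    void* reused = allocator.allocate();     // the free list is consulted before bumping
    return spilled && reused == static_cast<void*>(first) && last->opcode == int(n - 1);
}
```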
2013-01-28 Laszlo Gombos <l.gombos@samsung.com>

Collapse testing for a list of PLATFORM() into OS() and USE() tests
https://bugs.webkit.org/show_bug.cgi?id=108018

Reviewed by Eric Seidel.

No functional change, as "OS(DARWIN) && USE(CF)" is equivalent to the
following platforms: MAC, WX, QT and CHROMIUM. CHROMIUM
is not using JavaScriptCore.

* runtime/DatePrototype.cpp:

2013-01-28 Geoffrey Garen <ggaren@apple.com>

Static size inference for JavaScript objects
https://bugs.webkit.org/show_bug.cgi?id=108093

Reviewed by Phil Pizlo.

* API/JSObjectRef.cpp:
* JavaScriptCore.order:
* JavaScriptCore.xcodeproj/project.pbxproj: Pay the tax man.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode): op_new_object and op_create_this now
have an extra inferredInlineCapacity argument. This is the statically
inferred inline capacity, just from analyzing source text. op_new_object
also gets a pointer to an allocation profile. (For op_create_this, the
profile is in the constructor function.)

(JSC::CodeBlock::CodeBlock): Link op_new_object.

(JSC::CodeBlock::stronglyVisitStrongReferences): Mark our profiles.

* bytecode/CodeBlock.h:
(CodeBlock): Removed some dead code. Added object allocation profiles.

* bytecode/Instruction.h:
(JSC): New union type, since an instruction operand may point to an
object allocation profile now.

* bytecode/ObjectAllocationProfile.h: Added.
(ObjectAllocationProfile):
(JSC::ObjectAllocationProfile::offsetOfAllocator):
(JSC::ObjectAllocationProfile::offsetOfStructure):
(JSC::ObjectAllocationProfile::ObjectAllocationProfile):
(JSC::ObjectAllocationProfile::isNull):
(JSC::ObjectAllocationProfile::initialize):
(JSC::ObjectAllocationProfile::structure):
(JSC::ObjectAllocationProfile::inlineCapacity):
(JSC::ObjectAllocationProfile::clear):
(JSC::ObjectAllocationProfile::visitAggregate):
(JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): New class
for tracking a prediction about object allocation: structure, inline
capacity, allocator to use.

* bytecode/Opcode.h:
(JSC::padOpcodeName): Updated instruction sizes.

* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::addObjectAllocationProfile):
(JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles):
(UnlinkedCodeBlock): Unlinked support for allocation profiles.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate): Kill all remaining analyses at the
end of codegen, since this is our last opportunity.

(JSC::BytecodeGenerator::BytecodeGenerator): Added a static property
analyzer to bytecode generation. It tracks initializing assignments and
makes a guess about how many will happen.

(JSC::BytecodeGenerator::newObjectAllocationProfile):
(JSC::BytecodeGenerator::emitProfiledOpcode):
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitResolve):
(JSC::BytecodeGenerator::emitResolveBase):
(JSC::BytecodeGenerator::emitResolveBaseForPut):
(JSC::BytecodeGenerator::emitResolveWithBaseForPut):
(JSC::BytecodeGenerator::emitResolveWithThis):
(JSC::BytecodeGenerator::emitGetById):
(JSC::BytecodeGenerator::emitPutById):
(JSC::BytecodeGenerator::emitDirectPutById):
(JSC::BytecodeGenerator::emitPutGetterSetter):
(JSC::BytecodeGenerator::emitGetArgumentByVal):
(JSC::BytecodeGenerator::emitGetByVal): Added hooks to the static property
analyzer, so it can observe allocations and stores.

(JSC::BytecodeGenerator::emitCreateThis): Factored this into a helper
function because it was a significant amount of logic, and I wanted to

(JSC::BytecodeGenerator::emitNewObject):
(JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitCallVarargs):
(JSC::BytecodeGenerator::emitConstruct): Added a hook to profiled opcodes
to track their stores, in case a store kills a profiled allocation. Since
profiled opcodes are basically the only interesting stores we do, this
is a convenient place to notice any store that might kill an allocation.

* bytecompiler/BytecodeGenerator.h:
(BytecodeGenerator): As above.

* bytecompiler/StaticPropertyAnalysis.h: Added.
(StaticPropertyAnalysis):
(JSC::StaticPropertyAnalysis::create):
(JSC::StaticPropertyAnalysis::addPropertyIndex):
(JSC::StaticPropertyAnalysis::record):
(JSC::StaticPropertyAnalysis::propertyIndexCount):
(JSC::StaticPropertyAnalysis::StaticPropertyAnalysis): Simple helper
class for tracking allocations and stores.

* bytecompiler/StaticPropertyAnalyzer.h: Added.
(StaticPropertyAnalyzer):
1661 (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
1662 (JSC::StaticPropertyAnalyzer::createThis):
1663 (JSC::StaticPropertyAnalyzer::newObject):
1664 (JSC::StaticPropertyAnalyzer::putById):
1665 (JSC::StaticPropertyAnalyzer::mov):
1666 (JSC::StaticPropertyAnalyzer::kill): Helper class for observing allocations
1667 and stores and making an inline capacity guess. The heuristics here are
1668 intentionally minimal because we don't want this one class to try to
1669 re-create something like a DFG or a runtime analysis. If we discover that
1670 we need those kinds of analyses, we should just replace this class with
1673 This class tracks multiple registers that alias the same object -- that
1674 happens a lot, when moving locals into temporary registers -- but it
1675 doesn't track control flow or multiple objects that alias the same register.
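An added, constructed model of the analyzer described above (it is not JSC's StaticPropertyAnalyzer or StaticPropertyAnalysis, and its register numbers, property names and sizing policy are assumptions): it watches allocations, stores and register moves as they are emitted, follows several registers that alias one object, records each allocation's distinct-property count into a profile slot when its last alias dies or codegen finishes, and, like the original, ignores control flow and a register that could hold more than one object.

```cpp
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Constructed, simplified model of a static property analyzer (not JSC's
// StaticPropertyAnalyzer). It observes allocations, stores and register moves
// as bytecode is generated and guesses how many properties each allocation
// will initialize, so the allocation can be sized with that much inline
// capacity. It does not track control flow.

// One watched allocation. Its guess is written to the profile slot when the
// last register aliasing it is overwritten, or when codegen finishes.
class Analysis {
public:
    Analysis(std::vector<int>* profiles, int index) : profiles_(profiles), index_(index) {}
    ~Analysis() { (*profiles_)[index_] = static_cast<int>(properties_.size()); }
    void addProperty(const std::string& name) { properties_.insert(name); } // duplicates count once
private:
    std::vector<int>* profiles_;
    int index_;
    std::set<std::string> properties_;
};

class StaticPropertyAnalyzerModel {
public:
    // dst = {}   Returns the index of the new allocation profile.
    int newObject(int dst) {
        int index = static_cast<int>(profiles_.size());
        profiles_.push_back(0);
        kill(dst);
        registers_[dst] = std::make_shared<Analysis>(&profiles_, index);
        return index;
    }
    // dst.name = value   Recorded only if dst aliases a watched allocation.
    void putById(int dst, const std::string& name) {
        auto it = registers_.find(dst);
        if (it != registers_.end())
            it->second->addProperty(name);
    }
    // dst = src   dst now aliases whatever src aliases (or nothing).
    void mov(int dst, int src) {
        if (dst == src)
            return;
        kill(dst);
        auto it = registers_.find(src);
        if (it != registers_.end())
            registers_[dst] = it->second;
    }
    // Any other write to dst ends its association with an allocation.
    void kill(int dst) { registers_.erase(dst); }
    // End of codegen: every remaining analysis records its guess.
    void finish() { registers_.clear(); }
    // Predicted property count for a profile (valid once its analysis ended).
    int predictedCount(int profileIndex) const { return profiles_.at(profileIndex); }
    // Assumed sizing policy (not JSC's): use the prediction as the inline
    // capacity, clamped to the allocator's maximum.
    static int inlineCapacityFor(int predicted, int maxInlineCapacity) {
        return predicted > maxInlineCapacity ? maxInlineCapacity : predicted;
    }
private:
    std::vector<int> profiles_; // declared first so it outlives registers_
    std::map<int, std::shared_ptr<Analysis>> registers_;
};
```

A sequence such as "r0 = {}; r0.x = ..; r0.y = ..; r1 = r0; r1.z = .." yields a guess of 3 for that object even though the stores arrive through two different registers; overwriting r0 with a second allocation does not end the first analysis while r1 still aliases it.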
1677 * dfg/DFGAbstractState.cpp:
1678 (JSC::DFG::AbstractState::execute): Updated for rename.
1680 * dfg/DFGByteCodeParser.cpp:
1681 (JSC::DFG::ByteCodeParser::parseBlock): Updated for inline capacity and
1685 (JSC::DFG::Node::hasInlineCapacity):
1687 (JSC::DFG::Node::inlineCapacity):
1688 (JSC::DFG::Node::hasFunction): Give the graph a good way to represent
1689 inline capacity for an allocation.
1691 * dfg/DFGNodeType.h:
1692 (DFG): Updated for rename.
1694 * dfg/DFGOperations.cpp: Updated for interface change.
1696 * dfg/DFGOperations.h: We pass the inline capacity to the slow case as
1697 an argument. This is the simplest way, since it's stored as a bytecode operand.
1699 * dfg/DFGPredictionPropagationPhase.cpp:
1700 (JSC::DFG::PredictionPropagationPhase::propagate): Updated for rename.
1702 * dfg/DFGRepatch.cpp:
1703 (JSC::DFG::tryCacheGetByID): Fixed a horrible off-by-one-half bug that only
1704 appears when doing an inline cached load for property number 64 on a 32-bit
1705 system. In JSVALUE32_64 land, "offsetRelativeToPatchedStorage" is the
1706 offset of the 64-bit JSValue -- but we'll actually issue two loads, one for
1707 the payload at that offset, and one for the tag at that offset + 4. We need
1708 to ensure that both loads have a compact representation, or we'll corrupt
1709 the instruction stream.
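An added, constructed illustration of the two-load hazard just described (it is not JSC's tryCacheGetByID or maxOffsetRelativeToPatchedStorage, and the signed 8-bit compact range, the 4-byte tag offset and the 4-byte storage base are assumed values chosen so that the divergence is visible): a check that validates only the payload displacement accepts a slot whose tag load at offset + 4 no longer fits the compact encoding, which is exactly the case where patching would corrupt the instruction stream.

```cpp
// Constructed model of the JSVALUE32_64 hazard (not JSC's code): a 64-bit
// JSValue slot is read with two 32-bit loads, the payload at the slot's offset
// and the tag 4 bytes later. A JIT that checks only the payload offset against
// the compact (short-displacement) encoding can emit a tag load whose
// displacement does not fit, and later patching then corrupts the instruction.
// All numbers are assumptions: an x86-style signed 8-bit displacement, and
// slots starting 4 bytes past the patched storage base.
constexpr int kSlotSize    = 8;    // one JSValue
constexpr int kTagOffset   = 4;    // tag word follows the payload word
constexpr int kStorageBase = 4;    // assumed: first slot sits 4 bytes past the base
constexpr int kCompactMin  = -128; // assumed compact displacement range
constexpr int kCompactMax  = 127;

// Can a single 32-bit load at this displacement use the compact encoding?
bool loadFitsCompact(int displacement) {
    return displacement >= kCompactMin && displacement <= kCompactMax;
}

// Flawed check: validates the payload load only.
bool slotFitsCompactBuggy(int slotOffset) {
    return loadFitsCompact(slotOffset);
}

// Corrected check: both loads of the 64-bit slot must be encodable.
bool slotFitsCompactFixed(int slotOffset) {
    return loadFitsCompact(slotOffset) && loadFitsCompact(slotOffset + kTagOffset);
}

// Highest slot offset that is safe to encode compactly; the tag load, not the
// payload load, determines the bound.
int maxCompactSlotOffset() {
    return kCompactMax - kTagOffset;
}

// Offset of slot `index` relative to the patched storage base.
int slotOffset(int index) {
    return kStorageBase + index * kSlotSize;
}

// First slot index below `limit` that the buggy check accepts but the fixed
// check rejects, or -1 if the two agree on every slot. That slot is the
// property whose inline cache would have been miscompiled.
int firstMisacceptedSlot(int limit) {
    for (int i = 0; i < limit; ++i) {
        int offset = slotOffset(i);
        if (slotFitsCompactBuggy(offset) && !slotFitsCompactFixed(offset))
            return i;
    }
    return -1;
}
```

With these assumed numbers slot 15 sits at displacement 124: the payload load encodes, the tag load at 128 does not, and only the corrected check refuses the compact form. The general lesson is that any multi-part access must bound-check every part it issues, not just the first.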
1711 * dfg/DFGSpeculativeJIT.cpp:
1712 (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
1713 * dfg/DFGSpeculativeJIT.h:
1714 (JSC::DFG::SpeculativeJIT::callOperation):
1715 (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
1717 (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1718 * dfg/DFGSpeculativeJIT32_64.cpp:
1719 (JSC::DFG::SpeculativeJIT::compile):
1720 * dfg/DFGSpeculativeJIT64.cpp:
1721 (JSC::DFG::SpeculativeJIT::compile): Lots of refactoring to support
1722 passing an allocator to our allocation function, and/or passing a Structure
1723 as a register instead of an immediate.
1725 * heap/MarkedAllocator.h:
1728 (JSC::MarkedAllocator::offsetOfFreeListHead): Added an accessor to simplify
1729 JIT code generation of allocation from an arbitrary allocator.
1735 (JSC::JIT::emitAllocateJSObject):
1736 * jit/JITOpcodes.cpp:
1737 (JSC::JIT::emit_op_new_object):
1738 (JSC::JIT::emitSlow_op_new_object):
1739 (JSC::JIT::emit_op_create_this):
1740 (JSC::JIT::emitSlow_op_create_this):
1741 * jit/JITOpcodes32_64.cpp:
1742 (JSC::JIT::emit_op_new_object):
1743 (JSC::JIT::emitSlow_op_new_object):
1744 (JSC::JIT::emit_op_create_this):
1745 (JSC::JIT::emitSlow_op_create_this): Same refactoring as done for the DFG.
1748 (JSC::tryCacheGetByID): Fixed the same bug mentioned above.
1750 (JSC::DEFINE_STUB_FUNCTION): Updated for interface changes.
1752 * llint/LLIntData.cpp:
1753 (JSC::LLInt::Data::performAssertions): Updated for interface changes.
1755 * llint/LLIntSlowPaths.cpp:
1756 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1757 * llint/LowLevelInterpreter.asm:
1758 * llint/LowLevelInterpreter32_64.asm:
1759 * llint/LowLevelInterpreter64.asm: Same refactoring as for the JITs.
1761 * profiler/ProfilerBytecode.cpp:
1762 * profiler/ProfilerBytecodes.cpp:
1763 * profiler/ProfilerCompilation.cpp:
1764 * profiler/ProfilerCompiledBytecode.cpp:
1765 * profiler/ProfilerDatabase.cpp:
1766 * profiler/ProfilerOSRExit.cpp:
1767 * profiler/ProfilerOrigin.cpp:
1768 * profiler/ProfilerProfiledBytecodes.cpp: Include ObjectConstructor.h
1769 because that's where createEmptyObject() lives now.
1771 * runtime/Executable.h:
1772 (JSC::JSFunction::JSFunction): Updated for rename.
1774 * runtime/JSCellInlines.h:
1775 (JSC::allocateCell): Updated to match the allocator selection code in
1776 the JIT, so it's clearer that both are correct.
1778 * runtime/JSFunction.cpp:
1779 (JSC::JSFunction::JSFunction):
1780 (JSC::JSFunction::createAllocationProfile):
1781 (JSC::JSFunction::visitChildren):
1782 (JSC::JSFunction::getOwnPropertySlot):
1783 (JSC::JSFunction::put):
1784 (JSC::JSFunction::defineOwnProperty):
1785 (JSC::JSFunction::getConstructData):
1786 * runtime/JSFunction.h:
1787 (JSC::JSFunction::offsetOfScopeChain):
1788 (JSC::JSFunction::offsetOfExecutable):
1789 (JSC::JSFunction::offsetOfAllocationProfile):
1790 (JSC::JSFunction::allocationProfile):
1792 (JSC::JSFunction::tryGetAllocationProfile):
1793 (JSC::JSFunction::addAllocationProfileWatchpoint): Changed inheritorID
1794 data member to be an ObjectAllocationProfile, which includes a pointer
1795 to the desired allocator. This simplifies JIT code, since we don't have
1796 to compute the allocator on the fly. I verified by code inspection that
1797 JSFunction is still only 64 bytes.
1799 * runtime/JSGlobalObject.cpp:
1800 (JSC::JSGlobalObject::reset):
1801 (JSC::JSGlobalObject::visitChildren):
1802 * runtime/JSGlobalObject.h:
1804 (JSC::JSGlobalObject::dateStructure): No direct pointer to the empty
1805 object structure anymore, because now clients need to specify how much
1806 inline capacity they want.
1808 * runtime/JSONObject.cpp:
1809 * runtime/JSObject.h:
1812 (JSC::JSFinalObject::defaultInlineCapacity):
1813 (JSC::JSFinalObject::maxInlineCapacity):
1814 (JSC::JSFinalObject::createStructure): A little refactoring to try to
1815 clarify where some of these constants derive from.
1817 (JSC::maxOffsetRelativeToPatchedStorage): Used for bug fix, above.
1819 * runtime/JSProxy.cpp:
1820 (JSC::JSProxy::setTarget): Ugly, but effective.
1822 * runtime/LiteralParser.cpp:
1823 * runtime/ObjectConstructor.cpp:
1824 (JSC::constructObject):
1825 (JSC::constructWithObjectConstructor):
1826 (JSC::callObjectConstructor):
1827 (JSC::objectConstructorCreate): Updated for interface changes.
1829 * runtime/ObjectConstructor.h:
1830 (JSC::constructEmptyObject): Clarified your options for how to allocate
1831 an empty object, to emphasize what things can actually vary.
1833 * runtime/PropertyOffset.h: These constants have moved because they're
1834 really higher level concepts to do with the layout of objects and the
1835 collector. PropertyOffset is just an abstract number line, independent
1838 * runtime/PrototypeMap.cpp:
1839 (JSC::PrototypeMap::emptyObjectStructureForPrototype):
1840 (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
1841 * runtime/PrototypeMap.h:
1842 (PrototypeMap): The map key is now a pair of prototype and inline capacity,
1843 since Structure encodes inline capacity.
1845 * runtime/Structure.cpp:
1846 (JSC::Structure::Structure):
1847 (JSC::Structure::materializePropertyMap):
1848 (JSC::Structure::addPropertyTransition):
1849 (JSC::Structure::nonPropertyTransition):
1850 (JSC::Structure::copyPropertyTableForPinning):
1851 * runtime/Structure.h:
1853 (JSC::Structure::totalStorageSize):
1854 (JSC::Structure::transitionCount):
1855 (JSC::Structure::create): Fixed a nasty refactoring bug that only shows
1856 up after enabling variable-sized inline capacities: we were passing our
1857 type info where our inline capacity was expected. The compiler didn't
1858 notice because both have type int :(.
1860 2013-01-28 Oliver Hunt <oliver@apple.com>
1862 Add more assertions to the property storage use in arrays
1863 https://bugs.webkit.org/show_bug.cgi?id=107728
1865 Reviewed by Filip Pizlo.
1867 Add a bunch of assertions to array and object butterfly
1868 usage. This should make debugging somewhat easier.
1870 I also converted a couple of assertions to release asserts
1871 as they were so low cost it seemed a sensible thing to do.
1873 * runtime/JSArray.cpp:
1874 (JSC::JSArray::sortVector):
1875 (JSC::JSArray::compactForSorting):
1876 * runtime/JSObject.h:
1877 (JSC::JSObject::getHolyIndexQuickly):
1879 2013-01-28 Adam Barth <abarth@webkit.org>
1881 Remove webkitNotifications.createHTMLNotification
1882 https://bugs.webkit.org/show_bug.cgi?id=107598
1884 Reviewed by Benjamin Poulain.
1886 * Configurations/FeatureDefines.xcconfig:
1888 2013-01-28 Michael Saboff <msaboff@apple.com>
1890 Cleanup ARM version of debugName() in DFGFPRInfo.h
1891 https://bugs.webkit.org/show_bug.cgi?id=108090
1893 Reviewed by David Kilzer.
1895 Fixed debugName() so it will compile by adding static_cast<int> and missing commas.
1898 (JSC::DFG::FPRInfo::debugName):
1900 2013-01-27 Andreas Kling <akling@apple.com>
1902 JSC: FunctionParameters are memory hungry.
1903 <http://webkit.org/b/108033>
1904 <rdar://problem/13094803>
1906 Reviewed by Sam Weinig.
1908 Instead of inheriting from Vector<Identifier>, make FunctionParameters a simple fixed-size array
1909 with a custom-allocating create() function. Removes one step of indirection and cuts memory usage
1912 2.73 MB progression on Membuster3.
1914 * bytecode/UnlinkedCodeBlock.cpp:
1915 (JSC::UnlinkedFunctionExecutable::paramString):
1916 * bytecompiler/BytecodeGenerator.cpp:
1917 (JSC::BytecodeGenerator::BytecodeGenerator):
1919 (JSC::FunctionParameters::create):
1920 (JSC::FunctionParameters::FunctionParameters):
1921 (JSC::FunctionParameters::~FunctionParameters):
1923 (FunctionParameters):
1924 (JSC::FunctionParameters::size):
1925 (JSC::FunctionParameters::at):
1926 (JSC::FunctionParameters::identifiers):
1928 2013-01-27 Andreas Kling <akling@apple.com>
1930 JSC: SourceProviderCache is memory hungry.
1931 <http://webkit.org/b/108029>
1932 <rdar://problem/13094806>
1934 Reviewed by Sam Weinig.
1936 Use fixed-size arrays for SourceProviderCacheItem's lists of captured variables.
1937 Since the lists never change after the object is created, there's no need to keep them in Vectors
1938 and we can instead create the whole cache item in a single allocation.
1940 13.37 MB progression on Membuster3.
1942 * parser/Parser.cpp:
1943 (JSC::::parseFunctionInfo):
1945 (JSC::Scope::copyCapturedVariablesToVector):
1946 (JSC::Scope::fillParametersForSourceProviderCache):
1947 (JSC::Scope::restoreFromSourceProviderCache):
1948 * parser/SourceProviderCacheItem.h:
1949 (SourceProviderCacheItemCreationParameters):
1950 (SourceProviderCacheItem):
1951 (JSC::SourceProviderCacheItem::approximateByteSize):
1952 (JSC::SourceProviderCacheItem::usedVariables):
1953 (JSC::SourceProviderCacheItem::writtenVariables):
1954 (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
1955 (JSC::SourceProviderCacheItem::create):
1956 (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
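Both Kling entries above (FunctionParameters and SourceProviderCacheItem) replace a Vector with a fixed-size array created in a single allocation by a custom create() function. The following is an added, constructed example of that pattern and is not the project's code; the class name, its checked size computation and its bounds-checked at() are assumptions. With this layout an out-of-range index walks straight past the block and an unchecked count * sizeof(element) can wrap, so both checks belong in the type itself.

```cpp
#include <cstddef>
#include <limits>
#include <new>
#include <stdexcept>
#include <string>

// Constructed example of the single-allocation pattern (not JSC's
// FunctionParameters or SourceProviderCacheItem): a small header followed by a
// fixed-size array of identifiers, carved out of one block by a custom
// create() function. The byte size is checked for overflow before allocating,
// and at() is bounds-checked.
class IdentifierList {
public:
    using String = std::string;

    // Builds the list from `count` names in one allocation. Returns nullptr
    // if the byte size would overflow size_t.
    static IdentifierList* create(const String* names, size_t count) {
        size_t bytes = 0;
        if (!allocationSize(count, &bytes))
            return nullptr;
        void* memory = ::operator new(bytes);
        return new (memory) IdentifierList(names, count);
    }

    // Destroys the identifiers and releases the block.
    static void destroy(IdentifierList* list) {
        if (!list)
            return;
        list->~IdentifierList();
        ::operator delete(list);
    }

    // Header size plus the trailing array, rejecting counts that would wrap.
    static bool allocationSize(size_t count, size_t* bytes) {
        const size_t maxCount =
            (std::numeric_limits<size_t>::max() - sizeof(IdentifierList)) / sizeof(String);
        if (count > maxCount)
            return false;
        *bytes = sizeof(IdentifierList) + count * sizeof(String);
        return true;
    }

    size_t size() const { return size_; }

    // Bounds-checked element access; an out-of-range index is an error, not a
    // read past the block.
    const String& at(size_t index) const {
        if (index >= size_)
            throw std::out_of_range("IdentifierList index out of range");
        return identifiers()[index];
    }

private:
    IdentifierList(const String* names, size_t count) : size_(count) {
        for (size_t i = 0; i < count; ++i)
            new (&identifiers()[i]) String(names[i]); // construct each element in place
    }
    ~IdentifierList() {
        for (size_t i = 0; i < size_; ++i)
            identifiers()[i].~String();
    }
    // The array begins immediately after the header.
    String* identifiers() { return reinterpret_cast<String*>(this + 1); }
    const String* identifiers() const { return reinterpret_cast<const String*>(this + 1); }

    size_t size_;
};
```

The list is built once and never resized, which is what makes the single allocation safe: there is no realloc path that could move the array out from under an existing pointer.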
1958 2013-01-27 Zoltan Arvai <zarvai@inf.u-szeged.hu>
1960 Fixing atomicIncrement implementation for Windows by dropping support before XP SP2.
1961 https://bugs.webkit.org/show_bug.cgi?id=106740
1963 Reviewed by Benjamin Poulain.
1967 2013-01-25 Filip Pizlo <fpizlo@apple.com>
1969 DFG variable event stream shouldn't use NodeIndex
1970 https://bugs.webkit.org/show_bug.cgi?id=107996
1972 Reviewed by Oliver Hunt.
1974 Introduce the notion of a DFG::MinifiedID, which is just a unique ID of a DFG Node.
1975 Internally it currently uses a NodeIndex, but we could change this without having
1976 to recode all of the users of MinifiedID. This effectively decouples the OSR exit
1977 compiler's way of identifying nodes from the speculative JIT's way of identifying
1978 nodes, and should make it easier to make changes to the speculative JIT's internals
1981 Also changed variable event stream logging to exclude information about births and
1982 deaths of constants, since the OSR exit compiler never cares about which register
1983 holds a constant; if a value is constant then the OSR exit compiler can reify it.
1985 Also changed the variable event stream's value recovery computation to use a
1986 HashMap keyed by MinifiedID rather than a Vector indexed by NodeIndex.
1988 This appears to be performance-neutral. It's primarily meant as a small step
1989 towards https://bugs.webkit.org/show_bug.cgi?id=106868.
1991 * GNUmakefile.list.am:
1992 * JavaScriptCore.xcodeproj/project.pbxproj:
1993 * dfg/DFGGenerationInfo.h:
1994 (JSC::DFG::GenerationInfo::GenerationInfo):
1995 (JSC::DFG::GenerationInfo::initConstant):
1996 (JSC::DFG::GenerationInfo::initInteger):
1997 (JSC::DFG::GenerationInfo::initJSValue):
1998 (JSC::DFG::GenerationInfo::initCell):
1999 (JSC::DFG::GenerationInfo::initBoolean):
2000 (JSC::DFG::GenerationInfo::initDouble):
2001 (JSC::DFG::GenerationInfo::initStorage):
2002 (JSC::DFG::GenerationInfo::noticeOSRBirth):
2003 (JSC::DFG::GenerationInfo::use):
2004 (JSC::DFG::GenerationInfo::appendFill):
2005 (JSC::DFG::GenerationInfo::appendSpill):
2007 * dfg/DFGJITCompiler.cpp:
2008 (JSC::DFG::JITCompiler::link):
2009 * dfg/DFGMinifiedGraph.h:
2010 (JSC::DFG::MinifiedGraph::at):
2012 * dfg/DFGMinifiedID.h: Added.
2015 (JSC::DFG::MinifiedID::MinifiedID):
2016 (JSC::DFG::MinifiedID::operator!):
2017 (JSC::DFG::MinifiedID::nodeIndex):
2018 (JSC::DFG::MinifiedID::operator==):
2019 (JSC::DFG::MinifiedID::operator!=):
2020 (JSC::DFG::MinifiedID::operator<):
2021 (JSC::DFG::MinifiedID::operator>):
2022 (JSC::DFG::MinifiedID::operator<=):
2023 (JSC::DFG::MinifiedID::operator>=):
2024 (JSC::DFG::MinifiedID::hash):
2025 (JSC::DFG::MinifiedID::dump):
2026 (JSC::DFG::MinifiedID::isHashTableDeletedValue):
2027 (JSC::DFG::MinifiedID::invalidID):
2028 (JSC::DFG::MinifiedID::otherInvalidID):
2029 (JSC::DFG::MinifiedID::fromBits):
2030 (JSC::DFG::MinifiedIDHash::hash):
2031 (JSC::DFG::MinifiedIDHash::equal):
2034 * dfg/DFGMinifiedNode.cpp:
2035 (JSC::DFG::MinifiedNode::fromNode):
2036 * dfg/DFGMinifiedNode.h:
2037 (JSC::DFG::MinifiedNode::id):
2038 (JSC::DFG::MinifiedNode::child1):
2039 (JSC::DFG::MinifiedNode::getID):
2040 (JSC::DFG::MinifiedNode::compareByNodeIndex):
2042 * dfg/DFGSpeculativeJIT.cpp:
2043 (JSC::DFG::SpeculativeJIT::compileMovHint):
2044 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2045 * dfg/DFGSpeculativeJIT.h:
2046 (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
2047 * dfg/DFGValueSource.cpp:
2048 (JSC::DFG::ValueSource::dump):
2049 * dfg/DFGValueSource.h:
2050 (JSC::DFG::ValueSource::ValueSource):
2051 (JSC::DFG::ValueSource::isSet):
2052 (JSC::DFG::ValueSource::kind):
2053 (JSC::DFG::ValueSource::id):
2055 (JSC::DFG::ValueSource::idFromKind):
2056 (JSC::DFG::ValueSource::kindFromID):
2057 * dfg/DFGVariableEvent.cpp:
2058 (JSC::DFG::VariableEvent::dump):
2059 (JSC::DFG::VariableEvent::dumpFillInfo):
2060 (JSC::DFG::VariableEvent::dumpSpillInfo):
2061 * dfg/DFGVariableEvent.h:
2062 (JSC::DFG::VariableEvent::fillGPR):
2063 (JSC::DFG::VariableEvent::fillPair):
2064 (JSC::DFG::VariableEvent::fillFPR):
2065 (JSC::DFG::VariableEvent::spill):
2066 (JSC::DFG::VariableEvent::death):
2067 (JSC::DFG::VariableEvent::movHint):
2068 (JSC::DFG::VariableEvent::id):
2070 * dfg/DFGVariableEventStream.cpp:
2072 (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
2073 (JSC::DFG::VariableEventStream::reconstruct):
2074 * dfg/DFGVariableEventStream.h:
2075 (VariableEventStream):
2077 2013-01-25 Roger Fong <roger_fong@apple.com>
2079 Unreviewed. Rename LLInt projects folder and make appropriate changes to solutions.
2081 * JavaScriptCore.vcxproj/JavaScriptCore.sln:
2082 * JavaScriptCore.vcxproj/LLInt: Copied from JavaScriptCore.vcxproj/LLInt.vcproj.
2083 * JavaScriptCore.vcxproj/LLInt.vcproj: Removed.
2084 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Removed.
2085 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Removed.
2086 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Removed.
2087 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Removed.
2088 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Removed.
2089 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Removed.
2090 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed.
2091 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Removed.
2092 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Removed.
2093 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
2094 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Removed.
2095 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Removed.
2096 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Removed.
2097 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Removed.
2098 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Removed.
2099 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Removed.
2101 2013-01-24 Roger Fong <roger_fong@apple.com>
2103 VS2010 JavascriptCore: Clean up property sheets, add a JSC solution, add testRegExp and testAPI projects.
2104 https://bugs.webkit.org/show_bug.cgi?id=106987
2106 Reviewed by Brent Fulgham.
2108 * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
2109 * JavaScriptCore.vcxproj/JavaScriptCoreCF.props:
2110 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2111 * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
2112 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
2113 * JavaScriptCore.vcxproj/jsc/jscCommon.props:
2114 * JavaScriptCore.vcxproj/jsc/jscDebug.props:
2115 * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
2116 * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
2117 * JavaScriptCore.vcxproj/testRegExp: Added.
2118 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Added.
2119 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: Added.
2120 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.user: Added.
2121 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Added.
2122 * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: Added.
2123 * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: Added.
2124 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: Added.
2125 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: Added.
2126 * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: Added.
2127 * JavaScriptCore.vcxproj/testapi: Added.
2128 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Added.
2129 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: Added.
2130 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.user: Added.
2131 * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Added.
2132 * JavaScriptCore.vcxproj/testapi/testapiDebug.props: Added.
2133 * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd: Added.
2134 * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: Added.
2135 * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: Added.
2136 * JavaScriptCore.vcxproj/testapi/testapiRelease.props: Added.
2138 2013-01-24 Roger Fong <roger_fong@apple.com>
2140 Unreviewed. Windows build fix.
2142 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
2144 2013-01-24 Filip Pizlo <fpizlo@apple.com>
2146 DFG::JITCompiler::getSpeculation() methods are badly named and superfluous
2147 https://bugs.webkit.org/show_bug.cgi?id=107860
2149 Reviewed by Mark Hahnenberg.
2151 * dfg/DFGJITCompiler.h:
2153 * dfg/DFGSpeculativeJIT64.cpp:
2154 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2155 (JSC::DFG::SpeculativeJIT::emitBranch):
2157 2013-01-24 Mark Hahnenberg <mhahnenberg@apple.com>
2159 Objective-C API: Rename JSValue.h/APIJSValue.h to JSCJSValue.h/JSValue.h
2160 https://bugs.webkit.org/show_bug.cgi?id=107327
2162 Reviewed by Filip Pizlo.
2164 We're renaming these two files, so we have to replace the names everywhere.
2167 * API/APIJSValue.h: Removed.
2168 * API/JSBlockAdaptor.mm:
2169 * API/JSStringRefCF.cpp:
2170 * API/JSValue.h: Copied from Source/JavaScriptCore/API/APIJSValue.h.
2172 * API/JSValueInternal.h:
2173 * API/JSValueRef.cpp:
2174 * API/JSWeakObjectMapRefPrivate.cpp:
2175 * API/JavaScriptCore.h:
2177 * GNUmakefile.list.am:
2178 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2179 * JavaScriptCore.xcodeproj/project.pbxproj:
2181 * bytecode/CallLinkStatus.h:
2182 * bytecode/CodeBlock.cpp:
2183 * bytecode/MethodOfGettingAValueProfile.h:
2184 * bytecode/ResolveGlobalStatus.cpp:
2185 * bytecode/ResolveGlobalStatus.h:
2186 * bytecode/SpeculatedType.h:
2187 * bytecode/ValueRecovery.h:
2188 * dfg/DFGByteCodeParser.cpp:
2189 * dfg/DFGJITCompiler.cpp:
2191 * dfg/DFGSpeculativeJIT.cpp:
2192 * dfg/DFGSpeculativeJIT64.cpp:
2193 * heap/CopiedBlock.h:
2194 * heap/HandleStack.cpp:
2195 * heap/HandleTypes.h:
2197 * interpreter/Interpreter.h:
2198 * interpreter/Register.h:
2199 * interpreter/VMInspector.h:
2200 * jit/HostCallReturnValue.cpp:
2201 * jit/HostCallReturnValue.h:
2203 * jit/JITExceptions.cpp:
2204 * jit/JITExceptions.h:
2205 * jit/JSInterfaceJIT.h:
2206 * llint/LLIntCLoop.h:
2207 * llint/LLIntData.h:
2208 * llint/LLIntSlowPaths.cpp:
2209 * profiler/ProfilerBytecode.h:
2210 * profiler/ProfilerBytecodeSequence.h:
2211 * profiler/ProfilerBytecodes.h:
2212 * profiler/ProfilerCompilation.h:
2213 * profiler/ProfilerCompiledBytecode.h:
2214 * profiler/ProfilerDatabase.h:
2215 * profiler/ProfilerOSRExit.h:
2216 * profiler/ProfilerOSRExitSite.h:
2217 * profiler/ProfilerOrigin.h:
2218 * profiler/ProfilerOriginStack.h:
2219 * runtime/ArgList.cpp:
2220 * runtime/CachedTranscendentalFunction.h:
2221 * runtime/CallData.h:
2222 * runtime/Completion.h:
2223 * runtime/ConstructData.h:
2224 * runtime/DateConstructor.cpp:
2225 * runtime/DateInstance.cpp:
2226 * runtime/DatePrototype.cpp:
2227 * runtime/JSAPIValueWrapper.h:
2228 * runtime/JSCJSValue.cpp: Copied from Source/JavaScriptCore/runtime/JSValue.cpp.
2229 * runtime/JSCJSValue.h: Copied from Source/JavaScriptCore/runtime/JSValue.h.
2231 * runtime/JSCJSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlines.h.
2232 * runtime/JSGlobalData.h:
2233 * runtime/JSGlobalObject.cpp:
2234 * runtime/JSGlobalObjectFunctions.h:
2235 * runtime/JSStringJoiner.h:
2236 * runtime/JSValue.cpp: Removed.
2237 * runtime/JSValue.h: Removed.
2238 * runtime/JSValueInlines.h: Removed.
2239 * runtime/LiteralParser.h:
2240 * runtime/Operations.h:
2241 * runtime/PropertyDescriptor.h:
2242 * runtime/PropertySlot.h:
2243 * runtime/Protect.h:
2244 * runtime/RegExpPrototype.cpp:
2245 * runtime/Structure.h:
2247 2013-01-23 Oliver Hunt <oliver@apple.com>
2249 Harden JSC a bit with RELEASE_ASSERT
2250 https://bugs.webkit.org/show_bug.cgi?id=107766
2252 Reviewed by Mark Hahnenberg.
2254 Went through and replaced a pile of ASSERTs that were covering
2255 significantly important details (bounds checks, etc) where
2256 having the checks did not impact release performance in any
2259 * API/JSContextRef.cpp:
2260 (JSContextCreateBacktrace):
2261 * assembler/MacroAssembler.h:
2262 (JSC::MacroAssembler::branchAdd32):
2263 (JSC::MacroAssembler::branchMul32):
2264 * bytecode/CodeBlock.cpp:
2265 (JSC::CodeBlock::dumpBytecode):
2266 (JSC::CodeBlock::handlerForBytecodeOffset):
2267 (JSC::CodeBlock::lineNumberForBytecodeOffset):
2268 (JSC::CodeBlock::bytecodeOffset):
2269 * bytecode/CodeBlock.h:
2270 (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
2271 (JSC::CodeBlock::bytecodeOffset):
2272 (JSC::CodeBlock::exceptionHandler):
2273 (JSC::CodeBlock::codeOrigin):
2274 (JSC::CodeBlock::immediateSwitchJumpTable):
2275 (JSC::CodeBlock::characterSwitchJumpTable):
2276 (JSC::CodeBlock::stringSwitchJumpTable):
2277 (JSC::CodeBlock::setIdentifiers):
2278 (JSC::baselineCodeBlockForInlineCallFrame):
2279 (JSC::ExecState::uncheckedR):
2280 * bytecode/CodeOrigin.cpp:
2281 (JSC::CodeOrigin::inlineStack):
2282 * bytecode/CodeOrigin.h:
2283 (JSC::CodeOrigin::CodeOrigin):
2284 * dfg/DFGCSEPhase.cpp:
2285 * dfg/DFGOSRExit.cpp:
2286 * dfg/DFGScratchRegisterAllocator.h:
2287 (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
2288 (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
2289 * dfg/DFGSpeculativeJIT.h:
2290 (JSC::DFG::SpeculativeJIT::allocate):
2291 (JSC::DFG::SpeculativeJIT::spill):
2292 (JSC::DFG::SpeculativeJIT::integerResult):
2293 * dfg/DFGSpeculativeJIT64.cpp:
2294 (JSC::DFG::SpeculativeJIT::fillInteger):
2295 (JSC::DFG::SpeculativeJIT::fillDouble):
2296 (JSC::DFG::SpeculativeJIT::fillJSValue):
2297 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
2298 (JSC::DFG::SpeculativeJIT::emitCall):
2299 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2300 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
2301 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2302 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2303 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2304 (JSC::DFG::SpeculativeJIT::compile):
2305 * dfg/DFGValueSource.h:
2306 (JSC::DFG::dataFormatToValueSourceKind):
2307 (JSC::DFG::ValueSource::ValueSource):
2308 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2309 * heap/BlockAllocator.cpp:
2310 (JSC::BlockAllocator::BlockAllocator):
2311 (JSC::BlockAllocator::releaseFreeRegions):
2312 (JSC::BlockAllocator::blockFreeingThreadMain):
2314 (JSC::Heap::lastChanceToFinalize):
2315 (JSC::Heap::collect):
2316 * interpreter/Interpreter.cpp:
2317 (JSC::Interpreter::throwException):
2318 (JSC::Interpreter::execute):
2319 * jit/GCAwareJITStubRoutine.cpp:
2320 (JSC::GCAwareJITStubRoutine::observeZeroRefCount):
2322 (JSC::JIT::privateCompileMainPass):
2323 (JSC::JIT::privateCompileSlowCases):
2324 * jit/JITExceptions.cpp:
2325 (JSC::genericThrow):
2327 (JSC::JIT::emitLoad):
2328 * jit/JITOpcodes.cpp:
2329 (JSC::JIT::emit_op_end):
2330 (JSC::JIT::emit_resolve_operations):
2331 * jit/JITStubRoutine.cpp:
2332 (JSC::JITStubRoutine::observeZeroRefCount):
2334 (JSC::returnToThrowTrampoline):
2335 * runtime/Arguments.cpp:
2336 (JSC::Arguments::getOwnPropertySlot):
2337 (JSC::Arguments::getOwnPropertyDescriptor):
2338 (JSC::Arguments::deleteProperty):
2339 (JSC::Arguments::defineOwnProperty):
2340 (JSC::Arguments::didTearOffActivation):
2341 * runtime/ArrayPrototype.cpp:
2344 (JSC::arrayProtoFuncLastIndexOf):
2345 * runtime/ButterflyInlines.h:
2346 (JSC::Butterfly::growPropertyStorage):
2347 * runtime/CodeCache.cpp:
2348 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2349 * runtime/CodeCache.h:
2350 (JSC::CacheMap::add):
2351 * runtime/Completion.cpp:
2354 * runtime/Executable.cpp:
2355 (JSC::FunctionExecutable::FunctionExecutable):
2356 (JSC::EvalExecutable::unlinkCalls):
2357 (JSC::ProgramExecutable::compileOptimized):
2358 (JSC::ProgramExecutable::unlinkCalls):
2359 (JSC::ProgramExecutable::initializeGlobalProperties):
2360 (JSC::FunctionExecutable::baselineCodeBlockFor):
2361 (JSC::FunctionExecutable::compileOptimizedForCall):
2362 (JSC::FunctionExecutable::compileOptimizedForConstruct):
2363 (JSC::FunctionExecutable::compileForCallInternal):
2364 (JSC::FunctionExecutable::compileForConstructInternal):
2365 (JSC::FunctionExecutable::unlinkCalls):
2366 (JSC::NativeExecutable::hashFor):
2367 * runtime/Executable.h:
2368 (JSC::EvalExecutable::compile):
2369 (JSC::ProgramExecutable::compile):
2370 (JSC::FunctionExecutable::compileForCall):
2371 (JSC::FunctionExecutable::compileForConstruct):
2372 * runtime/IndexingHeader.h:
2373 (JSC::IndexingHeader::setVectorLength):
2374 * runtime/JSArray.cpp:
2375 (JSC::JSArray::pop):
2376 (JSC::JSArray::shiftCountWithArrayStorage):
2377 (JSC::JSArray::shiftCountWithAnyIndexingType):
2378 (JSC::JSArray::unshiftCountWithArrayStorage):
2379 * runtime/JSGlobalObjectFunctions.cpp:
2380 (JSC::jsStrDecimalLiteral):
2381 * runtime/JSObject.cpp:
2382 (JSC::JSObject::copyButterfly):
2383 (JSC::JSObject::defineOwnIndexedProperty):
2384 (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2385 * runtime/JSString.cpp:
2386 (JSC::JSRopeString::getIndexSlowCase):
2387 * yarr/YarrInterpreter.cpp:
2388 (JSC::Yarr::Interpreter::popParenthesesDisjunctionContext):
2390 2013-01-23 Filip Pizlo <fpizlo@apple.com>
2392 Constant folding an access to an uncaptured variable that is captured later in the same basic block shouldn't lead to assertion failures
2393 https://bugs.webkit.org/show_bug.cgi?id=107750
2394 <rdar://problem/12387265>
2396 Reviewed by Mark Hahnenberg.
2398 The point of this assertion was that if there is no variable capturing going on, then there should only be one GetLocal
2399 for the variable anywhere in the basic block. But if there is some capturing, then we'll have an unbounded number of
2400 GetLocals. The assertion was too imprecise for the latter case. I want to keep this assertion, so I introduced a
2401 checker that verifies this precisely: if there are any captured accesses to the variable anywhere at or after the
2402 GetLocal we are eliminating, then we allow redundant GetLocals.
2404 * dfg/DFGConstantFoldingPhase.cpp:
2405 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2406 (ConstantFoldingPhase):
2407 (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
2409 2013-01-23 Oliver Hunt <oliver@apple.com>
2411 Replace ASSERT_NOT_REACHED with RELEASE_ASSERT_NOT_REACHED in JSC
2412 https://bugs.webkit.org/show_bug.cgi?id=107736
2414 Reviewed by Mark Hahnenberg.
2416 Mechanical change with no performance impact.
2418 * API/JSBlockAdaptor.mm:
2419 (BlockArgumentTypeDelegate::typeVoid):
2420 * API/JSCallbackObjectFunctions.h:
2423 * API/JSScriptRef.cpp:
2424 * API/ObjCCallbackFunction.mm:
2425 (ArgumentTypeDelegate::typeVoid):
2426 * assembler/ARMv7Assembler.h:
2427 (JSC::ARMv7Assembler::link):
2428 (JSC::ARMv7Assembler::replaceWithLoad):
2429 (JSC::ARMv7Assembler::replaceWithAddressComputation):
2430 * assembler/MacroAssembler.h:
2431 (JSC::MacroAssembler::invert):
2432 * assembler/MacroAssemblerARM.h:
2433 (JSC::MacroAssemblerARM::countLeadingZeros32):
2434 (JSC::MacroAssemblerARM::divDouble):
2435 * assembler/MacroAssemblerMIPS.h:
2436 (JSC::MacroAssemblerMIPS::absDouble):
2437 (JSC::MacroAssemblerMIPS::replaceWithJump):
2438 (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
2439 * assembler/MacroAssemblerSH4.h:
2440 (JSC::MacroAssemblerSH4::absDouble):
2441 (JSC::MacroAssemblerSH4::replaceWithJump):
2442 (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
2443 * assembler/SH4Assembler.h:
2444 (JSC::SH4Assembler::shllImm8r):
2445 (JSC::SH4Assembler::shlrImm8r):
2446 (JSC::SH4Assembler::cmplRegReg):
2447 (JSC::SH4Assembler::branch):
2448 * assembler/X86Assembler.h:
2449 (JSC::X86Assembler::replaceWithLoad):
2450 (JSC::X86Assembler::replaceWithAddressComputation):
2451 * bytecode/CallLinkInfo.cpp:
2452 (JSC::CallLinkInfo::unlink):
2453 * bytecode/CodeBlock.cpp:
2454 (JSC::debugHookName):
2455 (JSC::CodeBlock::printGetByIdOp):
2456 (JSC::CodeBlock::printGetByIdCacheStatus):
2457 (JSC::CodeBlock::visitAggregate):
2458 (JSC::CodeBlock::finalizeUnconditionally):
2459 (JSC::CodeBlock::usesOpcode):
2460 * bytecode/DataFormat.h:
2461 (JSC::needDataFormatConversion):
2462 * bytecode/ExitKind.cpp:
2463 (JSC::exitKindToString):
2464 (JSC::exitKindIsCountable):
2465 * bytecode/MethodOfGettingAValueProfile.cpp:
2466 (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
2467 * bytecode/Opcode.h:
2468 (JSC::opcodeLength):
2469 * bytecode/PolymorphicPutByIdList.cpp:
2470 (JSC::PutByIdAccess::fromStructureStubInfo):
2471 (JSC::PutByIdAccess::visitWeak):
2472 * bytecode/StructureStubInfo.cpp:
2473 (JSC::StructureStubInfo::deref):
2474 * bytecompiler/BytecodeGenerator.cpp:
2475 (JSC::ResolveResult::checkValidity):
2476 (JSC::BytecodeGenerator::emitGetLocalVar):
2477 (JSC::BytecodeGenerator::beginSwitch):
2478 * bytecompiler/NodesCodegen.cpp:
2479 (JSC::BinaryOpNode::emitBytecode):
2480 (JSC::emitReadModifyAssignment):
2481 * dfg/DFGAbstractState.cpp:
2482 (JSC::DFG::AbstractState::execute):
2483 (JSC::DFG::AbstractState::mergeStateAtTail):
2484 (JSC::DFG::AbstractState::mergeToSuccessors):
2485 * dfg/DFGByteCodeParser.cpp:
2486 (JSC::DFG::ByteCodeParser::makeSafe):
2487 (JSC::DFG::ByteCodeParser::parseBlock):
2488 * dfg/DFGCFGSimplificationPhase.cpp:
2489 (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
2490 (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
2491 * dfg/DFGCSEPhase.cpp:
2492 (JSC::DFG::CSEPhase::setLocalStoreElimination):
2493 * dfg/DFGCapabilities.cpp:
2494 (JSC::DFG::canHandleOpcodes):
2496 (JSC::DFG::useKindToString):
2497 * dfg/DFGDoubleFormatState.h:
2498 (JSC::DFG::mergeDoubleFormatStates):
2499 (JSC::DFG::doubleFormatStateToString):
2500 * dfg/DFGFixupPhase.cpp:
2501 (JSC::DFG::FixupPhase::blessArrayOperation):
2503 (JSC::DFG::Graph::clobbersWorld):
2505 (JSC::DFG::Node::valueOfJSConstant):
2506 (JSC::DFG::Node::successor):
2507 * dfg/DFGNodeFlags.cpp:
2508 (JSC::DFG::nodeFlagsAsString):
2509 * dfg/DFGNodeType.h:
2510 (JSC::DFG::defaultFlags):
2512 (JSC::DFG::dfgResetGetByID):
2513 (JSC::DFG::dfgResetPutByID):
2514 * dfg/DFGSlowPathGenerator.h:
2515 (JSC::DFG::SlowPathGenerator::call):
2516 * dfg/DFGSpeculativeJIT.cpp:
2517 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2518 (JSC::DFG::SpeculativeJIT::silentSpill):
2519 (JSC::DFG::SpeculativeJIT::silentFill):
2520 (JSC::DFG::SpeculativeJIT::checkArray):
2521 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
2522 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2523 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
2524 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
2525 * dfg/DFGSpeculativeJIT.h:
2526 (JSC::DFG::SpeculativeJIT::bitOp):
2527 (JSC::DFG::SpeculativeJIT::shiftOp):
2528 (JSC::DFG::SpeculativeJIT::integerResult):
2529 * dfg/DFGSpeculativeJIT32_64.cpp:
2530 (JSC::DFG::SpeculativeJIT::fillInteger):
2531 (JSC::DFG::SpeculativeJIT::fillDouble):
2532 (JSC::DFG::SpeculativeJIT::fillJSValue):
2533 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2534 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2535 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2536 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2537 (JSC::DFG::SpeculativeJIT::compile):
2538 * dfg/DFGSpeculativeJIT64.cpp:
2539 (JSC::DFG::SpeculativeJIT::fillInteger):
2540 (JSC::DFG::SpeculativeJIT::fillDouble):
2541 (JSC::DFG::SpeculativeJIT::fillJSValue):
2542 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
2543 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
2544 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2545 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
2546 (JSC::DFG::SpeculativeJIT::compile):
2547 * dfg/DFGStructureCheckHoistingPhase.cpp:
2548 (JSC::DFG::StructureCheckHoistingPhase::run):
2549 * dfg/DFGValueSource.h:
2550 (JSC::DFG::ValueSource::valueRecovery):
2551 * dfg/DFGVariableEvent.cpp:
2552 (JSC::DFG::VariableEvent::dump):
2553 * dfg/DFGVariableEventStream.cpp:
2554 (JSC::DFG::VariableEventStream::reconstruct):
2555 * heap/BlockAllocator.h:
2556 (JSC::BlockAllocator::regionSetFor):
2557 * heap/GCThread.cpp:
2558 (JSC::GCThread::gcThreadMain):
2559 * heap/MarkedBlock.cpp:
2560 (JSC::MarkedBlock::sweepHelper):
2561 * heap/MarkedBlock.h:
2562 (JSC::MarkedBlock::isLive):
2563 * interpreter/CallFrame.h:
2564 (JSC::ExecState::inlineCallFrame):
2565 * interpreter/Interpreter.cpp:
2566 (JSC::getCallerInfo):
2567 (JSC::getStackFrameCodeType):
2568 (JSC::Interpreter::execute):
2569 * jit/ExecutableAllocatorFixedVMPool.cpp:
2570 (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
2572 (JSC::JIT::privateCompileMainPass):
2573 (JSC::JIT::privateCompileSlowCases):
2574 (JSC::JIT::privateCompile):
2575 * jit/JITArithmetic.cpp:
2576 (JSC::JIT::emitSlow_op_mod):
2577 * jit/JITArithmetic32_64.cpp:
2578 (JSC::JIT::emitBinaryDoubleOp):
2579 (JSC::JIT::emitSlow_op_mod):
2580 * jit/JITPropertyAccess.cpp:
2581 (JSC::JIT::isDirectPutById):
2583 (JSC::getPolymorphicAccessStructureListSlot):
2584 (JSC::DEFINE_STUB_FUNCTION):
2585 * llint/LLIntSlowPaths.cpp:
2586 (JSC::LLInt::jitCompileAndSetHeuristics):
2590 (JSC::ExpressionNode::emitBytecodeInConditionContext):
2592 (JSC::Parser::getTokenName):
2593 (JSC::Parser::updateErrorMessageSpecialCase):
2594 * parser/SyntaxChecker.h:
2595 (JSC::SyntaxChecker::operatorStackPop):
2596 * runtime/Arguments.cpp:
2597 (JSC::Arguments::tearOffForInlineCallFrame):
2598 * runtime/DatePrototype.cpp:
2599 (JSC::formatLocaleDate):
2600 * runtime/Executable.cpp:
2601 (JSC::samplingDescription):
2602 * runtime/Executable.h:
2603 (JSC::ScriptExecutable::unlinkCalls):
2604 * runtime/Identifier.cpp:
2606 * runtime/InternalFunction.cpp:
2607 (JSC::InternalFunction::getCallData):
2608 * runtime/JSArray.cpp:
2609 (JSC::JSArray::push):
2610 (JSC::JSArray::sort):
2611 * runtime/JSCell.cpp:
2612 (JSC::JSCell::defaultValue):
2613 (JSC::JSCell::getOwnPropertyNames):
2614 (JSC::JSCell::getOwnNonIndexPropertyNames):
2615 (JSC::JSCell::className):
2616 (JSC::JSCell::getPropertyNames):
2617 (JSC::JSCell::customHasInstance):
2618 (JSC::JSCell::putDirectVirtual):
2619 (JSC::JSCell::defineOwnProperty):
2620 (JSC::JSCell::getOwnPropertyDescriptor):
2623 * runtime/JSNameScope.cpp:
2624 (JSC::JSNameScope::put):
2625 * runtime/JSObject.cpp:
2626 (JSC::JSObject::getOwnPropertySlotByIndex):
2627 (JSC::JSObject::putByIndex):
2628 (JSC::JSObject::ensureArrayStorageSlow):
2629 (JSC::JSObject::deletePropertyByIndex):
2630 (JSC::JSObject::getOwnPropertyNames):
2631 (JSC::JSObject::putByIndexBeyondVectorLength):
2632 (JSC::JSObject::putDirectIndexBeyondVectorLength):
2633 (JSC::JSObject::getOwnPropertyDescriptor):
2634 * runtime/JSObject.h:
2635 (JSC::JSObject::canGetIndexQuickly):
2636 (JSC::JSObject::getIndexQuickly):
2637 (JSC::JSObject::tryGetIndexQuickly):
2638 (JSC::JSObject::canSetIndexQuickly):
2639 (JSC::JSObject::canSetIndexQuicklyForPutDirect):
2640 (JSC::JSObject::setIndexQuickly):
2641 (JSC::JSObject::initializeIndex):
2642 (JSC::JSObject::hasSparseMap):
2643 (JSC::JSObject::inSparseIndexingMode):
2644 * runtime/JSScope.cpp:
2645 (JSC::JSScope::isDynamicScope):
2646 * runtime/JSSymbolTableObject.cpp:
2647 (JSC::JSSymbolTableObject::putDirectVirtual):
2648 * runtime/JSSymbolTableObject.h:
2649 (JSSymbolTableObject):
2650 * runtime/LiteralParser.cpp:
2652 * runtime/RegExp.cpp:
2653 (JSC::RegExp::compile):
2654 (JSC::RegExp::compileMatchOnly):
2655 * runtime/StructureTransitionTable.h:
2656 (JSC::newIndexingType):
2657 * tools/CodeProfile.cpp:
2658 (JSC::CodeProfile::sample):
2659 * yarr/YarrCanonicalizeUCS2.h:
2660 (JSC::Yarr::getCanonicalPair):
2661 (JSC::Yarr::areCanonicallyEquivalent):
2662 * yarr/YarrInterpreter.cpp:
2663 (JSC::Yarr::Interpreter::matchCharacterClass):
2664 (JSC::Yarr::Interpreter::matchBackReference):
2665 (JSC::Yarr::Interpreter::backtrackParenthesesTerminalEnd):
2666 (JSC::Yarr::Interpreter::matchParentheses):
2667 (JSC::Yarr::Interpreter::backtrackParentheses):
2668 (JSC::Yarr::Interpreter::matchDisjunction):
2670 (JSC::Yarr::YarrGenerator::generateTerm):
2671 (JSC::Yarr::YarrGenerator::backtrackTerm):
2672 * yarr/YarrParser.h:
2673 (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
2674 (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
2675 * yarr/YarrPattern.cpp:
2676 (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
2678 2013-01-23 Tony Chang <tony@chromium.org>
2680 Unreviewed, set svn:eol-style to CRLF on Windows .sln files.
2682 * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
2683 * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
2685 2013-01-23 Oliver Hunt <oliver@apple.com>
2687 Replace numerous manual CRASH's in JSC with RELEASE_ASSERT
2688 https://bugs.webkit.org/show_bug.cgi?id=107726
2690 Reviewed by Filip Pizlo.
2692 Fairly manual change from if (foo) CRASH(); to RELEASE_ASSERT(!foo);
2694 * assembler/MacroAssembler.h:
2695 (JSC::MacroAssembler::branchAdd32):
2696 (JSC::MacroAssembler::branchMul32):
2697 * bytecode/CodeBlockHash.cpp:
2698 (JSC::CodeBlockHash::CodeBlockHash):
2699 * heap/BlockAllocator.h:
2700 (JSC::Region::create):
2701 (JSC::Region::createCustomSize):
2702 * heap/GCAssertions.h:
2703 * heap/HandleSet.cpp:
2704 (JSC::HandleSet::visitStrongHandles):
2705 (JSC::HandleSet::writeBarrier):
2707 (JSC::HandleSet::allocate):
2709 (JSC::Heap::collect):
2710 * heap/SlotVisitor.cpp:
2711 (JSC::SlotVisitor::validate):
2712 * interpreter/Interpreter.cpp:
2713 (JSC::Interpreter::execute):
2714 * jit/ExecutableAllocator.cpp:
2715 (JSC::DemandExecutableAllocator::allocateNewSpace):
2716 (JSC::ExecutableAllocator::allocate):
2717 * jit/ExecutableAllocator.h:
2718 (JSC::roundUpAllocationSize):
2719 * jit/ExecutableAllocatorFixedVMPool.cpp:
2720 (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2721 (JSC::ExecutableAllocator::allocate):
2722 * runtime/ButterflyInlines.h:
2723 (JSC::Butterfly::createUninitialized):
2724 * runtime/Completion.cpp:
2726 * runtime/JSArray.h:
2727 (JSC::constructArray):
2728 * runtime/JSGlobalObject.cpp:
2729 (JSC::slowValidateCell):
2730 * runtime/JSObject.cpp:
2731 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
2732 (JSC::JSObject::createArrayStorage):
2733 * tools/TieredMMapArray.h:
2734 (JSC::TieredMMapArray::append):
2735 * yarr/YarrInterpreter.cpp:
2736 (JSC::Yarr::Interpreter::allocDisjunctionContext):
2737 (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
2738 (JSC::Yarr::Interpreter::InputStream::readChecked):
2739 (JSC::Yarr::Interpreter::InputStream::uncheckInput):
2740 (JSC::Yarr::Interpreter::InputStream::atEnd):
2741 (JSC::Yarr::Interpreter::interpret):
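As an added illustration of the ASSERT-to-RELEASE_ASSERT change in the two Oliver Hunt entries above (example code, not JSC's own macros; the overridable crash hook, the readAt* accessors and the IndexingType enum are assumptions made so the failure path can be observed in-process):

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <vector>

// Added example, not JSC's own macros. The ChangeLog entries above replace
// "if (foo) CRASH();" and ASSERT_NOT_REACHED() with RELEASE_ASSERT forms.
// The reason is that a plain ASSERT is compiled out under NDEBUG, so a bounds
// check written as ASSERT protects only debug builds; RELEASE_ASSERT keeps
// the check in shipping code. Everything below (the crash hook, readAt*,
// IndexingType) is constructed for this example.

using CrashHandler = void (*)();

static void defaultCrash() { std::abort(); }

// Real code traps unconditionally; the hook exists only so the failure path
// can be exercised in-process (the handler further down throws instead of
// aborting).
static CrashHandler g_crashHandler = defaultCrash;

static void setCrashHandler(CrashHandler handler) {
    g_crashHandler = handler ? handler : defaultCrash;
}

#define CRASH() (g_crashHandler())

#ifdef NDEBUG
#define ASSERT(cond) ((void)0)                          // vanishes in release builds
#else
#define ASSERT(cond) do { if (!(cond)) CRASH(); } while (0)
#endif

// Same shape as ASSERT, with no NDEBUG escape hatch.
#define RELEASE_ASSERT(cond) do { if (!(cond)) CRASH(); } while (0)
#define RELEASE_ASSERT_NOT_REACHED() CRASH()

// Before: with -DNDEBUG the check is gone and an out-of-range index is an
// out-of-bounds read.
int readAtDebugChecked(const std::vector<int>& v, std::size_t index) {
    ASSERT(index < v.size());
    return v[index];
}

// After: the equivalent of "if (index >= v.size()) CRASH();", kept in every build.
int readAtReleaseChecked(const std::vector<int>& v, std::size_t index) {
    RELEASE_ASSERT(index < v.size());
    return v[index];
}

// A switch over an enum: a corrupted value reaches the unreachable path and
// traps rather than returning garbage.
enum class IndexingType { Int32, Double, Contiguous };

const char* indexingTypeName(IndexingType type) {
    switch (type) {
    case IndexingType::Int32: return "Int32";
    case IndexingType::Double: return "Double";
    case IndexingType::Contiguous: return "Contiguous";
    }
    RELEASE_ASSERT_NOT_REACHED();
    return nullptr;
}

// Observation helper: installs a throwing crash handler and reports whether
// reading v[index] through readAtReleaseChecked() hit CRASH().
struct CrashSignalled {};
static void throwingCrash() { throw CrashSignalled(); }

bool releaseCheckFires(const std::vector<int>& v, std::size_t index) {
    setCrashHandler(throwingCrash);
    bool fired = false;
    try {
        (void)readAtReleaseChecked(v, index);
    } catch (const CrashSignalled&) {
        fired = true;
    }
    setCrashHandler(nullptr);
    return fired;
}
```

Compile once with and once without -DNDEBUG: readAtDebugChecked() loses its check in the second build, readAtReleaseChecked() does not, which is the whole point of the mechanical rewrite described above.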
2743 2013-01-22 Filip Pizlo <fpizlo@apple.com>
2745 Convert CSE phase to not rely too much on NodeIndex
2746 https://bugs.webkit.org/show_bug.cgi?id=107616
2748 Reviewed by Geoffrey Garen.
2750 - Instead of looping over the graph (which assumes that you can simply loop over all
2751 nodes without considering blocks first) to reset node.replacement, do that in the
2752 loop that sets up relevantToOSR, just before running CSE on the block.
2754 - Instead of having a relevantToOSR bitvector indexed by NodeIndex, made
2755 NodeRelevantToOSR be a NodeFlag. We had exactly one bit left in NodeFlags, so I did
2756 some reshuffling to fit it in.
2758 * dfg/DFGCSEPhase.cpp:
2759 (JSC::DFG::CSEPhase::CSEPhase):
2760 (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
2761 (JSC::DFG::CSEPhase::performNodeCSE):
2762 (JSC::DFG::CSEPhase::performBlockCSE):
2764 * dfg/DFGNodeFlags.h:
2766 * dfg/DFGNodeType.h:
2769 2013-01-21 Kentaro Hara <haraken@chromium.org>
2771 Implement UIEvent constructor
2772 https://bugs.webkit.org/show_bug.cgi?id=107430
2774 Reviewed by Adam Barth.
2776 Editor's draft: https://dvcs.w3.org/hg/d4e/raw-file/tip/source_respec.htm
2778 UIEvent constructor is implemented under a DOM4_EVENTS_CONSTRUCTOR flag,
2779 which is enabled on Safari and Chromium for now.
2781 * Configurations/FeatureDefines.xcconfig:
2783 2013-01-22 Roger Fong <roger_fong@apple.com>
2785 Unreviewed VS2010 build fix following r140259.
2787 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2788 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2790 2013-01-22 Roger Fong <roger_fong@apple.com>
2792 JavaScriptCore property sheets, project files and modified build scripts.
2793 https://bugs.webkit.org/show_bug.cgi?id=106987
2795 Reviewed by Brent Fulgham.
2797 * JavaScriptCore.vcxproj: Added.
2798 * JavaScriptCore.vcxproj/JavaScriptCore.resources: Added.
2799 * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist: Added.
2800 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added.
2801 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added.
2802 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.user: Added.
2803 * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Added.
2804 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Added.
2805 * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Added.
2806 * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Added.
2807 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Added.
2808 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Added.
2809 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Added.
2810 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.user: Added.
2811 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Added.
2812 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Added.
2813 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Added.
2814 * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Added.
2815 * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Added.
2816 * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Added.
2817 * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Added.
2818 * JavaScriptCore.vcxproj/LLInt.vcproj: Added.
2819 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Added.
2820 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Added.
2821 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Added.
2822 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Added.
2823 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Added.
2824 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Added.
2825 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Added.
2826 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Added.
2827 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Added.
2828 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Added.
2829 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Added.
2830 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Added.
2831 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Added.
2832 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Added.
2833 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Added.
2834 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Added.
2835 * JavaScriptCore.vcxproj/build-generated-files.sh: Added.
2836 * JavaScriptCore.vcxproj/copy-files.cmd: Added.
2837 * JavaScriptCore.vcxproj/jsc: Added.
2838 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Added.
2839 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Added.
2840 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.user: Added.
2841 * JavaScriptCore.vcxproj/jsc/jscCommon.props: Added.
2842 * JavaScriptCore.vcxproj/jsc/jscDebug.props: Added.
2843 * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: Added.
2844 * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: Added.
2845 * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: Added.
2846 * JavaScriptCore.vcxproj/jsc/jscRelease.props: Added.
2849 2013-01-22 Joseph Pecoraro <pecoraro@apple.com>
2851 [Mac] Enable Page Visibility (PAGE_VISIBILITY_API)
2852 https://bugs.webkit.org/show_bug.cgi?id=107230
2854 Reviewed by David Kilzer.
2856 * Configurations/FeatureDefines.xcconfig:
2858 2013-01-22 Tobias Netzel <tobias.netzel@googlemail.com>
2860 Yarr JIT isn't big endian compatible
2861 https://bugs.webkit.org/show_bug.cgi?id=102897
2863 Reviewed by Oliver Hunt.
2865 This patch was tested in the current mozilla codebase only and has passed the regexp tests there.
2868 (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
2870 2013-01-22 David Kilzer <ddkilzer@apple.com>
2872 Fix DateMath.cpp to compile with -Wshorten-64-to-32
2873 <http://webkit.org/b/107503>
2875 Reviewed by Darin Adler.
2877 * runtime/JSDateMath.cpp:
2878 (JSC::parseDateFromNullTerminatedCharacters): Remove unneeded
2881 2013-01-22 Tim Horton <timothy_horton@apple.com>
2883 PDFPlugin: Build PDFPlugin everywhere, enable at runtime
2884 https://bugs.webkit.org/show_bug.cgi?id=107117
2886 Reviewed by Alexey Proskuryakov.
2888 Since PDFLayerController SPI is all forward-declared, the plugin should build
2889 on all Mac platforms, and can be enabled at runtime.
2891 * Configurations/FeatureDefines.xcconfig:
2893 2013-01-21 Justin Schuh <jschuh@chromium.org>
2895 [CHROMIUM] Suppress c4267 build warnings for Win64 targets
2896 https://bugs.webkit.org/show_bug.cgi?id=107499
2898 Reviewed by Abhishek Arya.
2900 * JavaScriptCore.gyp/JavaScriptCore.gyp:
2902 2013-01-21 Dirk Schulze <dschulze@adobe.com>
2904 Add build flag for Canvas's Path object (disabled by default)
2905 https://bugs.webkit.org/show_bug.cgi?id=107473
2907 Reviewed by Dean Jackson.
2909 Add CANVAS_PATH build flag to build systems.
2911 * Configurations/FeatureDefines.xcconfig:
2913 2013-01-20 Geoffrey Garen <ggaren@apple.com>
2915 Weak GC maps should be easier to use
2916 https://bugs.webkit.org/show_bug.cgi?id=107312
2918 Reviewed by Sam Weinig.
2922 * runtime/PrototypeMap.cpp:
2923 (JSC::PrototypeMap::emptyObjectStructureForPrototype): Restored this
2924 ASSERT, which was disabled because of a bug in WeakGCMap.
2926 * runtime/WeakGCMap.h:
2927 (JSC::WeakGCMap::add): We can't pass our passed-in value to add() because
2928 a PassWeak() clears itself when passed to another function. So, we pass
2929 nullptr instead, and fix things up afterwards.
2931 2013-01-20 Geoffrey Garen <ggaren@apple.com>
2935 Temporarily disabling this ASSERT to get the bots green
2936 while I investigate a fix.
2938 * runtime/PrototypeMap.cpp:
2939 (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2941 2013-01-20 Filip Pizlo <fpizlo@apple.com>
2943 Inserting a node into the DFG graph should not require five lines of code
2944 https://bugs.webkit.org/show_bug.cgi?id=107381
2946 Reviewed by Sam Weinig.
2948 This adds fairly comprehensive support for inserting a node into a DFG graph in one
2949 method call. A common example of this is:
2951 m_insertionSet.insertNode(indexInBlock, DontRefChildren, DontRefNode, SpecNone, ForceOSRExit, codeOrigin);
2953 The arguments to insert() specify what reference counting you need to have happen
2954 (RefChildren => recursively refs all children, RefNode => non-recursively refs the node
2955 that was created), the prediction to set (SpecNone is a common default), followed by
2956 the arguments to the Node() constructor. InsertionSet::insertNode() and similar methods
2957 (Graph::addNode() and BasicBlock::appendNode()) all use a common variadic template
2958 function macro from DFGVariadicFunction.h. Also, all of these methods will automatically
2959 non-recursively ref() the node being created if the flags say NodeMustGenerate.
2961 In all, this new mechanism retains the flexibility of the old approach (you get to
2962 manage ref counts yourself, albeit in less code) while ensuring that most code that adds
2963 nodes to the graph now needs less code to do it.
2965 In the future, we should revisit the reference counting methodology in the DFG: we could
2966 do like most compilers and get rid of it entirely, or we could make it automatic. This
2967 patch doesn't attempt to make any such major changes, and only seeks to simplify the
2968 technique we were already using (manual ref counting).
2970 * GNUmakefile.list.am:
2971 * JavaScriptCore.xcodeproj/project.pbxproj:
2972 * bytecode/Operands.h:
2973 (JSC::dumpOperands):
2974 * dfg/DFGAdjacencyList.h:
2976 (JSC::DFG::AdjacencyList::kind):
2977 * dfg/DFGArgumentsSimplificationPhase.cpp:
2978 (JSC::DFG::ArgumentsSimplificationPhase::run):
2979 * dfg/DFGBasicBlock.h:
2982 * dfg/DFGBasicBlockInlines.h: Added.
2984 * dfg/DFGCFGSimplificationPhase.cpp:
2985 (JSC::DFG::CFGSimplificationPhase::run):
2986 (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
2988 * dfg/DFGConstantFoldingPhase.cpp:
2989 (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
2990 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2991 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
2992 (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
2993 (ConstantFoldingPhase):
2994 * dfg/DFGFixupPhase.cpp:
2995 (JSC::DFG::FixupPhase::FixupPhase):
2996 (JSC::DFG::FixupPhase::fixupBlock):
2997 (JSC::DFG::FixupPhase::fixupNode):
2999 (JSC::DFG::FixupPhase::checkArray):
3000 (JSC::DFG::FixupPhase::blessArrayOperation):
3001 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3003 (JSC::DFG::Graph::ref):
3005 * dfg/DFGInsertionSet.h:
3007 (JSC::DFG::Insertion::Insertion):
3008 (JSC::DFG::Insertion::element):
3010 (JSC::DFG::InsertionSet::InsertionSet):
3011 (JSC::DFG::InsertionSet::insert):
3013 (JSC::DFG::InsertionSet::execute):
3015 (JSC::DFG::Node::Node):
3017 * dfg/DFGStructureCheckHoistingPhase.cpp:
3018 (JSC::DFG::StructureCheckHoistingPhase::run):
3019 * dfg/DFGVariadicFunction.h: Added.
3021 2013-01-19 Geoffrey Garen <ggaren@apple.com>
3023 Track inheritance structures in a side table, instead of using a private
3024 name in each prototype
3025 https://bugs.webkit.org/show_bug.cgi?id=107378
3027 Reviewed by Sam Weinig and Phil Pizlo.
3029 This is a step toward object size inference.
3031 Using a side table frees us to use a more complex key (a pair of
3032 prototype and expected inline capacity).
3034 It also avoids ruining inline caches for prototypes. (Adding a new private
3035 name for a new inline capacity would change the prototype's structure,
3036 possibly firing watchpoints, making inline caches go polymorphic, and
3037 generally causing us to have a bad time.)
3040 * GNUmakefile.list.am:
3041 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3042 * JavaScriptCore.xcodeproj/project.pbxproj:
3043 * Target.pri: Buildage.
3045 * runtime/ArrayPrototype.cpp:
3046 (JSC::ArrayPrototype::finishCreation): Updated to use new side table API.
3048 * runtime/JSFunction.cpp:
3049 (JSC::JSFunction::cacheInheritorID): Updated to use new side table API.
3051 (JSC::JSFunction::visitChildren): Fixed a long-standing bug where JSFunction
3052 forgot to visit one of its data members (m_cachedInheritorID). This
3053 wasn't a user-visible problem before because JSFunction would always
3054 visit its .prototype property, which visited its m_cachedInheritorID.
3055 But now, function.prototype only weakly owns function.m_cachedInheritorID.
3057 * runtime/JSGlobalData.h:
3058 (JSGlobalData): Added the map, taking care to make sure that its
3059 destructor would run after the heap destructor.
3061 * runtime/JSGlobalObject.cpp:
3062 (JSC::JSGlobalObject::reset): Updated to use new side table API.
3064 * runtime/JSObject.cpp:
3065 (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3066 (JSC::JSObject::setPrototype):
3067 * runtime/JSObject.h:
3068 (JSObject): Updated to use new side table API, and removed lots of code
3069 that used to manage the per-object private name.
3071 * runtime/JSProxy.cpp:
3072 (JSC::JSProxy::setTarget):
3073 * runtime/ObjectConstructor.cpp:
3074 (JSC::objectConstructorCreate):
3075 * runtime/ObjectPrototype.cpp:
3076 (JSC::ObjectPrototype::finishCreation): Updated to use new side table API.
3078 * runtime/PrototypeMap.cpp: Added.
3080 (JSC::PrototypeMap::addPrototype):
3081 (JSC::PrototypeMap::emptyObjectStructureForPrototype):
3082 * runtime/PrototypeMap.h: Added.
3084 (JSC::PrototypeMap::isPrototype):
3085 (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype): New side table.
3086 This is a simple weak map, mapping an object to the structure you should
3087 use when inheriting from that object. (In future, inline capacity will
3088 be a part of the mapping.)
3090 I used two maps to preserve existing behavior that allowed us to speculate
3091 about an object becoming a prototype, even if it wasn't one at the moment.
3092 However, I suspect that behavior can be removed without harm.
3094 * runtime/WeakGCMap.h:
3095 (JSC::WeakGCMap::contains):
3096 (WeakGCMap): I would rate myself a 6 / 10 in C++.
3098 2013-01-18 Dan Bernstein <mitz@apple.com>
3100 Removed duplicate references to two headers in the project files.
3102 Rubber-stamped by Mark Rowe.
3104 * JavaScriptCore.xcodeproj/project.pbxproj:
3106 2013-01-18 Michael Saboff <msaboff@apple.com>
3108 Unreviewed build fix for building JSC with DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE enabled in DFGCommon.h.
3109 Fixes the case where the argument node in fixupNode is freed due to the Vector storage being reallocated.
3111 * dfg/DFGFixupPhase.cpp:
3112 (JSC::DFG::FixupPhase::fixupNode):
3114 2013-01-18 Michael Saboff <msaboff@apple.com>
3116 Unreviewed build fix for release builds when DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE is set to 1 in DFGCommon.h.
3118 * dfg/DFGCFAPhase.cpp: Added #include "Operations.h"
3120 2013-01-18 Michael Saboff <msaboff@apple.com>
3122 Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html
3123 https://bugs.webkit.org/show_bug.cgi?id=107340
3125 Reviewed by Filip Pizlo.
3127 Due to the change landed in r140201, more nodes might end up
3128 generating Int32ToDouble nodes. Therefore, changed the JSVALUE64
3129 constant path of compileInt32ToDouble() to use the more
3130 restrictive isInt32Constant() check on the input. This check was
3131 the same as the existing ASSERT() so the ASSERT was eliminated.
3133 * dfg/DFGSpeculativeJIT.cpp:
3134 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
3136 2013-01-18 Viatcheslav Ostapenko <sl.ostapenko@samsung.com>
3138 Weak GC maps should be easier to use
3139 https://bugs.webkit.org/show_bug.cgi?id=107312
3141 Reviewed by Ryosuke Niwa.
3143 Build fix for linux platforms after r140194.
3145 * runtime/WeakGCMap.h:
3148 2013-01-18 Michael Saboff <msaboff@apple.com>
3150 Harden ArithDiv of integers fix-up by inserting Int32ToDouble node directly
3151 https://bugs.webkit.org/show_bug.cgi?id=107321
3153 Reviewed by Filip Pizlo.
3155 Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up
3156 an ArithDiv node with integer inputs and output for platforms that don't have integer division.
3157 Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node
3158 without any further checks.
3160 * dfg/DFGFixupPhase.cpp:
3161 (JSC::DFG::FixupPhase::fixupNode):
3162 (JSC::DFG::FixupPhase::fixDoubleEdge):
3164 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
3166 2013-01-18 Michael Saboff <msaboff@apple.com>
3168 Fix up of ArithDiv nodes for non-x86 CPUs is broken
3169 https://bugs.webkit.org/show_bug.cgi?id=107309
3171 Reviewed by Filip Pizlo.
3173 Changed the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble.
3175 * dfg/DFGFixupPhase.cpp:
3176 (JSC::DFG::FixupPhase::fixDoubleEdge):
3178 2013-01-18 Dan Bernstein <mitz@apple.com>
3180 Tried to fix the build after r140194.
3182 * API/JSWrapperMap.mm:
3183 (-[JSWrapperMap wrapperForObject:]):
3185 2013-01-18 Mark Hahnenberg <mhahnenberg@apple.com>
3187 Objective-C API: Update documentation for JSValue and JSContext
3188 https://bugs.webkit.org/show_bug.cgi?id=107313
3190 Reviewed by Geoffrey Garen.
3192 After changing the semantics of object lifetime we need to update the API documentation to reflect the new semantics.
3197 2013-01-18 Balazs Kilvady <kilvadyb@homejinni.com>
3199 r134080 causes heap problem on linux systems where PAGESIZE != 4096
3200 https://bugs.webkit.org/show_bug.cgi?id=102828
3202 Reviewed by Mark Hahnenberg.
3204 Make MarkStackSegment::blockSize the capacity of segments of a MarkStackArray.
3206 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
3207 * heap/MarkStack.cpp:
(JSC::MarkStackArray::MarkStackArray):
(JSC::MarkStackArray::expand):
(JSC::MarkStackArray::donateSomeCellsTo):
(JSC::MarkStackArray::stealSomeCellsFrom):
(JSC::MarkStackSegment::data):
* heap/MarkStackInlines.h:
(JSC::MarkStackArray::setTopForFullSegment):
(JSC::MarkStackArray::append):
(JSC::MarkStackArray::isEmpty):
(JSC::MarkStackArray::size):
* runtime/Options.h:

2013-01-18 Geoffrey Garen <ggaren@apple.com>

Weak GC maps should be easier to use
https://bugs.webkit.org/show_bug.cgi?id=107312

Reviewed by Sam Weinig.

This patch changes WeakGCMap to not use a WeakImpl finalizer to remove
items from the map, and to instead have the map automatically remove
stale items itself upon insertion. This has a few advantages:

(1) WeakGCMap is now compatible with all the specializations you would

(2) There's no need for clients to write special finalization munging

(3) Clients can specify custom value finalizers if they like.

* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Def!

* API/JSWeakObjectMapRefPrivate.cpp: Setter no longer requires a global
data, since we've reduced interdependency.

* heap/Handle.h: No more need to forward declare, since we've reduced

(Weak): Use explicit so we can assign directly to a weak map iterator
without ambiguity between Weak<T> and PassWeak<T>.

* runtime/Structure.cpp:
(JSC::StructureTransitionTable::add): See above.

* runtime/Structure.h:

* runtime/StructureTransitionTable.h:
(StructureTransitionTable): Bad code goes away, programmer happy.

* runtime/WeakGCMap.h:
(JSC::WeakGCMap::WeakGCMap):
(JSC::WeakGCMap::set):
(JSC::WeakGCMap::add):
(JSC::WeakGCMap::find):
(JSC::WeakGCMap::contains):
(JSC::WeakGCMap::gcMap):
(JSC::WeakGCMap::gcMapIfNeeded): Inherit from HashMap and override any
function that might observe a Weak<T> that has died, just enough to
make such items appear as if they are not in the table.
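The map design this entry describes (inherit from the hash map, override only the operations that could observe a dead Weak<T>, and sweep stale entries lazily on insertion instead of from a finalizer), as an added example that is not JavaScriptCore's code: std::unordered_map and std::weak_ptr stand in for JSC's HashMap and Weak<T>, an owning shared_ptr stands in for the collector, and the minGCThreshold value and the doubling rule are assumed tuning choices, as are the Cell and DemoResult types.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_map>

// A GC-managed cell; dropping the owning shared_ptr simulates collection.
struct Cell {
    std::string name;
};

// Map from Key to a weak handle on T. It inherits the real hash map and overrides
// only the operations that could observe a dead handle, which then looks absent.
template <typename Key, typename T>
class WeakGCMap : private std::unordered_map<Key, std::weak_ptr<T>> {
    using Base = std::unordered_map<Key, std::weak_ptr<T>>;
    static constexpr std::size_t minGCThreshold = 3; // assumed tuning value
public:
    // Insert or overwrite. Stale entries are swept lazily here, so no finalizer
    // has to reach back into the map when a cell dies.
    void set(const Key& key, const std::shared_ptr<T>& value)
    {
        gcMapIfNeeded();
        Base::operator[](key) = value;
    }

    // Insert only if no live entry exists; a dead entry counts as absent.
    bool add(const Key& key, const std::shared_ptr<T>& value)
    {
        gcMapIfNeeded();
        auto it = Base::find(key);
        if (it != Base::end() && !it->second.expired())
            return false;
        Base::operator[](key) = value;
        return true;
    }

    // Strong reference, or null when absent or already collected. Handing out a
    // strong reference closes the window between lookup and use of the cell.
    std::shared_ptr<T> get(const Key& key) const
    {
        auto it = Base::find(key);
        return it == Base::end() ? std::shared_ptr<T>() : it->second.lock();
    }
    bool contains(const Key& key) const { return get(key) != nullptr; }

    // Entries a client can actually observe.
    std::size_t liveSize() const
    {
        std::size_t n = 0;
        for (const auto& entry : *this)
            n += entry.second.expired() ? 0 : 1;
        return n;
    }

    // Raw slot count, including dead entries not yet swept.
    std::size_t rawSize() const { return Base::size(); }

private:
    // Sweep only once the map has outgrown the threshold set after the previous
    // sweep, so the amortised cost per insertion stays constant.
    void gcMapIfNeeded()
    {
        if (Base::size() < m_gcThreshold)
            return;
        for (auto it = Base::begin(); it != Base::end();) {
            if (it->second.expired())
                it = Base::erase(it);
            else
                ++it;
        }
        std::size_t doubled = Base::size() * 2;
        m_gcThreshold = doubled < minGCThreshold ? minGCThreshold : doubled;
    }

    std::size_t m_gcThreshold = minGCThreshold;
};

struct DemoResult { std::size_t liveBeforeFree, liveAfterFree, rawAfterSweep; bool containsAfterFree, reAddSucceeded; };

// Constructed scenario: cells die underneath the map, which is queried and then
// refilled far enough to trigger the lazy sweep.
DemoResult demo()
{
    WeakGCMap<std::string, Cell> map;
    auto a = std::make_shared<Cell>(Cell{"a"});
    auto b = std::make_shared<Cell>(Cell{"b"});
    auto c = std::make_shared<Cell>(Cell{"c"});
    map.set("a", a);
    map.set("b", b);
    DemoResult r{};
    r.liveBeforeFree = map.liveSize();       // 2
    b.reset();                               // simulated GC frees cell "b"
    r.containsAfterFree = map.contains("b"); // false: dead entry is hidden
    r.liveAfterFree = map.liveSize();        // 1
    r.reAddSucceeded = map.add("b", a);      // true: dead slot treated as empty
    map.set("c", c);                         // raw size reaches the threshold (3)
    c.reset();                               // cell "c" collected
    map.set("d", a);                         // this insert runs the sweep
    r.rawAfterSweep = map.rawSize();         // 3 (a, b, d), not 4
    return r;
}
```

Build with a C++17 compiler (for example `c++ -std=c++17`) and call `demo()` from a `main`. The two properties worth noticing are the security-relevant ones: a lookup can never return a handle to a cell that has already been collected, because `get` filters dead handles and returns a strong reference for the caller to hold, and the map cannot grow without bound on dead slots, because every insertion past the threshold sweeps them out.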
2013-01-18 Michael Saboff <msaboff@apple.com>

Refactor isPowerOf2() and add getLSBSet()
https://bugs.webkit.org/show_bug.cgi?id=107306

Reviewed by Filip Pizlo.

Moved implementation of isPowerOf2() to new hasOneBitSet() in wtf/MathExtras.h.

* runtime/PropertyMapHashTable.h:

2013-01-17 Mark Hahnenberg <mhahnenberg@apple.com>

Objective-C API: Clean up JSValue.mm
https://bugs.webkit.org/show_bug.cgi?id=107163

Reviewed by Darin Adler.

m_context is no longer weak, so there is now a lot of dead code in JSValue.mm, and a wasted message send
on every API call. In the head of just about every method in JSValue.mm we're doing:

    JSContext *context = [self context];

This is getting a retained copy of the context, which is no longer necessary now that m_context is no longer weak.
We can just delete all these lines from all functions doing this, and where they were referring to the local
variable 'context', instead we can just access m_context directly.

Since we're already going to be modifying most of JSValue.mm, we'll also do the following:

1) context @property is no longer weak – the context property is declared as:

    @property(readonly, weak) JSContext *context;

This is really only informative (since we're not presently synthesizing the ivar), but it is now misleading.
We should change it to:

    @property(readonly, retain) JSContext *context;

2) the JSContext ivar and accessor can be automatically generated. Since we're no longer doing anything
special with m_context, we can just let the compiler handle the ivar for us. We'll delete:

    JSContext *m_context;

    - (JSContext *)context

and find&replace "m_context" to "_context" in JSValue.mm.

(-[JSValue toObject]):
(-[JSValue toBool]):
(-[JSValue toDouble]):
(-[JSValue toNumber]):
(-[JSValue toString]):
(-[JSValue toDate]):
(-[JSValue toArray]):
(-[JSValue toDictionary]):
(-[JSValue valueForProperty:]):
(-[JSValue setValue:forProperty:]):
(-[JSValue deleteProperty:]):
(-[JSValue hasProperty:]):
(-[JSValue defineProperty:descriptor:]):
(-[JSValue valueAtIndex:]):
(-[JSValue setValue:atIndex:]):
(-[JSValue isUndefined]):
(-[JSValue isNull]):
(-[JSValue isBoolean]):
(-[JSValue isNumber]):
(-[JSValue isString]):
(-[JSValue isObject]):
(-[JSValue isEqualToObject:]):
(-[JSValue isEqualWithTypeCoercionToObject:]):
(-[JSValue isInstanceOf:]):
(-[JSValue callWithArguments:]):
(-[JSValue constructWithArguments:]):
(-[JSValue invokeMethod:withArguments:]):
(-[JSValue objectForKeyedSubscript:]):
(-[JSValue setObject:forKeyedSubscript:]):
(-[JSValue initWithValue:inContext:]):
(-[JSValue dealloc]):
(-[JSValue description]):

2013-01-17 Mark Hahnenberg <mhahnenberg@apple.com>

Objective-C API: Clean up JSValue
https://bugs.webkit.org/show_bug.cgi?id=107156

Reviewed by Oliver Hunt.

JSContext m_protectCounts, protect, unprotect are all now unnecessary overhead, and should all be removed.
These exist to handle the context going away before the value does; the context needs to be able to unprotect
values early. Since the value is now keeping the context alive there is no longer any danger of this happening;
instead we should just protect/unprotect the value in JSValue's init/dealloc methods.

(-[JSContext dealloc]):
* API/JSContextInternal.h: