summaryrefslogtreecommitdiff
path: root/Source/JavaScriptCore/ChangeLog-2013-04-24
diff options
context:
space:
mode:
Diffstat (limited to 'Source/JavaScriptCore/ChangeLog-2013-04-24')
-rw-r--r--Source/JavaScriptCore/ChangeLog-2013-04-2429044
1 files changed, 29044 insertions, 0 deletions
diff --git a/Source/JavaScriptCore/ChangeLog-2013-04-24 b/Source/JavaScriptCore/ChangeLog-2013-04-24
new file mode 100644
index 000000000..d3b5d15cd
--- /dev/null
+++ b/Source/JavaScriptCore/ChangeLog-2013-04-24
@@ -0,0 +1,29044 @@
+2013-04-23 Filip Pizlo <fpizlo@apple.com>
+
+ DFG CFA filters CheckFunction in a really weird way, and assumes that the function's structure won't change
+ https://bugs.webkit.org/show_bug.cgi?id=115077
+
+ Reviewed by Oliver Hunt.
+
+ The filtering did three things that are unusual:
+
+ 1) AbstractValue::filterByValue() assumed that the passed value's structure wouldn't change, in
+ the sense that at it assumed it could use that value's *current* structure to do structure
+ filtering. Filtering by structure only makes sense if you can prove that the given value will
+ always have that structure (for example by either using a watchpoing or emitting code that
+ checks that structure at run-time).
+
+ 2) AbstractValue::filterByValue() and the CheckFunction case in AbstractState::executeEffects()
+ tried to invalidate the CFA based on whether the filtration led to an empty value. This is
+ well-intentioned, but it's not how the CFA currently works. It's inconsistent with other
+ parts of the CFA. We shouldn't introduce this feature into just one kind of filtration and
+ not have it elsewhere.
+
+ 3) The attempt to detect when the value was empty was actually implemented incorrectly. It
+ relied on AbstractValue::validate(). That method says that a concrete value does not belong
+ to the abstract value if it has a different structure. This makes sense for the other place
+ where AbstractValue::validate() is called: during OSR entry, where we are talking about a
+ JSValue that we see *right now*. It doesn't make sense in the CFA, since in the CFA any
+ value we observe in the code is a value whose structure may change when the code starts
+ running, and so we cannot use the value's current structure to infer things about the code
+ when it starts running.
+
+ I fixed the above problems by (1) changing filterByValue() to not filter the structure, (2)
+ changing filterByValue() and the CheckFunction case to not invalidate the CFA, and (3)
+ making sure that nobody else was misusing AbstractValue::validate() (they weren't).
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::executeEffects):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::filterByValue):
+
+2013-04-23 Oliver Hunt <oliver@apple.com>
+
+ Default ParserError() initialiser doesn't initialise all fields
+ https://bugs.webkit.org/show_bug.cgi?id=115074
+
+ Reviewed by Joseph Pecoraro.
+
+ Only the jsc command prompt depended on this, but we'll fix it to
+ be on the safe side.
+
+ * parser/ParserError.h:
+ (JSC::ParserError::ParserError):
+
+2013-04-23 Christophe Dumez <ch.dumez@sisa.samsung.com>
+
+ Global constructors should be configurable and not enumerable
+ https://bugs.webkit.org/show_bug.cgi?id=110573
+
+ Reviewed by Geoffrey Garen.
+
+ Update JSObject::deleteProperty() so that mark to set the property
+ value to undefined if it is in static hashtable of properties. The
+ previous code was not doing anything in this case and this meant
+ we could not remove builtin DOMWindow properties such as
+ "ProgressEvent" even if marked as Deletable.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::deleteProperty):
+ * runtime/Lookup.h:
+ (JSC):
+ (JSC::putEntry):
+ (JSC::lookupPut):
+
+2013-04-23 Geoffrey Garen <ggaren@apple.com>
+
+ Filled out more cases of branch folding in bytecode when emitting
+ expressions into a branching context
+ https://bugs.webkit.org/show_bug.cgi?id=115057
+
+ Reviewed by Filip Pizlo.
+
+ This covers a few cases like:
+
+ - while (true) { }
+ - while (1) { }
+ - if (x) break;
+ - if (x) continue;
+ - if (boolean_expr == boolean_const) { }
+ - if (boolean_expr == 1_or_0) { }
+ - if (bitop == 1_or_0) { }
+
+ This also works, but will bring shame on your family:
+
+ - while ("hello world") { }
+
+ No change on the benchmarks we track, but a 2.5X speedup on a microbenchmark
+ that uses these techniques.
+
+ * JavaScriptCore.order: Order!
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitNewArray):
+ (JSC::BytecodeGenerator::emitThrowReferenceError):
+ (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::shouldEmitDebugHooks): Updated ancillary code
+ for interface simplifications.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ConstantNode::emitBytecodeInConditionContext): Constants can
+ jump unconditionally when used within a condition context.
+
+ (JSC::ConstantNode::emitBytecode):
+ (JSC::StringNode::jsValue): Gave constants a common base class so I
+ could implement their codegen just once.
+
+ (JSC::BinaryOpNode::emitBytecodeInConditionContext):
+ (JSC::canFoldToBranch):
+ (JSC::BinaryOpNode::tryFoldToBranch): Fold (!/=)= and (!/=)== where
+ appropriate. A lot of cases are not appropriate because of the surprising
+ type conversion semantics of ==. For example, if (number == true) { } is
+ not the same as if (number) { } because the former will up-convert true
+ to number and then do numeric comparison.
+
+ (JSC::singleStatement):
+ (JSC::IfElseNode::tryFoldBreakAndContinue):
+ (JSC::IfElseNode::emitBytecode):
+ (JSC::ContinueNode::trivialTarget):
+ (JSC::BreakNode::trivialTarget): Fold "if (expression) break" and
+ "if (expression) continue" into direct jumps from expression.
+
+ * parser/ASTBuilder.h:
+ (ASTBuilder):
+ (JSC::ASTBuilder::createIfStatement):
+ * parser/NodeConstructors.h:
+ (JSC::ConstantNode::ConstantNode):
+ (JSC):
+ (JSC::NullNode::NullNode):
+ (JSC::BooleanNode::BooleanNode):
+ (JSC::NumberNode::NumberNode):
+ (JSC::StringNode::StringNode):
+ (JSC::IfElseNode::IfElseNode):
+ * parser/Nodes.h:
+ (JSC::ExpressionNode::isConstant):
+ (JSC::ExpressionNode::isBoolean):
+ (JSC::StatementNode::isBreak):
+ (JSC::StatementNode::isContinue):
+ (ConstantNode):
+ (JSC::ConstantNode::isPure):
+ (JSC::ConstantNode::isConstant):
+ (NullNode):
+ (JSC::NullNode::jsValue):
+ (JSC::BooleanNode::value):
+ (JSC::BooleanNode::isBoolean):
+ (JSC::BooleanNode::jsValue):
+ (JSC::NumberNode::value):
+ (NumberNode):
+ (JSC::NumberNode::jsValue):
+ (StringNode):
+ (BinaryOpNode):
+ (IfElseNode):
+ (ContinueNode):
+ (JSC::ContinueNode::isContinue):
+ (BreakNode):
+ (JSC::BreakNode::isBreak):
+ * parser/Parser.cpp:
+ (JSC::::parseIfStatement):
+ * parser/ResultType.h:
+ (JSC::ResultType::definitelyIsBoolean):
+ (ResultType):
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::pureToBoolean):
+ * runtime/JSCell.h:
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::pureToBoolean): Updated for interface changes above.
+
+2013-04-23 Mark Lam <mark.lam@apple.com>
+
+ Simplify the baseline JIT loop hint call site.
+ https://bugs.webkit.org/show_bug.cgi?id=115052.
+
+ Reviewed by Geoffrey Garen.
+
+ Moved the watchdog timer check after the JIT optimization check. This
+ ensures that the JIT opimization counter is incremented on every loop
+ hint even if the watchdog timer fires.
+
+ Removed the code that allows the JIT OSR to happen if the watchdog
+ timer fires but does not result in a termination. It is extremely rare
+ that the JIT optimization counter would trigger an OSR on the same pass
+ as when the watchdog timer fire. If it does happen, we'll simply hold
+ off on servicing the watchdog timer until the next pass (because it's
+ not time critical).
+
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_loop_hint):
+ (JSC::JIT::emitSlow_op_loop_hint):
+
+2013-04-23 Roger Fong <roger_fong@apple.com>
+
+ AppleWin build fix.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+
+2013-04-18 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Update public header documentation
+ https://bugs.webkit.org/show_bug.cgi?id=114841
+
+ Reviewed by Geoffrey Garen.
+
+ Added documentation for the newly added object lifetime-related stuff.
+
+ * API/JSManagedValue.h:
+ * API/JSVirtualMachine.h:
+
+2013-04-22 Mark Lam <mark.lam@apple.com>
+
+ Fix a typo in MacroAssemblerARMv7.h.
+ https://bugs.webkit.org/show_bug.cgi?id=115011.
+
+ Reviewed by Geoffrey Garen.
+
+ * assembler/ARMAssembler.h: Fix a comment.
+ * assembler/ARMv7Assembler.h: Added some comments.
+ * assembler/MacroAssemblerARMv7.h:
+ - ARMAssembler::PL should be ARMv7Assembler::ConditionPL.
+
+2013-04-22 Julien Brianceau <jbrianceau@nds.com>
+
+ Add branchAdd32 missing implementation in SH4 base JIT.
+ This should fix SH4 build, broken since r148893.
+ https://bugs.webkit.org/show_bug.cgi?id=114993.
+
+ Reviewed by Oliver Hunt.
+
+ * assembler/MacroAssemblerSH4.h:
+ (JSC::MacroAssemblerSH4::branchAdd32):
+ (MacroAssemblerSH4):
+
+2013-04-22 Benjamin Poulain <bpoulain@apple.com>
+
+ Windows build fix after r148921
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-04-22 Benjamin Poulain <benjamin@webkit.org>
+
+ Remove the memory instrumentation code
+ https://bugs.webkit.org/show_bug.cgi?id=114931
+
+ Reviewed by Andreas Kling.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-04-22 Mark Lam <mark.lam@apple.com>
+
+ Fix broken 32-bit build to green the bots.
+ https://bugs.webkit.org/show_bug.cgi?id=114968.
+
+ Unreviewed.
+
+ Basically, I moved a JIT::emit_op_loop_hint() and JIT::emitSlow_op_loop_hint()
+ into common code where they belong, instead of the 64-bit specific section.
+
+ Also fixed some SH4 assertions failures which were also caused by
+ https://bugs.webkit.org/show_bug.cgi?id=114963. Thanks to Julien Brianceau
+ for pointing this out.
+
+ * assembler/MacroAssemblerSH4.h:
+ (JSC::MacroAssemblerSH4::branchAdd32):
+ * jit/JITOpcodes.cpp:
+ (JSC):
+ (JSC::JIT::emit_op_loop_hint):
+ (JSC::JIT::emitSlow_op_loop_hint):
+
+2013-04-22 Oliver Hunt <oliver@apple.com>
+
+ Perform null check before trying to use the result of readline()
+
+ RS=Gavin
+
+ * jsc.cpp:
+ (runInteractive):
+
+2013-04-22 Oliver Hunt <oliver@apple.com>
+
+ Fix assertions to account for new Vector layout
+
+ RS=Gavin
+
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions):
+
+2013-04-22 Mark Lam <mark.lam@apple.com>
+
+ Change baseline JIT watchdog timer check to use the proper fast slow path
+ infrastructure.
+ https://bugs.webkit.org/show_bug.cgi?id=114963.
+
+ Reviewed by Oliver Hunt.
+
+ Edit: The PositiveOrZero condition is added because it is needed for
+ the JIT optimization check. Previously, the JIT check branches around
+ the slow path if the test result is 'Signed' i.e. negative. Since we
+ now need to test for a condition that branches to the slow path (not
+ around it), we need the complement of 'Signed / Negative' i.e. Positive
+ or zero.
+
+ SH4 parts contributed by Julien Brianceau.
+
+ * assembler/ARMAssembler.h:
+ * assembler/MacroAssemblerARM.h:
+ * assembler/MacroAssemblerARMv7.h:
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::branchAdd32):
+ * assembler/MacroAssemblerSH4.h:
+ (JSC::MacroAssemblerSH4::branchAdd32):
+ * assembler/MacroAssemblerX86Common.h:
+ * assembler/SH4Assembler.h:
+ * jit/JIT.cpp:
+ (JSC::JIT::emitEnterOptimizationCheck):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ (JSC::JIT::emitEnterOptimizationCheck):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_loop_hint):
+ (JSC::JIT::emitSlow_op_loop_hint):
+ (JSC::JIT::emit_op_enter):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_enter):
+
+2013-04-22 Andreas Kling <akling@apple.com>
+
+ Shrink baseline size of WTF::Vector on 64-bit by switching to unsigned capacity and size.
+ <http://webkit.org/b/97268>
+ <rdar://problem/12376519>
+
+ Reviewed by Sam Weinig.
+
+ Update LLInt WTF::Vector offset constants to match the new memory layout.
+
+ * llint/LowLevelInterpreter.asm:
+
+2013-04-21 Oliver Hunt <oliver@apple.com>
+
+ JS Lexer and Parser should be more informative when they encounter errors
+ https://bugs.webkit.org/show_bug.cgi?id=114924
+
+ Reviewed by Filip Pizlo.
+
+ Add new tokens to represent the various ways that parsing and lexing have failed.
+ This gives us the ability to produce better error messages in some cases,
+ and to indicate whether or not the failure was due to invalid source, or simply
+ early termination.
+
+ The jsc prompt now makes use of this so that you can write functions that
+ are more than one line long.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::generate):
+ * jsc.cpp:
+ (stringFromUTF):
+ (jscSource):
+ (runInteractive):
+ * parser/Lexer.cpp:
+ (JSC::::parseFourDigitUnicodeHex):
+ (JSC::::parseIdentifierSlowCase):
+ (JSC::::parseString):
+ (JSC::::parseStringSlowCase):
+ (JSC::::lex):
+ * parser/Lexer.h:
+ (UnicodeHexValue):
+ (JSC::Lexer::UnicodeHexValue::UnicodeHexValue):
+ (JSC::Lexer::UnicodeHexValue::valueType):
+ (JSC::Lexer::UnicodeHexValue::isValid):
+ (JSC::Lexer::UnicodeHexValue::value):
+ (Lexer):
+ * parser/Parser.h:
+ (JSC::Parser::getTokenName):
+ (JSC::Parser::updateErrorMessageSpecialCase):
+ (JSC::::parse):
+ * parser/ParserError.h:
+ (ParserError):
+ (JSC::ParserError::ParserError):
+ * parser/ParserTokens.h:
+ * runtime/Completion.cpp:
+ (JSC):
+ (JSC::checkSyntax):
+ * runtime/Completion.h:
+ (JSC):
+
+2013-04-21 Mark Lam <mark.lam@apple.com>
+
+ Refactor identical inline functions in JSVALUE64 and JSVALUE32_64 sections
+ out into the common section.
+ https://bugs.webkit.org/show_bug.cgi?id=114910.
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::callOperation):
+
+2013-04-20 Allan Sandfeld Jensen <allan.jensen@digia.com>
+
+ LLint should be able to use x87 instead of SSE for floating pointer
+ https://bugs.webkit.org/show_bug.cgi?id=112239
+
+ Reviewed by Filip Pizlo.
+
+ Implements LLInt floating point operations in x87, to ensure we support
+ x86 without SSE2.
+
+ X86 (except 64bit) now defaults to using x87 instructions in order to
+ support all 32bit x86 back to i686. The implementation uses the fucomi
+ instruction from i686 which sets the new minimum.
+
+ The FPU registers must always be empty on entering or exiting a function.
+ We make sure to only use two X87 registers, and they are always emptied
+ before calling deeper functions or returning from the LLInt.
+
+ * jit/JITStubs.cpp:
+ (JSC): Empty FPU registers before exiting.
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * offlineasm/instructions.rb:
+ * offlineasm/x86.rb:
+
+2013-04-19 Roger Fong <roger_fong@apple.com>
+
+ Remove uses of WebKit_Source from AppleWin build in JavaScriptCore.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.make:
+ * JavaScriptCore.vcxproj/build-generated-files.sh:
+ * JavaScriptCore.vcxproj/copy-files.cmd:
+ * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
+
+2013-04-19 Benjamin Poulain <bpoulain@apple.com>
+
+ Rename JSStringJoiner::build() to join()
+ https://bugs.webkit.org/show_bug.cgi?id=114845
+
+ Reviewed by Geoffrey Garen.
+
+ The method name build() came from StringBuilder history. It does not make much
+ sense on the StringJoiner.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncToString):
+ (JSC::arrayProtoFuncToLocaleString):
+ (JSC::arrayProtoFuncJoin):
+ * runtime/JSStringJoiner.cpp:
+ (JSC::JSStringJoiner::join):
+ * runtime/JSStringJoiner.h:
+ (JSStringJoiner):
+
+2013-04-19 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. WebKit_Source is incorrectly set.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.make:
+
+2013-04-19 Martin Robinson <mrobinson@igalia.com>
+
+ [GTK] JSCore.gir.in has a few problems
+ https://bugs.webkit.org/show_bug.cgi?id=114710
+
+ Reviewed by Philippe Normand.
+
+ * GNUmakefile.am: Add the gobject introspection steps for JavaScriptCore here,
+ because they are shared between WebKit1 and WebKit2.
+ * JavaScriptCore.gir.in: Added. Moved from the WebKit1 directory. Now written
+ as foreign interfaces and referencing the javascriptcoregtk library.
+
+2013-04-18 Benjamin Poulain <bpoulain@apple.com>
+
+ Use StringJoiner to create the JSString of arrayProtoFuncToString
+ https://bugs.webkit.org/show_bug.cgi?id=114779
+
+ Reviewed by Geoffrey Garen.
+
+ The function arrayProtoFuncToString was just a glorified JSStringJoiner.
+ This patch replaces it by JSStringJoiner to simplify the code and enjoy any optimization
+ made on JSStringJoiner.
+
+ For some reason, this makes the execution 3.4% faster, despite having almost identical code.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncToString):
+
+2013-04-18 Oliver Hunt <oliver@apple.com>
+
+ StackFrame::column() returning bogus value
+ https://bugs.webkit.org/show_bug.cgi?id=114840
+
+ Reviewed by Gavin Barraclough.
+
+ Don't add one part of the expression offset to the other part of the expression.
+ Make StackFrame::toString() include the column info.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::StackFrame::expressionInfo):
+ (JSC::StackFrame::toString):
+
+2013-04-18 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Crash beneath JSC::JIT::privateCompileSlowCases @ stephenrdonaldson.com
+ https://bugs.webkit.org/show_bug.cgi?id=114774
+
+ Reviewed by Geoffrey Garen.
+
+ We're not linking up all of the slow cases in the baseline JIT when compiling put_to_base.
+
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emitSlow_op_put_to_base):
+
+2013-04-18 Mark Lam <mark.lam@apple.com>
+
+ Interpreter entry points should throw the TerminatedExecutionException from the caller frame.
+ https://bugs.webkit.org/show_bug.cgi?id=114816.
+
+ Reviewed by Oliver Hunt.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+
+2013-04-18 Gabor Rapcsanyi <rgabor@webkit.org>
+
+ LLInt ARM backend should not use the d8 register as scratch register
+ https://bugs.webkit.org/show_bug.cgi?id=114811
+
+ Reviewed by Filip Pizlo.
+
+ The d8 register must preserved across function calls and should
+ not used as scratch register. Changing it to d6.
+
+ * offlineasm/arm.rb:
+
+2013-04-18 Geoffrey Garen <ggaren@apple.com>
+
+ Removed HeapTimer::synchronize
+ https://bugs.webkit.org/show_bug.cgi?id=114832
+
+ Reviewed by Mark Hahnenberg.
+
+ HeapTimer::synchronize was a flawed attempt to make HeapTimer thread-safe.
+ Instead, we use proper locking now.
+
+ This is a slight API change, since the GC timer will now only fire in the
+ run loop that created the JS VM, even if another run loop later executes
+ some JS.
+
+ * API/APIShims.h:
+ (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
+ * heap/HeapTimer.cpp:
+ (JSC):
+ * heap/HeapTimer.h:
+ (HeapTimer):
+
+2013-04-17 Geoffrey Garen <ggaren@apple.com>
+
+ Renamed JSGlobalData to VM
+ https://bugs.webkit.org/show_bug.cgi?id=114777
+
+ Reviewed by Phil Pizlo.
+
+ * API/APICast.h:
+ (JSC):
+ (toJS):
+ (toRef):
+ * API/APIShims.h:
+ (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
+ (APIEntryShimWithoutLock):
+ (JSC::APIEntryShim::APIEntryShim):
+ (APIEntryShim):
+ (JSC::APIEntryShim::~APIEntryShim):
+ (JSC::APICallbackShim::APICallbackShim):
+ (JSC::APICallbackShim::~APICallbackShim):
+ (APICallbackShim):
+ * API/JSAPIWrapperObject.h:
+ (JSAPIWrapperObject):
+ * API/JSAPIWrapperObject.mm:
+ (JSC::::createStructure):
+ (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
+ (JSC::JSAPIWrapperObject::finishCreation):
+ (JSC::JSAPIWrapperObject::visitChildren):
+ * API/JSBase.cpp:
+ (JSGarbageCollect):
+ (JSReportExtraMemoryCost):
+ (JSSynchronousGarbageCollectForDebugging):
+ * API/JSCallbackConstructor.cpp:
+ (JSC::JSCallbackConstructor::JSCallbackConstructor):
+ (JSC::JSCallbackConstructor::finishCreation):
+ * API/JSCallbackConstructor.h:
+ (JSC::JSCallbackConstructor::createStructure):
+ * API/JSCallbackFunction.cpp:
+ (JSC::JSCallbackFunction::finishCreation):
+ (JSC::JSCallbackFunction::create):
+ * API/JSCallbackFunction.h:
+ (JSCallbackFunction):
+ (JSC::JSCallbackFunction::createStructure):
+ * API/JSCallbackObject.cpp:
+ (JSC::::create):
+ (JSC::::createStructure):
+ * API/JSCallbackObject.h:
+ (JSC::JSCallbackObjectData::setPrivateProperty):
+ (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
+ (JSCallbackObject):
+ (JSC::JSCallbackObject::setPrivateProperty):
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::::JSCallbackObject):
+ (JSC::::finishCreation):
+ (JSC::::put):
+ (JSC::::staticFunctionGetter):
+ * API/JSClassRef.cpp:
+ (OpaqueJSClassContextData::OpaqueJSClassContextData):
+ (OpaqueJSClass::contextData):
+ (OpaqueJSClass::prototype):
+ * API/JSClassRef.h:
+ (OpaqueJSClassContextData):
+ * API/JSContext.mm:
+ (-[JSContext setException:]):
+ (-[JSContext initWithGlobalContextRef:]):
+ (+[JSContext contextWithGlobalContextRef:]):
+ * API/JSContextRef.cpp:
+ (JSContextGroupCreate):
+ (JSContextGroupRelease):
+ (JSGlobalContextCreate):
+ (JSGlobalContextCreateInGroup):
+ (JSGlobalContextRetain):
+ (JSGlobalContextRelease):
+ (JSContextGetGroup):
+ (JSContextCreateBacktrace):
+ * API/JSObjectRef.cpp:
+ (JSObjectMake):
+ (JSObjectMakeConstructor):
+ (JSObjectMakeFunction):
+ (JSObjectSetPrototype):
+ (JSObjectHasProperty):
+ (JSObjectGetProperty):
+ (JSObjectSetProperty):
+ (JSObjectDeleteProperty):
+ (JSObjectGetPrivateProperty):
+ (JSObjectSetPrivateProperty):
+ (JSObjectDeletePrivateProperty):
+ (OpaqueJSPropertyNameArray::OpaqueJSPropertyNameArray):
+ (OpaqueJSPropertyNameArray):
+ (JSObjectCopyPropertyNames):
+ (JSPropertyNameArrayRelease):
+ (JSPropertyNameAccumulatorAddName):
+ * API/JSScriptRef.cpp:
+ (OpaqueJSScript::create):
+ (OpaqueJSScript::vm):
+ (OpaqueJSScript::OpaqueJSScript):
+ (OpaqueJSScript):
+ (parseScript):
+ * API/JSVirtualMachine.mm:
+ (scanExternalObjectGraph):
+ * API/JSVirtualMachineInternal.h:
+ (JSC):
+ * API/JSWrapperMap.mm:
+ (makeWrapper):
+ * API/ObjCCallbackFunction.h:
+ (JSC::ObjCCallbackFunction::createStructure):
+ * API/ObjCCallbackFunction.mm:
+ (JSC::ObjCCallbackFunction::create):
+ * API/OpaqueJSString.cpp:
+ (OpaqueJSString::identifier):
+ * API/OpaqueJSString.h:
+ (JSC):
+ (OpaqueJSString):
+ * GNUmakefile.list.am:
+ * JSCTypedArrayStubs.h:
+ (JSC):
+ * JavaScriptCore.order:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * KeywordLookupGenerator.py:
+ (Trie.printSubTreeAsC):
+ * Target.pri:
+ * assembler/ARMAssembler.cpp:
+ (JSC::ARMAssembler::executableCopy):
+ * assembler/ARMAssembler.h:
+ (ARMAssembler):
+ * assembler/AssemblerBuffer.h:
+ (JSC::AssemblerBuffer::executableCopy):
+ * assembler/AssemblerBufferWithConstantPool.h:
+ (JSC::AssemblerBufferWithConstantPool::executableCopy):
+ * assembler/LinkBuffer.cpp:
+ (JSC::LinkBuffer::linkCode):
+ * assembler/LinkBuffer.h:
+ (JSC):
+ (JSC::LinkBuffer::LinkBuffer):
+ (LinkBuffer):
+ * assembler/MIPSAssembler.h:
+ (JSC::MIPSAssembler::executableCopy):
+ * assembler/SH4Assembler.h:
+ (JSC::SH4Assembler::executableCopy):
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::executableCopy):
+ (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
+ * bytecode/CallLinkInfo.cpp:
+ (JSC::CallLinkInfo::unlink):
+ * bytecode/CallLinkInfo.h:
+ (CallLinkInfo):
+ * bytecode/CodeBlock.cpp:
+ (JSC::dumpStructure):
+ (JSC::CodeBlock::printStructures):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::~CodeBlock):
+ (JSC::CodeBlock::visitStructures):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::createActivation):
+ (JSC::CodeBlock::unlinkCalls):
+ (JSC::CodeBlock::unlinkIncomingCalls):
+ (JSC::CodeBlock::findClosureCallForReturnPC):
+ (JSC::ProgramCodeBlock::jettisonImpl):
+ (JSC::EvalCodeBlock::jettisonImpl):
+ (JSC::FunctionCodeBlock::jettisonImpl):
+ (JSC::CodeBlock::predictedMachineCodeSize):
+ (JSC::CodeBlock::usesOpcode):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::appendWeakReference):
+ (JSC::CodeBlock::appendWeakReferenceTransition):
+ (JSC::CodeBlock::setJITCode):
+ (JSC::CodeBlock::setGlobalData):
+ (JSC::CodeBlock::vm):
+ (JSC::CodeBlock::valueProfileForBytecodeOffset):
+ (JSC::CodeBlock::addConstant):
+ (JSC::CodeBlock::setConstantRegisters):
+ (CodeBlock):
+ (JSC::CodeBlock::WeakReferenceTransition::WeakReferenceTransition):
+ * bytecode/EvalCodeCache.h:
+ (JSC::EvalCodeCache::getSlow):
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeFromLLInt):
+ (JSC::GetByIdStatus::computeForChain):
+ (JSC::GetByIdStatus::computeFor):
+ * bytecode/GetByIdStatus.h:
+ (GetByIdStatus):
+ * bytecode/Instruction.h:
+ (JSC::Instruction::Instruction):
+ * bytecode/ObjectAllocationProfile.h:
+ (JSC::ObjectAllocationProfile::initialize):
+ (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
+ * bytecode/PolymorphicAccessStructureList.h:
+ (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
+ (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
+ * bytecode/PolymorphicPutByIdList.h:
+ (JSC::PutByIdAccess::transition):
+ (JSC::PutByIdAccess::replace):
+ * bytecode/PreciseJumpTargets.cpp:
+ (JSC::computePreciseJumpTargets):
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeFromLLInt):
+ (JSC::PutByIdStatus::computeFor):
+ * bytecode/PutByIdStatus.h:
+ (JSC):
+ (PutByIdStatus):
+ * bytecode/ResolveGlobalStatus.cpp:
+ (JSC::computeForStructure):
+ * bytecode/SamplingTool.cpp:
+ (JSC::SamplingTool::notifyOfScope):
+ * bytecode/SamplingTool.h:
+ (JSC::ScriptSampleRecord::ScriptSampleRecord):
+ (SamplingTool):
+ * bytecode/StructureStubInfo.h:
+ (JSC::StructureStubInfo::initGetByIdSelf):
+ (JSC::StructureStubInfo::initGetByIdProto):
+ (JSC::StructureStubInfo::initGetByIdChain):
+ (JSC::StructureStubInfo::initPutByIdTransition):
+ (JSC::StructureStubInfo::initPutByIdReplace):
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::generateFunctionCodeBlock):
+ (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
+ (JSC::UnlinkedFunctionExecutable::link):
+ (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
+ (JSC::UnlinkedFunctionExecutable::codeBlockFor):
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedFunctionExecutable::create):
+ (UnlinkedFunctionExecutable):
+ (JSC::UnlinkedFunctionExecutable::finishCreation):
+ (JSC::UnlinkedFunctionExecutable::createStructure):
+ (JSC::UnlinkedCodeBlock::addRegExp):
+ (JSC::UnlinkedCodeBlock::addConstant):
+ (JSC::UnlinkedCodeBlock::addFunctionDecl):
+ (JSC::UnlinkedCodeBlock::addFunctionExpr):
+ (JSC::UnlinkedCodeBlock::vm):
+ (UnlinkedCodeBlock):
+ (JSC::UnlinkedCodeBlock::finishCreation):
+ (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
+ (JSC::UnlinkedProgramCodeBlock::create):
+ (JSC::UnlinkedProgramCodeBlock::addFunctionDeclaration):
+ (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock):
+ (JSC::UnlinkedProgramCodeBlock::createStructure):
+ (JSC::UnlinkedEvalCodeBlock::create):
+ (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock):
+ (JSC::UnlinkedEvalCodeBlock::createStructure):
+ (JSC::UnlinkedFunctionCodeBlock::create):
+ (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock):
+ (JSC::UnlinkedFunctionCodeBlock::createStructure):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::addConstant):
+ (JSC::BytecodeGenerator::emitLoad):
+ (JSC::BytecodeGenerator::emitDirectPutById):
+ (JSC::BytecodeGenerator::addStringConstant):
+ (JSC::BytecodeGenerator::expectedFunctionForIdentifier):
+ (JSC::BytecodeGenerator::emitThrowReferenceError):
+ (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
+ * bytecompiler/BytecodeGenerator.h:
+ (BytecodeGenerator):
+ (JSC::BytecodeGenerator::vm):
+ (JSC::BytecodeGenerator::propertyNames):
+ (JSC::BytecodeGenerator::makeFunction):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::RegExpNode::emitBytecode):
+ (JSC::ArrayNode::toArgumentList):
+ (JSC::ApplyFunctionCallDotNode::emitBytecode):
+ (JSC::InstanceOfNode::emitBytecode):
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::recompileAllJSFunctions):
+ (JSC::evaluateInGlobalCallFrame):
+ * debugger/Debugger.h:
+ (JSC):
+ * debugger/DebuggerActivation.cpp:
+ (JSC::DebuggerActivation::DebuggerActivation):
+ (JSC::DebuggerActivation::finishCreation):
+ * debugger/DebuggerActivation.h:
+ (JSC::DebuggerActivation::create):
+ (JSC::DebuggerActivation::createStructure):
+ (DebuggerActivation):
+ * debugger/DebuggerCallFrame.cpp:
+ (JSC::DebuggerCallFrame::evaluate):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::executeEffects):
+ * dfg/DFGAssemblyHelpers.h:
+ (JSC::DFG::AssemblyHelpers::AssemblyHelpers):
+ (JSC::DFG::AssemblyHelpers::vm):
+ (JSC::DFG::AssemblyHelpers::debugCall):
+ (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
+ (AssemblyHelpers):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::ByteCodeParser):
+ (ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ * dfg/DFGByteCodeParser.h:
+ (JSC):
+ * dfg/DFGCCallHelpers.h:
+ (JSC::DFG::CCallHelpers::CCallHelpers):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::canHandleOpcodes):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::reportToProfiler):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+ * dfg/DFGDriver.h:
+ (JSC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
+ (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ * dfg/DFGGraph.h:
+ (Graph):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::JITCompiler):
+ (JSC::DFG::JITCompiler::linkOSRExits):
+ (JSC::DFG::JITCompiler::link):
+ (JSC::DFG::JITCompiler::compile):
+ (JSC::DFG::JITCompiler::compileFunction):
+ * dfg/DFGJITCompiler.h:
+ (JSC):
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareOSREntry):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOperations.cpp:
+ (JSC::DFG::putByVal):
+ (JSC::DFG::operationPutByValInternal):
+ (JSC::getHostCallReturnValueWithExecState):
+ * dfg/DFGPhase.h:
+ (JSC::DFG::Phase::vm):
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::generateProtoChainAccessStub):
+ (JSC::DFG::tryCacheGetByID):
+ (JSC::DFG::tryBuildGetByIDList):
+ (JSC::DFG::tryBuildGetByIDProtoList):
+ (JSC::DFG::emitPutReplaceStub):
+ (JSC::DFG::emitPutTransitionStub):
+ (JSC::DFG::tryCachePutByID):
+ (JSC::DFG::tryBuildPutByIdList):
+ (JSC::DFG::linkSlowFor):
+ (JSC::DFG::dfgLinkFor):
+ (JSC::DFG::dfgLinkSlowFor):
+ (JSC::DFG::dfgLinkClosureCall):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
+ (JSC::DFG::SpeculativeJIT::compileFromCharCode):
+ (JSC::DFG::SpeculativeJIT::compileMakeRope):
+ (JSC::DFG::SpeculativeJIT::compileStringEquality):
+ (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
+ (JSC::DFG::SpeculativeJIT::speculateObject):
+ (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
+ (JSC::DFG::SpeculativeJIT::speculateString):
+ (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
+ (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::osrExitGenerationThunkGenerator):
+ (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
+ (JSC::DFG::slowPathFor):
+ (JSC::DFG::linkForThunkGenerator):
+ (JSC::DFG::linkCallThunkGenerator):
+ (JSC::DFG::linkConstructThunkGenerator):
+ (JSC::DFG::linkClosureCallThunkGenerator):
+ (JSC::DFG::virtualForThunkGenerator):
+ (JSC::DFG::virtualCallThunkGenerator):
+ (JSC::DFG::virtualConstructThunkGenerator):
+ * dfg/DFGThunks.h:
+ (JSC):
+ (DFG):
+ * heap/BlockAllocator.h:
+ (JSC):
+ * heap/CopiedSpace.cpp:
+ (JSC::CopiedSpace::tryAllocateSlowCase):
+ (JSC::CopiedSpace::tryReallocate):
+ * heap/CopiedSpaceInlines.h:
+ (JSC::CopiedSpace::tryAllocate):
+ * heap/GCThreadSharedData.cpp:
+ (JSC::GCThreadSharedData::GCThreadSharedData):
+ (JSC::GCThreadSharedData::reset):
+ * heap/GCThreadSharedData.h:
+ (JSC):
+ (GCThreadSharedData):
+ * heap/HandleSet.cpp:
+ (JSC::HandleSet::HandleSet):
+ (JSC::HandleSet::~HandleSet):
+ (JSC::HandleSet::grow):
+ * heap/HandleSet.h:
+ (JSC):
+ (HandleSet):
+ (JSC::HandleSet::vm):
+ * heap/Heap.cpp:
+ (JSC::Heap::Heap):
+ (JSC):
+ (JSC::Heap::lastChanceToFinalize):
+ (JSC::Heap::protect):
+ (JSC::Heap::unprotect):
+ (JSC::Heap::stack):
+ (JSC::Heap::getConservativeRegisterRoots):
+ (JSC::Heap::markRoots):
+ (JSC::Heap::deleteAllCompiledCode):
+ (JSC::Heap::collect):
+ (JSC::Heap::isValidAllocation):
+ * heap/Heap.h:
+ (JSC):
+ (Heap):
+ (JSC::Heap::vm):
+ * heap/HeapTimer.cpp:
+ (JSC::HeapTimer::HeapTimer):
+ (JSC::HeapTimer::timerDidFire):
+ (JSC::HeapTimer::timerEvent):
+ * heap/HeapTimer.h:
+ (JSC):
+ (HeapTimer):
+ * heap/IncrementalSweeper.cpp:
+ (JSC::IncrementalSweeper::IncrementalSweeper):
+ (JSC::IncrementalSweeper::sweepNextBlock):
+ (JSC::IncrementalSweeper::willFinishSweeping):
+ (JSC::IncrementalSweeper::create):
+ * heap/IncrementalSweeper.h:
+ (IncrementalSweeper):
+ * heap/Local.h:
+ (Local):
+ (JSC::::Local):
+ (JSC::LocalStack::LocalStack):
+ (JSC::LocalStack::push):
+ (LocalStack):
+ * heap/LocalScope.h:
+ (JSC):
+ (LocalScope):
+ (JSC::LocalScope::LocalScope):
+ * heap/MachineStackMarker.cpp:
+ (JSC::MachineThreads::addCurrentThread):
+ * heap/MarkedAllocator.cpp:
+ (JSC::MarkedAllocator::allocateSlowCase):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::MarkedBlock):
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::vm):
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::SlotVisitor):
+ (JSC::SlotVisitor::setup):
+ * heap/Strong.h:
+ (JSC):
+ (Strong):
+ (JSC::Strong::operator=):
+ * heap/StrongInlines.h:
+ (JSC::::Strong):
+ (JSC::::set):
+ * heap/SuperRegion.h:
+ (JSC):
+ * heap/WeakSet.cpp:
+ * heap/WeakSet.h:
+ (WeakSet):
+ (JSC::WeakSet::WeakSet):
+ (JSC::WeakSet::vm):
+ * interpreter/AbstractPC.cpp:
+ (JSC::AbstractPC::AbstractPC):
+ * interpreter/AbstractPC.h:
+ (JSC):
+ (AbstractPC):
+ * interpreter/CachedCall.h:
+ (JSC::CachedCall::CachedCall):
+ * interpreter/CallFrame.h:
+ (ExecState):
+ (JSC::ExecState::clearException):
+ (JSC::ExecState::clearSupplementaryExceptionInfo):
+ (JSC::ExecState::exception):
+ (JSC::ExecState::hadException):
+ (JSC::ExecState::propertyNames):
+ (JSC::ExecState::emptyList):
+ (JSC::ExecState::interpreter):
+ (JSC::ExecState::heap):
+ (JSC::ExecState::arrayConstructorTable):
+ (JSC::ExecState::arrayPrototypeTable):
+ (JSC::ExecState::booleanPrototypeTable):
+ (JSC::ExecState::dateTable):
+ (JSC::ExecState::dateConstructorTable):
+ (JSC::ExecState::errorPrototypeTable):
+ (JSC::ExecState::globalObjectTable):
+ (JSC::ExecState::jsonTable):
+ (JSC::ExecState::mathTable):
+ (JSC::ExecState::numberConstructorTable):
+ (JSC::ExecState::numberPrototypeTable):
+ (JSC::ExecState::objectConstructorTable):
+ (JSC::ExecState::privateNamePrototypeTable):
+ (JSC::ExecState::regExpTable):
+ (JSC::ExecState::regExpConstructorTable):
+ (JSC::ExecState::regExpPrototypeTable):
+ (JSC::ExecState::stringConstructorTable):
+ (JSC::ExecState::abstractReturnPC):
+ * interpreter/CallFrameClosure.h:
+ (CallFrameClosure):
+ * interpreter/Interpreter.cpp:
+ (JSC):
+ (JSC::eval):
+ (JSC::loadVarargs):
+ (JSC::Interpreter::Interpreter):
+ (JSC::Interpreter::dumpRegisters):
+ (JSC::Interpreter::unwindCallFrame):
+ (JSC::appendSourceToError):
+ (JSC::getCallerInfo):
+ (JSC::Interpreter::getStackTrace):
+ (JSC::Interpreter::addStackTraceIfNecessary):
+ (JSC::Interpreter::throwException):
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ (JSC::Interpreter::prepareForRepeatCall):
+ (JSC::Interpreter::retrieveArgumentsFromVMCode):
+ (JSC::Interpreter::retrieveCallerFromVMCode):
+ * interpreter/Interpreter.h:
+ (JSC):
+ (JSC::TopCallFrameSetter::TopCallFrameSetter):
+ (JSC::TopCallFrameSetter::~TopCallFrameSetter):
+ (TopCallFrameSetter):
+ (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
+ (Interpreter):
+ * interpreter/JSStack.cpp:
+ (JSC::JSStack::JSStack):
+ * interpreter/JSStack.h:
+ (JSC):
+ * jit/ClosureCallStubRoutine.cpp:
+ (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
+ * jit/ClosureCallStubRoutine.h:
+ (ClosureCallStubRoutine):
+ * jit/ExecutableAllocator.cpp:
+ (JSC::ExecutableAllocator::ExecutableAllocator):
+ (JSC::ExecutableAllocator::allocate):
+ * jit/ExecutableAllocator.h:
+ (JSC):
+ (ExecutableAllocator):
+ * jit/ExecutableAllocatorFixedVMPool.cpp:
+ (JSC::ExecutableAllocator::ExecutableAllocator):
+ (JSC::ExecutableAllocator::allocate):
+ * jit/GCAwareJITStubRoutine.cpp:
+ (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
+ (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject):
+ (JSC::createJITStubRoutine):
+ * jit/GCAwareJITStubRoutine.h:
+ (GCAwareJITStubRoutine):
+ (MarkingGCAwareJITStubRoutineWithOneObject):
+ (JSC):
+ * jit/JIT.cpp:
+ (JSC::JIT::JIT):
+ (JSC::JIT::privateCompile):
+ (JSC::JIT::linkFor):
+ (JSC::JIT::linkSlowCall):
+ * jit/JIT.h:
+ (JSC::JIT::compile):
+ (JSC::JIT::compileClosureCall):
+ (JSC::JIT::compileGetByIdProto):
+ (JSC::JIT::compileGetByIdSelfList):
+ (JSC::JIT::compileGetByIdProtoList):
+ (JSC::JIT::compileGetByIdChainList):
+ (JSC::JIT::compileGetByIdChain):
+ (JSC::JIT::compilePutByIdTransition):
+ (JSC::JIT::compileGetByVal):
+ (JSC::JIT::compilePutByVal):
+ (JSC::JIT::compileCTINativeCall):
+ (JSC::JIT::compilePatchGetArrayLength):
+ (JIT):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileLoadVarargs):
+ (JSC::JIT::compileCallEvalSlowCase):
+ (JSC::JIT::compileOpCallSlowCase):
+ (JSC::JIT::privateCompileClosureCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileLoadVarargs):
+ (JSC::JIT::compileCallEvalSlowCase):
+ (JSC::JIT::compileOpCallSlowCase):
+ (JSC::JIT::privateCompileClosureCall):
+ * jit/JITCode.h:
+ (JSC):
+ (JSC::JITCode::execute):
+ * jit/JITDriver.h:
+ (JSC::jitCompileIfAppropriate):
+ (JSC::jitCompileFunctionIfAppropriate):
+ * jit/JITExceptions.cpp:
+ (JSC::genericThrow):
+ (JSC::jitThrow):
+ * jit/JITExceptions.h:
+ (JSC):
+ * jit/JITInlines.h:
+ (JSC::JIT::emitLoadCharacterString):
+ (JSC::JIT::updateTopCallFrame):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::privateCompileCTINativeCall):
+ (JSC::JIT::emit_op_new_object):
+ (JSC::JIT::emit_op_to_primitive):
+ (JSC::JIT::emit_op_catch):
+ (JSC::JIT::emit_op_convert_this):
+ (JSC::JIT::emitSlow_op_convert_this):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::privateCompileCTINativeCall):
+ (JSC::JIT::emit_op_new_object):
+ (JSC::JIT::emit_op_to_primitive):
+ (JSC::JIT::emitSlow_op_eq):
+ (JSC::JIT::emitSlow_op_neq):
+ (JSC::JIT::compileOpStrictEq):
+ (JSC::JIT::emit_op_catch):
+ (JSC::JIT::emit_op_convert_this):
+ (JSC::JIT::emitSlow_op_convert_this):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::stringGetByValStubGenerator):
+ (JSC::JIT::emitSlow_op_get_by_val):
+ (JSC::JIT::compileGetByIdHotPath):
+ (JSC::JIT::privateCompilePutByIdTransition):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ (JSC::JIT::privateCompileGetByIdProto):
+ (JSC::JIT::privateCompileGetByIdSelfList):
+ (JSC::JIT::privateCompileGetByIdProtoList):
+ (JSC::JIT::privateCompileGetByIdChainList):
+ (JSC::JIT::privateCompileGetByIdChain):
+ (JSC::JIT::privateCompileGetByVal):
+ (JSC::JIT::privateCompilePutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::stringGetByValStubGenerator):
+ (JSC::JIT::emitSlow_op_get_by_val):
+ (JSC::JIT::compileGetByIdHotPath):
+ (JSC::JIT::privateCompilePutByIdTransition):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ (JSC::JIT::privateCompileGetByIdProto):
+ (JSC::JIT::privateCompileGetByIdSelfList):
+ (JSC::JIT::privateCompileGetByIdProtoList):
+ (JSC::JIT::privateCompileGetByIdChainList):
+ (JSC::JIT::privateCompileGetByIdChain):
+ * jit/JITStubs.cpp:
+ (JSC::ctiTrampoline):
+ (JSC):
+ (JSC::performPlatformSpecificJITAssertions):
+ (JSC::tryCachePutByID):
+ (JSC::tryCacheGetByID):
+ (JSC::returnToThrowTrampoline):
+ (JSC::throwExceptionFromOpCall):
+ (JSC::DEFINE_STUB_FUNCTION):
+ (JSC::getPolymorphicAccessStructureListSlot):
+ (JSC::jitCompileFor):
+ (JSC::lazyLinkFor):
+ (JSC::putByVal):
+ * jit/JITStubs.h:
+ (JSC):
+ (JITStackFrame):
+ * jit/JITThunks.cpp:
+ (JSC::JITThunks::ctiNativeCall):
+ (JSC::JITThunks::ctiNativeConstruct):
+ (JSC::JITThunks::ctiStub):
+ (JSC::JITThunks::hostFunctionStub):
+ * jit/JITThunks.h:
+ (JSC):
+ (JITThunks):
+ * jit/JITWriteBarrier.h:
+ (JSC):
+ (JSC::JITWriteBarrierBase::set):
+ (JSC::JITWriteBarrier::set):
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::loadJSStringArgument):
+ (JSC::SpecializedThunkJIT::finalize):
+ * jit/ThunkGenerator.h:
+ (JSC):
+ * jit/ThunkGenerators.cpp:
+ (JSC::generateSlowCaseFor):
+ (JSC::linkForGenerator):
+ (JSC::linkCallGenerator):
+ (JSC::linkConstructGenerator):
+ (JSC::linkClosureCallGenerator):
+ (JSC::virtualForGenerator):
+ (JSC::virtualCallGenerator):
+ (JSC::virtualConstructGenerator):
+ (JSC::stringLengthTrampolineGenerator):
+ (JSC::nativeForGenerator):
+ (JSC::nativeCallGenerator):
+ (JSC::nativeConstructGenerator):
+ (JSC::stringCharLoad):
+ (JSC::charToString):
+ (JSC::charCodeAtThunkGenerator):
+ (JSC::charAtThunkGenerator):
+ (JSC::fromCharCodeThunkGenerator):
+ (JSC::sqrtThunkGenerator):
+ (JSC::floorThunkGenerator):
+ (JSC::ceilThunkGenerator):
+ (JSC::roundThunkGenerator):
+ (JSC::expThunkGenerator):
+ (JSC::logThunkGenerator):
+ (JSC::absThunkGenerator):
+ (JSC::powThunkGenerator):
+ * jit/ThunkGenerators.h:
+ (JSC):
+ * jsc.cpp:
+ (GlobalObject):
+ (GlobalObject::create):
+ (GlobalObject::createStructure):
+ (GlobalObject::finishCreation):
+ (GlobalObject::addFunction):
+ (GlobalObject::addConstructableFunction):
+ (functionDumpCallFrame):
+ (functionJSCStack):
+ (functionReleaseExecutableMemory):
+ (functionRun):
+ (main):
+ (runWithScripts):
+ (jscmain):
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions):
+ * llint/LLIntData.h:
+ (JSC):
+ (Data):
+ (JSC::LLInt::Data::performAssertions):
+ * llint/LLIntEntrypoints.cpp:
+ (JSC::LLInt::getFunctionEntrypoint):
+ (JSC::LLInt::getEvalEntrypoint):
+ (JSC::LLInt::getProgramEntrypoint):
+ * llint/LLIntEntrypoints.h:
+ (JSC):
+ (LLInt):
+ (JSC::LLInt::getEntrypoint):
+ * llint/LLIntExceptions.cpp:
+ (JSC::LLInt::interpreterThrowInCaller):
+ (JSC::LLInt::returnToThrow):
+ (JSC::LLInt::callToThrow):
+ * llint/LLIntOffsetsExtractor.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ (LLInt):
+ (JSC::LLInt::llint_trace_operand):
+ (JSC::LLInt::llint_trace_value):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::shouldJIT):
+ (JSC::LLInt::handleHostCall):
+ (JSC::LLInt::setUpCall):
+ * llint/LLIntThunks.cpp:
+ (JSC::LLInt::generateThunkWithJumpTo):
+ (JSC::LLInt::functionForCallEntryThunkGenerator):
+ (JSC::LLInt::functionForConstructEntryThunkGenerator):
+ (JSC::LLInt::functionForCallArityCheckThunkGenerator):
+ (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
+ (JSC::LLInt::evalEntryThunkGenerator):
+ (JSC::LLInt::programEntryThunkGenerator):
+ * llint/LLIntThunks.h:
+ (JSC):
+ (LLInt):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter.cpp:
+ (JSC::CLoop::execute):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * offlineasm/cloop.rb:
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::ASTBuilder):
+ (JSC::ASTBuilder::createSourceElements):
+ (JSC::ASTBuilder::createCommaExpr):
+ (JSC::ASTBuilder::createLogicalNot):
+ (JSC::ASTBuilder::createUnaryPlus):
+ (JSC::ASTBuilder::createVoid):
+ (JSC::ASTBuilder::thisExpr):
+ (JSC::ASTBuilder::createResolve):
+ (JSC::ASTBuilder::createObjectLiteral):
+ (JSC::ASTBuilder::createArray):
+ (JSC::ASTBuilder::createNumberExpr):
+ (JSC::ASTBuilder::createString):
+ (JSC::ASTBuilder::createBoolean):
+ (JSC::ASTBuilder::createNull):
+ (JSC::ASTBuilder::createBracketAccess):
+ (JSC::ASTBuilder::createDotAccess):
+ (JSC::ASTBuilder::createRegExp):
+ (JSC::ASTBuilder::createNewExpr):
+ (JSC::ASTBuilder::createConditionalExpr):
+ (JSC::ASTBuilder::createAssignResolve):
+ (JSC::ASTBuilder::createFunctionExpr):
+ (JSC::ASTBuilder::createFunctionBody):
+ (JSC::ASTBuilder::createGetterOrSetterProperty):
+ (JSC::ASTBuilder::createArguments):
+ (JSC::ASTBuilder::createArgumentsList):
+ (JSC::ASTBuilder::createProperty):
+ (JSC::ASTBuilder::createPropertyList):
+ (JSC::ASTBuilder::createElementList):
+ (JSC::ASTBuilder::createFormalParameterList):
+ (JSC::ASTBuilder::createClause):
+ (JSC::ASTBuilder::createClauseList):
+ (JSC::ASTBuilder::createFuncDeclStatement):
+ (JSC::ASTBuilder::createBlockStatement):
+ (JSC::ASTBuilder::createExprStatement):
+ (JSC::ASTBuilder::createIfStatement):
+ (JSC::ASTBuilder::createForLoop):
+ (JSC::ASTBuilder::createForInLoop):
+ (JSC::ASTBuilder::createEmptyStatement):
+ (JSC::ASTBuilder::createVarStatement):
+ (JSC::ASTBuilder::createReturnStatement):
+ (JSC::ASTBuilder::createBreakStatement):
+ (JSC::ASTBuilder::createContinueStatement):
+ (JSC::ASTBuilder::createTryStatement):
+ (JSC::ASTBuilder::createSwitchStatement):
+ (JSC::ASTBuilder::createWhileStatement):
+ (JSC::ASTBuilder::createDoWhileStatement):
+ (JSC::ASTBuilder::createLabelStatement):
+ (JSC::ASTBuilder::createWithStatement):
+ (JSC::ASTBuilder::createThrowStatement):
+ (JSC::ASTBuilder::createDebugger):
+ (JSC::ASTBuilder::createConstStatement):
+ (JSC::ASTBuilder::appendConstDecl):
+ (JSC::ASTBuilder::addVar):
+ (JSC::ASTBuilder::combineCommaNodes):
+ (JSC::ASTBuilder::Scope::Scope):
+ (JSC::ASTBuilder::createNumber):
+ (ASTBuilder):
+ (JSC::ASTBuilder::makeTypeOfNode):
+ (JSC::ASTBuilder::makeDeleteNode):
+ (JSC::ASTBuilder::makeNegateNode):
+ (JSC::ASTBuilder::makeBitwiseNotNode):
+ (JSC::ASTBuilder::makeMultNode):
+ (JSC::ASTBuilder::makeDivNode):
+ (JSC::ASTBuilder::makeModNode):
+ (JSC::ASTBuilder::makeAddNode):
+ (JSC::ASTBuilder::makeSubNode):
+ (JSC::ASTBuilder::makeLeftShiftNode):
+ (JSC::ASTBuilder::makeRightShiftNode):
+ (JSC::ASTBuilder::makeURightShiftNode):
+ (JSC::ASTBuilder::makeBitOrNode):
+ (JSC::ASTBuilder::makeBitAndNode):
+ (JSC::ASTBuilder::makeBitXOrNode):
+ (JSC::ASTBuilder::makeFunctionCallNode):
+ (JSC::ASTBuilder::makeBinaryNode):
+ (JSC::ASTBuilder::makeAssignNode):
+ (JSC::ASTBuilder::makePrefixNode):
+ (JSC::ASTBuilder::makePostfixNode):
+ * parser/Lexer.cpp:
+ (JSC::Keywords::Keywords):
+ (JSC::::Lexer):
+ (JSC::::parseIdentifier):
+ (JSC::::parseIdentifierSlowCase):
+ * parser/Lexer.h:
+ (JSC::Keywords::isKeyword):
+ (JSC::Keywords::getKeyword):
+ (Keywords):
+ (Lexer):
+ (JSC::::makeIdentifier):
+ (JSC::::makeRightSizedIdentifier):
+ (JSC::::makeIdentifierLCharFromUChar):
+ (JSC::::makeLCharIdentifier):
+ * parser/NodeConstructors.h:
+ (JSC::ParserArenaFreeable::operator new):
+ (JSC::ParserArenaDeletable::operator new):
+ (JSC::ParserArenaRefCounted::ParserArenaRefCounted):
+ (JSC::PropertyNode::PropertyNode):
+ (JSC::ContinueNode::ContinueNode):
+ (JSC::BreakNode::BreakNode):
+ (JSC::ForInNode::ForInNode):
+ * parser/Nodes.cpp:
+ (JSC::ScopeNode::ScopeNode):
+ (JSC::ProgramNode::ProgramNode):
+ (JSC::ProgramNode::create):
+ (JSC::EvalNode::EvalNode):
+ (JSC::EvalNode::create):
+ (JSC::FunctionBodyNode::FunctionBodyNode):
+ (JSC::FunctionBodyNode::create):
+ * parser/Nodes.h:
+ (ParserArenaFreeable):
+ (ParserArenaDeletable):
+ (ParserArenaRefCounted):
+ (ArrayNode):
+ (ForInNode):
+ (ContinueNode):
+ (BreakNode):
+ (ScopeNode):
+ (ProgramNode):
+ (EvalNode):
+ (FunctionBodyNode):
+ * parser/Parser.cpp:
+ (JSC::::Parser):
+ (JSC::::parseInner):
+ (JSC::::parseSourceElements):
+ (JSC::::parseTryStatement):
+ (JSC::::parseFunctionBody):
+ (JSC::::parseFunctionInfo):
+ (JSC::::parseAssignmentExpression):
+ (JSC::::parseProperty):
+ (JSC::::parsePrimaryExpression):
+ (JSC::::parseMemberExpression):
+ (JSC::::parseUnaryExpression):
+ * parser/Parser.h:
+ (JSC):
+ (JSC::Scope::Scope):
+ (JSC::Scope::declareVariable):
+ (JSC::Scope::declareParameter):
+ (Scope):
+ (Parser):
+ (JSC::Parser::pushScope):
+ (JSC::::parse):
+ (JSC::parse):
+ * parser/ParserArena.h:
+ (IdentifierArena):
+ (JSC::IdentifierArena::makeIdentifier):
+ (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
+ (JSC::IdentifierArena::makeNumericIdentifier):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::SyntaxChecker):
+ (JSC::SyntaxChecker::createProperty):
+ (JSC::SyntaxChecker::createGetterOrSetterProperty):
+ * profiler/LegacyProfiler.cpp:
+ (JSC::LegacyProfiler::startProfiling):
+ (JSC::LegacyProfiler::stopProfiling):
+ * profiler/LegacyProfiler.h:
+ (JSC):
+ * profiler/ProfilerBytecode.cpp:
+ (JSC::Profiler::Bytecode::toJS):
+ * profiler/ProfilerBytecodeSequence.cpp:
+ (JSC::Profiler::BytecodeSequence::BytecodeSequence):
+ (JSC::Profiler::BytecodeSequence::addSequenceProperties):
+ * profiler/ProfilerBytecodes.cpp:
+ (JSC::Profiler::Bytecodes::toJS):
+ * profiler/ProfilerCompilation.cpp:
+ (JSC::Profiler::Compilation::toJS):
+ * profiler/ProfilerCompiledBytecode.cpp:
+ (JSC::Profiler::CompiledBytecode::toJS):
+ * profiler/ProfilerDatabase.cpp:
+ (JSC::Profiler::Database::Database):
+ (JSC::Profiler::Database::toJS):
+ (JSC::Profiler::Database::toJSON):
+ * profiler/ProfilerDatabase.h:
+ (Database):
+ * profiler/ProfilerOSRExit.cpp:
+ (JSC::Profiler::OSRExit::toJS):
+ * profiler/ProfilerOrigin.cpp:
+ (JSC::Profiler::Origin::toJS):
+ * profiler/ProfilerProfiledBytecodes.cpp:
+ (JSC::Profiler::ProfiledBytecodes::toJS):
+ * runtime/ArgList.h:
+ (MarkedArgumentBuffer):
+ * runtime/Arguments.cpp:
+ (JSC::Arguments::putByIndex):
+ (JSC::Arguments::put):
+ (JSC::Arguments::deleteProperty):
+ (JSC::Arguments::defineOwnProperty):
+ (JSC::Arguments::tearOff):
+ (JSC::Arguments::didTearOffActivation):
+ (JSC::Arguments::tearOffForInlineCallFrame):
+ * runtime/Arguments.h:
+ (JSC::Arguments::create):
+ (JSC::Arguments::createStructure):
+ (Arguments):
+ (JSC::Arguments::Arguments):
+ (JSC::Arguments::trySetArgument):
+ (JSC::Arguments::finishCreation):
+ * runtime/ArrayConstructor.cpp:
+ (JSC::ArrayConstructor::finishCreation):
+ * runtime/ArrayConstructor.h:
+ (JSC::ArrayConstructor::createStructure):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::ArrayPrototype):
+ (JSC::ArrayPrototype::finishCreation):
+ (JSC::arrayProtoFuncSort):
+ (JSC::arrayProtoFuncSplice):
+ * runtime/ArrayPrototype.h:
+ (JSC::ArrayPrototype::createStructure):
+ * runtime/BatchedTransitionOptimizer.h:
+ (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
+ (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
+ (BatchedTransitionOptimizer):
+ * runtime/BooleanConstructor.cpp:
+ (JSC::BooleanConstructor::finishCreation):
+ (JSC::constructBoolean):
+ (JSC::constructBooleanFromImmediateBoolean):
+ * runtime/BooleanConstructor.h:
+ (JSC::BooleanConstructor::createStructure):
+ * runtime/BooleanObject.cpp:
+ (JSC::BooleanObject::BooleanObject):
+ (JSC::BooleanObject::finishCreation):
+ * runtime/BooleanObject.h:
+ (BooleanObject):
+ (JSC::BooleanObject::create):
+ (JSC::BooleanObject::createStructure):
+ * runtime/BooleanPrototype.cpp:
+ (JSC::BooleanPrototype::BooleanPrototype):
+ (JSC::BooleanPrototype::finishCreation):
+ (JSC::booleanProtoFuncToString):
+ * runtime/BooleanPrototype.h:
+ (JSC::BooleanPrototype::createStructure):
+ * runtime/Butterfly.h:
+ (JSC):
+ (Butterfly):
+ * runtime/ButterflyInlines.h:
+ (JSC::Butterfly::createUninitialized):
+ (JSC::Butterfly::create):
+ (JSC::Butterfly::growPropertyStorage):
+ (JSC::Butterfly::createOrGrowArrayRight):
+ (JSC::Butterfly::growArrayRight):
+ (JSC::Butterfly::resizeArray):
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::getCodeBlock):
+ (JSC::CodeCache::getProgramCodeBlock):
+ (JSC::CodeCache::getEvalCodeBlock):
+ (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
+ * runtime/CodeCache.h:
+ (JSC):
+ (JSC::SourceCodeValue::SourceCodeValue):
+ (CodeCache):
+ * runtime/CommonIdentifiers.cpp:
+ (JSC):
+ (JSC::CommonIdentifiers::CommonIdentifiers):
+ * runtime/CommonIdentifiers.h:
+ (CommonIdentifiers):
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::opIn):
+ * runtime/Completion.cpp:
+ (JSC::checkSyntax):
+ (JSC::evaluate):
+ * runtime/DateConstructor.cpp:
+ (JSC::DateConstructor::finishCreation):
+ * runtime/DateConstructor.h:
+ (JSC::DateConstructor::createStructure):
+ * runtime/DateInstance.cpp:
+ (JSC::DateInstance::DateInstance):
+ (JSC::DateInstance::finishCreation):
+ (JSC::DateInstance::calculateGregorianDateTime):
+ (JSC::DateInstance::calculateGregorianDateTimeUTC):
+ * runtime/DateInstance.h:
+ (DateInstance):
+ (JSC::DateInstance::create):
+ (JSC::DateInstance::createStructure):
+ * runtime/DatePrototype.cpp:
+ (JSC::DatePrototype::finishCreation):
+ (JSC::dateProtoFuncSetTime):
+ (JSC::setNewValueFromTimeArgs):
+ (JSC::setNewValueFromDateArgs):
+ (JSC::dateProtoFuncSetYear):
+ (JSC::dateProtoFuncToJSON):
+ * runtime/DatePrototype.h:
+ (JSC::DatePrototype::createStructure):
+ * runtime/Error.cpp:
+ (JSC::createError):
+ (JSC::createEvalError):
+ (JSC::createRangeError):
+ (JSC::createReferenceError):
+ (JSC::createSyntaxError):
+ (JSC::createTypeError):
+ (JSC::createURIError):
+ (JSC::addErrorInfo):
+ (JSC::throwError):
+ * runtime/Error.h:
+ (JSC):
+ (JSC::StrictModeTypeErrorFunction::create):
+ (JSC::StrictModeTypeErrorFunction::createStructure):
+ * runtime/ErrorConstructor.cpp:
+ (JSC::ErrorConstructor::finishCreation):
+ * runtime/ErrorConstructor.h:
+ (JSC::ErrorConstructor::createStructure):
+ * runtime/ErrorInstance.cpp:
+ (JSC::ErrorInstance::ErrorInstance):
+ * runtime/ErrorInstance.h:
+ (JSC::ErrorInstance::createStructure):
+ (JSC::ErrorInstance::create):
+ (ErrorInstance):
+ (JSC::ErrorInstance::finishCreation):
+ * runtime/ErrorPrototype.cpp:
+ (JSC::ErrorPrototype::ErrorPrototype):
+ (JSC::ErrorPrototype::finishCreation):
+ * runtime/ErrorPrototype.h:
+ (JSC::ErrorPrototype::createStructure):
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::createInterruptedExecutionException):
+ (JSC::createTerminatedExecutionException):
+ * runtime/ExceptionHelpers.h:
+ (JSC):
+ (JSC::InterruptedExecutionError::InterruptedExecutionError):
+ (JSC::InterruptedExecutionError::create):
+ (JSC::InterruptedExecutionError::createStructure):
+ (JSC::TerminatedExecutionError::TerminatedExecutionError):
+ (JSC::TerminatedExecutionError::create):
+ (JSC::TerminatedExecutionError::createStructure):
+ * runtime/Executable.cpp:
+ (JSC::jettisonCodeBlock):
+ (JSC::EvalExecutable::EvalExecutable):
+ (JSC::ProgramExecutable::ProgramExecutable):
+ (JSC::FunctionExecutable::FunctionExecutable):
+ (JSC::EvalExecutable::compileOptimized):
+ (JSC::EvalExecutable::compileInternal):
+ (JSC::EvalExecutable::jettisonOptimizedCode):
+ (JSC::ProgramExecutable::checkSyntax):
+ (JSC::ProgramExecutable::compileOptimized):
+ (JSC::ProgramExecutable::jettisonOptimizedCode):
+ (JSC::ProgramExecutable::initializeGlobalProperties):
+ (JSC::FunctionExecutable::compileOptimizedForCall):
+ (JSC::FunctionExecutable::compileOptimizedForConstruct):
+ (JSC::FunctionExecutable::produceCodeBlockFor):
+ (JSC::FunctionExecutable::jettisonOptimizedCodeForCall):
+ (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct):
+ (JSC::FunctionExecutable::fromGlobalCode):
+ * runtime/Executable.h:
+ (JSC::ExecutableBase::ExecutableBase):
+ (JSC::ExecutableBase::finishCreation):
+ (JSC::ExecutableBase::createStructure):
+ (JSC::NativeExecutable::create):
+ (JSC::NativeExecutable::createStructure):
+ (JSC::NativeExecutable::finishCreation):
+ (JSC::NativeExecutable::NativeExecutable):
+ (JSC::ScriptExecutable::ScriptExecutable):
+ (JSC::ScriptExecutable::finishCreation):
+ (JSC::EvalExecutable::compile):
+ (EvalExecutable):
+ (JSC::EvalExecutable::create):
+ (JSC::EvalExecutable::createStructure):
+ (JSC::ProgramExecutable::create):
+ (ProgramExecutable):
+ (JSC::ProgramExecutable::compile):
+ (JSC::ProgramExecutable::createStructure):
+ (JSC::FunctionExecutable::create):
+ (JSC::FunctionExecutable::compileForCall):
+ (FunctionExecutable):
+ (JSC::FunctionExecutable::compileForConstruct):
+ (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
+ (JSC::FunctionExecutable::createStructure):
+ (JSC::JSFunction::JSFunction):
+ * runtime/ExecutionHarness.h:
+ (JSC::prepareForExecution):
+ (JSC::prepareFunctionForExecution):
+ * runtime/FunctionConstructor.cpp:
+ (JSC::FunctionConstructor::finishCreation):
+ * runtime/FunctionConstructor.h:
+ (JSC::FunctionConstructor::createStructure):
+ * runtime/FunctionPrototype.cpp:
+ (JSC::FunctionPrototype::finishCreation):
+ (JSC::FunctionPrototype::addFunctionProperties):
+ (JSC::functionProtoFuncBind):
+ * runtime/FunctionPrototype.h:
+ (JSC::FunctionPrototype::createStructure):
+ * runtime/GCActivityCallback.cpp:
+ (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
+ (JSC::DefaultGCActivityCallback::doWork):
+ (JSC::DefaultGCActivityCallback::didAllocate):
+ * runtime/GCActivityCallback.h:
+ (JSC::GCActivityCallback::GCActivityCallback):
+ * runtime/GCActivityCallbackBlackBerry.cpp:
+ (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
+ (JSC::DefaultGCActivityCallback::doWork):
+ (JSC::DefaultGCActivityCallback::didAllocate):
+ * runtime/GetterSetter.h:
+ (JSC::GetterSetter::GetterSetter):
+ (JSC::GetterSetter::create):
+ (JSC::GetterSetter::setGetter):
+ (JSC::GetterSetter::setSetter):
+ (JSC::GetterSetter::createStructure):
+ * runtime/Identifier.cpp:
+ (JSC::Identifier::add):
+ (JSC::Identifier::add8):
+ (JSC::Identifier::addSlowCase):
+ (JSC::Identifier::from):
+ (JSC::Identifier::checkCurrentIdentifierTable):
+ * runtime/Identifier.h:
+ (JSC::Identifier::Identifier):
+ (JSC::Identifier::createLCharFromUChar):
+ (Identifier):
+ (JSC::Identifier::add):
+ * runtime/InternalFunction.cpp:
+ (JSC::InternalFunction::InternalFunction):
+ (JSC::InternalFunction::finishCreation):
+ (JSC::InternalFunction::name):
+ (JSC::InternalFunction::displayName):
+ * runtime/InternalFunction.h:
+ (JSC::InternalFunction::createStructure):
+ (InternalFunction):
+ * runtime/JSAPIValueWrapper.h:
+ (JSC::JSAPIValueWrapper::createStructure):
+ (JSC::JSAPIValueWrapper::finishCreation):
+ (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
+ * runtime/JSActivation.cpp:
+ (JSC::JSActivation::symbolTablePut):
+ (JSC::JSActivation::symbolTablePutWithAttributes):
+ (JSC::JSActivation::getOwnPropertySlot):
+ (JSC::JSActivation::put):
+ (JSC::JSActivation::putDirectVirtual):
+ (JSC::JSActivation::argumentsGetter):
+ * runtime/JSActivation.h:
+ (JSActivation):
+ (JSC::JSActivation::create):
+ (JSC::JSActivation::createStructure):
+ (JSC::JSActivation::JSActivation):
+ (JSC::JSActivation::tearOff):
+ * runtime/JSArray.cpp:
+ (JSC::createArrayButterflyInDictionaryIndexingMode):
+ (JSC::JSArray::setLengthWritable):
+ (JSC::JSArray::unshiftCountSlowCase):
+ (JSC::JSArray::setLength):
+ (JSC::JSArray::push):
+ (JSC::JSArray::shiftCountWithAnyIndexingType):
+ (JSC::JSArray::unshiftCountWithArrayStorage):
+ (JSC::JSArray::unshiftCountWithAnyIndexingType):
+ (JSC::ContiguousTypeAccessor::setWithValue):
+ (JSC::JSArray::sortCompactedVector):
+ (JSC::JSArray::sortVector):
+ * runtime/JSArray.h:
+ (JSC::JSArray::JSArray):
+ (JSArray):
+ (JSC::JSArray::shiftCountForShift):
+ (JSC::JSArray::unshiftCountForShift):
+ (JSC::JSArray::createStructure):
+ (JSC::createContiguousArrayButterfly):
+ (JSC::createArrayButterfly):
+ (JSC):
+ (JSC::JSArray::create):
+ (JSC::JSArray::tryCreateUninitialized):
+ (JSC::constructArray):
+ * runtime/JSBoundFunction.cpp:
+ (JSC::JSBoundFunction::create):
+ (JSC::JSBoundFunction::JSBoundFunction):
+ * runtime/JSBoundFunction.h:
+ (JSC::JSBoundFunction::createStructure):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::putToPrimitive):
+ (JSC::JSValue::toStringSlowCase):
+ * runtime/JSCJSValue.h:
+ (JSC):
+ * runtime/JSCell.h:
+ (JSCell):
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::JSCell):
+ (JSC::JSCell::finishCreation):
+ (JSC::allocateCell):
+ (JSC::JSCell::setStructure):
+ (JSC::JSCell::fastGetOwnProperty):
+ * runtime/JSDateMath.cpp:
+ (JSC::getDSTOffset):
+ (JSC::getUTCOffset):
+ (JSC::parseDate):
+ * runtime/JSDestructibleObject.h:
+ (JSC::JSDestructibleObject::JSDestructibleObject):
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::create):
+ (JSC::JSFunction::JSFunction):
+ (JSC::JSFunction::finishCreation):
+ (JSC::JSFunction::createAllocationProfile):
+ (JSC::JSFunction::name):
+ (JSC::JSFunction::displayName):
+ (JSC::JSFunction::getOwnPropertySlot):
+ (JSC::JSFunction::deleteProperty):
+ * runtime/JSFunction.h:
+ (JSFunction):
+ (JSC::JSFunction::create):
+ (JSC::JSFunction::setScope):
+ (JSC::JSFunction::createStructure):
+ * runtime/JSGlobalData.cpp: Removed.
+ * runtime/JSGlobalData.h: Removed.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::JSGlobalObject):
+ (JSC::JSGlobalObject::~JSGlobalObject):
+ (JSC::JSGlobalObject::setGlobalThis):
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::putDirectVirtual):
+ (JSC::JSGlobalObject::reset):
+ (JSC):
+ (JSC::JSGlobalObject::haveABadTime):
+ (JSC::JSGlobalObject::createThrowTypeError):
+ (JSC::JSGlobalObject::resetPrototype):
+ (JSC::JSGlobalObject::addStaticGlobals):
+ (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):
+ (JSC::JSGlobalObject::createProgramCodeBlock):
+ (JSC::JSGlobalObject::createEvalCodeBlock):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::create):
+ (JSGlobalObject):
+ (JSC::JSGlobalObject::finishCreation):
+ (JSC::JSGlobalObject::vm):
+ (JSC::JSGlobalObject::createStructure):
+ (JSC::ExecState::dynamicGlobalObject):
+ (JSC::constructEmptyArray):
+ (DynamicGlobalObjectScope):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncProtoSetter):
+ * runtime/JSLock.cpp:
+ (JSC::JSLockHolder::JSLockHolder):
+ (JSC::JSLockHolder::init):
+ (JSC::JSLockHolder::~JSLockHolder):
+ (JSC::JSLock::JSLock):
+ (JSC::JSLock::willDestroyGlobalData):
+ (JSC::JSLock::lock):
+ (JSC::JSLock::unlock):
+ (JSC::JSLock::DropAllLocks::DropAllLocks):
+ (JSC::JSLock::DropAllLocks::~DropAllLocks):
+ * runtime/JSLock.h:
+ (JSC):
+ (JSLockHolder):
+ (JSLock):
+ (JSC::JSLock::vm):
+ (DropAllLocks):
+ * runtime/JSNameScope.h:
+ (JSC::JSNameScope::createStructure):
+ (JSC::JSNameScope::finishCreation):
+ (JSC::JSNameScope::JSNameScope):
+ * runtime/JSNotAnObject.h:
+ (JSC::JSNotAnObject::JSNotAnObject):
+ (JSC::JSNotAnObject::create):
+ (JSC::JSNotAnObject::createStructure):
+ * runtime/JSONObject.cpp:
+ (JSC::JSONObject::JSONObject):
+ (JSC::JSONObject::finishCreation):
+ (Holder):
+ (JSC::Stringifier::Stringifier):
+ (JSC::Stringifier::stringify):
+ (JSC::Stringifier::toJSON):
+ (JSC::Stringifier::appendStringifiedValue):
+ (JSC::Stringifier::Holder::Holder):
+ (JSC::Stringifier::Holder::appendNextProperty):
+ (JSC::Walker::Walker):
+ (JSC::Walker::walk):
+ (JSC::JSONProtoFuncParse):
+ (JSC::JSONProtoFuncStringify):
+ (JSC::JSONStringify):
+ * runtime/JSONObject.h:
+ (JSC::JSONObject::createStructure):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::put):
+ (JSC::JSObject::putByIndex):
+ (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
+ (JSC::JSObject::enterDictionaryIndexingMode):
+ (JSC::JSObject::notifyPresenceOfIndexedAccessors):
+ (JSC::JSObject::createInitialIndexedStorage):
+ (JSC::JSObject::createInitialUndecided):
+ (JSC::JSObject::createInitialInt32):
+ (JSC::JSObject::createInitialDouble):
+ (JSC::JSObject::createInitialContiguous):
+ (JSC::JSObject::createArrayStorage):
+ (JSC::JSObject::createInitialArrayStorage):
+ (JSC::JSObject::convertUndecidedToInt32):
+ (JSC::JSObject::convertUndecidedToDouble):
+ (JSC::JSObject::convertUndecidedToContiguous):
+ (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
+ (JSC::JSObject::convertUndecidedToArrayStorage):
+ (JSC::JSObject::convertInt32ToDouble):
+ (JSC::JSObject::convertInt32ToContiguous):
+ (JSC::JSObject::convertInt32ToArrayStorage):
+ (JSC::JSObject::genericConvertDoubleToContiguous):
+ (JSC::JSObject::convertDoubleToContiguous):
+ (JSC::JSObject::rageConvertDoubleToContiguous):
+ (JSC::JSObject::convertDoubleToArrayStorage):
+ (JSC::JSObject::convertContiguousToArrayStorage):
+ (JSC::JSObject::convertUndecidedForValue):
+ (JSC::JSObject::convertInt32ForValue):
+ (JSC::JSObject::setIndexQuicklyToUndecided):
+ (JSC::JSObject::convertInt32ToDoubleOrContiguousWhilePerformingSetIndex):
+ (JSC::JSObject::convertDoubleToContiguousWhilePerformingSetIndex):
+ (JSC::JSObject::ensureInt32Slow):
+ (JSC::JSObject::ensureDoubleSlow):
+ (JSC::JSObject::ensureContiguousSlow):
+ (JSC::JSObject::rageEnsureContiguousSlow):
+ (JSC::JSObject::ensureArrayStorageSlow):
+ (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
+ (JSC::JSObject::switchToSlowPutArrayStorage):
+ (JSC::JSObject::putDirectVirtual):
+ (JSC::JSObject::setPrototype):
+ (JSC::JSObject::setPrototypeWithCycleCheck):
+ (JSC::JSObject::putDirectAccessor):
+ (JSC::JSObject::deleteProperty):
+ (JSC::JSObject::getPropertySpecificValue):
+ (JSC::JSObject::getOwnNonIndexPropertyNames):
+ (JSC::JSObject::seal):
+ (JSC::JSObject::freeze):
+ (JSC::JSObject::preventExtensions):
+ (JSC::JSObject::reifyStaticFunctionsForDelete):
+ (JSC::JSObject::removeDirect):
+ (JSC::JSObject::putIndexedDescriptor):
+ (JSC::JSObject::defineOwnIndexedProperty):
+ (JSC::JSObject::allocateSparseIndexMap):
+ (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
+ (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
+ (JSC::JSObject::putByIndexBeyondVectorLength):
+ (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
+ (JSC::JSObject::putDirectIndexBeyondVectorLength):
+ (JSC::JSObject::putDirectNativeFunction):
+ (JSC::JSObject::increaseVectorLength):
+ (JSC::JSObject::ensureLengthSlow):
+ (JSC::JSObject::growOutOfLineStorage):
+ (JSC::JSObject::getOwnPropertyDescriptor):
+ (JSC::putDescriptor):
+ (JSC::JSObject::putDirectMayBeIndex):
+ (JSC::DefineOwnPropertyScope::DefineOwnPropertyScope):
+ (JSC::DefineOwnPropertyScope::~DefineOwnPropertyScope):
+ (DefineOwnPropertyScope):
+ (JSC::JSObject::defineOwnNonIndexProperty):
+ * runtime/JSObject.h:
+ (JSObject):
+ (JSC::JSObject::putByIndexInline):
+ (JSC::JSObject::putDirectIndex):
+ (JSC::JSObject::setIndexQuickly):
+ (JSC::JSObject::initializeIndex):
+ (JSC::JSObject::getDirect):
+ (JSC::JSObject::getDirectOffset):
+ (JSC::JSObject::putDirect):
+ (JSC::JSObject::isSealed):
+ (JSC::JSObject::isFrozen):
+ (JSC::JSObject::flattenDictionaryObject):
+ (JSC::JSObject::ensureInt32):
+ (JSC::JSObject::ensureDouble):
+ (JSC::JSObject::ensureContiguous):
+ (JSC::JSObject::rageEnsureContiguous):
+ (JSC::JSObject::ensureArrayStorage):
+ (JSC::JSObject::finishCreation):
+ (JSC::JSObject::createStructure):
+ (JSC::JSObject::ensureLength):
+ (JSC::JSNonFinalObject::createStructure):
+ (JSC::JSNonFinalObject::JSNonFinalObject):
+ (JSC::JSNonFinalObject::finishCreation):
+ (JSC::JSFinalObject::createStructure):
+ (JSC::JSFinalObject::finishCreation):
+ (JSC::JSFinalObject::JSFinalObject):
+ (JSC::JSFinalObject::create):
+ (JSC::JSObject::setButterfly):
+ (JSC::JSObject::JSObject):
+ (JSC::JSObject::inlineGetOwnPropertySlot):
+ (JSC::JSObject::putDirectInternal):
+ (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
+ (JSC::JSObject::putOwnDataProperty):
+ (JSC::JSObject::putDirectWithoutTransition):
+ (JSC):
+ * runtime/JSPropertyNameIterator.cpp:
+ (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
+ (JSC::JSPropertyNameIterator::create):
+ * runtime/JSPropertyNameIterator.h:
+ (JSC::JSPropertyNameIterator::createStructure):
+ (JSC::JSPropertyNameIterator::setCachedStructure):
+ (JSC::JSPropertyNameIterator::setCachedPrototypeChain):
+ (JSC::JSPropertyNameIterator::finishCreation):
+ (JSC::StructureRareData::setEnumerationCache):
+ * runtime/JSProxy.cpp:
+ (JSC::JSProxy::setTarget):
+ * runtime/JSProxy.h:
+ (JSC::JSProxy::create):
+ (JSC::JSProxy::createStructure):
+ (JSC::JSProxy::JSProxy):
+ (JSC::JSProxy::finishCreation):
+ (JSProxy):
+ * runtime/JSScope.cpp:
+ (JSC::executeResolveOperations):
+ (JSC::JSScope::resolveContainingScopeInternal):
+ (JSC::JSScope::resolveWithBase):
+ (JSC::JSScope::resolveWithThis):
+ (JSC::JSScope::resolvePut):
+ * runtime/JSScope.h:
+ (JSScope):
+ (JSC::JSScope::JSScope):
+ (JSC::JSScope::vm):
+ (JSC::ExecState::vm):
+ * runtime/JSSegmentedVariableObject.h:
+ (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
+ (JSC::JSSegmentedVariableObject::finishCreation):
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::RopeBuilder::expand):
+ (JSC::StringObject::create):
+ * runtime/JSString.h:
+ (JSC):
+ (JSString):
+ (JSC::JSString::JSString):
+ (JSC::JSString::finishCreation):
+ (JSC::JSString::create):
+ (JSC::JSString::createHasOtherOwner):
+ (JSC::JSString::createStructure):
+ (JSRopeString):
+ (JSC::JSRopeString::RopeBuilder::RopeBuilder):
+ (JSC::JSRopeString::RopeBuilder::append):
+ (RopeBuilder):
+ (JSC::JSRopeString::JSRopeString):
+ (JSC::JSRopeString::finishCreation):
+ (JSC::JSRopeString::append):
+ (JSC::JSRopeString::createNull):
+ (JSC::JSRopeString::create):
+ (JSC::jsEmptyString):
+ (JSC::jsSingleCharacterString):
+ (JSC::jsSingleCharacterSubstring):
+ (JSC::jsNontrivialString):
+ (JSC::jsString):
+ (JSC::jsSubstring):
+ (JSC::jsSubstring8):
+ (JSC::jsOwnedString):
+ (JSC::jsStringBuilder):
+ (JSC::inlineJSValueNotStringtoString):
+ * runtime/JSStringJoiner.cpp:
+ (JSC::JSStringJoiner::build):
+ * runtime/JSSymbolTableObject.h:
+ (JSC::JSSymbolTableObject::JSSymbolTableObject):
+ (JSC::JSSymbolTableObject::finishCreation):
+ (JSC::symbolTablePut):
+ (JSC::symbolTablePutWithAttributes):
+ * runtime/JSVariableObject.h:
+ (JSC::JSVariableObject::JSVariableObject):
+ * runtime/JSWithScope.h:
+ (JSC::JSWithScope::create):
+ (JSC::JSWithScope::createStructure):
+ (JSC::JSWithScope::JSWithScope):
+ * runtime/JSWrapperObject.h:
+ (JSWrapperObject):
+ (JSC::JSWrapperObject::createStructure):
+ (JSC::JSWrapperObject::JSWrapperObject):
+ (JSC::JSWrapperObject::setInternalValue):
+ * runtime/LiteralParser.cpp:
+ (JSC::::tryJSONPParse):
+ (JSC::::makeIdentifier):
+ (JSC::::parse):
+ * runtime/Lookup.cpp:
+ (JSC::HashTable::createTable):
+ (JSC::setUpStaticFunctionSlot):
+ * runtime/Lookup.h:
+ (JSC::HashTable::initializeIfNeeded):
+ (JSC::HashTable::entry):
+ (JSC::HashTable::begin):
+ (JSC::HashTable::end):
+ (HashTable):
+ (JSC::lookupPut):
+ * runtime/MathObject.cpp:
+ (JSC::MathObject::MathObject):
+ (JSC::MathObject::finishCreation):
+ (JSC::mathProtoFuncSin):
+ * runtime/MathObject.h:
+ (JSC::MathObject::createStructure):
+ * runtime/MemoryStatistics.cpp:
+ * runtime/MemoryStatistics.h:
+ * runtime/NameConstructor.cpp:
+ (JSC::NameConstructor::finishCreation):
+ (JSC::constructPrivateName):
+ * runtime/NameConstructor.h:
+ (JSC::NameConstructor::createStructure):
+ * runtime/NameInstance.cpp:
+ (JSC::NameInstance::NameInstance):
+ * runtime/NameInstance.h:
+ (JSC::NameInstance::createStructure):
+ (JSC::NameInstance::create):
+ (NameInstance):
+ (JSC::NameInstance::finishCreation):
+ * runtime/NamePrototype.cpp:
+ (JSC::NamePrototype::NamePrototype):
+ (JSC::NamePrototype::finishCreation):
+ * runtime/NamePrototype.h:
+ (JSC::NamePrototype::createStructure):
+ * runtime/NativeErrorConstructor.h:
+ (JSC::NativeErrorConstructor::createStructure):
+ (JSC::NativeErrorConstructor::finishCreation):
+ * runtime/NativeErrorPrototype.cpp:
+ (JSC::NativeErrorPrototype::finishCreation):
+ * runtime/NumberConstructor.cpp:
+ (JSC::NumberConstructor::finishCreation):
+ (JSC::constructWithNumberConstructor):
+ * runtime/NumberConstructor.h:
+ (JSC::NumberConstructor::createStructure):
+ * runtime/NumberObject.cpp:
+ (JSC::NumberObject::NumberObject):
+ (JSC::NumberObject::finishCreation):
+ (JSC::constructNumber):
+ * runtime/NumberObject.h:
+ (NumberObject):
+ (JSC::NumberObject::create):
+ (JSC::NumberObject::createStructure):
+ * runtime/NumberPrototype.cpp:
+ (JSC::NumberPrototype::NumberPrototype):
+ (JSC::NumberPrototype::finishCreation):
+ (JSC::integerValueToString):
+ (JSC::numberProtoFuncToString):
+ * runtime/NumberPrototype.h:
+ (JSC::NumberPrototype::createStructure):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::ObjectConstructor::finishCreation):
+ (JSC::objectConstructorGetOwnPropertyDescriptor):
+ (JSC::objectConstructorSeal):
+ (JSC::objectConstructorFreeze):
+ (JSC::objectConstructorPreventExtensions):
+ (JSC::objectConstructorIsSealed):
+ (JSC::objectConstructorIsFrozen):
+ * runtime/ObjectConstructor.h:
+ (JSC::ObjectConstructor::createStructure):
+ (JSC::constructEmptyObject):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::ObjectPrototype::ObjectPrototype):
+ (JSC::ObjectPrototype::finishCreation):
+ (JSC::objectProtoFuncToString):
+ * runtime/ObjectPrototype.h:
+ (JSC::ObjectPrototype::createStructure):
+ * runtime/Operations.cpp:
+ (JSC::jsTypeStringForValue):
+ * runtime/Operations.h:
+ (JSC):
+ (JSC::jsString):
+ (JSC::jsStringFromArguments):
+ (JSC::normalizePrototypeChainForChainAccess):
+ (JSC::normalizePrototypeChain):
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyMapEntry::PropertyMapEntry):
+ (JSC::PropertyTable::createStructure):
+ (PropertyTable):
+ (JSC::PropertyTable::copy):
+ * runtime/PropertyNameArray.h:
+ (JSC::PropertyNameArray::PropertyNameArray):
+ (JSC::PropertyNameArray::vm):
+ (JSC::PropertyNameArray::addKnownUnique):
+ (PropertyNameArray):
+ * runtime/PropertyTable.cpp:
+ (JSC::PropertyTable::create):
+ (JSC::PropertyTable::clone):
+ (JSC::PropertyTable::PropertyTable):
+ * runtime/PrototypeMap.cpp:
+ (JSC::PrototypeMap::emptyObjectStructureForPrototype):
+ * runtime/RegExp.cpp:
+ (JSC::RegExp::RegExp):
+ (JSC::RegExp::finishCreation):
+ (JSC::RegExp::createWithoutCaching):
+ (JSC::RegExp::create):
+ (JSC::RegExp::compile):
+ (JSC::RegExp::compileIfNecessary):
+ (JSC::RegExp::match):
+ (JSC::RegExp::compileMatchOnly):
+ (JSC::RegExp::compileIfNecessaryMatchOnly):
+ * runtime/RegExp.h:
+ (JSC):
+ (RegExp):
+ (JSC::RegExp::createStructure):
+ * runtime/RegExpCache.cpp:
+ (JSC::RegExpCache::lookupOrCreate):
+ (JSC::RegExpCache::RegExpCache):
+ (JSC::RegExpCache::addToStrongCache):
+ * runtime/RegExpCache.h:
+ (RegExpCache):
+ * runtime/RegExpCachedResult.cpp:
+ (JSC::RegExpCachedResult::lastResult):
+ (JSC::RegExpCachedResult::setInput):
+ * runtime/RegExpCachedResult.h:
+ (JSC::RegExpCachedResult::RegExpCachedResult):
+ (JSC::RegExpCachedResult::record):
+ * runtime/RegExpConstructor.cpp:
+ (JSC::RegExpConstructor::RegExpConstructor):
+ (JSC::RegExpConstructor::finishCreation):
+ (JSC::constructRegExp):
+ * runtime/RegExpConstructor.h:
+ (JSC::RegExpConstructor::createStructure):
+ (RegExpConstructor):
+ (JSC::RegExpConstructor::performMatch):
+ * runtime/RegExpMatchesArray.cpp:
+ (JSC::RegExpMatchesArray::RegExpMatchesArray):
+ (JSC::RegExpMatchesArray::create):
+ (JSC::RegExpMatchesArray::finishCreation):
+ (JSC::RegExpMatchesArray::reifyAllProperties):
+ * runtime/RegExpMatchesArray.h:
+ (RegExpMatchesArray):
+ (JSC::RegExpMatchesArray::createStructure):
+ * runtime/RegExpObject.cpp:
+ (JSC::RegExpObject::RegExpObject):
+ (JSC::RegExpObject::finishCreation):
+ (JSC::RegExpObject::match):
+ * runtime/RegExpObject.h:
+ (JSC::RegExpObject::create):
+ (JSC::RegExpObject::setRegExp):
+ (JSC::RegExpObject::setLastIndex):
+ (JSC::RegExpObject::createStructure):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::regExpProtoFuncCompile):
+ * runtime/RegExpPrototype.h:
+ (JSC::RegExpPrototype::createStructure):
+ * runtime/SmallStrings.cpp:
+ (JSC::SmallStrings::initializeCommonStrings):
+ (JSC::SmallStrings::createEmptyString):
+ (JSC::SmallStrings::createSingleCharacterString):
+ (JSC::SmallStrings::initialize):
+ * runtime/SmallStrings.h:
+ (JSC):
+ (JSC::SmallStrings::singleCharacterString):
+ (SmallStrings):
+ * runtime/SparseArrayValueMap.cpp:
+ (JSC::SparseArrayValueMap::SparseArrayValueMap):
+ (JSC::SparseArrayValueMap::finishCreation):
+ (JSC::SparseArrayValueMap::create):
+ (JSC::SparseArrayValueMap::createStructure):
+ (JSC::SparseArrayValueMap::putDirect):
+ (JSC::SparseArrayEntry::put):
+ * runtime/SparseArrayValueMap.h:
+ * runtime/StrictEvalActivation.cpp:
+ (JSC::StrictEvalActivation::StrictEvalActivation):
+ * runtime/StrictEvalActivation.h:
+ (JSC::StrictEvalActivation::create):
+ (JSC::StrictEvalActivation::createStructure):
+ * runtime/StringConstructor.cpp:
+ (JSC::StringConstructor::finishCreation):
+ * runtime/StringConstructor.h:
+ (JSC::StringConstructor::createStructure):
+ * runtime/StringObject.cpp:
+ (JSC::StringObject::StringObject):
+ (JSC::StringObject::finishCreation):
+ (JSC::constructString):
+ * runtime/StringObject.h:
+ (JSC::StringObject::create):
+ (JSC::StringObject::createStructure):
+ (StringObject):
+ * runtime/StringPrototype.cpp:
+ (JSC::StringPrototype::StringPrototype):
+ (JSC::StringPrototype::finishCreation):
+ (JSC::removeUsingRegExpSearch):
+ (JSC::replaceUsingRegExpSearch):
+ (JSC::stringProtoFuncMatch):
+ (JSC::stringProtoFuncSearch):
+ (JSC::stringProtoFuncSplit):
+ * runtime/StringPrototype.h:
+ (JSC::StringPrototype::createStructure):
+ * runtime/StringRecursionChecker.h:
+ (JSC::StringRecursionChecker::performCheck):
+ (JSC::StringRecursionChecker::~StringRecursionChecker):
+ * runtime/Structure.cpp:
+ (JSC::StructureTransitionTable::add):
+ (JSC::Structure::Structure):
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::despecifyDictionaryFunction):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::removePropertyTransition):
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::attributeChangeTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::toCacheableDictionaryTransition):
+ (JSC::Structure::toUncacheableDictionaryTransition):
+ (JSC::Structure::sealTransition):
+ (JSC::Structure::freezeTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::takePropertyTableOrCloneIfPinned):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::isSealed):
+ (JSC::Structure::isFrozen):
+ (JSC::Structure::flattenDictionaryStructure):
+ (JSC::Structure::addPropertyWithoutTransition):
+ (JSC::Structure::removePropertyWithoutTransition):
+ (JSC::Structure::allocateRareData):
+ (JSC::Structure::cloneRareDataFrom):
+ (JSC::Structure::copyPropertyTable):
+ (JSC::Structure::copyPropertyTableForPinning):
+ (JSC::Structure::get):
+ (JSC::Structure::despecifyFunction):
+ (JSC::Structure::despecifyAllFunctions):
+ (JSC::Structure::putSpecificValue):
+ (JSC::Structure::createPropertyMap):
+ (JSC::Structure::getPropertyNamesFromStructure):
+ (JSC::Structure::prototypeChainMayInterceptStoreTo):
+ * runtime/Structure.h:
+ (Structure):
+ (JSC::Structure::finishCreation):
+ (JSC::Structure::setPrototypeWithoutTransition):
+ (JSC::Structure::setGlobalObject):
+ (JSC::Structure::setObjectToStringValue):
+ (JSC::Structure::materializePropertyMapIfNecessary):
+ (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
+ (JSC::Structure::setPreviousID):
+ * runtime/StructureChain.cpp:
+ (JSC::StructureChain::StructureChain):
+ * runtime/StructureChain.h:
+ (JSC::StructureChain::create):
+ (JSC::StructureChain::createStructure):
+ (JSC::StructureChain::finishCreation):
+ (StructureChain):
+ * runtime/StructureInlines.h:
+ (JSC::Structure::create):
+ (JSC::Structure::createStructure):
+ (JSC::Structure::get):
+ (JSC::Structure::setEnumerationCache):
+ (JSC::Structure::prototypeChain):
+ (JSC::Structure::propertyTable):
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::createStructure):
+ (JSC::StructureRareData::create):
+ (JSC::StructureRareData::clone):
+ (JSC::StructureRareData::StructureRareData):
+ * runtime/StructureRareData.h:
+ (StructureRareData):
+ * runtime/StructureRareDataInlines.h:
+ (JSC::StructureRareData::setPreviousID):
+ (JSC::StructureRareData::setObjectToStringValue):
+ * runtime/StructureTransitionTable.h:
+ (StructureTransitionTable):
+ (JSC::StructureTransitionTable::setSingleTransition):
+ * runtime/SymbolTable.h:
+ (JSC::SharedSymbolTable::create):
+ (JSC::SharedSymbolTable::createStructure):
+ (JSC::SharedSymbolTable::SharedSymbolTable):
+ * runtime/VM.cpp: Copied from Source/JavaScriptCore/runtime/JSGlobalData.cpp.
+ (JSC::VM::VM):
+ (JSC::VM::~VM):
+ (JSC::VM::createContextGroup):
+ (JSC::VM::create):
+ (JSC::VM::createLeaked):
+ (JSC::VM::sharedInstanceExists):
+ (JSC::VM::sharedInstance):
+ (JSC::VM::sharedInstanceInternal):
+ (JSC::VM::getHostFunction):
+ (JSC::VM::ClientData::~ClientData):
+ (JSC::VM::resetDateCache):
+ (JSC::VM::startSampling):
+ (JSC::VM::stopSampling):
+ (JSC::VM::discardAllCode):
+ (JSC::VM::dumpSampleData):
+ (JSC::VM::addSourceProviderCache):
+ (JSC::VM::clearSourceProviderCaches):
+ (JSC::VM::releaseExecutableMemory):
+ (JSC::releaseExecutableMemory):
+ (JSC::VM::gatherConservativeRoots):
+ (JSC::VM::addRegExpToTrace):
+ (JSC::VM::dumpRegExpTrace):
+ * runtime/VM.h: Copied from Source/JavaScriptCore/runtime/JSGlobalData.h.
+ (VM):
+ (JSC::VM::isSharedInstance):
+ (JSC::VM::usingAPI):
+ (JSC::VM::isInitializingObject):
+ (JSC::VM::setInitializingObjectClass):
+ (JSC::WeakSet::heap):
+ * runtime/WriteBarrier.h:
+ (JSC):
+ (JSC::WriteBarrierBase::set):
+ (JSC::WriteBarrierBase::setMayBeNull):
+ (JSC::WriteBarrierBase::setEarlyValue):
+ (JSC::WriteBarrier::WriteBarrier):
+ * testRegExp.cpp:
+ (GlobalObject):
+ (GlobalObject::create):
+ (GlobalObject::createStructure):
+ (GlobalObject::finishCreation):
+ (main):
+ (testOneRegExp):
+ (parseRegExpLine):
+ (runFromFiles):
+ (realMain):
+ * yarr/YarrInterpreter.h:
+ (BytecodePattern):
+ * yarr/YarrJIT.cpp:
+ (YarrGenerator):
+ (JSC::Yarr::YarrGenerator::compile):
+ (JSC::Yarr::jitCompile):
+ * yarr/YarrJIT.h:
+ (JSC):
+
+2013-04-18 Xuefei Ren <xren@blackberry.com>
+
+ remove build warning(unused parameter)
+ https://bugs.webkit.org/show_bug.cgi?id=114670
+
+ Reviewed by Rob Buis.
+
+ remove warning in Source/JavaScriptCore/runtime/GCActivityCallbackBlackBerry.cpp
+
+ * runtime/GCActivityCallbackBlackBerry.cpp:
+ (JSC::DefaultGCActivityCallback::didAllocate):
+
+2013-04-18 Jonathan Liu <net147@gmail.com>
+
+ Implement JIT for MinGW-w64 64-bit
+ https://bugs.webkit.org/show_bug.cgi?id=114580
+
+ Reviewed by Jocelyn Turcotte.
+
+ * jit/JITStubs.cpp:
+ (JSC):
+
+2013-04-17 Mark Lam <mark.lam@apple.com>
+
+ Avoid using a branch range that is too far for some CPU architectures.
+ https://bugs.webkit.org/show_bug.cgi?id=114782.
+
+ Reviewed by David Kilzer.
+
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2013-04-17 Julien Brianceau <jbrianceau@nds.com>
+
+ Fix SH4 build (broken since r148639).
+ https://bugs.webkit.org/show_bug.cgi?id=114773.
+
+ Allow longer displacements for specific branches in SH4 LLINT.
+
+ Reviewed by Oliver Hunt.
+
+ * offlineasm/sh4.rb:
+
+2013-04-14 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. More Windows build fix.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-04-14 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. Windows build fix.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-04-17 Mark Lam <mark.lam@apple.com>
+
+ Fix broken build. Replaced a static const with a #define.
+ https://bugs.webkit.org/show_bug.cgi?id=114577.
+
+ Unreviewed.
+
+ * runtime/Watchdog.cpp:
+ (JSC::Watchdog::Watchdog):
+ (JSC::Watchdog::isEnabled):
+
+2013-04-17 Mark Lam <mark.lam@apple.com>
+
+ Add LLINT and baseline JIT support for timing out scripts.
+ https://bugs.webkit.org/show_bug.cgi?id=114577.
+
+ Reviewed by Geoffrey Garen.
+
+ Introduces the new Watchdog class which is used to track script
+ execution time, and initiate script termination if needed.
+
+ * API/JSContextRef.cpp:
+ (internalScriptTimeoutCallback):
+ (JSContextGroupSetExecutionTimeLimit):
+ (JSContextGroupClearExecutionTimeLimit):
+ * API/JSContextRefPrivate.h:
+ - Added new script execution time limit APIs.
+ * API/tests/testapi.c:
+ (currentCPUTime):
+ (shouldTerminateCallback):
+ (cancelTerminateCallback):
+ (extendTerminateCallback):
+ (main):
+ - Added new API tests for script execution time limit.
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitLoopHint):
+ - loop hints are needed for the llint as well. Hence, it will be
+ emitted unconditionally.
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::addStackTraceIfNecessary):
+ (JSC::Interpreter::throwException):
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ - Added checks for script termination before entering script code.
+ * jit/JIT.cpp:
+ (JSC::JIT::emitWatchdogTimerCheck):
+ * jit/JIT.h:
+ (JSC::JIT::emit_op_loop_hint):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION(void, handle_watchdog_timer)):
+ * jit/JITStubs.h:
+ * llint/LLIntExceptions.cpp:
+ (JSC::LLInt::doThrow):
+ - Factored out some common code from returnToThrow() and callToThrow().
+ (JSC::LLInt::returnToThrow):
+ (JSC::LLInt::callToThrow):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL(slow_path_handle_watchdog_timer)):
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::throwTerminatedExecutionException):
+ - Also removed the now unused InterruptedExecutionException.
+ * runtime/ExceptionHelpers.h:
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ * runtime/JSGlobalData.h:
+ - Added watchdog, and removed the now obsolete Terminator.
+ * runtime/Terminator.h: Removed.
+ * runtime/Watchdog.cpp: Added.
+ (JSC::Watchdog::Watchdog):
+ (JSC::Watchdog::~Watchdog):
+ (JSC::Watchdog::setTimeLimit):
+ (JSC::Watchdog::didFire):
+ (JSC::Watchdog::isEnabled):
+ (JSC::Watchdog::fire):
+ (JSC::Watchdog::arm):
+ (JSC::Watchdog::disarm):
+ (JSC::Watchdog::startCountdownIfNeeded):
+ (JSC::Watchdog::startCountdown):
+ (JSC::Watchdog::stopCountdown):
+ (JSC::Watchdog::Scope::Scope):
+ (JSC::Watchdog::Scope::~Scope):
+ * runtime/Watchdog.h: Added.
+ (Watchdog):
+ (JSC::Watchdog::didFire):
+ (JSC::Watchdog::timerDidFireAddress):
+ (JSC::Watchdog::isArmed):
+ (Watchdog::Scope):
+ * runtime/WatchdogMac.cpp: Added.
+ (JSC::Watchdog::initTimer):
+ (JSC::Watchdog::destroyTimer):
+ (JSC::Watchdog::startTimer):
+ (JSC::Watchdog::stopTimer):
+ * runtime/WatchdogNone.cpp: Added.
+ (JSC::Watchdog::initTimer):
+ (JSC::Watchdog::destroyTimer):
+ (JSC::Watchdog::startTimer):
+ (JSC::Watchdog::stopTimer):
+
+2013-04-14 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. VS2010 Windows build fix.
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
+
+2013-04-14 Roger Fong <roger_fong@apple.com>
+
+ Copy make-file-export-generator script to the the Source folders of the projects that use it.
+ <rdar://problem/13675604>
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/make-export-file-generator: Copied from Source/WebCore/make-export-file-generator.
+
+2013-04-17 Brent Fulgham <bfulgham@webkit.org>
+
+ [Windows, WinCairo] Stop individually building WTF files in JSC.
+ https://bugs.webkit.org/show_bug.cgi?id=114705
+
+ Reviewed by Anders Carlsson.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ Export additional String/fastMalloc symbols needed by JSC program.
+ * JavaScriptCore.vcproj/jsc/jsc.vcproj: Don't manually build
+ WTF implementation files (a second time!) in this project.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+ Export additional String/fastMalloc symbols needed by JSC program.
+ * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Don't manually
+ build WTF implementation files (a second time!) in this project.
+ * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Ditto.
+
+2013-04-17 Mark Lam <mark.lam@apple.com>
+
+ releaseExecutableMemory() should canonicalize cell liveness data before
+ it scans the GC roots.
+ https://bugs.webkit.org/show_bug.cgi?id=114733.
+
+ Reviewed by Mark Hahnenberg.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::canonicalizeCellLivenessData):
+ * heap/Heap.h:
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::releaseExecutableMemory):
+
+2013-04-16 Commit Queue <rniwa@webkit.org>
+
+ Unreviewed, rolling out r148576.
+ http://trac.webkit.org/changeset/148576
+ https://bugs.webkit.org/show_bug.cgi?id=114714
+
+ WebCore is building some of these same files (Requested by
+ bfulgham on #webkit).
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcproj/jsc/jsc.vcproj:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+ * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
+ * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters:
+
+2013-04-16 Brent Fulgham <bfulgham@webkit.org>
+
+ [Windows, WinCairo] Stop individually building WTF files in JSC.
+ https://bugs.webkit.org/show_bug.cgi?id=114705
+
+ Reviewed by Anders Carlsson.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ Export additional String/fastMalloc symbols needed by JSC program.
+ * JavaScriptCore.vcproj/jsc/jsc.vcproj: Don't manually build
+ WTF implementation files (a second time!) in this project.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+ Export additional String/fastMalloc symbols needed by JSC program.
+ * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Don't manually
+ build WTF implementation files (a second time!) in this project.
+ * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Ditto.
+
+2013-04-16 Patrick Gansterer <paroga@webkit.org>
+
+ [CMake] Do not use JAVASCRIPTCORE_DIR in add_custom_command() of JavaScriptCore project
+ https://bugs.webkit.org/show_bug.cgi?id=114265
+
+ Reviewed by Brent Fulgham.
+
+ Use CMAKE_CURRENT_SOURCE_DIR instead, since it provides the same value and is more
+ understandable. Also move the GENERATE_HASH_LUT macro into the CMakeLists.txt
+ of JavaScriptCore to avoid the usage of JAVASCRIPTCORE_DIR there too.
+
+ * CMakeLists.txt:
+
+2013-04-16 Anders Carlsson <andersca@apple.com>
+
+ Another Windows build fix attempt.
+
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+
+2013-04-16 Anders Carlsson <andersca@apple.com>
+
+ Try to fix the Windows build.
+
+ * runtime/JSGlobalData.h:
+
+2013-04-16 Brent Fulgham <bfulgham@webkit.org>
+
+ [Windows] Unreviewed VS2010 build correction.
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
+ Specify proper link library to avoid mixture of ICU 4.0 and 4.6
+ symbols during link.
+
+2013-04-15 Ryosuke Niwa <rniwa@webkit.org>
+
+ Windows clean build fix after r148479.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-04-15 Anders Carlsson <andersca@apple.com>
+
+ ScriptWrappable subclasses shouldn't have to include WeakInlines.h
+ https://bugs.webkit.org/show_bug.cgi?id=114641
+
+ Reviewed by Alexey Proskuryakov.
+
+ Move back the Weak constructor, destructor and clear() to Weak.h. Add a new weakClearSlowCase function
+ and put it in Weak.cpp.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * heap/Weak.cpp: Added.
+ * heap/Weak.h:
+ * heap/WeakInlines.h:
+ * heap/WeakSetInlines.h:
+
+2013-04-15 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ HeapTimer lifetime should be less complicated
+ https://bugs.webkit.org/show_bug.cgi?id=114529
+
+ Reviewed by Oliver Hunt.
+
+ Right now our HeapTimer lifetime is rather complicated. HeapTimers are "owned" by the JSGlobalData,
+ but there's an issue in that there can be races between a thread that is trying to tear down a JSGlobalData
+ and the HeapTimer's fire function. Our current code for tearing down HeapTimers is an intricate and delicate
+ dance which probably contains subtle bugs.
+
+ We can make our lives easier by changing things around a bit.
+
+ 1) We should free the API lock from being solely owned by the JSGlobalData so we don't have to worry about
+ grabbing the lock out of invalid memory when our HeapTimer callback fires.
+
+ 2) We should also make it so that we deref the JSGlobalData first, then unlock the API lock so that when we
+ have the lock, the JSGlobalData is in one of two states: fully valid or completely destroyed, and we know exactly which one.
+
+ 3) The JSLock can tell us this information by keeping a back pointer to the JSGlobalData. When the JSGlobalData's
+ destructor is called, it clears this pointer in the JSLock. Other clients of the API lock can then check
+ this pointer to determine whether or not the JSGlobalData is still around.
+
+ 4) The CFRunLoopTimer will use the API lock as its context rather than the HeapTimer itself. The only way
+ the HeapTimer's callback can get to the HeapTimer is through the API lock's JSGlobalData pointer.
+
+ 5) The CFRunLoopTimerContext struct has two fields for retain and release callbacks for the context's info field.
+ We'll provide these callbacks to ref() and deref() the JSLock as necessary. Thus, the timer becomes the other
+ owner of the JSLock apart from the JSGlobalData.
+
+ * API/APIShims.h: Remove the cruft that was required by the previous design, such as RefGlobalDataTag.
+ (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
+ (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
+ (APIEntryShimWithoutLock):
+ (JSC::APIEntryShim::APIEntryShim):
+ (JSC::APIEntryShim::~APIEntryShim): Protect the API lock with a RefPtr, deref the JSGlobalData, which could destroy it,
+ then unlock the API lock. This ordering prevents others from obtaining the API lock while the JSGlobalData is in the
+ middle of being torn down.
+ (JSC::APIEntryShim::init): We now take the lock, then ref the JSGlobalData, which is the opposite order of when we
+ tear down the shim.
+ * heap/Heap.cpp:
+ (JSC::Heap::setActivityCallback): Use PassOwnPtr now.
+ (JSC::Heap::activityCallback): Ditto.
+ (JSC::Heap::sweeper): Ditto.
+ (JSC):
+ * heap/Heap.h:
+ (Heap):
+ * heap/HeapTimer.cpp:
+ (JSC::retainAPILock): Retain callback for CFRunLoopTimerContext struct.
+ (JSC::releaseAPILock): Release callback for the CFRunLoopTimerContext struct.
+ (JSC::HeapTimer::HeapTimer): Use the API lock as the context's info field rather than the HeapTimer.
+ (JSC::HeapTimer::timerDidFire): Grab the API lock. Return early if the JSGlobalData has already been destroyed.
+ Otherwise, figure out which kind of HeapTimer we are based on the CFRunLoopTimerRef passed to the callback and
+ call the HeapTimer's callback.
+ * heap/HeapTimer.h:
+ (HeapTimer):
+ * heap/IncrementalSweeper.cpp:
+ (JSC::IncrementalSweeper::create): PassOwnPtr all the things.
+ * heap/IncrementalSweeper.h:
+ (IncrementalSweeper):
+ * jsc.cpp:
+ (jscmain): We use an APIEntryShim instead of a RefPtr for the JSGlobalData because we need to
+ tear down the JSGlobalData while we still hold the lock, which the APIEntryShim handles correctly.
+ * runtime/GCActivityCallback.h:
+ (DefaultGCActivityCallback):
+ (JSC::DefaultGCActivityCallback::create):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ (JSC::JSGlobalData::~JSGlobalData): Notify the API lock that the JSGlobalData is being torn down.
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ (JSC::JSGlobalData::apiLock):
+ * runtime/JSLock.cpp:
+ (JSC::JSLockHolder::JSLockHolder): Ref, then lock (just like the API shim).
+ (JSC):
+ (JSC::JSLock::willDestroyGlobalData):
+ (JSC::JSLockHolder::init):
+ (JSC::JSLockHolder::~JSLockHolder): Protect, deref, then unlock (just like the API shim).
+ (JSC::JSLock::JSLock):
+ * runtime/JSLock.h: Add back pointer to the JSGlobalData and a callback for when the JSGlobalData is being
+ torn down that clears this pointer to notify other clients (i.e. timer callbacks) that the JSGlobalData is no
+ longer valid.
+ (JSLockHolder):
+ (JSLock):
+ (JSC::JSLock::globalData):
+ * testRegExp.cpp:
+ (realMain): We use an APIEntryShim instead of a RefPtr for the JSGlobalData because we need to
+ tear down the JSGlobalData while we still hold the lock, which the APIEntryShim handles correctly.
+
+2013-04-15 Julien Brianceau <jbrianceau@nds.com>
+
+ LLInt SH4 backend implementation
+ https://bugs.webkit.org/show_bug.cgi?id=112886
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGOperations.cpp:
+ (JSC):
+ * jit/JITStubs.cpp:
+ * llint/LLIntOfflineAsmConfig.h:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * offlineasm/arm.rb:
+ * offlineasm/ast.rb:
+ * offlineasm/backends.rb:
+ * offlineasm/instructions.rb:
+ * offlineasm/mips.rb:
+ * offlineasm/risc.rb:
+ * offlineasm/sh4.rb: Added.
+
+2013-04-15 Patrick Gansterer <paroga@webkit.org>
+
+ [CMake] Add WTF_USE_*_UNICODE variables
+ https://bugs.webkit.org/show_bug.cgi?id=114556
+
+ Reviewed by Brent Fulgham.
+
+ WTF_USE_ICU_UNICODE and WTF_USE_WCHAR_UNICODE are used to
+ reduce duplication in the platform specific CMake files.
+
+ * CMakeLists.txt:
+ * PlatformEfl.cmake:
+
+2013-04-13 Patrick Gansterer <paroga@webkit.org>
+
+ Add missing export macro to SymbolTableEntry::freeFatEntrySlow()
+
+ * runtime/SymbolTable.h:
+ (SymbolTableEntry):
+
+2013-04-12 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Block freeing thread should call Region::destroy instead of delete
+ https://bugs.webkit.org/show_bug.cgi?id=114544
+
+ Reviewed by Oliver Hunt.
+
+ Since Region doesn't have a virtual destructor, calling delete will not properly clean up all of
+ the state of the Region. We should call destroy() instead.
+
+ * heap/BlockAllocator.cpp:
+ (JSC::BlockAllocator::releaseFreeRegions):
+ (JSC::BlockAllocator::blockFreeingThreadMain):
+
+2013-04-11 Benjamin Poulain <bpoulain@apple.com>
+
+ Merge CharacterClassTable into CharacterClass
+ https://bugs.webkit.org/show_bug.cgi?id=114409
+
+ Reviewed by Darin Adler.
+
+ CharacterClassTable is only a pointer and a boolean.
+ It is a little overkill to make a separate allocation
+ for that.
+
+ * create_regex_tables:
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::matchCharacterClass):
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::CharacterClassConstructor::charClass):
+ * yarr/YarrPattern.h:
+ (CharacterClass):
+ (JSC::Yarr::CharacterClass::CharacterClass):
+
+2013-04-11 Michael Saboff <msaboff@apple.com>
+
+ Added UNLIKELY() suggested in https://bugs.webkit.org/show_bug.cgi?id=114366
+ after checking in the original change.
+
+ Rubber-stamped by Jessie Berlin.
+
+ * dfg/DFGOperations.cpp:
+
+2013-04-10 Benjamin Poulain <benjamin@webkit.org>
+
+ Unify JSC Parser's error and error message
+ https://bugs.webkit.org/show_bug.cgi?id=114363
+
+ Reviewed by Geoffrey Garen.
+
+ The parser kept the error state over two attributes:
+ error and errorMessage. They were changed in sync,
+ but had some discrepancy (for example, the error message
+ was always defined to something).
+
+ This patch unifies the two. There is an error if
+ if the error message is non-null or if the parsing finished
+ before the end.
+
+ This also gets rid of the allocation of the error message
+ when instantiating a parser.
+
+ * parser/Parser.cpp:
+ (JSC::::Parser):
+ (JSC::::parseInner):
+ (JSC::::parseSourceElements):
+ (JSC::::parseVarDeclaration):
+ (JSC::::parseConstDeclaration):
+ (JSC::::parseForStatement):
+ (JSC::::parseSwitchStatement):
+ (JSC::::parsePrimaryExpression):
+ * parser/Parser.h:
+ (JSC::Parser::updateErrorMessage):
+ (JSC::Parser::updateErrorWithNameAndMessage):
+ (JSC::Parser::hasError):
+ (Parser):
+
+2013-04-10 Oliver Hunt <oliver@apple.com>
+
+ Set trap is not being called for API objects
+ https://bugs.webkit.org/show_bug.cgi?id=114403
+
+ Reviewed by Anders Carlsson.
+
+ Intercept putByIndex on the callback object and add tests
+ to make sure we don't regress in future.
+
+ * API/JSCallbackObject.h:
+ (JSCallbackObject):
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::::putByIndex):
+ (JSC):
+ * API/tests/testapi.c:
+ (PropertyCatchalls_setProperty):
+ * API/tests/testapi.js:
+
+2013-04-10 Benjamin Poulain <bpoulain@apple.com>
+
+ Mass remove all the empty directories
+
+ Rubberstamped by Ryosuke Niwa.
+
+ * qt/api: Removed.
+ * qt/benchmarks/qscriptengine: Removed.
+ * qt/benchmarks/qscriptvalue: Removed.
+ * qt/tests/qscriptengine: Removed.
+ * qt/tests/qscriptstring: Removed.
+ * qt/tests/qscriptvalue: Removed.
+ * qt/tests/qscriptvalueiterator: Removed.
+
+2013-04-10 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly
+ https://bugs.webkit.org/show_bug.cgi?id=114235
+
+ Reviewed by Filip Pizlo.
+
+ If the object doesn't have any properties but the prototype does, we'll assume those prototype properties are
+ accessible in the base object's backing store, which is bad.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::getPropertyNames):
+ (JSC::JSObject::getOwnNonIndexPropertyNames):
+ * runtime/PropertyNameArray.h:
+ (JSC::PropertyNameArray::PropertyNameArray):
+ (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
+ (JSC::PropertyNameArray::setBaseObject):
+ (PropertyNameArray):
+
+2013-04-10 Patrick Gansterer <paroga@webkit.org>
+
+ Remove code duplicates from MacroAssemblerARM
+ https://bugs.webkit.org/show_bug.cgi?id=104457
+
+ Reviewed by Oliver Hunt.
+
+ Reuse some existing methods to avoid duplicated code.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::store8):
+ (JSC::MacroAssemblerARM::store32):
+ (JSC::MacroAssemblerARM::swap):
+ (JSC::MacroAssemblerARM::add32):
+ (JSC::MacroAssemblerARM::sub32):
+
+2013-04-10 Michael Saboff <msaboff@apple.com>
+
+ DFG: Negative size for new Array() interpreted as large unsigned int
+ https://bugs.webkit.org/show_bug.cgi?id=114366
+
+ Reviewed by Oliver Hunt.
+
+ Added new check in operationNewArrayWithSize() for a negative
+ size. If size is negative throw a "RangeError: Array size is not a
+ small enough positive integer" exception.
+
+ * dfg/DFGOperations.cpp:
+
+2013-04-10 peavo@outlook.com <peavo@outlook.com>
+
+ WinCairo build fails to link.
+ https://bugs.webkit.org/show_bug.cgi?id=114358
+
+ Reviewed by Brent Fulgham.
+
+ Export the symbol WTF::MD5::checksum().
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-04-08 Anders Carlsson <andersca@apple.com>
+
+ Remove unneeded headers from FrameLoader.h
+ https://bugs.webkit.org/show_bug.cgi?id=114223
+
+ Reviewed by Geoffrey Garen.
+
+ Update for WTF changes.
+
+ * bytecode/SpeculatedType.h:
+ * runtime/JSCJSValue.h:
+
+2013-04-09 Geoffrey Garen <ggaren@apple.com>
+
+ Removed bitrotted TimeoutChecker code
+ https://bugs.webkit.org/show_bug.cgi?id=114336
+
+ Reviewed by Alexey Proskuryakov.
+
+ This mechanism hasn't worked for a while.
+
+ MarkL is working on a new version of this feature with a distinct
+ implementation.
+
+ * API/APIShims.h:
+ (JSC::APIEntryShim::~APIEntryShim):
+ (JSC::APIEntryShim::init):
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * dfg/DFGGPRInfo.h:
+ * jit/JIT.cpp:
+ * jit/JIT.h:
+ * jit/JITStubs.cpp:
+ * jit/JITStubs.h:
+ * jit/JSInterfaceJIT.h:
+ (JSInterfaceJIT):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ * runtime/JSGlobalData.h:
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSONObject.cpp:
+ (JSC::Stringifier::appendStringifiedValue):
+ (JSC::Walker::walk):
+ * runtime/TimeoutChecker.cpp: Removed.
+ * runtime/TimeoutChecker.h: Removed.
+
+2013-04-10 Oliver Hunt <oliver@apple.com>
+
+ REGRESSION (r148073): WebKit Nightly r148082 crashes on launch in JSObjectSetPrivate
+ https://bugs.webkit.org/show_bug.cgi?id=114341
+
+ Reviewed by Alexey Proskuryakov.
+
+ Make JSObjectSetPrivate use uncheckedToJS as some clients
+ clear their private data during finalization for some reason.
+
+ * API/JSObjectRef.cpp:
+ (JSObjectSetPrivate):
+
+2013-04-09 Oliver Hunt <oliver@apple.com>
+
+ Add liveness tests to JSC API entry points
+ https://bugs.webkit.org/show_bug.cgi?id=114318
+
+ Reviewed by Geoffrey Garen.
+
+ Add simple checks for the existence of a method table on any
+ JSCells passed across the API. This in turn forces a structure
+ validity test.
+
+ * API/APICast.h:
+ (toJS):
+ (toJSForGC):
+ (unsafeToJS):
+ * API/JSObjectRef.cpp:
+ (JSObjectGetPrivate):
+
+2013-04-09 Oliver Hunt <oliver@apple.com>
+
+ Rollout last patch as it destroyed everything
+
+ * API/APICast.h:
+ (toJS):
+ (toJSForGC):
+
+2013-04-09 Oliver Hunt <oliver@apple.com>
+
+ Add liveness tests to JSC API entry points
+ https://bugs.webkit.org/show_bug.cgi?id=114318
+
+ Reviewed by Filip Pizlo.
+
+ Add simple checks for the existence of a method table on any
+ JSCells passed across the API. This in turn forces a structure
+ validity test.
+
+ * API/APICast.h:
+ (toJS):
+ (toJSForGC):
+
+2013-04-09 Balazs Kilvady <kilvadyb@homejinni.com>
+
+ LLInt conditional branch compilation fault on MIPS.
+ https://bugs.webkit.org/show_bug.cgi?id=114264
+
+ Reviewed by Filip Pizlo.
+
+ Fix conditional branch compilation in LLInt offlineasm.
+
+ * offlineasm/mips.rb:
+
+2013-04-08 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly
+ https://bugs.webkit.org/show_bug.cgi?id=114235
+
+ Reviewed by Geoffrey Garen.
+
+ Due to the way that numCacheableSlots is currently calculated, checking an object's prototype for enumerable
+ properties causes us not to cache any properties at all. We should only cache properties on the object itself
+ since we currently don't take advantage of any sort of name caching for properties in the prototype chain.
+ This fix undoes a ~2% SunSpider regression caused by http://trac.webkit.org/changeset/147570.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::getOwnNonIndexPropertyNames):
+
+2013-04-09 Ryosuke Niwa <rniwa@webkit.org>
+
+ Remove yarr.gyp
+ https://bugs.webkit.org/show_bug.cgi?id=114247
+
+ Reviewed by Benjamin Poulain.
+
+ * yarr/yarr.gyp: Removed.
+
+2013-04-08 Ryosuke Niwa <rniwa@webkit.org>
+
+ Remove JavaScriptCore.gyp/gypi
+ https://bugs.webkit.org/show_bug.cgi?id=114238
+
+ Reviewed by Benjamin Poulain.
+
+ * JavaScriptCore.gyp: Removed.
+ * JavaScriptCore.gyp/.gitignore: Removed.
+ * JavaScriptCore.gypi: Removed.
+
+2013-04-08 Vahag Vardanyan <vaag@ispras.ru>
+
+ Adds fromCharCode intrinsic support.
+ https://bugs.webkit.org/show_bug.cgi?id=104807
+
+ Reviewed by Oliver Hunt.
+
+ Switch to using fromCharCode intrinsic instead of call operation in some cases.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileFromCharCode):
+ (DFG):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * runtime/StringConstructor.cpp:
+ (JSC::stringFromCharCode):
+ (JSC):
+ * runtime/StringConstructor.h:
+ (JSC):
+
+2013-04-08 Benjamin Poulain <benjamin@webkit.org>
+
+ Remove HTML Notification
+ https://bugs.webkit.org/show_bug.cgi?id=114231
+
+ Reviewed by Ryosuke Niwa.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-04-05 Roger Fong <roger_fong@apple.com>
+
+ Build fix.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-04-08 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should be able to inline string equality comparisons
+ https://bugs.webkit.org/show_bug.cgi?id=114224
+
+ Reviewed by Oliver Hunt.
+
+ Inline 8-bit string equality, go to slow path for 16-bit strings. 2x speed-up for string equality
+ comparisons on 8-bit strings. 20-50% speed-up on JSRegress/HashMap tests. 30% speed-up on
+ string-fasta. 2% speed-up on SunSpider overall. Some small speed-ups elsewhere.
+
+ This is a gnarly change but we have loads of test coverage already between the HashMap tests and
+ preexisting DFG string equality tests (which appear to have been designed to test OSR exits, but
+ also give us good overall coverage on string equality behavior).
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
+ (JSC::DFG::SpeculativeJIT::compare):
+ (JSC::DFG::SpeculativeJIT::compileStrictEq):
+ (JSC::DFG::SpeculativeJIT::compileStringEquality):
+ (DFG):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+
+2013-04-08 Geoffrey Garen <ggaren@apple.com>
+
+ Stop #include-ing all of JavaScriptCore in every DOM-related file
+ https://bugs.webkit.org/show_bug.cgi?id=114220
+
+ Reviewed by Sam Weinig.
+
+ I separated WeakInlines.h from Weak.h so WebCore data types that need
+ to declare a Weak<T> data member don't have to #include all of the
+ infrastructure for accessing that data member.
+
+ This also required separating Weak<T> from PassWeak<T> by removing the
+ WeakImplAccessor class template and pushing code down into its subclasses.
+
+ * API/JSWeakObjectMapRefPrivate.cpp:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/UnlinkedCodeBlock.h:
+ * heap/PassWeak.h:
+ (JSC):
+ (PassWeak):
+ (JSC::::PassWeak):
+ (JSC::::operator):
+ (JSC::::get):
+ * heap/SlotVisitorInlines.h:
+ * heap/Weak.h:
+ (JSC):
+ (Weak):
+ * heap/WeakInlines.h: Copied from Source/JavaScriptCore/heap/Weak.h.
+ (JSC):
+ (JSC::::Weak):
+ (JSC::::operator):
+ (JSC::::get):
+ (JSC::::was):
+ (JSC::weakClear):
+ * jit/JITThunks.h:
+ * runtime/RegExpCache.h:
+ * runtime/Structure.h:
+ * runtime/WeakGCMap.h:
+
+2013-04-05 Roger Fong <roger_fong@apple.com>
+
+ Windows build fix fix.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+
+2013-04-05 Roger Fong <roger_fong@apple.com>
+
+ Windows build fix.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-04-08 Oliver Hunt <oliver@apple.com>
+
+ Make resolve more robust in the face of lookup misses
+ https://bugs.webkit.org/show_bug.cgi?id=114211
+
+ Reviewed by Filip Pizlo.
+
+ This simply short circuits the resolve operations in the
+ event that we don't find a path to a property. There's no
+ repro case for this happening unfortunately.
+
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+
+2013-04-08 Oliver Hunt <oliver@apple.com>
+
+ Build fix.
+
+ * assembler/ARMv7Assembler.h:
+ (ARMv7Assembler):
+
+2013-04-08 Justin Haygood <jhaygood@reaktix.com>
+
+ Allow KeywordLookupGenerator.py to work on Windows with Windows style line endings
+ https://bugs.webkit.org/show_bug.cgi?id=63234
+
+ Reviewed by Oliver Hunt.
+
+ * KeywordLookupGenerator.py:
+ (parseKeywords):
+
+2013-04-08 Filip Pizlo <fpizlo@apple.com>
+
+ REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculateCell() running webgl tests
+ https://bugs.webkit.org/show_bug.cgi?id=114129
+ <rdar://problem/13594898>
+
+ Reviewed by Darin Adler.
+
+ The check to see if we need a cell check when simplifying a GetById or PutById needs to be hoisted to
+ above where we abstractly execute the instruction, since after we abstracting execute it, it will
+ seem like it no longer needs the cell check.
+
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
+2013-04-07 Oliver Hunt <oliver@apple.com>
+
+ Add bounds checking for WTF::Vector::operator[]
+ https://bugs.webkit.org/show_bug.cgi?id=89600
+
+ Reviewed by Filip Pizlo.
+
+ Make a few JSC classes opt-out of release mode bounds checking.
+
+ * assembler/AssemblerBuffer.h:
+ (AssemblerBuffer):
+ * assembler/AssemblerBufferWithConstantPool.h:
+ (AssemblerBufferWithConstantPool):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::bytecodeOffset):
+ (JSC):
+ (JSC::replaceExistingEntries):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
+ (JSC::CodeBlock::callReturnIndexVector):
+ (JSC::CodeBlock::codeOrigins):
+ (RareData):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedEvalCodeBlock::adoptVariables):
+ (UnlinkedEvalCodeBlock):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::emitNewArray):
+ (JSC::BytecodeGenerator::emitCall):
+ (JSC::BytecodeGenerator::emitConstruct):
+ * bytecompiler/BytecodeGenerator.h:
+ (CallArguments):
+ (JSC::BytecodeGenerator::instructions):
+ (BytecodeGenerator):
+ * bytecompiler/StaticPropertyAnalysis.h:
+ (JSC::StaticPropertyAnalysis::create):
+ (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis):
+ (StaticPropertyAnalysis):
+ * bytecompiler/StaticPropertyAnalyzer.h:
+ (StaticPropertyAnalyzer):
+ (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ * parser/ASTBuilder.h:
+ (ASTBuilder):
+ * runtime/ArgList.h:
+ (MarkedArgumentBuffer):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSort):
+
+2013-04-07 Benjamin Poulain <benjamin@webkit.org>
+
+ Use Vector::reserveInitialCapacity() when possible in JavaScriptCore runtime
+ https://bugs.webkit.org/show_bug.cgi?id=114111
+
+ Reviewed by Andreas Kling.
+
+ Almost all the code was already using Vector::reserveInitialCapacity()
+ and Vector::uncheckedAppend(). Fix the remaining parts.
+
+ * runtime/ArgList.h:
+ (MarkedArgumentBuffer): The type VectorType is unused.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSort):
+ Move the variable closer to where it is needed.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::setLengthWithArrayStorage):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::getOwnPropertyNames):
+
+2013-04-07 Patrick Gansterer <paroga@webkit.org>
+
+ Remove references to Skia and V8 from CMake files
+ https://bugs.webkit.org/show_bug.cgi?id=114130
+
+ Reviewed by Geoffrey Garen.
+
+ * shell/PlatformBlackBerry.cmake:
+
+2013-04-07 David Kilzer <ddkilzer@apple.com>
+
+ Remove the rest of SVG_DOM_OBJC_BINDINGS
+ <http://webkit.org/b/114112>
+
+ Reviewed by Geoffrey Garen.
+
+ * Configurations/FeatureDefines.xcconfig:
+ - Remove ENABLE_SVG_DOM_OBJC_BINDINGS macro.
+
+2013-04-07 Oliver Hunt <oliver@apple.com>
+
+ Inspector should display information about non-object exceptions
+ https://bugs.webkit.org/show_bug.cgi?id=114123
+
+ Reviewed by Adele Peterson.
+
+ Make sure we store the right stack information, even when throwing
+ a primitive.
+
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::clearSupplementaryExceptionInfo):
+ (ExecState):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::addStackTraceIfNecessary):
+ (JSC::Interpreter::throwException):
+
+2013-04-06 Oliver Hunt <oliver@apple.com>
+
+ Unify the many and varied stack trace mechanisms, and make the result sane.
+ https://bugs.webkit.org/show_bug.cgi?id=114072
+
+ Reviewed by Filip Pizlo.
+
+ Makes JSC::StackFrame record the bytecode offset and other necessary data
+ rather than requiring us to perform eager evaluation of the line number, etc.
+ Then remove most of the users of retrieveLastCaller, as most of them were
+ using it to create a stack trace in a fairly incomplete and inefficient way.
+
+ StackFrame now also has a couple of helpers to get the line and column info.
+
+ * API/JSContextRef.cpp:
+ (JSContextCreateBacktrace):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitDebugHook):
+ * interpreter/Interpreter.cpp:
+ (JSC):
+ (JSC::Interpreter::dumpRegisters):
+ (JSC::Interpreter::unwindCallFrame):
+ (JSC::getBytecodeOffsetForCallFrame):
+ (JSC::getCallerInfo):
+ (JSC::StackFrame::line):
+ (JSC::StackFrame::column):
+ (JSC::StackFrame::expressionInfo):
+ (JSC::StackFrame::toString):
+ (JSC::Interpreter::getStackTrace):
+ (JSC::Interpreter::addStackTraceIfNecessary):
+ (JSC::Interpreter::retrieveCallerFromVMCode):
+ * interpreter/Interpreter.h:
+ (StackFrame):
+ (Interpreter):
+ * runtime/Error.cpp:
+ (JSC::throwError):
+ * runtime/JSGlobalData.h:
+ (JSC):
+ (JSGlobalData):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):
+
+2013-04-06 Geoffrey Garen <ggaren@apple.com>
+
+ Removed v8 bindings hooks from IDL files
+ https://bugs.webkit.org/show_bug.cgi?id=114091
+
+ Reviewed by Anders Carlsson and Sam Weinig.
+
+ * heap/HeapStatistics.h:
+
+2013-04-03 Roger Fong <roger_fong@apple.com>
+
+ Windows VS2010 build fix.
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-04-06 Zan Dobersek <zdobersek@igalia.com>
+
+ Remove the remaining PLATFORM(CHROMIUM) guard in JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=114082
+
+ Reviewed by Ryosuke Niwa.
+
+ * runtime/JSExportMacros.h: Remove the remaining PLATFORM(CHROMIUM) guard.
+
+2013-04-06 Ed Bartosh <bartosh@gmail.com>
+
+ --minimal build fails with error: control reaches end of non-void function
+ https://bugs.webkit.org/show_bug.cgi?id=114085
+
+ Reviewed by Oliver Hunt.
+
+ * interpreter/Interpreter.cpp: return 0 if JIT is not enabled
+ (JSC::getBytecodeOffsetForCallFrame):
+
+2013-04-06 Geoffrey Garen <ggaren@apple.com>
+
+ Try to fix the Windows build.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ Added back a symbol that is exported.
+
+2013-04-06 Geoffrey Garen <ggaren@apple.com>
+
+ Try to fix the Windows build.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ Removed symbols that aren't exported.
+
+2013-04-06 Geoffrey Garen <ggaren@apple.com>
+
+ Rolled out 147820 and 147818 because they caused plugins tests to ASSERT
+ https://bugs.webkit.org/show_bug.cgi?id=114094
+
+ Reviewed by Anders Carlsson.
+
+ * API/JSContextRef.cpp:
+ (JSContextCreateBacktrace):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitDebugHook):
+ * interpreter/Interpreter.cpp:
+ (JSC):
+ (JSC::Interpreter::dumpRegisters):
+ (JSC::Interpreter::unwindCallFrame):
+ (JSC::getLineNumberForCallFrame):
+ (JSC::getCallerInfo):
+ (JSC::Interpreter::getStackTrace):
+ (JSC::Interpreter::addStackTraceIfNecessary):
+ (JSC::Interpreter::retrieveCallerFromVMCode):
+ * interpreter/Interpreter.h:
+ (StackFrame):
+ (JSC::StackFrame::toString):
+ (JSC::StackFrame::friendlyLineNumber):
+ (Interpreter):
+ * runtime/Error.cpp:
+ (JSC::throwError):
+ * runtime/JSGlobalData.h:
+ (JSC):
+ (JSGlobalData):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):
+
+2013-04-06 Patrick Gansterer <paroga@webkit.org>
+
+ Unreviewed build fix after r146932.
+
+ * profiler/ProfilerDatabase.cpp:
+ (Profiler):
+
+2013-04-06 Patrick Gansterer <paroga@webkit.org>
+
+ Do not call getenv() on Windows CE where it does not exist.
+
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+
+2013-04-05 Benjamin Poulain <benjamin@webkit.org>
+
+ Second attempt to fix the Windows bot
+
+ Unreviewed.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-04-05 Benjamin Poulain <bpoulain@apple.com>
+
+ Attempt to fix the Windows bot
+
+ Unreviewed.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+ r147825 removed the symbol for nullptr_t. Add it back.
+
+2013-04-02 Roger Fong <roger_fong@apple.com>
+
+ Build fix.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-04-05 Oliver Hunt <oliver@apple.com>
+
+ Build fix.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::getBytecodeOffsetForCallFrame):
+
+2013-04-05 Oliver Hunt <oliver@apple.com>
+
+ Unify the many and varied stack trace mechanisms, and make the result sane.
+ https://bugs.webkit.org/show_bug.cgi?id=114072
+
+ Reviewed by Filip Pizlo.
+
+ Makes JSC::StackFrame record the bytecode offset and other necessary data
+ rather than requiring us to perform eager evaluation of the line number, etc.
+ Then remove most of the users of retrieveLastCaller, as most of them were
+ using it to create a stack trace in a fairly incomplete and inefficient way.
+
+ StackFrame now also has a couple of helpers to get the line and column info.
+
+ * API/JSContextRef.cpp:
+ (JSContextCreateBacktrace):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitDebugHook):
+ * interpreter/Interpreter.cpp:
+ (JSC):
+ (JSC::Interpreter::dumpRegisters):
+ (JSC::Interpreter::unwindCallFrame):
+ (JSC::getBytecodeOffsetForCallFrame):
+ (JSC::getCallerInfo):
+ (JSC::StackFrame::line):
+ (JSC::StackFrame::column):
+ (JSC::StackFrame::expressionInfo):
+ (JSC::StackFrame::toString):
+ (JSC::Interpreter::getStackTrace):
+ (JSC::Interpreter::addStackTraceIfNecessary):
+ (JSC::Interpreter::retrieveCallerFromVMCode):
+ * interpreter/Interpreter.h:
+ (StackFrame):
+ (Interpreter):
+ * runtime/Error.cpp:
+ (JSC::throwError):
+ * runtime/JSGlobalData.h:
+ (JSC):
+ (JSGlobalData):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):
+
+2013-04-05 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ tryCacheGetByID sets StructureStubInfo accessType to an incorrect value
+ https://bugs.webkit.org/show_bug.cgi?id=114068
+
+ Reviewed by Geoffrey Garen.
+
+ In the case where we have a non-Value cacheable property, we set the StructureStubInfo accessType to
+ get_by_id_self, but then we don't patch self and instead patch in a get_by_id_self_fail. This leads to
+ incorrect profiling data so when the DFG compiles the function, it uses a GetByOffset rather than a GetById,
+ which leads to loading a GetterSetter directly out of an object.
+
+ * jit/JITStubs.cpp:
+ (JSC::tryCacheGetByID):
+ (JSC::DEFINE_STUB_FUNCTION):
+
+2013-04-05 Filip Pizlo <fpizlo@apple.com>
+
+ If CallFrame::trueCallFrame() knows that it's about to read garbage instead of a valid CodeOrigin/InlineCallFrame, then it should give up and return 0 and all callers should be robust against this
+ https://bugs.webkit.org/show_bug.cgi?id=114062
+
+ Reviewed by Oliver Hunt.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::canGetCodeOrigin):
+ (CodeBlock):
+ * interpreter/CallFrame.cpp:
+ (JSC::CallFrame::trueCallFrame):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::getStackTrace):
+
+2013-04-05 Geoffrey Garen <ggaren@apple.com>
+
+ Made USE(JSC) unconditional
+ https://bugs.webkit.org/show_bug.cgi?id=114058
+
+ Reviewed by Anders Carlsson.
+
+ * config.h:
+
+2013-04-05 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, rolling out http://trac.webkit.org/changeset/147729
+
+ It's causing a bunch of breakage on some more strict compilers:
+ <inline asm>:1267:2: error: ambiguous instructions require an explicit suffix (could be 'ficomps', or 'ficompl')
+
+ * offlineasm/x86.rb:
+
+2013-04-05 Roger Fong <roger_fong@apple.com>
+
+ More VS2010 solution makefile fixes.
+ <rdar://problem/13588964>
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.make:
+
+2013-04-05 Allan Sandfeld Jensen <allan.jensen@digia.com>
+
+ LLint should be able to use x87 instead of SSE for floating pointer
+
+ https://bugs.webkit.org/show_bug.cgi?id=112239
+
+ Reviewed by Filip Pizlo.
+
+ Implements LLInt floating point operations in x87, to ensure we support
+ x86 without SSE2.
+
+ X86 (except 64bit) now defaults to using x87 instructions in order to
+ support all 32bit x86 back to i686. The implementation uses the fucomi
+ instruction from i686 which sets the new minimum.
+
+ * offlineasm/x86.rb:
+
+2013-04-04 Christophe Dumez <ch.dumez@sisa.samsung.com>
+
+ Unreviewed EFL build fix.
+
+ We had undefined reference to `JSC::CodeOrigin::maximumBytecodeIndex'.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::findClosureCallForReturnPC):
+ (JSC::CodeBlock::bytecodeOffset):
+
+2013-04-04 Geoffrey Garen <ggaren@apple.com>
+
+ Stop pretending that statements return a value
+ https://bugs.webkit.org/show_bug.cgi?id=113969
+
+ Reviewed by Oliver Hunt.
+
+ Expressions have an intrinsic value, which they return to their parent
+ in the AST.
+
+ Statements just execute for effect in sequence.
+
+ This patch moves emitBytecode into the ExpressionNode and StatementNode
+ subclasses, and changes the SatementNode subclass to return void. This
+ eliminates some cruft where we used to return 0, or try to save a bogus
+ register and return it, as if a statement had a consuming parent in the
+ AST.
+
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::emitNode):
+ (BytecodeGenerator):
+ (JSC::BytecodeGenerator::emitNodeInConditionContext):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ConstStatementNode::emitBytecode):
+ (JSC::BlockNode::emitBytecode):
+ (JSC::EmptyStatementNode::emitBytecode):
+ (JSC::DebuggerStatementNode::emitBytecode):
+ (JSC::ExprStatementNode::emitBytecode):
+ (JSC::VarStatementNode::emitBytecode):
+ (JSC::IfNode::emitBytecode):
+ (JSC::IfElseNode::emitBytecode):
+ (JSC::DoWhileNode::emitBytecode):
+ (JSC::WhileNode::emitBytecode):
+ (JSC::ForNode::emitBytecode):
+ (JSC::ForInNode::emitBytecode):
+ (JSC::ContinueNode::emitBytecode):
+ (JSC::BreakNode::emitBytecode):
+ (JSC::ReturnNode::emitBytecode):
+ (JSC::WithNode::emitBytecode):
+ (JSC::CaseClauseNode::emitBytecode):
+ (JSC::CaseBlockNode::emitBytecodeForBlock):
+ (JSC::SwitchNode::emitBytecode):
+ (JSC::LabelNode::emitBytecode):
+ (JSC::ThrowNode::emitBytecode):
+ (JSC::TryNode::emitBytecode):
+ (JSC::ScopeNode::emitStatementsBytecode):
+ (JSC::ProgramNode::emitBytecode):
+ (JSC::EvalNode::emitBytecode):
+ (JSC::FunctionBodyNode::emitBytecode):
+ (JSC::FuncDeclNode::emitBytecode):
+ * parser/NodeConstructors.h:
+ (JSC::PropertyListNode::PropertyListNode):
+ (JSC::ArgumentListNode::ArgumentListNode):
+ * parser/Nodes.h:
+ (Node):
+ (ExpressionNode):
+ (StatementNode):
+ (ConstStatementNode):
+ (BlockNode):
+ (EmptyStatementNode):
+ (DebuggerStatementNode):
+ (ExprStatementNode):
+ (VarStatementNode):
+ (IfNode):
+ (IfElseNode):
+ (DoWhileNode):
+ (WhileNode):
+ (ForNode):
+ (ForInNode):
+ (ContinueNode):
+ (BreakNode):
+ (ReturnNode):
+ (WithNode):
+ (LabelNode):
+ (ThrowNode):
+ (TryNode):
+ (ProgramNode):
+ (EvalNode):
+ (FunctionBodyNode):
+ (FuncDeclNode):
+ (CaseBlockNode):
+ (SwitchNode):
+
+2013-04-04 Oliver Hunt <oliver@apple.com>
+
+ Exception stack unwinding doesn't handle inline callframes correctly
+ https://bugs.webkit.org/show_bug.cgi?id=113952
+
+ Reviewed by Geoffrey Garen.
+
+ The basic problem here is that the exception stack unwinding was
+ attempting to be "clever" and avoid doing a correct stack walk
+ as it "knew" inline callframes couldn't have exception handlers.
+
+ This used to be safe as the exception handling machinery was
+ designed to fail gently and just claim that no handler existed.
+ This was "safe" and even "correct" inasmuch as we currently
+ don't run any code with exception handlers through the dfg.
+
+ This patch fixes the logic by simply making everything uniformly
+ use the safe stack walking machinery, and making the correct
+ boundary checks occur everywhere that they should.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::findClosureCallForReturnPC):
+ (JSC::CodeBlock::bytecodeOffset):
+ * interpreter/Interpreter.cpp:
+ (JSC):
+ (JSC::Interpreter::dumpRegisters):
+ (JSC::Interpreter::unwindCallFrame):
+ (JSC::getCallerInfo):
+ (JSC::Interpreter::getStackTrace):
+ (JSC::Interpreter::retrieveCallerFromVMCode):
+
+2013-04-04 Geoffrey Garen <ggaren@apple.com>
+
+ Removed a defunct comment
+ https://bugs.webkit.org/show_bug.cgi?id=113948
+
+ Reviewed by Oliver Hunt.
+
+ This is also a convenient way to test the EWS.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC):
+
+2013-04-04 Martin Robinson <mrobinson@igalia.com>
+
+ [GTK] Remove the gyp build
+ https://bugs.webkit.org/show_bug.cgi?id=113942
+
+ Reviewed by Gustavo Noronha Silva.
+
+ * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Removed.
+ * JavaScriptCore.gyp/redirect-stdout.sh: Removed.
+
+2013-04-04 Geoffrey Garen <ggaren@apple.com>
+
+ Simplified bytecode generation by merging prefix and postfix nodes
+ https://bugs.webkit.org/show_bug.cgi?id=113925
+
+ Reviewed by Filip Pizlo.
+
+ PostfixNode now inherits from PrefixNode, so when we detect that we're
+ in a context where postifx and prefix are equivalent, PostFixNode can
+ just call through to PrefixNode codegen, instead of duplicating the
+ logic.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PostfixNode::emitResolve):
+ (JSC::PostfixNode::emitBracket):
+ (JSC::PostfixNode::emitDot):
+ * parser/NodeConstructors.h:
+ (JSC::PostfixNode::PostfixNode):
+ * parser/Nodes.h:
+ (JSC):
+ (PrefixNode):
+ (PostfixNode):
+
+2013-04-04 Andras Becsi <andras.becsi@digia.com>
+
+ Fix the build with GCC 4.8
+ https://bugs.webkit.org/show_bug.cgi?id=113147
+
+ Reviewed by Allan Sandfeld Jensen.
+
+ Initialize JSObject* exception to suppress warnings that make
+ the build fail because of -Werror=maybe-uninitialized.
+
+ * runtime/Executable.cpp:
+ (JSC::FunctionExecutable::compileForCallInternal):
+ (JSC::FunctionExecutable::compileForConstructInternal):
+
+2013-04-02 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ get_by_pname can become confused when iterating over objects with static properties
+ https://bugs.webkit.org/show_bug.cgi?id=113831
+
+ Reviewed by Geoffrey Garen.
+
+ get_by_pname doesn't take static properties into account when using a JSPropertyNameIterator to directly
+ access an object's backing store. One way to fix this is to not cache any properties when iterating over
+ objects with static properties. This patch fixes the bug that was originally reported on swisscom.ch.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::getOwnNonIndexPropertyNames):
+ * runtime/JSPropertyNameIterator.cpp:
+ (JSC::JSPropertyNameIterator::create):
+ * runtime/PropertyNameArray.h:
+ (JSC::PropertyNameArray::PropertyNameArray):
+ (JSC::PropertyNameArray::numCacheableSlots):
+ (JSC::PropertyNameArray::setNumCacheableSlots):
+ (PropertyNameArray):
+
+2013-04-02 Geoffrey Garen <ggaren@apple.com>
+
+ DFG should compile a little sooner
+ https://bugs.webkit.org/show_bug.cgi?id=113835
+
+ Unreviewed.
+
+ Rolled out r147511 because it was based on incorrect performance
+ measurement.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::optimizationThresholdScalingFactor):
+
+2013-04-02 Geoffrey Garen <ggaren@apple.com>
+
+ DFG should compile a little sooner
+ https://bugs.webkit.org/show_bug.cgi?id=113835
+
+ Reviewed by Michael Saboff.
+
+ 2% speedup on SunSpider.
+
+ 2% speedup on JSRegress.
+
+ Neutral on Octane, v8, and Kraken.
+
+ The worst-hit single sub-test is kraken-stanford-crypto-ccm.js, which gets
+ 18% slower. Since Kraken is neutral overall in its preferred mean, I
+ think that's OK for now.
+
+ (Our array indexing speculation fails pathologically on
+ kraken-stanford-crypto-ccm.js. Compiling sooner is a regression because
+ it triggers those failures sooner. I'm going to file some follow-up bugs
+ explaining how to fix our speculations on this sub-test, at which point
+ compiling earlier should become a slight speedup on Kraken overall.)
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::optimizationThresholdScalingFactor): I experimented
+ with a few different options, including reducing the coefficient 'a'.
+ A simple linear reduction on instruction count worked best.
+
+2013-04-01 Benjamin Poulain <benjamin@webkit.org>
+
+ Use Vector::reserveInitialCapacity and Vector::uncheckedAppend for JSC's APIs
+ https://bugs.webkit.org/show_bug.cgi?id=113651
+
+ Reviewed by Andreas Kling.
+
+ This removes a bunch of branches on initialization and when
+ filling the vector.
+
+ * API/JSCallbackConstructor.cpp:
+ (JSC::constructJSCallback):
+ * API/JSCallbackFunction.cpp:
+ (JSC::JSCallbackFunction::call):
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::::construct):
+ (JSC::::call):
+ * API/JSObjectRef.cpp:
+ (JSObjectCopyPropertyNames):
+
+2013-04-01 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Fixing borked VS 2010 project file
+
+ Unreviewed bot greening.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+
+2013-04-01 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ One more Windows build fix
+
+ Unreviewed.
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-04-01 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ More build fallout fixes.
+
+ Unreviewed build fix.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Add new export symbols.
+ * heap/SuperRegion.cpp: Windows didn't like "LLU".
+
+2013-04-01 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ r147324 broke the world
+ https://bugs.webkit.org/show_bug.cgi?id=113704
+
+ Unreviewed build fix.
+
+ Remove a bunch of unused variables and use the correctly sized types for 32-bit platforms.
+
+ * heap/BlockAllocator.cpp:
+ (JSC::BlockAllocator::BlockAllocator):
+ * heap/BlockAllocator.h:
+ (BlockAllocator):
+ * heap/Heap.cpp:
+ (JSC::Heap::Heap):
+ * heap/SuperRegion.cpp:
+ (JSC::SuperRegion::SuperRegion):
+ * heap/SuperRegion.h:
+ (SuperRegion):
+
+2013-04-01 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ 32-bit Windows build fix
+
+ Unreviewed build fix.
+
+ * heap/SuperRegion.cpp:
+ * heap/SuperRegion.h: Use uint64_t instead of size_t.
+ (SuperRegion):
+
+2013-04-01 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ EFL build fix
+
+ Unreviewed build fix.
+
+ * CMakeLists.txt:
+
+2013-03-31 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Regions should be allocated from the same contiguous segment of virtual memory
+ https://bugs.webkit.org/show_bug.cgi?id=113662
+
+ Reviewed by Filip Pizlo.
+
+ Instead of letting the OS spread our Regions all over the place, we should allocate them all within
+ some range of each other. This change will open the door to some other optimizations, e.g. doing simple
+ range checks for our write barriers and compressing JSCell pointers to 32-bits.
+
+ Added new SuperRegion class that encapsulates allocating Regions from a contiguous reserved chunk of
+ virtual address space. It functions very similarly to the FixedVMPoolExecutableAllocator class used by the JIT.
+
+ Also added two new subclasses of Region, NormalRegion and ExcessRegion.
+
+ NormalRegion is the type of Region that is normally allocated when there is available space remaining
+ in the SuperRegion. If we ever run out of space in the SuperRegion, we fall back to allocating
+ ExcessRegions, which are identical to how Regions have behaved up until now, i.e. they contain a
+ PageAllocationAligned.
+
+ We only use the SuperRegion (and NormalRegions) on 64-bit systems, since it doesn't make sense to reserve the
+ entire 4 GB address space on 32-bit systems just for the JS heap.
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.gypi:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * heap/BlockAllocator.cpp:
+ (JSC::BlockAllocator::BlockAllocator):
+ * heap/BlockAllocator.h:
+ (JSC):
+ (BlockAllocator):
+ (JSC::BlockAllocator::allocate):
+ (JSC::BlockAllocator::allocateCustomSize):
+ (JSC::BlockAllocator::deallocateCustomSize):
+ * heap/Heap.cpp:
+ (JSC::Heap::Heap):
+ (JSC):
+ (JSC::Heap::didExceedFixedHeapSizeLimit):
+ * heap/Heap.h:
+ (Heap):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::create):
+ * heap/Region.h:
+ (Region):
+ (JSC):
+ (NormalRegion):
+ (JSC::NormalRegion::base):
+ (JSC::NormalRegion::size):
+ (ExcessRegion):
+ (JSC::ExcessRegion::base):
+ (JSC::ExcessRegion::size):
+ (JSC::NormalRegion::NormalRegion):
+ (JSC::NormalRegion::tryCreate):
+ (JSC::NormalRegion::tryCreateCustomSize):
+ (JSC::NormalRegion::reset):
+ (JSC::ExcessRegion::ExcessRegion):
+ (JSC::ExcessRegion::~ExcessRegion):
+ (JSC::ExcessRegion::create):
+ (JSC::ExcessRegion::createCustomSize):
+ (JSC::ExcessRegion::reset):
+ (JSC::Region::Region):
+ (JSC::Region::initializeBlockList):
+ (JSC::Region::create):
+ (JSC::Region::createCustomSize):
+ (JSC::Region::~Region):
+ (JSC::Region::destroy):
+ (JSC::Region::reset):
+ (JSC::Region::deallocate):
+ (JSC::Region::base):
+ (JSC::Region::size):
+ * heap/SuperRegion.cpp: Added.
+ (JSC):
+ (JSC::SuperRegion::SuperRegion):
+ (JSC::SuperRegion::getAlignedBase):
+ (JSC::SuperRegion::allocateNewSpace):
+ (JSC::SuperRegion::notifyNeedPage):
+ (JSC::SuperRegion::notifyPageIsFree):
+ * heap/SuperRegion.h: Added.
+ (JSC):
+ (SuperRegion):
+
+2013-04-01 Benjamin Poulain <benjamin@webkit.org>
+
+ Remove an unused variable from the ARMv7 Assembler
+ https://bugs.webkit.org/show_bug.cgi?id=113653
+
+ Reviewed by Andreas Kling.
+
+ * assembler/ARMv7Assembler.h:
+ (ARMv7Assembler):
+
+2013-03-31 Adam Barth <abarth@webkit.org>
+
+ [Chromium] Yarr should build using a separate GYP file from JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=113652
+
+ Reviewed by Nico Weber.
+
+ This patch moves JavaScriptCore.gyp to yarr.gyp because Chromium only
+ uses this GYP file to build yarr.
+
+ * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp:
+ * JavaScriptCore.gypi:
+ * yarr/yarr.gyp: Renamed from Source/JavaScriptCore/JavaScriptCore.gyp/JavaScriptCore.gyp.
+
+2013-03-31 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, fix a comment. While thinking about TBAA for array accesses,
+ I realized that we have to be super careful about aliasing of typed arrays.
+
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::getByValLoadElimination):
+
+2013-03-30 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Move Region into its own header
+ https://bugs.webkit.org/show_bug.cgi?id=113617
+
+ Reviewed by Geoffrey Garen.
+
+ BlockAllocator.h is getting a little crowded. We should move the Region class into its own
+ header, since it's pretty independent from the BlockAllocator.
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.gypi:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/BlockAllocator.h:
+ (JSC):
+ * heap/Region.h: Added.
+ (JSC):
+ (DeadBlock):
+ (JSC::DeadBlock::DeadBlock):
+ (Region):
+ (JSC::Region::blockSize):
+ (JSC::Region::isFull):
+ (JSC::Region::isEmpty):
+ (JSC::Region::isCustomSize):
+ (JSC::Region::create):
+ (JSC::Region::createCustomSize):
+ (JSC::Region::Region):
+ (JSC::Region::~Region):
+ (JSC::Region::reset):
+ (JSC::Region::allocate):
+ (JSC::Region::deallocate):
+
+2013-03-29 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Remove -[JSManagedValue managedValueWithValue:owner:]
+ https://bugs.webkit.org/show_bug.cgi?id=113602
+
+ Reviewed by Geoffrey Garen.
+
+ Since we put the primary way of keeping track of external object graphs (i.e. "managed" references)
+ in JSVirtualMachine, there is some overlap in the functionality of that interface and JSManagedValue.
+ Specifically, we no longer need the methods that include an owner, since ownership is now tracked
+ by JSVirtualMachine. These JSManagedValues will become weak pointers unless they are used
+ with [JSVirtualMachine addManagedReference:withOwner:], in which case their lifetime is tied to that
+ of their owner.
+
+ * API/JSManagedValue.h:
+ * API/JSManagedValue.mm:
+ (-[JSManagedValue init]):
+ (-[JSManagedValue initWithValue:]):
+ (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
+ * API/JSVirtualMachine.mm:
+ (getInternalObjcObject):
+ * API/tests/testapi.mm:
+ (-[TextXYZ setOnclick:]):
+ (-[TextXYZ dealloc]):
+
+2013-03-29 Geoffrey Garen <ggaren@apple.com>
+
+ Simplified bytecode generation by unforking "condition context" codegen
+ https://bugs.webkit.org/show_bug.cgi?id=113554
+
+ Reviewed by Mark Hahnenberg.
+
+ Now, a node that establishes a condition context can always ask its child
+ nodes to generate into that context.
+
+ This has a few advantages:
+
+ (*) Removes a bunch of code;
+
+ (*) Optimizes a few missed cases like "if (!(x < 2))", "if (!!x)", and
+ "if (!x || !y)";
+
+ (*) Paves the way to removing more opcodes.
+
+ * bytecode/Opcode.h:
+ (JSC): Separated out the branching opcodes for clarity.
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ExpressionNode::emitBytecodeInConditionContext): All expressions
+ can be emitted in a condition context now -- the default behavior is
+ to branch based on the expression's value.
+
+ (JSC::LogicalNotNode::emitBytecodeInConditionContext):
+ (JSC::LogicalOpNode::emitBytecodeInConditionContext):
+ (JSC::ConditionalNode::emitBytecode):
+ (JSC::IfNode::emitBytecode):
+ (JSC::IfElseNode::emitBytecode):
+ (JSC::DoWhileNode::emitBytecode):
+ (JSC::WhileNode::emitBytecode):
+ (JSC::ForNode::emitBytecode):
+ * parser/Nodes.h:
+ (JSC::ExpressionNode::isSubtract):
+ (ExpressionNode):
+ (LogicalNotNode):
+ (LogicalOpNode): Removed lots of code for handling expressions
+ that couldn't generate into a condition context because all expressions
+ can now.
+
+2013-03-28 Geoffrey Garen <ggaren@apple.com>
+
+ Simplified the bytecode by removing op_loop and op_loop_if_*
+ https://bugs.webkit.org/show_bug.cgi?id=113548
+
+ Reviewed by Filip Pizlo.
+
+ Regular jumps will suffice.
+
+ These opcodes are identical to branches, except they also do timeout
+ checking. That style of timeout checking has been broken for a long
+ time, and when we add back timeout checking, it won't use these opcodes.
+
+ * JavaScriptCore.order:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ * bytecode/Opcode.h:
+ (JSC):
+ (JSC::padOpcodeName):
+ * bytecode/PreciseJumpTargets.cpp:
+ (JSC::computePreciseJumpTargets):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitJump):
+ (JSC::BytecodeGenerator::emitJumpIfTrue):
+ (JSC::BytecodeGenerator::emitJumpIfFalse):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canCompileOpcode):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ (JIT):
+ (JSC):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2013-03-28 Geoffrey Garen <ggaren@apple.com>
+
+ Simplified the bytecode by removing op_jmp_scopes
+ https://bugs.webkit.org/show_bug.cgi?id=113545
+
+ Reviewed by Filip Pizlo.
+
+ We already have op_pop_scope and op_jmp, so we don't need op_jmp_scopes.
+ Using op_jmp_scopes was also adding a "jump to self" to codegen for
+ return statements, which was pretty silly.
+
+ * JavaScriptCore.order:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ * bytecode/Opcode.h:
+ (JSC::padOpcodeName):
+ * bytecode/PreciseJumpTargets.cpp:
+ (JSC::computePreciseJumpTargets):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitComplexPopScopes):
+ (JSC::BytecodeGenerator::emitPopScopes):
+ * bytecompiler/BytecodeGenerator.h:
+ (BytecodeGenerator):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ContinueNode::emitBytecode):
+ (JSC::BreakNode::emitBytecode):
+ (JSC::ReturnNode::emitBytecode):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * jit/JIT.h:
+ * jit/JITOpcodes.cpp:
+ * jit/JITOpcodes32_64.cpp:
+ * jit/JITStubs.cpp:
+ * jit/JITStubs.h:
+ * llint/LLIntSlowPaths.cpp:
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter.asm:
+
+2013-03-28 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Safari hangs during test262 run in CodeCache::pruneSlowCase
+ https://bugs.webkit.org/show_bug.cgi?id=113469
+
+ Reviewed by Geoffrey Garen.
+
+ We can end up hanging for quite some time if we add a lot of small keys to the CodeCache.
+ By the time we get around to pruning the cache, we have a potentially tens or hundreds of
+ thousands of small entries, which can cause a noticeable hang when pruning them.
+
+ To fix this issue we added a hard cap to the number of entries in the cache because we
+ could potentially have to remove every element in the map.
+
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCacheMap::pruneSlowCase): We need to prune until we're both under the hard cap and the
+ capacity in bytes.
+ * runtime/CodeCache.h:
+ (CodeCacheMap):
+ (JSC::CodeCacheMap::numberOfEntries): Convenience accessor function to the number of entries in
+ the map that does the cast to size_t of m_map.size() for us.
+ (JSC::CodeCacheMap::canPruneQuickly): Checks that the total number is under the hard cap. We put this
+ check inside a function to more accurately describe why we're doing the check and to abstract out
+ the actual calculation in case we want to coalesce calls to pruneSlowCase in the future.
+ (JSC::CodeCacheMap::prune): Check the number of entries against our hard cap. If it's greater than
+ the cap then we need to drop down to pruneSlowCase.
+
+2013-03-28 Zan Dobersek <zdobersek@igalia.com>
+
+ Unreviewed build fix for the EFL and GTK ports.
+
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCacheMap::pruneSlowCase): Pass a 0 casted to the int64_t type instead of 0LL
+ to the std::max call so the arguments' types match.
+
+2013-03-27 Geoffrey Garen <ggaren@apple.com>
+
+ Unreviewed build fix: Removed a dead field.
+
+ Pointed out by Mark Lam.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::ByteCodeParser):
+ (ByteCodeParser):
+
+2013-03-27 Geoffrey Garen <ggaren@apple.com>
+
+ Unreviewed build fix: Removed a dead field.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::ByteCodeParser):
+ (ByteCodeParser):
+
+2013-03-27 Geoffrey Garen <ggaren@apple.com>
+
+ Removed some dead code in the DFG bytecode parser
+ https://bugs.webkit.org/show_bug.cgi?id=113472
+
+ Reviewed by Sam Weinig.
+
+ Now that Phi creation and liveness analysis are separate passes, we can
+ remove the vestiges of code that used to do that in the bytecode
+ parser.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::addToGraph):
+ (JSC::DFG::ByteCodeParser::parse):
+
+2013-03-27 Filip Pizlo <fpizlo@apple.com>
+
+ JIT and DFG should NaN-check loads from Float32 arrays
+ https://bugs.webkit.org/show_bug.cgi?id=113462
+ <rdar://problem/13490804>
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+
+2013-03-27 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ CodeCache::m_capacity can becoming negative, producing undefined results in pruneSlowCase
+ https://bugs.webkit.org/show_bug.cgi?id=113453
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCacheMap::pruneSlowCase): We make sure that m_minCapacity doesn't drop below zero now.
+ This prevents m_capacity from doing the same.
+
+2013-03-27 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should use CheckStructure for typed array checks whenever possible
+ https://bugs.webkit.org/show_bug.cgi?id=113374
+
+ Reviewed by Geoffrey Garen.
+
+ We used to do the right thing, but it appears that this regressed at some point. Since the
+ FixupPhase now has the ability to outright remove spurious CheckStructures on array
+ operations, it is profitable for the ByteCodeParser to insert CheckStructures whenver there
+ is a chance that it might be profitable, and when the profiling tells us what structure to
+ check.
+
+ Also added some code for doing ArrayProfile debugging.
+
+ This is a slightly speed-up. Maybe 3% on Mandreel.
+
+ * bytecode/ArrayProfile.cpp:
+ (JSC::ArrayProfile::computeUpdatedPrediction):
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::benefitsFromStructureCheck):
+
+2013-03-27 Zeno Albisser <zeno@webkit.org>
+
+ [Qt] Remove Qt specific WorkQueueItem definitions.
+ https://bugs.webkit.org/show_bug.cgi?id=112891
+
+ This patch is preparation work for removing
+ WorkQueue related code from TestRunnerQt and
+ replacing it with generic TestRunner code.
+
+ Reviewed by Benjamin Poulain.
+
+ * API/JSStringRefQt.cpp:
+ (JSStringCreateWithQString):
+ Adding a convenience function to create a
+ JSStringRef from a QString.
+ * API/JSStringRefQt.h:
+
+2013-03-26 Filip Pizlo <fpizlo@apple.com>
+
+ REGRESSION: Sometimes, operations on proven strings ignore changes to the string prototype
+ https://bugs.webkit.org/show_bug.cgi?id=113353
+ <rdar://problem/13510778>
+
+ Reviewed by Mark Hahnenberg and Geoffrey Garen.
+
+ ToString should call speculateStringObject() even if you know that it's a string object, since
+ it calls it to also get the watchpoint. Note that even with this change, if you do
+ Phantom(Check:StringObject:@a), it might get eliminated just because we proved that @a is a
+ string object (thereby eliminating the prototype watchpoint); that's fine since ToString is
+ MustGenerate and never decays to Phantom.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
+ (JSC::DFG::SpeculativeJIT::speculateStringObject):
+ (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
+
+2013-03-26 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ REGRESSION(r144131): It made fast/js/regress/string-repeat-arith.html assert on 32 bit
+ https://bugs.webkit.org/show_bug.cgi?id=112106
+
+ Rubber stamped by Filip Pizlo.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32): Get rid of the case for constants because
+ we would have done constant folding anyways on a ValueToInt32.
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): Fixed a random compile error with this flag enabled.
+
+2013-03-26 Filip Pizlo <fpizlo@apple.com>
+
+ JSC_enableProfiler=true should also cause JSGlobalData to save the profiler output somewhere
+ https://bugs.webkit.org/show_bug.cgi?id=113144
+
+ Reviewed by Geoffrey Garen.
+
+ Forgot to include Geoff's requested change in the original commit.
+
+ * profiler/ProfilerDatabase.cpp:
+ (Profiler):
+
+2013-03-25 Filip Pizlo <fpizlo@apple.com>
+
+ JSC_enableProfiler=true should also cause JSGlobalData to save the profiler output somewhere
+ https://bugs.webkit.org/show_bug.cgi?id=113144
+
+ Reviewed by Geoffrey Garen.
+
+ Added the ability to save profiler output with JSC_enableProfiler=true. It will save it
+ to the current directory, or JSC_PROFILER_PATH if the latter was specified.
+
+ This works by saving the Profiler::Database either when it is destroyed or atexit(),
+ whichever happens first.
+
+ This allows use of the profiler from any WebKit client.
+
+ * jsc.cpp:
+ (jscmain):
+ * profiler/ProfilerDatabase.cpp:
+ (Profiler):
+ (JSC::Profiler::Database::Database):
+ (JSC::Profiler::Database::~Database):
+ (JSC::Profiler::Database::registerToSaveAtExit):
+ (JSC::Profiler::Database::addDatabaseToAtExit):
+ (JSC::Profiler::Database::removeDatabaseFromAtExit):
+ (JSC::Profiler::Database::performAtExitSave):
+ (JSC::Profiler::Database::removeFirstAtExitDatabase):
+ (JSC::Profiler::Database::atExitCallback):
+ * profiler/ProfilerDatabase.h:
+ (JSC::Profiler::Database::databaseID):
+ (Database):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+
+2013-03-25 Filip Pizlo <fpizlo@apple.com>
+
+ ArrayMode should not consider SpecOther when refining the base
+ https://bugs.webkit.org/show_bug.cgi?id=113271
+
+ Reviewed by Geoffrey Garen.
+
+ 9% speed-up on Octane/pdfjs.
+
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::refine):
+
+2013-03-26 Csaba Osztrogonác <ossy@webkit.org>
+
+ Fix unused parameter warnings in JITInlines.h
+ https://bugs.webkit.org/show_bug.cgi?id=112560
+
+ Reviewed by Zoltan Herczeg.
+
+ * jit/JITInlines.h:
+ (JSC::JIT::beginUninterruptedSequence):
+ (JSC::JIT::endUninterruptedSequence):
+ (JSC):
+
+2013-03-25 Kent Tamura <tkent@chromium.org>
+
+ Rename ENABLE_INPUT_TYPE_DATETIME
+ https://bugs.webkit.org/show_bug.cgi?id=113254
+
+ Reviewed by Kentaro Hara.
+
+ Rename ENABLE_INPUT_TYPE_DATETIME to ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE.
+ Actually I'd like to remove the code, but we shouldn't remove it yet
+ because we shipped products with it on some platforms.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-03-25 Mark Lam <mark.lam@apple.com>
+
+ Offlineasm cloop backend compiles op+branch incorrectly.
+ https://bugs.webkit.org/show_bug.cgi?id=113146.
+
+ Reviewed by Geoffrey Garen.
+
+ * dfg/DFGRepatch.h:
+ (JSC::DFG::dfgResetGetByID):
+ (JSC::DFG::dfgResetPutByID):
+ - These functions never return when the DFG is dsiabled, not just when
+ asserts are enabled. Changing the attribute from NO_RETURN_DUE_TO_ASSERT
+ to NO_RETURN.
+ * llint/LLIntOfflineAsmConfig.h:
+ - Added some #defines needed to get the cloop building again.
+ * offlineasm/cloop.rb:
+ - Fix cloopEmitOpAndBranchIfOverflow() and cloopEmitOpAndBranch() to
+ emit code that unconditionally executes the specified operation before
+ doing the conditional branch.
+
+2013-03-25 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ JSObject::enterDictionaryIndexingMode doesn't have a case for ALL_BLANK_INDEXING_TYPES
+ https://bugs.webkit.org/show_bug.cgi?id=113236
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::enterDictionaryIndexingMode): We forgot blank indexing types.
+
+2013-03-23 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ HandleSet should use HeapBlocks for storing handles
+ https://bugs.webkit.org/show_bug.cgi?id=113145
+
+ Reviewed by Geoffrey Garen.
+
+ * GNUmakefile.list.am: Build project changes.
+ * JavaScriptCore.gypi: Ditto.
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Ditto.
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Ditto.
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
+ * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
+ * heap/BlockAllocator.cpp: Rename the RegionSet to m_fourKBBlockRegionSet because there are
+ too many block types to include them all in the name now.
+ (JSC::BlockAllocator::BlockAllocator):
+ * heap/BlockAllocator.h:
+ (BlockAllocator): Add the appropriate override for regionSetFor.
+ (JSC::WeakBlock):
+ (JSC::MarkStackSegment):
+ (JSC::HandleBlock):
+ * heap/HandleBlock.h: Added.
+ (HandleBlock): New class for HandleBlocks.
+ (JSC::HandleBlock::blockFor): Static method to get the block of the given HandleNode pointer. Allows
+ us to quickly figure out which HandleSet the HandleNode belongs to without storing the pointer to it
+ in the HandleNode.
+ (JSC::HandleBlock::handleSet): Getter.
+ * heap/HandleBlockInlines.h: Added.
+ (JSC::HandleBlock::create):
+ (JSC::HandleBlock::HandleBlock):
+ (JSC::HandleBlock::payloadEnd):
+ (JSC::HandleBlock::payload):
+ (JSC::HandleBlock::nodes):
+ (JSC::HandleBlock::nodeAtIndex):
+ (JSC::HandleBlock::nodeCapacity):
+ * heap/HandleSet.cpp:
+ (JSC::HandleSet::~HandleSet):
+ (JSC::HandleSet::grow):
+ * heap/HandleSet.h:
+ (HandleNode): Move the internal Node class from HandleSet to be its own public class so it can be
+ used by HandleBlock.
+ (HandleSet): Add a typedef so that Node refers to the new HandleNode class.
+ (JSC::HandleSet::toHandle):
+ (JSC::HandleSet::toNode):
+ (JSC::HandleSet::allocate):
+ (JSC::HandleSet::deallocate):
+ (JSC::HandleNode::HandleNode):
+ (JSC::HandleNode::slot):
+ (JSC::HandleNode::handleSet): Use the new blockFor static function to get the right HandleBlock and lookup
+ the HandleSet.
+ (JSC::HandleNode::setPrev):
+ (JSC::HandleNode::prev):
+ (JSC::HandleNode::setNext):
+ (JSC::HandleNode::next):
+ (JSC::HandleSet::forEachStrongHandle):
+ * heap/Heap.h: Friend HandleSet so that it can access the BlockAllocator when allocating HandleBlocks.
+
+2013-03-22 David Kilzer <ddkilzer@apple.com>
+
+ BUILD FIX (r145119): Make JSValue* properties default to (assign)
+ <rdar://problem/13380794>
+
+ Reviewed by Mark Hahnenberg.
+
+ Fixes the following build failures:
+
+ Source/JavaScriptCore/API/tests/testapi.mm:106:1: error: no 'assign', 'retain', or 'copy' attribute is specified - 'assign' is assumed [-Werror,-Wobjc-property-no-attribute]
+ @property JSValue *onclick;
+ ^
+ Source/JavaScriptCore/API/tests/testapi.mm:106:1: error: default property attrib ute 'assign' not appropriate for non-GC object [-Werror,-Wobjc-property-no-attribute]
+ Source/JavaScriptCore/API/tests/testapi.mm:107:1: error: no 'assign', 'retain', or 'copy' attribute is specified - 'assign' is assumed [-Werror,-Wobjc-property-no-attribute]
+ @property JSValue *weakOnclick;
+ ^
+ Source/JavaScriptCore/API/tests/testapi.mm:107:1: error: default property attribute 'assign' not appropriate for non-GC object [-Werror,-Wobjc-property-no-attribute]
+ 4 errors generated.
+
+ * API/tests/testapi.mm: Default to (assign) for JSValue*
+ properties.
+
+2013-03-22 Ryosuke Niwa <rniwa@webkit.org>
+
+ testLeakingPrototypesAcrossContexts added in r146682 doesn't compile on Win and fails on Mac
+ https://bugs.webkit.org/show_bug.cgi?id=113125
+
+ Reviewed by Mark Hahnenberg
+
+ Remove the test added in r146682 as it's now failing on Mac.
+ This is the test that was causing a compilation failure on Windows.
+
+ * API/tests/testapi.c:
+ (main):
+
+2013-03-22 Ryosuke Niwa <rniwa@webkit.org>
+
+ Fix the typo: WIN -> WINDOWS.
+
+ * API/tests/testapi.c:
+ (main):
+
+2013-03-22 Ryosuke Niwa <rniwa@webkit.org>
+
+ I really can't figure out what's wrong with this one.
+ Temporarily disable the test added by r146682 on Windows since it doesn't compile.
+
+ * API/tests/testapi.c:
+ (main):
+
+2013-03-22 Ryosuke Niwa <rniwa@webkit.org>
+
+ Another build fix (after r146693) for r146682.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-03-22 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. AppleWin build fix.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
+ * JavaScriptCore.vcxproj/copy-files.cmd:
+
+2013-03-22 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ -[TinyDOMNode dealloc] should call [super dealloc] when ARC is not enabled
+ https://bugs.webkit.org/show_bug.cgi?id=113054
+
+ Reviewed by Geoffrey Garen.
+
+ * API/tests/testapi.mm:
+ (-[TinyDOMNode dealloc]):
+
+2013-03-22 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ opaqueJSClassData should be cached on JSGlobalObject, not the JSGlobalData
+ https://bugs.webkit.org/show_bug.cgi?id=113086
+
+ Reviewed by Geoffrey Garen.
+
+ opaqueJSClassData stores cached prototypes for JSClassRefs in the C API. It doesn't make sense to
+ share these prototypes within a JSGlobalData across JSGlobalObjects, and in fact doing so will cause
+ a leak of the original JSGlobalObject that these prototypes were created in. Therefore we should move
+ this cache to JSGlobalObject where it belongs and where it won't cause memory leaks.
+
+ * API/JSBase.cpp: Needed to add an extern "C" so that testapi.c can use the super secret GC function.
+ * API/JSClassRef.cpp: We now grab the cached context data from the global object rather than the global data.
+ (OpaqueJSClass::contextData):
+ * API/JSClassRef.h: Remove this header because it's unnecessary and causes circular dependencies.
+ * API/tests/testapi.c: Added a new test that makes sure that using the same JSClassRef in two different contexts
+ doesn't cause leaks of the original global object.
+ (leakFinalize):
+ (nestedAllocateObject): This is a hack to bypass the conservative scan of the GC, which was unnecessarily marking
+ objects and keeping them alive, ruining the test result.
+ (testLeakingPrototypesAcrossContexts):
+ (main):
+ * API/tests/testapi.mm: extern "C" this so we can continue using it here.
+ * runtime/JSGlobalData.cpp: Remove JSClassRef related stuff.
+ (JSC::JSGlobalData::~JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ * runtime/JSGlobalObject.h: Add the stuff that JSGlobalData had. We add it to JSGlobalObjectRareData so that
+ clients who don't use the C API don't have to pay the memory cost of this extra HashMap.
+ (JSGlobalObject):
+ (JSGlobalObjectRareData):
+ (JSC::JSGlobalObject::opaqueJSClassData):
+
+2013-03-19 Martin Robinson <mrobinson@igalia.com>
+
+ [GTK] Add support for building the WebCore bindings to the gyp build
+ https://bugs.webkit.org/show_bug.cgi?id=112638
+
+ Reviewed by Nico Weber.
+
+ * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Export all include directories to direct
+ dependents and fix the indentation of the libjavascriptcore target.
+
+2013-03-21 Filip Pizlo <fpizlo@apple.com>
+
+ Fix some minor issues in the DFG's profiling of heap accesses
+ https://bugs.webkit.org/show_bug.cgi?id=113010
+
+ Reviewed by Goeffrey Garen.
+
+ 1) If a CodeBlock gets jettisoned by GC, we should count the exit sites.
+
+ 2) If a CodeBlock clears a structure stub during GC, it should record this, and
+ the DFG should prefer to not inline that access (i.e. treat it as if it had an
+ exit site).
+
+ 3) If a PutById was seen by the baseline JIT, and the JIT attempted to cache it,
+ but it chose not to, then assume that it will take slow path.
+
+ 4) If we frequently exited because of a structure check on a weak constant,
+ don't try to inline that access in the future.
+
+ 5) Treat all exits that were counted as being frequent.
+
+ 81% speed-up on Octane/gbemu. Small speed-ups elsewhere, and no regressions.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC):
+ (JSC::CodeBlock::resetStubDuringGCInternal):
+ (JSC::CodeBlock::reoptimize):
+ (JSC::CodeBlock::jettison):
+ (JSC::ProgramCodeBlock::jettisonImpl):
+ (JSC::EvalCodeBlock::jettisonImpl):
+ (JSC::FunctionCodeBlock::jettisonImpl):
+ (JSC::CodeBlock::tallyFrequentExitSites):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ (JSC::CodeBlock::tallyFrequentExitSites):
+ (ProgramCodeBlock):
+ (EvalCodeBlock):
+ (FunctionCodeBlock):
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeFor):
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeFor):
+ * bytecode/StructureStubInfo.h:
+ (JSC::StructureStubInfo::StructureStubInfo):
+ (StructureStubInfo):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
+ * dfg/DFGOSRExit.h:
+ (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
+ (OSRExit):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ * runtime/Options.h:
+ (JSC):
+
+2013-03-22 Filip Pizlo <fpizlo@apple.com>
+
+ DFG folding of PutById to SimpleReplace should consider the specialized function case
+ https://bugs.webkit.org/show_bug.cgi?id=113093
+
+ Reviewed by Geoffrey Garen and Mark Hahnenberg.
+
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeFor):
+
+2013-03-22 David Kilzer <ddkilzer@apple.com>
+
+ BUILD FIX (r146558): Build testapi.mm with ARC enabled for armv7s
+ <http://webkit.org/b/112608>
+
+ Fixes the following build failure:
+
+ Source/JavaScriptCore/API/tests/testapi.mm:205:1: error: method possibly missing a [super dealloc] call [-Werror,-Wobjc-missing-super-calls]
+ }
+ ^
+ 1 error generated.
+
+ * Configurations/ToolExecutable.xcconfig: Enable ARC for armv7s
+ architecture.
+
+2013-03-22 David Kilzer <ddkilzer@apple.com>
+
+ Revert "BUILD FIX (r146558): Call [super dealloc] from -[TinyDOMNode dealloc]"
+
+ This fixes a build failure introduced by this change:
+
+ Source/JavaScriptCore/API/tests/testapi.mm:206:6: error: ARC forbids explicit message send of 'dealloc'
+ [super dealloc];
+ ^ ~~~~~~~
+ 1 error generated.
+
+ Not sure why this didn't fail locally on my Mac Pro.
+
+ * API/tests/testapi.mm:
+ (-[TinyDOMNode dealloc]): Remove call to [super dealloc].
+
+2013-03-22 David Kilzer <ddkilzer@apple.com>
+
+ BUILD FIX (r146558): Call [super dealloc] from -[TinyDOMNode dealloc]
+ <http://webkit.org/b/112608>
+
+ Fixes the following build failure:
+
+ Source/JavaScriptCore/API/tests/testapi.mm:205:1: error: method possibly missing a [super dealloc] call [-Werror,-Wobjc-missing-super-calls]
+ }
+ ^
+ 1 error generated.
+
+ * API/tests/testapi.mm:
+ (-[TinyDOMNode dealloc]): Call [super dealloc].
+
+2013-03-22 Ryosuke Niwa <rniwa@webkit.org>
+
+ Leak bots erroneously report JSC::WatchpointSet as leaking
+ https://bugs.webkit.org/show_bug.cgi?id=107781
+
+ Reviewed by Filip Pizlo.
+
+ Since leaks doesn't support tagged pointers, avoid using it by flipping the bit flag to indicate
+ the entry is "fat". We set the flag when the entry is NOT fat; i.e. slim.
+
+ Replaced FatFlag by SlimFlag and initialized m_bits with this flag to indicate that the entry is
+ initially "slim".
+
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTableEntry::copySlow): Don't set FatFlag since it has been replaced by SlimFlag.
+ (JSC::SymbolTableEntry::inflateSlow): Ditto.
+
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTableEntry::Fast::Fast): Set SlimFlag by default.
+ (JSC::SymbolTableEntry::Fast::isNull): Ignore SlimFlag.
+ (JSC::SymbolTableEntry::Fast::isFat): An entry is fat when m_bits is not entirely zero and SlimFlag
+ is not set.
+
+ (JSC::SymbolTableEntry::SymbolTableEntry): Set SlimFlag by default.
+ (JSC::SymbolTableEntry::SymbolTableEntry::getFast): Set SlimFlag when creating Fast from a fat entry.
+ (JSC::SymbolTableEntry::isNull): Ignore SlimFlag.
+ (JSC::SymbolTableEntry::FatEntry::FatEntry): Strip SlimFlag.
+ (JSC::SymbolTableEntry::isFat): An entry is fat when m_bits is not entirely zero and SlimFlag is unset.
+ (JSC::SymbolTableEntry::fatEntry): Don't strip FatFlag as this flag doesn't exist anymore.
+ (JSC::SymbolTableEntry::pack): Preserve SlimFlag.
+
+ (JSC::SymbolTableIndexHashTraits): empty value is no longer zero so don't set emptyValueIsZero true.
+
+2013-03-21 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Need a good way to preserve custom properties on JS wrappers
+ https://bugs.webkit.org/show_bug.cgi?id=112608
+
+ Reviewed by Geoffrey Garen.
+
+ Currently, we just use a weak map, which means that garbage collection can cause a wrapper to
+ disappear if it isn't directly exported to JavaScript.
+
+ The most straightforward and safe way (with respect to garbage collection and concurrency) is to have
+ clients add and remove their external references along with their owners. Effectively, the client is
+ recording the structure of the external object graph so that the garbage collector can make sure to
+ mark any wrappers that are reachable through either the JS object graph of the external Obj-C object
+ graph. By keeping these wrappers alive, this has the effect that custom properties on these wrappers
+ will also remain alive.
+
+ The rule for if an object needs to be tracked by the runtime (and therefore whether the client should report it) is as follows:
+ For a particular object, its references to its children should be added if:
+ 1. The child is referenced from JavaScript.
+ 2. The child contains references to other objects for which (1) or (2) are true.
+
+ * API/JSAPIWrapperObject.mm:
+ (JSAPIWrapperObjectHandleOwner::finalize):
+ (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots): A wrapper object is kept alive only if its JSGlobalObject
+ is marked and its corresponding Objective-C object was added to the set of opaque roots.
+ (JSC::JSAPIWrapperObject::visitChildren): We now call out to scanExternalObjectGraph, which handles adding all Objective-C
+ objects to the set of opaque roots.
+ * API/JSAPIWrapperObject.h:
+ (JSAPIWrapperObject):
+ * API/JSContext.mm: Moved dealloc to its proper place in the main implementation.
+ (-[JSContext dealloc]):
+ * API/JSVirtualMachine.h:
+ * API/JSVirtualMachine.mm:
+ (-[JSVirtualMachine initWithContextGroupRef:]):
+ (-[JSVirtualMachine dealloc]):
+ (getInternalObjcObject): Helper funciton to get the Objective-C object out of JSManagedValues or JSValues if there is one.
+ (-[JSVirtualMachine addManagedReference:withOwner:]): Adds the Objective-C object to the set of objects
+ owned by the owner object in that particular virtual machine.
+ (-[JSVirtualMachine removeManagedReference:withOwner:]): Removes the relationship between the two objects.
+ (-[JSVirtualMachine externalObjectGraph]):
+ (scanExternalObjectGraph): Does a depth-first search of the external object graph in a particular virtual machine starting at
+ the specified root. Each new object it encounters it adds to the set of opaque roots. These opaque roots will keep their
+ corresponding wrapper objects alive if they have them.
+ * API/JSManagedReferenceInternal.h: Added.
+ * API/JSVirtualMachine.mm: Added the per-JSVirtualMachine map between objects and the objects they own, which is more formally
+ known as that virtual machine's external object graph.
+ * API/JSWrapperMap.mm:
+ (-[JSWrapperMap dealloc]): We were leaking this before :-(
+ (-[JSVirtualMachine initWithContextGroupRef:]):
+ (-[JSVirtualMachine dealloc]):
+ (-[JSVirtualMachine externalObjectGraph]):
+ * API/JSVirtualMachineInternal.h:
+ * API/tests/testapi.mm: Added two new tests using the TinyDOMNode class. The first tests that a custom property added to a wrapper
+ doesn't vanish after GC, even though that wrapper isn't directly accessible to the JS garbage collector but is accessible through
+ the external Objective-C object graph. The second test makes sure that adding an object to the external object graph with the same
+ owner doesn't cause any sort of problems.
+ (+[TinyDOMNode sharedVirtualMachine]):
+ (-[TinyDOMNode init]):
+ (-[TinyDOMNode dealloc]):
+ (-[TinyDOMNode appendChild:]):
+ (-[TinyDOMNode numberOfChildren]):
+ (-[TinyDOMNode childAtIndex:]):
+ (-[TinyDOMNode removeChildAtIndex:]):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/SlotVisitor.h:
+ (SlotVisitor):
+ * heap/SlotVisitorInlines.h:
+ (JSC::SlotVisitor::containsOpaqueRootTriState): Added a new method to SlotVisitor to allow scanExternalObjectGraph to have a
+ thread-safe view of opaque roots during parallel marking. The set of opaque roots available to any one SlotVisitor isn't guaranteed
+ to be 100% correct, but that just results in a small duplication of work in scanExternalObjectGraph. To indicate this change for
+ false negatives we return a TriState that's either true or mixed, but never false.
+
+2013-03-21 Mark Lam <mark.lam@apple.com>
+
+ Fix O(n^2) op_debug bytecode charPosition to column computation.
+ https://bugs.webkit.org/show_bug.cgi?id=112957.
+
+ Reviewed by Geoffrey Garen.
+
+ The previous algorithm does a linear reverse scan of the source string
+ to find the line start for any given char position. This results in a
+ O(n^2) algortithm when the source string has no line breaks.
+
+ The new algorithm computes a line start column table for a
+ SourceProvider on first use. This line start table is used to fix up
+ op_debug's charPosition operand into a column operand when an
+ UnlinkedCodeBlock is linked into a CodeBlock. The initialization of
+ the line start table is O(n), and the CodeBlock column fix up is
+ O(log(n)).
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock): - do column fix up.
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::debug): - no need to do column fixup anymore.
+ * interpreter/Interpreter.h:
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * parser/SourceProvider.cpp:
+ (JSC::SourceProvider::lineStarts):
+ (JSC::charPositionExtractor):
+ (JSC::SourceProvider::charPositionToColumnNumber):
+ - initialize line start column table if needed.
+ - look up line start for the given char position.
+ * parser/SourceProvider.h:
+
+2013-03-21 Filip Pizlo <fpizlo@apple.com>
+
+ JSC profiler should have an at-a-glance report of the success of DFG optimization
+ https://bugs.webkit.org/show_bug.cgi?id=112988
+
+ Reviewed by Geoffrey Garen.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * profiler/ProfilerCompilation.cpp:
+ (JSC::Profiler::Compilation::Compilation):
+ (JSC::Profiler::Compilation::toJS):
+ * profiler/ProfilerCompilation.h:
+ (JSC::Profiler::Compilation::noticeInlinedGetById):
+ (JSC::Profiler::Compilation::noticeInlinedPutById):
+ (JSC::Profiler::Compilation::noticeInlinedCall):
+ (Compilation):
+ * runtime/CommonIdentifiers.h:
+
+2013-03-21 Mark Lam <mark.lam@apple.com>
+
+ Fix lexer charPosition computation when "rewind"ing the lexer.
+ https://bugs.webkit.org/show_bug.cgi?id=112952.
+
+ Reviewed by Michael Saboff.
+
+ Changed the Lexer to no longer keep a m_charPosition. Instead, we compute
+ currentCharPosition() from m_code and m_codeStartPlusOffset, where
+ m_codeStartPlusOffset is the SourceProvider m_codeStart + the SourceCode
+ start offset. This ensures that the charPosition is always in sync with
+ m_code.
+
+ * parser/Lexer.cpp:
+ (JSC::::setCode):
+ (JSC::::internalShift):
+ (JSC::::shift):
+ (JSC::::lex):
+ * parser/Lexer.h:
+ (JSC::Lexer::currentCharPosition):
+ (JSC::::lexExpectIdentifier):
+
+2013-03-21 Alberto Garcia <agarcia@igalia.com>
+
+ [BlackBerry] GCActivityCallback: replace JSLock with JSLockHolder
+ https://bugs.webkit.org/show_bug.cgi?id=112448
+
+ Reviewed by Xan Lopez.
+
+ This changed in r121381.
+
+ * runtime/GCActivityCallbackBlackBerry.cpp:
+ (JSC::DefaultGCActivityCallback::doWork):
+
+2013-03-21 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: wrapperClass holds a static JSClassRef, which causes JSGlobalObjects to leak
+ https://bugs.webkit.org/show_bug.cgi?id=112856
+
+ Reviewed by Geoffrey Garen.
+
+ Through a very convoluted path that involves the caching of prototypes on the JSClassRef, we can leak
+ JSGlobalObjects when inserting an Objective-C object into multiple independent JSContexts.
+
+ * API/JSAPIWrapperObject.cpp: Removed.
+ * API/JSAPIWrapperObject.h:
+ (JSAPIWrapperObject):
+ * API/JSAPIWrapperObject.mm: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.cpp. Made this an
+ Objective-C++ file so that we can call release on the wrappedObject. Also added a WeakHandleOwner for
+ JSAPIWrapperObjects. This will also be used in a future patch for https://bugs.webkit.org/show_bug.cgi?id=112608.
+ (JSAPIWrapperObjectHandleOwner):
+ (jsAPIWrapperObjectHandleOwner):
+ (JSAPIWrapperObjectHandleOwner::finalize): This finalize replaces the old finalize that was done through
+ the C API.
+ (JSC::JSAPIWrapperObject::finishCreation): Allocate the WeakImpl. Balanced in finalize.
+ (JSC::JSAPIWrapperObject::setWrappedObject): We now do the retain of the wrappedObject here rather than in random
+ places scattered around JSWrapperMap.mm
+ * API/JSObjectRef.cpp: Added some ifdefs for platforms that don't support the Obj-C API.
+ (JSObjectGetPrivate): Ditto.
+ (JSObjectSetPrivate): Ditto.
+ (JSObjectGetPrivateProperty): Ditto.
+ (JSObjectSetPrivateProperty): Ditto.
+ (JSObjectDeletePrivateProperty): Ditto.
+ * API/JSValueRef.cpp: Ditto.
+ (JSValueIsObjectOfClass): Ditto.
+ * API/JSWrapperMap.mm: Remove wrapperClass().
+ (objectWithCustomBrand): Change to no longer use a parent class, which was only used to give the ability to
+ finalize wrapper objects.
+ (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Change to no longer use wrapperClass().
+ (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Ditto.
+ (tryUnwrapObjcObject): We now check if the object inherits from JSAPIWrapperObject.
+ * API/tests/testapi.mm: Added a test that exports an Objective-C object to two different JSContexts and makes
+ sure that the first one is collected properly by using a weak JSManagedValue for the wrapper in the first JSContext.
+ * CMakeLists.txt: Build file modifications.
+ * GNUmakefile.list.am: Ditto.
+ * JavaScriptCore.gypi: Ditto.
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Ditto.
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Ditto.
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
+ * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
+ * runtime/JSGlobalObject.cpp: More ifdefs for unsupported platforms.
+ (JSC::JSGlobalObject::reset): Ditto.
+ (JSC::JSGlobalObject::visitChildren): Ditto.
+ * runtime/JSGlobalObject.h: Ditto.
+ (JSGlobalObject): Ditto.
+ (JSC::JSGlobalObject::objcCallbackFunctionStructure): Ditto.
+
+2013-03-21 Anton Muhin <antonm@chromium.org>
+
+ Unreviewed, rolling out r146483.
+ http://trac.webkit.org/changeset/146483
+ https://bugs.webkit.org/show_bug.cgi?id=111695
+
+ Breaks debug builds.
+
+ * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.
+
+2013-03-21 Gabor Rapcsanyi <rgabor@webkit.org>
+
+ Implement LLInt for CPU(ARM_TRADITIONAL)
+ https://bugs.webkit.org/show_bug.cgi?id=97589
+
+ Reviewed by Zoltan Herczeg.
+
+ Enable LLInt for ARMv5 and ARMv7 traditional as well.
+
+ * llint/LLIntOfflineAsmConfig.h:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * offlineasm/arm.rb:
+ * offlineasm/backends.rb:
+ * offlineasm/instructions.rb:
+
+2013-03-20 Cosmin Truta <ctruta@blackberry.com>
+
+ [QNX][ARM] REGRESSION(r135330): Various failures in Octane
+ https://bugs.webkit.org/show_bug.cgi?id=112863
+
+ Reviewed by Yong Li.
+
+ This was fixed in http://trac.webkit.org/changeset/146396 on Linux only.
+ Enable this fix on QNX.
+
+ * assembler/ARMv7Assembler.h:
+ (ARMv7Assembler):
+ (JSC::ARMv7Assembler::replaceWithJump):
+ (JSC::ARMv7Assembler::maxJumpReplacementSize):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
+
+2013-03-20 Filip Pizlo <fpizlo@apple.com>
+
+ Fix indentation of JSString.h
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * runtime/JSString.h:
+
+2013-03-20 Filip Pizlo <fpizlo@apple.com>
+
+ "" + x where x is not a string should be optimized by the DFG to some manner of ToString conversion
+ https://bugs.webkit.org/show_bug.cgi?id=112845
+
+ Reviewed by Mark Hahnenberg.
+
+ I like to do "" + x. So I decided to make DFG recognize it, and related idioms.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupToPrimitive):
+ (FixupPhase):
+ (JSC::DFG::FixupPhase::fixupToString):
+ (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::resultOfToPrimitive):
+ (DFG):
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGPredictionPropagationPhase.h:
+ (DFG):
+
+2013-03-20 Zoltan Herczeg <zherczeg@webkit.org>
+
+ ARMv7 replaceWithJump ASSERT failure after r135330.
+ https://bugs.webkit.org/show_bug.cgi?id=103146
+
+ Reviewed by Filip Pizlo.
+
+ On Linux, the 24 bit distance range of jumps sometimes does not
+ enough to cover all targets addresses. This patch supports jumps
+ outside of this range using a mov/movt/bx 10 byte long sequence.
+
+ * assembler/ARMv7Assembler.h:
+ (ARMv7Assembler):
+ (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2):
+ (JSC::ARMv7Assembler::nopw):
+ (JSC::ARMv7Assembler::label):
+ (JSC::ARMv7Assembler::replaceWithJump):
+ (JSC::ARMv7Assembler::maxJumpReplacementSize):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
+
+2013-03-20 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Fix over-releasing in allocateConstructorAndPrototypeWithSuperClassInfo:
+ https://bugs.webkit.org/show_bug.cgi?id=112832
+
+ Reviewed by Geoffrey Garen.
+
+ If either the m_constructor or m_prototype (but not both) is collected, we will call
+ allocateConstructorAndPrototypeWithSuperClassInfo, which will create a new object to replace the one
+ that was collected, but at the end of the method we call release on both of them.
+ This is incorrect since we autorelease the JSValue in the case that the object doesn't need to be
+ reallocated. Thus we'll end up overreleasing later during the drain of the autorelease pool.
+
+ * API/JSWrapperMap.mm:
+ (objectWithCustomBrand): We no longer alloc here. We instead call the JSValue valueWithValue class method,
+ which autoreleases for us.
+ (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We no longer call release on the
+ constructor or prototype JSValues.
+ * API/tests/testapi.mm: Added a new test that crashes on ToT due to over-releasing.
+
+2013-03-19 Filip Pizlo <fpizlo@apple.com>
+
+ It's called "Hash Consing" not "Hash Consting"
+ https://bugs.webkit.org/show_bug.cgi?id=112768
+
+ Rubber stamped by Mark Hahnenberg.
+
+ See http://en.wikipedia.org/wiki/Hash_consing
+
+ * heap/GCThreadSharedData.cpp:
+ (JSC::GCThreadSharedData::GCThreadSharedData):
+ (JSC::GCThreadSharedData::reset):
+ * heap/GCThreadSharedData.h:
+ (GCThreadSharedData):
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::SlotVisitor):
+ (JSC::SlotVisitor::setup):
+ (JSC::SlotVisitor::reset):
+ (JSC::JSString::tryHashConsLock):
+ (JSC::JSString::releaseHashConsLock):
+ (JSC::JSString::shouldTryHashCons):
+ (JSC::SlotVisitor::internalAppend):
+ * heap/SlotVisitor.h:
+ (SlotVisitor):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ (JSC::JSGlobalData::haveEnoughNewStringsToHashCons):
+ (JSC::JSGlobalData::resetNewStringsSinceLastHashCons):
+ * runtime/JSString.h:
+ (JSC::JSString::finishCreation):
+ (JSString):
+ (JSC::JSString::isHashConsSingleton):
+ (JSC::JSString::clearHashConsSingleton):
+ (JSC::JSString::setHashConsSingleton):
+
+2013-03-20 Filip Pizlo <fpizlo@apple.com>
+
+ DFG implementation of op_strcat should inline rope allocations
+ https://bugs.webkit.org/show_bug.cgi?id=112780
+
+ Reviewed by Oliver Hunt.
+
+ This gets rid of the StrCat node and adds a MakeRope node. The MakeRope node can
+ take either two or three operands, and allocates a rope string with either two or
+ three fibers. (The magic choice of three children for non-VarArg nodes happens to
+ match exactly with the magic choice of three fibers for rope strings.)
+
+ ValueAdd on KnownString is replaced with MakeRope with two children.
+
+ StrCat gets replaced by an appropriate sequence of MakeRope's.
+
+ MakeRope does not do the dynamic check to see if its children are empty strings.
+ This is replaced by a static check, instead. The downside is that we may use more
+ memory if the strings passed to MakeRope turn out to dynamically be empty. The
+ upside is that we do fewer checks in the cases where either the strings are not
+ empty, or where the strings are statically known to be empty. I suspect both of
+ those cases are more common, than the case where the string is dynamically empty.
+
+ This also results in some badness for X86. MakeRope needs six registers if it is
+ allocating a three-rope. We don't have six registers to spare on X86. Currently,
+ the code side-steps this problem by just never usign three-ropes in optimized
+ code on X86. All other architectures, including X86_64, don't have this problem.
+
+ This is a shocking speed-up. 9% progressions on both V8/splay and
+ SunSpider/date-format-xparb. 1% progression on V8v7 overall, and ~0.5% progression
+ on SunSpider. 2x speed-up on microbenchmarks that test op_strcat.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::executeEffects):
+ * dfg/DFGAdjacencyList.h:
+ (AdjacencyList):
+ (JSC::DFG::AdjacencyList::removeEdge):
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
+ * dfg/DFGBackwardsPropagationPhase.cpp:
+ (JSC::DFG::BackwardsPropagationPhase::propagate):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::putStructureStoreElimination):
+ (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::createToString):
+ (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
+ (JSC::DFG::FixupPhase::convertStringAddUse):
+ (FixupPhase):
+ (JSC::DFG::FixupPhase::convertToMakeRope):
+ (JSC::DFG::FixupPhase::fixupMakeRope):
+ (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileAdd):
+ (JSC::DFG::SpeculativeJIT::compileMakeRope):
+ (DFG):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
+ (JSC::DFG::SpeculateCellOperand::~SpeculateCellOperand):
+ (JSC::DFG::SpeculateCellOperand::gpr):
+ (JSC::DFG::SpeculateCellOperand::use):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * runtime/JSString.h:
+ (JSRopeString):
+
+2013-03-20 Peter Gal <galpeter@inf.u-szeged.hu>
+
+ Implement and32 on MIPS platform
+ https://bugs.webkit.org/show_bug.cgi?id=112665
+
+ Reviewed by Zoltan Herczeg.
+
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::and32): Added missing method.
+ (MacroAssemblerMIPS):
+
+2013-03-20 Mark Lam <mark.lam@apple.com>
+
+ Fix incorrect debugger column number value.
+ https://bugs.webkit.org/show_bug.cgi?id=112741.
+
+ Reviewed by Oliver Hunt.
+
+ 1. In lexer, parser, and debugger code, renamed column to charPosition.
+ 2. Convert the charPosition to the equivalent column number before
+ passing it to the debugger.
+ 3. Changed ScopeNodes to take both a startLocation and an endLocation.
+ This allows FunctionBodyNodes, ProgramNodes, and EvalNodess to emit
+ correct debug hooks with correct starting line and column numbers.
+ 4. Fixed the Lexer to not reset the charPosition (previously
+ columnNumber) in Lexer::lex().
+
+ * JavaScriptCore.order:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitDebugHook):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::emitExpressionInfo):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ArrayNode::toArgumentList):
+ (JSC::ConstStatementNode::emitBytecode):
+ (JSC::EmptyStatementNode::emitBytecode):
+ (JSC::DebuggerStatementNode::emitBytecode):
+ (JSC::ExprStatementNode::emitBytecode):
+ (JSC::VarStatementNode::emitBytecode):
+ (JSC::IfNode::emitBytecode):
+ (JSC::IfElseNode::emitBytecode):
+ (JSC::DoWhileNode::emitBytecode):
+ (JSC::WhileNode::emitBytecode):
+ (JSC::ForNode::emitBytecode):
+ (JSC::ForInNode::emitBytecode):
+ (JSC::ContinueNode::emitBytecode):
+ (JSC::BreakNode::emitBytecode):
+ (JSC::ReturnNode::emitBytecode):
+ (JSC::WithNode::emitBytecode):
+ (JSC::SwitchNode::emitBytecode):
+ (JSC::LabelNode::emitBytecode):
+ (JSC::ThrowNode::emitBytecode):
+ (JSC::TryNode::emitBytecode):
+ (JSC::ProgramNode::emitBytecode):
+ (JSC::EvalNode::emitBytecode):
+ (JSC::FunctionBodyNode::emitBytecode):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::debug):
+ - convert charPosition to column for the debugger.
+ * interpreter/Interpreter.h:
+ * jit/JITStubs.cpp:
+ (DEFINE_STUB_FUNCTION(void, op_debug)):
+ * llint/LLIntSlowPaths.cpp:
+ (LLINT_SLOW_PATH_DECL(slow_op_debug)):
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::createFunctionExpr):
+ (JSC::ASTBuilder::createFunctionBody):
+ (JSC::ASTBuilder::createGetterOrSetterProperty):
+ (JSC::ASTBuilder::createFuncDeclStatement):
+ (JSC::ASTBuilder::createBlockStatement):
+ (JSC::ASTBuilder::createExprStatement):
+ (JSC::ASTBuilder::createIfStatement):
+ (JSC::ASTBuilder::createForLoop):
+ (JSC::ASTBuilder::createForInLoop):
+ (JSC::ASTBuilder::createVarStatement):
+ (JSC::ASTBuilder::createReturnStatement):
+ (JSC::ASTBuilder::createBreakStatement):
+ (JSC::ASTBuilder::createContinueStatement):
+ (JSC::ASTBuilder::createTryStatement):
+ (JSC::ASTBuilder::createSwitchStatement):
+ (JSC::ASTBuilder::createWhileStatement):
+ (JSC::ASTBuilder::createDoWhileStatement):
+ (JSC::ASTBuilder::createWithStatement):
+ (JSC::ASTBuilder::createThrowStatement):
+ (JSC::ASTBuilder::createDebugger):
+ (JSC::ASTBuilder::createConstStatement):
+ * parser/Lexer.cpp:
+ (JSC::::setCode):
+ (JSC::::internalShift):
+ (JSC::::shift):
+ (JSC::::lex):
+ * parser/Lexer.h:
+ (JSC::Lexer::currentCharPosition):
+ (Lexer):
+ (JSC::::lexExpectIdentifier):
+ * parser/NodeConstructors.h:
+ (JSC::Node::Node):
+ * parser/Nodes.cpp:
+ (JSC::StatementNode::setLoc):
+ (JSC::ScopeNode::ScopeNode):
+ (JSC::ProgramNode::ProgramNode):
+ (JSC::ProgramNode::create):
+ (JSC::EvalNode::EvalNode):
+ (JSC::EvalNode::create):
+ (JSC::FunctionBodyNode::FunctionBodyNode):
+ (JSC::FunctionBodyNode::create):
+ * parser/Nodes.h:
+ (JSC::Node::charPosition):
+ (Node):
+ (StatementNode):
+ (JSC::StatementNode::lastLine):
+ (ScopeNode):
+ (JSC::ScopeNode::startLine):
+ (JSC::ScopeNode::startCharPosition):
+ (ProgramNode):
+ (EvalNode):
+ (FunctionBodyNode):
+ * parser/Parser.cpp:
+ (JSC::::Parser):
+ (JSC::::parseFunctionBody):
+ (JSC::::parseFunctionInfo):
+ * parser/Parser.h:
+ (JSC::::parse):
+ * parser/ParserTokens.h:
+ (JSC::JSTokenLocation::JSTokenLocation):
+ (JSTokenLocation):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::createFunctionBody):
+
+2013-03-20 Csaba Osztrogonác <ossy@webkit.org>
+
+ REGRESSION(r146089): It broke 20 sputnik tests on ARM traditional and Thumb2
+ https://bugs.webkit.org/show_bug.cgi?id=112676
+
+ Rubber-stamped by Filip Pizlo.
+
+ Add one more EABI_32BIT_DUMMY_ARG to make DFG JIT ARM EABI compatible
+ again after r146089 similar to https://bugs.webkit.org/show_bug.cgi?id=84449
+
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+
+2013-03-19 Michael Saboff <msaboff@apple.com>
+
+ Crash when loading http://www.jqchart.com/jquery/gauges/RadialGauge/LiveData
+ https://bugs.webkit.org/show_bug.cgi?id=112694
+
+ Reviewed by Filip Pizlo.
+
+ We were trying to convert an NewArray to a Phantom, but convertToPhantom doesn't handle
+ nodes with variable arguments. Added code to insert a Phantom node in front of all the
+ live children of a var args node. Added ASSERT not var args for convertToPhantom to
+ catch any other similar cases. Added a new convertToPhantomUnchecked() for converting
+ var arg nodes.
+
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::run):
+ * dfg/DFGNode.h:
+ (Node):
+ (JSC::DFG::Node::setOpAndDefaultNonExitFlags): Added ASSERT(!(m_flags & NodeHasVarArgs))
+ (JSC::DFG::Node::setOpAndDefaultNonExitFlagsUnchecked):
+ (JSC::DFG::Node::convertToPhantomUnchecked):
+
+2013-03-19 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Crash in SpeculativeJIT::fillSpeculateIntInternal<false> on http://bellard.org/jslinux
+ https://bugs.webkit.org/show_bug.cgi?id=112738
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixIntEdge): We shouldn't be killing this node because it could be
+ referenced by other people.
+
+2013-03-19 Oliver Hunt <oliver@apple.com>
+
+ RELEASE_ASSERT fires in exception handler lookup
+
+ RS=Geoff Garen.
+
+ Temporarily switch this RELEASE_ASSERT into a regular ASSERT
+ as currently this is producing fairly bad crashiness.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::handlerForBytecodeOffset):
+
+2013-03-18 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should optimize StringObject.length and StringOrStringObject.length
+ https://bugs.webkit.org/show_bug.cgi?id=112658
+
+ Reviewed by Mark Hahnenberg.
+
+ Implemented by injecting a ToString(StringObject:@a) or ToString(StringOrStringObject:@a) prior
+ to GetArrayLength with ArrayMode(Array::String) if @a is predicted StringObject or
+ StringOrStringObject.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::createToString):
+ (FixupPhase):
+ (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
+ (JSC::DFG::FixupPhase::convertStringAddUse):
+
+2013-03-19 Gabor Rapcsanyi <rgabor@webkit.org>
+
+ Implement and32 on ARMv7 and ARM traditional platforms
+ https://bugs.webkit.org/show_bug.cgi?id=112663
+
+ Reviewed by Zoltan Herczeg.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::and32): Add missing method.
+ (MacroAssemblerARM):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::and32): Add missing method.
+ (MacroAssemblerARMv7):
+
+2013-03-18 Filip Pizlo <fpizlo@apple.com>
+
+ DFG ToString generic cases should work correctly
+ https://bugs.webkit.org/show_bug.cgi?id=112654
+ <rdar://problem/13447250>
+
+ Reviewed by Geoffrey Garen.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-03-18 Michael Saboff <msaboff@apple.com>
+
+ Unreviewed build fix for 32 bit builds.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-03-18 Michael Saboff <msaboff@apple.com>
+
+ EFL: Unsafe branch detected in compilePutByValForFloatTypedArray()
+ https://bugs.webkit.org/show_bug.cgi?id=112609
+
+ Reviewed by Geoffrey Garen.
+
+ Created local valueFPR and scratchFPR and filled them with valueOp.fpr() and scratch.fpr()
+ respectively so that if valueOp.fpr() causes a spill during allocation, it occurs before the
+ branch and also to follow convention. Added register allocation checks to FPRTemporary.
+ Cleaned up a couple of other places to follow the "AllocatVirtualRegType foo, get machine
+ reg from foo" pattern.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::fprAllocate):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::convertToDouble):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-03-18 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should inline binary string concatenations (i.e. ValueAdd with string children)
+ https://bugs.webkit.org/show_bug.cgi?id=112599
+
+ Reviewed by Oliver Hunt.
+
+ This does as advertised: if you do x + y where x and y are strings, you'll get
+ a fast inlined JSRopeString allocation (along with whatever checks are necessary).
+ It also does good things if either x or y (or both) are StringObjects, or some
+ other thing like StringOrStringObject. It also lays the groundwork for making this
+ fast if either x or y are numbers, or some other reasonably-cheap-to-convert
+ value.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::executeEffects):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (FixupPhase):
+ (JSC::DFG::FixupPhase::isStringObjectUse):
+ (JSC::DFG::FixupPhase::convertStringAddUse):
+ (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileAdd):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
+ * runtime/JSString.h:
+ (JSC::JSString::offsetOfFlags):
+ (JSString):
+ (JSRopeString):
+ (JSC::JSRopeString::offsetOfFibers):
+
+2013-03-18 Filip Pizlo <fpizlo@apple.com>
+
+ JSC_NATIVE_FUNCTION() takes an identifier for the name and then uses #name, which is unsafe if name was already #define'd to something else
+ https://bugs.webkit.org/show_bug.cgi?id=112639
+
+ Reviewed by Michael Saboff.
+
+ Change it to take a string instead.
+
+ * runtime/JSObject.h:
+ (JSC):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::ObjectPrototype::finishCreation):
+ * runtime/StringPrototype.cpp:
+ (JSC::StringPrototype::finishCreation):
+
+2013-03-18 Brent Fulgham <bfulgham@webkit.org>
+
+ [WinCairo] Get build working under VS2010.
+ https://bugs.webkit.org/show_bug.cgi?id=112604
+
+ Reviewed by Tim Horton.
+
+ * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Use CFLite-specific
+ build target (standard version links against CoreFoundation.lib
+ instead of CFLite.lib).
+ * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Added.
+ * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props: Added.
+ * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props: Added.
+
+2013-03-18 Roger Fong <roger_fong@apple.com>
+
+ AppleWin VS2010 Debug configuration build fix..
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+
+2013-03-18 Brent Fulgham <bfulgham@webkit.org>
+
+ [WinCairo] Get build working under VS2010.
+ https://bugs.webkit.org/show_bug.cgi?id=112604
+
+ Reviewed by Tim Horton.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add build targets for
+ Debug_WinCairo and Release_WinCairo using CFLite.
+ * JavaScriptCore.vcxproj/JavaScriptCoreCFLite.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
+ Add Debug_WinCairo and Release_WinCairo build targets to
+ make sure headers are copied to proper build folder.
+ * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Ditto.
+ * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: Added.
+ * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
+ Add Debug_WinCairo and Release_WinCairo build targets to
+ make sure headers are copied to proper build folder.
+ * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
+ Ditto.
+ * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
+ Ditto.
+ * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto.
+ * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto.
+ * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto.
+
+2013-03-18 Michael Saboff <msaboff@apple.com>
+
+ Potentially unsafe register allocations in DFG code generation
+ https://bugs.webkit.org/show_bug.cgi?id=112477
+
+ Reviewed by Geoffrey Garen.
+
+ Moved allocation of temporary GPRs to be before any generated branches in the functions below.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+
+2013-03-15 Filip Pizlo <fpizlo@apple.com>
+
+ DFG string conversions and allocations should be inlined
+ https://bugs.webkit.org/show_bug.cgi?id=112376
+
+ Reviewed by Geoffrey Garen.
+
+ This turns new String(), String(), String.prototype.valueOf(), and
+ String.prototype.toString() into intrinsics. It gives the DFG the ability to handle
+ conversions from StringObject to JSString and vice-versa, and also gives it the
+ ability to handle cases where a variable may be either a StringObject or a JSString.
+ To do this, I added StringObject to value profiling (and removed the stale
+ distinction between Myarguments and Foreignarguments). I also cleaned up ToPrimitive
+ handling, using some of the new functionality but also taking advantage of the
+ existence of Identity(String:@a).
+
+ This is a 2% SunSpider speed-up. Also there are some speed-ups on V8v7 and Kraken.
+ On microbenchmarks that stress new String() this is a 14x speed-up.
+
+ * CMakeLists.txt:
+ * DerivedSources.make:
+ * DerivedSources.pri:
+ * GNUmakefile.list.am:
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ (JSC::CodeBlock::hasExitSite):
+ (JSC):
+ * bytecode/DFGExitProfile.cpp:
+ (JSC::DFG::ExitProfile::hasExitSite):
+ (DFG):
+ * bytecode/DFGExitProfile.h:
+ (ExitProfile):
+ (JSC::DFG::ExitProfile::hasExitSite):
+ * bytecode/ExitKind.cpp:
+ (JSC::exitKindToString):
+ * bytecode/ExitKind.h:
+ * bytecode/SpeculatedType.cpp:
+ (JSC::dumpSpeculation):
+ (JSC::speculationToAbbreviatedString):
+ (JSC::speculationFromClassInfo):
+ * bytecode/SpeculatedType.h:
+ (JSC):
+ (JSC::isStringObjectSpeculation):
+ (JSC::isStringOrStringObjectSpeculation):
+ * create_hash_table:
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::executeEffects):
+ * dfg/DFGAbstractState.h:
+ (JSC::DFG::AbstractState::filterEdgeByUse):
+ * dfg/DFGByteCodeParser.cpp:
+ (ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
+ (DFG):
+ (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::putStructureStoreElimination):
+ * dfg/DFGEdge.h:
+ (JSC::DFG::Edge::shift):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
+ (FixupPhase):
+ (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
+ (JSC::DFG::FixupPhase::observeUseKindOnNode):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::hasGlobalExitSite):
+ (Graph):
+ (JSC::DFG::Graph::hasExitSite):
+ (JSC::DFG::Graph::clobbersWorld):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToToString):
+ (Node):
+ (JSC::DFG::Node::hasStructure):
+ (JSC::DFG::Node::shouldSpeculateStringObject):
+ (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+ (JSC::DFG::SpeculativeJIT::speculateObject):
+ (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
+ (JSC::DFG::SpeculativeJIT::speculateString):
+ (JSC::DFG::SpeculativeJIT::speculateStringObject):
+ (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::regExpPrototypeTable):
+ * runtime/CommonIdentifiers.h:
+ * runtime/Intrinsic.h:
+ * runtime/JSDestructibleObject.h:
+ (JSDestructibleObject):
+ (JSC::JSDestructibleObject::classInfoOffset):
+ * runtime/JSGlobalData.cpp:
+ (JSC):
+ (JSC::JSGlobalData::JSGlobalData):
+ (JSC::JSGlobalData::~JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ * runtime/JSObject.cpp:
+ * runtime/JSObject.h:
+ (JSC):
+ * runtime/JSWrapperObject.h:
+ (JSC::JSWrapperObject::allocationSize):
+ (JSWrapperObject):
+ (JSC::JSWrapperObject::internalValueOffset):
+ (JSC::JSWrapperObject::internalValueCellOffset):
+ * runtime/StringPrototype.cpp:
+ (JSC):
+ (JSC::StringPrototype::finishCreation):
+ (JSC::StringPrototype::create):
+ * runtime/StringPrototype.h:
+ (StringPrototype):
+
+2013-03-18 Filip Pizlo <fpizlo@apple.com>
+
+ ObjectPrototype properties should be eagerly created rather than lazily via static tables
+ https://bugs.webkit.org/show_bug.cgi?id=112539
+
+ Reviewed by Oliver Hunt.
+
+ This is the first part of https://bugs.webkit.org/show_bug.cgi?id=112233. Rolling this
+ in first since it's the less-likely-to-be-broken part.
+
+ * CMakeLists.txt:
+ * DerivedSources.make:
+ * DerivedSources.pri:
+ * GNUmakefile.list.am:
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::objectConstructorTable):
+ * runtime/CommonIdentifiers.h:
+ * runtime/JSGlobalData.cpp:
+ (JSC):
+ (JSC::JSGlobalData::JSGlobalData):
+ (JSC::JSGlobalData::~JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putDirectNativeFunction):
+ (JSC):
+ * runtime/JSObject.h:
+ (JSObject):
+ (JSC):
+ * runtime/Lookup.cpp:
+ (JSC::setUpStaticFunctionSlot):
+ * runtime/ObjectPrototype.cpp:
+ (JSC):
+ (JSC::ObjectPrototype::finishCreation):
+ (JSC::ObjectPrototype::create):
+ * runtime/ObjectPrototype.h:
+ (ObjectPrototype):
+
+2013-03-16 Pratik Solanki <psolanki@apple.com>
+
+ Disable High DPI Canvas on iOS
+ https://bugs.webkit.org/show_bug.cgi?id=112511
+
+ Reviewed by Joseph Pecoraro.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-03-15 Andreas Kling <akling@apple.com>
+
+ Don't also clone StructureRareData when cloning Structure.
+ <http://webkit.org/b/111672>
+
+ Reviewed by Mark Hahnenberg.
+
+ We were cloning a lot of StructureRareData with only the previousID pointer set since
+ the enumerationCache is not shared between clones.
+
+ Let the Structure copy constructor decide whether it wants to clone the rare data.
+ The decision is made by StructureRareData::needsCloning() and will currently always
+ return false, since StructureRareData only holds on to caches at present.
+ This may change in the future as more members are added to StructureRareData.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ (JSC::Structure::cloneRareDataFrom):
+ * runtime/StructureInlines.h:
+ (JSC::Structure::create):
+
+2013-03-15 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Roll out r145838
+ https://bugs.webkit.org/show_bug.cgi?id=112458
+
+ Unreviewed. Requested by Filip Pizlo.
+
+ * CMakeLists.txt:
+ * DerivedSources.make:
+ * DerivedSources.pri:
+ * GNUmakefile.list.am:
+ * dfg/DFGOperations.cpp:
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::objectPrototypeTable):
+ * jit/JITStubs.cpp:
+ (JSC::getByVal):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::getByVal):
+ * runtime/CommonIdentifiers.h:
+ * runtime/JSCell.cpp:
+ (JSC):
+ * runtime/JSCell.h:
+ (JSCell):
+ * runtime/JSCellInlines.h:
+ (JSC):
+ (JSC::JSCell::fastGetOwnProperty):
+ * runtime/JSGlobalData.cpp:
+ (JSC):
+ (JSC::JSGlobalData::JSGlobalData):
+ (JSC::JSGlobalData::~JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ * runtime/JSObject.cpp:
+ (JSC):
+ * runtime/JSObject.h:
+ (JSObject):
+ (JSC):
+ * runtime/Lookup.cpp:
+ (JSC::setUpStaticFunctionSlot):
+ * runtime/ObjectPrototype.cpp:
+ (JSC):
+ (JSC::ObjectPrototype::finishCreation):
+ (JSC::ObjectPrototype::getOwnPropertySlot):
+ (JSC::ObjectPrototype::getOwnPropertyDescriptor):
+ * runtime/ObjectPrototype.h:
+ (JSC::ObjectPrototype::create):
+ (ObjectPrototype):
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyTable::findWithString):
+ * runtime/Structure.h:
+ (Structure):
+ * runtime/StructureInlines.h:
+ (JSC::Structure::get):
+
+2013-03-15 Michael Saboff <msaboff@apple.com>
+
+ Cleanup of DFG and Baseline JIT debugging code
+ https://bugs.webkit.org/show_bug.cgi?id=111871
+
+ Reviewed by Geoffrey Garen.
+
+ Fixed various debug related issue in baseline and DFG JITs. See below.
+
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::dfgLinkClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL.
+ * dfg/DFGScratchRegisterAllocator.h: Now use ScratchBuffer::activeLengthPtr() to get
+ pointer to scratch register length.
+ (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
+ (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkConsistency): Added missing case labels for DataFormatOSRMarker,
+ DataFormatDead, and DataFormatArguments and made them RELEASE_ASSERT_NOT_REACHED();
+ * jit/JITCall.cpp:
+ (JSC::JIT::privateCompileClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL.
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::privateCompileClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL.
+ * runtime/JSGlobalData.h:
+ (JSC::ScratchBuffer::ScratchBuffer): Fixed buffer allocation alignment to
+ be on a double boundary.
+ (JSC::ScratchBuffer::setActiveLength):
+ (JSC::ScratchBuffer::activeLength):
+ (JSC::ScratchBuffer::activeLengthPtr):
+
+2013-03-15 Michael Saboff <msaboff@apple.com>
+
+ Add runtime check for improper register allocations in DFG
+ https://bugs.webkit.org/show_bug.cgi?id=112380
+
+ Reviewed by Geoffrey Garen.
+
+ Added framework to check for register allocation within a branch source - target range. All register allocations
+ are saved using the offset in the code stream where the allocation occurred. Later when a jump is linked, the
+ currently saved register allocations are checked to make sure that they didn't occur in the range of code that was
+ jumped over. This protects against the case where an allocation could have spilled register contents to free up
+ a register and that spill only occurs on one path of a many through the code. A subsequent fill of the spilled
+ register may load garbage. See https://bugs.webkit.org/show_bug.cgi?id=111777 for one such bug.
+ This code is protected by the compile time check of #if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION).
+ The check is only done during the processing of SpeculativeJIT::compile(Node* node) and its callees.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::Jump::link): Invoke register allocation checks using source and target of link.
+ (JSC::AbstractMacroAssembler::Jump::linkTo): Invoke register allocation checks using source and target of link.
+ (AbstractMacroAssembler):
+ (RegisterAllocationOffset): New helper class to store the instruction stream offset and compare against a
+ jump range.
+ (JSC::AbstractMacroAssembler::RegisterAllocationOffset::RegisterAllocationOffset):
+ (JSC::AbstractMacroAssembler::RegisterAllocationOffset::check):
+ (JSC::AbstractMacroAssembler::addRegisterAllocationAtOffset):
+ (JSC::AbstractMacroAssembler::clearRegisterAllocationOffsets):
+ (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::allocate):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-03-14 Oliver Hunt <oliver@apple.com>
+
+ REGRESSION(r145000): Crash loading arstechnica.com when Safari Web Inspector is open
+ https://bugs.webkit.org/show_bug.cgi?id=111868
+
+ Reviewed by Antti Koivisto.
+
+ Don't allow non-local property lookup when the debugger is enabled.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::resolve):
+
+2013-03-11 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Objective-C functions exposed to JavaScript have the wrong type (object instead of function)
+ https://bugs.webkit.org/show_bug.cgi?id=105892
+
+ Reviewed by Geoffrey Garen.
+
+ Changed ObjCCallbackFunction to subclass JSCallbackFunction which already has all of the machinery to call
+ functions using the C API. Since ObjCCallbackFunction is now a JSCell, we changed the old implementation of
+ ObjCCallbackFunction to be the internal implementation and keep track of all the proper data so that we
+ don't have to put all of that in the header, which will now be included from C++ files (e.g. JSGlobalObject.cpp).
+
+ * API/JSCallbackFunction.cpp: Change JSCallbackFunction to allow subclassing. Originally it was internally
+ passing its own Structure up the chain of constructors, but we now want to be able to pass other Structures as well.
+ (JSC::JSCallbackFunction::JSCallbackFunction):
+ (JSC::JSCallbackFunction::create):
+ * API/JSCallbackFunction.h:
+ (JSCallbackFunction):
+ * API/JSWrapperMap.mm: Changed interface to tryUnwrapBlock.
+ (tryUnwrapObjcObject):
+ * API/ObjCCallbackFunction.h:
+ (ObjCCallbackFunction): Moved into the JSC namespace, just like JSCallbackFunction.
+ (JSC::ObjCCallbackFunction::createStructure): Overridden so that the correct ClassInfo gets used since we have
+ a destructor.
+ (JSC::ObjCCallbackFunction::impl): Getter for the internal impl.
+ * API/ObjCCallbackFunction.mm:
+ (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): What used to be ObjCCallbackFunction is now
+ ObjCCallbackFunctionImpl. It handles the Objective-C specific parts of managing callback functions.
+ (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl):
+ (JSC::objCCallbackFunctionCallAsFunction): Same as the old one, but now it casts to ObjCCallbackFunction and grabs the impl
+ rather than using JSObjectGetPrivate.
+ (JSC::ObjCCallbackFunction::ObjCCallbackFunction): New bits to allow being part of the JSCell hierarchy.
+ (JSC::ObjCCallbackFunction::create):
+ (JSC::ObjCCallbackFunction::destroy):
+ (JSC::ObjCCallbackFunctionImpl::call): Handles the actual invocation, just like it used to.
+ (objCCallbackFunctionForInvocation):
+ (tryUnwrapBlock): Changed to check the ClassInfo for inheritance directly, rather than going through the C API call.
+ * API/tests/testapi.mm: Added new test to make sure that doing Function.prototype.toString.call(f) won't result in
+ an error when f is an Objective-C method or block underneath the covers.
+ * runtime/JSGlobalObject.cpp: Added new Structure for ObjCCallbackFunction.
+ (JSC::JSGlobalObject::reset):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSGlobalObject):
+ (JSC::JSGlobalObject::objcCallbackFunctionStructure):
+
+2013-03-14 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Nested dictionaries are not converted properly in the Objective-C binding
+ https://bugs.webkit.org/show_bug.cgi?id=112377
+
+ Reviewed by Oliver Hunt.
+
+ Accidental reassignment of the root task in the container conversion logic was causing the last
+ array or dictionary processed to be returned in the case of nested containers.
+
+ * API/JSValue.mm:
+ (containerValueToObject):
+ * API/tests/testapi.mm:
+
+2013-03-13 Filip Pizlo <fpizlo@apple.com>
+
+ JSObject fast by-string access optimizations should work even on the prototype chain, and even when the result is undefined
+ https://bugs.webkit.org/show_bug.cgi?id=112233
+
+ Reviewed by Oliver Hunt.
+
+ Extended the existing fast access path for String keys to work over the entire prototype chain,
+ not just the self access case. This will fail as soon as it sees an object that intercepts
+ getOwnPropertySlot, so this patch also ensures that ObjectPrototype does not fall into that
+ category. This is accomplished by making ObjectPrototype eagerly reify all of its properties.
+ This is safe for ObjectPrototype because it's so common and we expect all of its properties to
+ be reified for any interesting programs anyway. A new idiom for adding native functions to
+ prototypes is introduced, which ought to work well for any other prototypes that we wish to do
+ this conversion for.
+
+ This is a >60% speed-up in the case that you frequently do by-string lookups that "miss", i.e.
+ they don't turn up anything.
+
+ * CMakeLists.txt:
+ * DerivedSources.make:
+ * DerivedSources.pri:
+ * GNUmakefile.list.am:
+ * dfg/DFGOperations.cpp:
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::objectConstructorTable):
+ * jit/JITStubs.cpp:
+ (JSC::getByVal):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::getByVal):
+ * runtime/CommonIdentifiers.h:
+ * runtime/JSCell.cpp:
+ (JSC::JSCell::getByStringSlow):
+ (JSC):
+ * runtime/JSCell.h:
+ (JSCell):
+ * runtime/JSCellInlines.h:
+ (JSC):
+ (JSC::JSCell::getByStringAndKey):
+ (JSC::JSCell::getByString):
+ * runtime/JSGlobalData.cpp:
+ (JSC):
+ (JSC::JSGlobalData::JSGlobalData):
+ (JSC::JSGlobalData::~JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putDirectNativeFunction):
+ (JSC):
+ * runtime/JSObject.h:
+ (JSObject):
+ (JSC):
+ * runtime/Lookup.cpp:
+ (JSC::setUpStaticFunctionSlot):
+ * runtime/ObjectPrototype.cpp:
+ (JSC):
+ (JSC::ObjectPrototype::finishCreation):
+ (JSC::ObjectPrototype::create):
+ * runtime/ObjectPrototype.h:
+ (ObjectPrototype):
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyTable::findWithString):
+ * runtime/Structure.h:
+ (Structure):
+ * runtime/StructureInlines.h:
+ (JSC::Structure::get):
+ (JSC):
+
+2013-03-13 Filip Pizlo <fpizlo@apple.com>
+
+ DFG bytecode parser is too aggressive about getting rid of GetLocals on captured variables
+ https://bugs.webkit.org/show_bug.cgi?id=112287
+ <rdar://problem/13342340>
+
+ Reviewed by Oliver Hunt.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::getLocal):
+
+2013-03-13 Ryosuke Niwa <rniwa@webkit.org>
+
+ Threaded HTML Parser is missing feature define flags in all but Chromium port's build files
+ https://bugs.webkit.org/show_bug.cgi?id=112277
+
+ Reviewed by Adam Barth.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-03-13 Csaba Osztrogonác <ossy@webkit.org>
+
+ LLINT C loop warning fix for GCC
+ https://bugs.webkit.org/show_bug.cgi?id=112145
+
+ Reviewed by Filip Pizlo.
+
+ * llint/LowLevelInterpreter.cpp:
+ (JSC::CLoop::execute):
+
+2013-02-13 Simon Hausmann <simon.hausmann@digia.com>
+
+ Add support for convenient conversion from JSStringRef to QString
+ https://bugs.webkit.org/show_bug.cgi?id=109694
+
+ Reviewed by Allan Sandfeld Jensen.
+
+ Add JSStringCopyQString helper function that allows for the convenient
+ extraction of a QString out of a JSStringRef.
+
+ * API/JSStringRefQt.cpp: Added.
+ (JSStringCopyQString):
+ * API/JSStringRefQt.h: Added.
+ * API/OpaqueJSString.h:
+ (OpaqueJSString):
+ (OpaqueJSString::qString):
+ (OpaqueJSString::OpaqueJSString):
+ * Target.pri:
+
+2013-03-13 Peter Gal <galpeter@inf.u-szeged.hu>
+
+ Token 'not' is ignored in the offlineasm.
+ https://bugs.webkit.org/show_bug.cgi?id=111568
+
+ Reviewed by Filip Pizlo.
+
+ * offlineasm/parser.rb: Build the Not AST node if the 'not' token is found.
+
+2013-03-12 Tim Horton <timothy_horton@apple.com>
+
+ WTF uses macros for exports. Try to fix the Windows build. Unreviewed.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-03-12 Filip Pizlo <fpizlo@apple.com>
+
+ Array.prototype.sort should at least try to be PTIME even when the array is in some bizarre mode
+ https://bugs.webkit.org/show_bug.cgi?id=112187
+ <rdar://problem/13393550>
+
+ Reviewed by Michael Saboff and Gavin Barraclough.
+
+ If we have an array-like object in crazy mode passed into Array.prototype.sort, and its length is large,
+ then first copy all elements into a separate, compact, un-holy array and sort that. Then copy back.
+ This means that sorting will be at worst O(n^2) in the actual number of things in the array, rather than
+ O(n^2) in the array's length.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::attemptFastSort):
+ (JSC::performSlowSort):
+ (JSC):
+ (JSC::arrayProtoFuncSort):
+
+2013-03-12 Tim Horton <timothy_horton@apple.com>
+
+ Try to fix the Windows build.
+
+ Not reviewed.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+
+2013-03-12 Geoffrey Garen <ggaren@apple.com>
+
+ Try to fix the Windows build.
+
+ Not reviewed.
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+ Export a thing.
+
+2013-03-11 Oliver Hunt <oliver@apple.com>
+
+ Harden JSStringJoiner
+ https://bugs.webkit.org/show_bug.cgi?id=112093
+
+ Reviewed by Filip Pizlo.
+
+ Harden JSStringJoiner, make it use our CheckedArithmetic
+ class to simplify everything.
+
+ * runtime/JSStringJoiner.cpp:
+ (JSC::JSStringJoiner::build):
+ * runtime/JSStringJoiner.h:
+ (JSStringJoiner):
+ (JSC::JSStringJoiner::JSStringJoiner):
+ (JSC::JSStringJoiner::append):
+
+2013-03-12 Filip Pizlo <fpizlo@apple.com>
+
+ DFG generic array access cases should not be guarded by CheckStructure even of the profiling tells us that it could be
+ https://bugs.webkit.org/show_bug.cgi?id=112183
+
+ Reviewed by Oliver Hunt.
+
+ Slight speed-up on string-unpack-code.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::findAndRemoveUnnecessaryStructureCheck):
+ (FixupPhase):
+ (JSC::DFG::FixupPhase::checkArray):
+ (JSC::DFG::FixupPhase::blessArrayOperation):
+
+2013-03-12 Gabor Rapcsanyi <rgabor@webkit.org>
+
+ https://bugs.webkit.org/show_bug.cgi?id=112141
+ LLInt CLoop backend misses Double2Ints() on 32bit architectures
+
+ Reviewed by Filip Pizlo.
+
+ Implement Double2Ints() in CLoop backend of LLInt on 32bit architectures.
+
+ * llint/LowLevelInterpreter.cpp:
+ (LLInt):
+ (JSC::LLInt::Double2Ints):
+ * offlineasm/cloop.rb:
+
+2013-03-12 Gabor Rapcsanyi <rgabor@webkit.org>
+
+ Making more sophisticated cache flush on ARM Linux platform
+ https://bugs.webkit.org/show_bug.cgi?id=111854
+
+ Reviewed by Zoltan Herczeg.
+
+ The cache flush on ARM Linux invalidates whole pages
+ instead of just the required area.
+
+ * assembler/ARMAssembler.h:
+ (ARMAssembler):
+ (JSC::ARMAssembler::linuxPageFlush):
+ (JSC::ARMAssembler::cacheFlush):
+ * assembler/ARMv7Assembler.h:
+ (ARMv7Assembler):
+ (JSC::ARMv7Assembler::linuxPageFlush):
+ (JSC::ARMv7Assembler::cacheFlush):
+
+2013-03-12 Gabor Rapcsanyi <rgabor@webkit.org>
+
+ Renaming the armv7.rb LLINT backend to arm.rb
+ https://bugs.webkit.org/show_bug.cgi?id=110565
+
+ Reviewed by Zoltan Herczeg.
+
+ This is the first step of a unified ARM backend for
+ all ARM 32 bit architectures in LLInt.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.gypi:
+ * LLIntOffsetsExtractor.pro:
+ * offlineasm/arm.rb: Copied from Source/JavaScriptCore/offlineasm/armv7.rb.
+ * offlineasm/armv7.rb: Removed.
+ * offlineasm/backends.rb:
+ * offlineasm/risc.rb:
+
+2013-03-12 Csaba Osztrogonác <ossy@webkit.org>
+
+ REGRESSION(r145482): It broke 33 jsc tests and zillion layout tests on all platform
+ https://bugs.webkit.org/show_bug.cgi?id=112112
+
+ Reviewed by Oliver Hunt.
+
+ Rolling out https://trac.webkit.org/changeset/145482 to unbreak the bots.
+
+ * runtime/JSStringJoiner.cpp:
+ (JSC::JSStringJoiner::build):
+ * runtime/JSStringJoiner.h:
+ (JSStringJoiner):
+ (JSC::JSStringJoiner::JSStringJoiner):
+ (JSC::JSStringJoiner::append):
+
+2013-03-12 Filip Pizlo <fpizlo@apple.com>
+
+ DFG prediction propagation phase should not rerun forward propagation if double voting has already converged
+ https://bugs.webkit.org/show_bug.cgi?id=111920
+
+ Reviewed by Oliver Hunt.
+
+ I don't know why we weren't exiting early after double voting if !m_changed.
+
+ This change also removes backwards propagation from the voting fixpoint, since at that
+ point short-circuiting loops is probably not particularly profitable. Profiling shows
+ that this reduces the time spent in prediction propagation even further.
+
+ This change appears to be a 1% SunSpider speed-up.
+
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::run):
+
+2013-03-11 Filip Pizlo <fpizlo@apple.com>
+
+ DFG overflow check elimination is too smart for its own good
+ https://bugs.webkit.org/show_bug.cgi?id=111832
+
+ Reviewed by Oliver Hunt and Gavin Barraclough.
+
+ Rolling this back in after fixing accidental misuse of JSValue. The code was doing value < someInt
+ rather than value.asInt32() < someInt. This "worked" when isWithinPowerOfTwo wasn't templatized.
+ It worked by always being false and always disabling the relvant optimization.
+
+ This improves overflow check elimination in three ways:
+
+ 1) It reduces the amount of time the compiler will spend doing it.
+
+ 2) It fixes bugs where overflow check elimination was overzealous. Precisely, for a binary operation
+ over @a and @b where both @a and @b will type check that their inputs (@a->children, @b->children)
+ are int32's and then perform a possibly-overflowing operation, we must be careful not to assume
+ that @a's non-int32 parts don't matter if at the point that @a runs we have as yet not proved that
+ @b->children are int32's and that hence @b might produce a large enough result that doubles would
+ start chopping low bits. The specific implication of this is that for a binary operation to not
+ propagate that it cares about non-int32 parts (NodeUsedAsNumber), we must prove that at least one
+ of the inputs is guaranteed to produce a result within 2^32 and that there won't be a tower of such
+ operations large enough to ultimately produce a double greater than 2^52 (roughly). We achieve the
+ latter by disabling this optimization for very large basic blocks. It's noteworthy that blocks that
+ large won't even make it into the DFG currently.
+
+ 3) It makes the overflow check elimination more precise for cases where the inputs to an Add or Sub
+ are the outputs of a bit-op. For example in (@a + (@b | 0)) | 0, we don't need to propagate
+ NodeUsedAsNumber to either @a or @b.
+
+ This is neutral on V8v7 and a slight speed-up on compile time benchmarks.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::refine):
+ * dfg/DFGBackwardsPropagationPhase.cpp: Added.
+ (DFG):
+ (BackwardsPropagationPhase):
+ (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
+ (JSC::DFG::BackwardsPropagationPhase::run):
+ (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
+ (JSC::DFG::BackwardsPropagationPhase::isNotZero):
+ (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
+ (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive):
+ (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
+ (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
+ (JSC::DFG::BackwardsPropagationPhase::propagate):
+ (JSC::DFG::performBackwardsPropagation):
+ * dfg/DFGBackwardsPropagationPhase.h: Added.
+ (DFG):
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::run):
+ (JSC::DFG::CPSRethreadingPhase::clearIsLoadedFrom):
+ (CPSRethreadingPhase):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGNodeFlags.cpp:
+ (JSC::DFG::dumpNodeFlags):
+ (DFG):
+ * dfg/DFGNodeFlags.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (PredictionPropagationPhase):
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGUnificationPhase.cpp:
+ (JSC::DFG::UnificationPhase::run):
+ * dfg/DFGVariableAccessData.h:
+ (JSC::DFG::VariableAccessData::VariableAccessData):
+ (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
+ (VariableAccessData):
+ (JSC::DFG::VariableAccessData::setIsLoadedFrom):
+ (JSC::DFG::VariableAccessData::isLoadedFrom):
+
+2013-03-11 Oliver Hunt <oliver@apple.com>
+
+ Harden JSStringJoiner
+ https://bugs.webkit.org/show_bug.cgi?id=112093
+
+ Reviewed by Filip Pizlo.
+
+ Harden JSStringJoiner, make it use our CheckedArithmetic
+ class to simplify everything.
+
+ * runtime/JSStringJoiner.cpp:
+ (JSC::JSStringJoiner::build):
+ * runtime/JSStringJoiner.h:
+ (JSStringJoiner):
+ (JSC::JSStringJoiner::JSStringJoiner):
+ (JSC::JSStringJoiner::append):
+
+2013-03-11 Michael Saboff <msaboff@apple.com>
+
+ Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only)
+ https://bugs.webkit.org/show_bug.cgi?id=112067
+
+ Reviewed by Geoffrey Garen.
+
+ We weren't setting the tag in SetCallee. Therefore set it to CellTag.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-03-11 Oliver Hunt <oliver@apple.com>
+
+ Make SegmentedVector Noncopyable
+ https://bugs.webkit.org/show_bug.cgi?id=112059
+
+ Reviewed by Geoffrey Garen.
+
+ Copying a SegmentedVector is very expensive, and really shouldn't
+ be necessary. So I've taken the one place where we currently copy
+ and replaced it with a regular Vector, and replaced the address
+ dependent logic with a indexing ref instead.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::newLabelScope):
+ (JSC::BytecodeGenerator::emitComplexJumpScopes):
+ * bytecompiler/BytecodeGenerator.h:
+ (BytecodeGenerator):
+ * bytecompiler/LabelScope.h:
+ (JSC):
+ (JSC::LabelScopePtr::LabelScopePtr):
+ (LabelScopePtr):
+ (JSC::LabelScopePtr::operator=):
+ (JSC::LabelScopePtr::~LabelScopePtr):
+ (JSC::LabelScopePtr::operator*):
+ (JSC::LabelScopePtr::operator->):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::DoWhileNode::emitBytecode):
+ (JSC::WhileNode::emitBytecode):
+ (JSC::ForNode::emitBytecode):
+ (JSC::ForInNode::emitBytecode):
+ (JSC::SwitchNode::emitBytecode):
+ (JSC::LabelNode::emitBytecode):
+
+2013-03-10 Andreas Kling <akling@apple.com>
+
+ SpeculativeJIT should use OwnPtr<SlowPathGenerator>.
+ <http://webkit.org/b/111942>
+
+ Reviewed by Anders Carlsson.
+
+ There's no need to include DFGSlowPathGenerator.h from the header as long as the destructor is out-of-line,
+ so let's use OwnPtr instead of raw pointers + deleteAllValues().
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+
+2013-03-09 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r145299.
+ http://trac.webkit.org/changeset/145299
+ https://bugs.webkit.org/show_bug.cgi?id=111928
+
+ compilation failure with recent clang
+ (DFGBackwardsPropagationPhase.cpp:132:35: error: comparison of
+ constant 10 with expression of type 'bool' is always false)
+ (Requested by thorton on #webkit).
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::refine):
+ * dfg/DFGBackwardsPropagationPhase.cpp: Removed.
+ * dfg/DFGBackwardsPropagationPhase.h: Removed.
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::run):
+ (CPSRethreadingPhase):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGNodeFlags.cpp:
+ (JSC::DFG::nodeFlagsAsString):
+ (DFG):
+ * dfg/DFGNodeFlags.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
+ (PredictionPropagationPhase):
+ (JSC::DFG::PredictionPropagationPhase::isNotZero):
+ (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
+ (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
+ (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
+ * dfg/DFGUnificationPhase.cpp:
+ (JSC::DFG::UnificationPhase::run):
+ * dfg/DFGVariableAccessData.h:
+ (JSC::DFG::VariableAccessData::VariableAccessData):
+ (VariableAccessData):
+
+2013-03-08 Filip Pizlo <fpizlo@apple.com>
+
+ DFG overflow check elimination is too smart for its own good
+ https://bugs.webkit.org/show_bug.cgi?id=111832
+
+ Reviewed by Oliver Hunt and Gavin Barraclough.
+
+ This improves overflow check elimination in three ways:
+
+ 1) It reduces the amount of time the compiler will spend doing it.
+
+ 2) It fixes bugs where overflow check elimination was overzealous. Precisely, for a binary operation
+ over @a and @b where both @a and @b will type check that their inputs (@a->children, @b->children)
+ are int32's and then perform a possibly-overflowing operation, we must be careful not to assume
+ that @a's non-int32 parts don't matter if at the point that @a runs we have as yet not proved that
+ @b->children are int32's and that hence @b might produce a large enough result that doubles would
+ start chopping low bits. The specific implication of this is that for a binary operation to not
+ propagate that it cares about non-int32 parts (NodeUsedAsNumber), we must prove that at least one
+ of the inputs is guaranteed to produce a result within 2^32 and that there won't be a tower of such
+ operations large enough to ultimately produce a double greater than 2^52 (roughly). We achieve the
+ latter by disabling this optimization for very large basic blocks. It's noteworthy that blocks that
+ large won't even make it into the DFG currently.
+
+ 3) It makes the overflow check elimination more precise for cases where the inputs to an Add or Sub
+ are the outputs of a bit-op. For example in (@a + (@b | 0)) | 0, we don't need to propagate
+ NodeUsedAsNumber to either @a or @b.
+
+ This is neutral on V8v7 and a slight speed-up on compile time benchmarks.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::refine):
+ * dfg/DFGBackwardsPropagationPhase.cpp: Added.
+ (DFG):
+ (BackwardsPropagationPhase):
+ (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
+ (JSC::DFG::BackwardsPropagationPhase::run):
+ (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
+ (JSC::DFG::BackwardsPropagationPhase::isNotZero):
+ (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
+ (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive):
+ (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
+ (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
+ (JSC::DFG::BackwardsPropagationPhase::propagate):
+ (JSC::DFG::performBackwardsPropagation):
+ * dfg/DFGBackwardsPropagationPhase.h: Added.
+ (DFG):
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::run):
+ (JSC::DFG::CPSRethreadingPhase::clearIsLoadedFrom):
+ (CPSRethreadingPhase):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGNodeFlags.cpp:
+ (JSC::DFG::dumpNodeFlags):
+ (DFG):
+ * dfg/DFGNodeFlags.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (PredictionPropagationPhase):
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGUnificationPhase.cpp:
+ (JSC::DFG::UnificationPhase::run):
+ * dfg/DFGVariableAccessData.h:
+ (JSC::DFG::VariableAccessData::VariableAccessData):
+ (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
+ (VariableAccessData):
+ (JSC::DFG::VariableAccessData::setIsLoadedFrom):
+ (JSC::DFG::VariableAccessData::isLoadedFrom):
+
+2013-03-08 Roger Fong <roger_fong@apple.com>
+
+ Makefile fixes.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.make:
+
+2013-03-08 Gabor Rapcsanyi <rgabor@webkit.org>
+
+ Cache flush problem on ARMv7 JSC
+ https://bugs.webkit.org/show_bug.cgi?id=111441
+
+ Reviewed by Zoltan Herczeg.
+
+ Not proper cache flush causing random crashes on ARMv7 Linux with V8 tests.
+ The problem is similar to https://bugs.webkit.org/show_bug.cgi?id=77712.
+ Change the cache fulsh mechanism similar to ARM traditinal and revert the
+ temporary fix.
+
+ * assembler/ARMv7Assembler.h:
+ (JSC::ARMv7Assembler::cacheFlush):
+
+2013-03-07 Geoffrey Garen <ggaren@apple.com>
+
+ REGRESSION (r143759): 40% JSBench regression, 20% Octane/closure regression, 40% Octane/jquery regression, 2% Octane regression
+ https://bugs.webkit.org/show_bug.cgi?id=111797
+
+ Reviewed by Oliver Hunt.
+
+ The bot's testing configuration stresses the cache's starting guess
+ of 1MB.
+
+ This patch removes any starting guess, and just uses wall clock time
+ to discover the initial working set size of an app, in code size.
+
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCacheMap::pruneSlowCase): Update our timer as we go.
+
+ Also fixed a bug where pruning from 0 to 0 would hang -- that case is
+ a possibility now that we start with a capacity of 0.
+
+ * runtime/CodeCache.h:
+ (CodeCacheMap):
+ (JSC::CodeCacheMap::CodeCacheMap):
+ (JSC::CodeCacheMap::add):
+ (JSC::CodeCacheMap::prune): Don't prune if we're in the middle of
+ discovering the working set size of an app, in code size.
+
+2013-03-07 Michael Saboff <msaboff@apple.com>
+
+ Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article
+ https://bugs.webkit.org/show_bug.cgi?id=111777
+
+ Reviewed by Filip Pizlo.
+
+ Moved register allocations to be above any generated control flow so that any
+ resulting spill would be visible to all subsequently generated code.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-03-07 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should not get corrupted IR in the case of code that is dead, unreachable, and contains a chain of nodes that use each other in an untyped way
+ https://bugs.webkit.org/show_bug.cgi?id=111783
+
+ Reviewed by Mark Hahnenberg.
+
+ Unreachable code is not touched by CFA and so thinks that even untyped uses are checked.
+ But dead untyped uses don't need checks and hence don't need to be Phantom'd. The DCE knew
+ this in findTypeCheckRoot() but not in eliminateIrrelevantPhantomChildren(), leading to a
+ Phantom node that had another Phantom node as one of its kids.
+
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
+
+2013-03-07 Filip Pizlo <fpizlo@apple.com>
+
+ The DFG fixpoint is not strictly profitable, and should be straight-lined
+ https://bugs.webkit.org/show_bug.cgi?id=111764
+
+ Reviewed by Oliver Hunt and Geoffrey Garen.
+
+ The DFG previously ran optimizations to fixpoint because there exists a circular dependency:
+
+ CSE depends on CFG simplification: CFG simplification merges blocks, and CSE is block-local.
+
+ CFG simplification depends on CFA and constant folding: constant folding reveals branches on
+ constants.
+
+ CFA depends on CSE: CSE reveals must-alias relationships by proving that two operations
+ always produce identical values.
+
+ Arguments simplification also depends on CSE, but it ought not depend on anything else.
+
+ Hence we get a cycle like: CFA -> folding -> CFG -> CSE -> CFA.
+
+ Note that before we had sparse conditional CFA, we also had CFA depending on CFG. This ought
+ not be the case anymore: CFG simplification should not by itself lead to better CFA results.
+
+ My guess is that the weakest link in this cycle is CFG -> CSE. CSE cuts both ways: if you
+ CSE too much then you increase register pressure. Hence it's not clear that you always want
+ to CSE after simplifying control flow. This leads to an order of optimization as follows:
+
+ CSE -> arguments -> CFA -> folding -> CFG
+
+ This is a 2.5% speed-up on SunSpider, a 4% speed-up on V8Spider, a possible 0.3% slow-down
+ on V8v7, nothing on Kraken, and 1.2% speed-up in the JSRegress geomean. I'll take a 2.5%
+ speed-up over a 0.3% V8v7 speed-up.
+
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+
+2013-03-07 Roger Fong <roger_fong@apple.com>
+
+ Build fix for AppleWin VS2010.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+
+2013-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Need a good way to reference event handlers without causing cycles
+ https://bugs.webkit.org/show_bug.cgi?id=111088
+
+ Reviewed by Geoffrey Garen.
+
+ JSManagedValue is like a special kind of weak value. When you create a JSManagedValue, you can
+ supply an Objective-C object as its "owner". As long as the Objective-C owner object remains
+ alive and its wrapper remains accessible to the JSC garbage collector (e.g. by being marked by
+ the global object), the reference to the JavaScript value is strong. As soon as the Objective-C
+ owner is deallocated or its wrapper becomes inaccessible to the garbage collector, the reference
+ becomes weak.
+
+ If you do not supply an owner or you use the weakValueWithValue: convenience class method, the
+ returned JSManagedValue behaves as a normal weak reference.
+
+ This new class allows clients to maintain references to JavaScript values in the Objective-C
+ heap without creating reference cycles/leaking memory.
+
+ * API/JSAPIWrapperObject.cpp: Added.
+ (JSC):
+ (JSC::::createStructure):
+ (JSC::JSAPIWrapperObject::JSAPIWrapperObject): This is a special JSObject for the Objective-C API that knows
+ for the purposes of garbage collection/marking that it wraps an opaque Objective-C object.
+ (JSC::JSAPIWrapperObject::visitChildren): We add the pointer to the wrapped Objective-C object to the set of
+ opaque roots so that the weak handle owner for JSManagedValues can find it later.
+ * API/JSAPIWrapperObject.h: Added.
+ (JSC):
+ (JSAPIWrapperObject):
+ (JSC::JSAPIWrapperObject::wrappedObject):
+ (JSC::JSAPIWrapperObject::setWrappedObject):
+ * API/JSBase.cpp:
+ (JSSynchronousGarbageCollect):
+ * API/JSBasePrivate.h:
+ * API/JSCallbackObject.cpp:
+ (JSC):
+ * API/JSCallbackObject.h:
+ (JSC::JSCallbackObject::destroy): Moved this to the header so that we don't get link errors with JSAPIWrapperObject.
+ * API/JSContext.mm:
+ (-[JSContext initWithVirtualMachine:]): We weren't adding manually allocated/initialized JSVirtualMachine objects to
+ the global cache of virtual machines. The init methods handle this now rather than contextWithGlobalContextRef, since
+ not everyone is guaranteed to use the latter.
+ (-[JSContext initWithGlobalContextRef:]):
+ (+[JSContext contextWithGlobalContextRef:]):
+ * API/JSManagedValue.h: Added.
+ * API/JSManagedValue.mm: Added.
+ (JSManagedValueHandleOwner):
+ (managedValueHandleOwner):
+ (+[JSManagedValue weakValueWithValue:]):
+ (+[JSManagedValue managedValueWithValue:owner:]):
+ (-[JSManagedValue init]): We explicitly call the ARC entrypoints to initialize/get the weak owner field since we don't
+ use ARC when building our framework.
+ (-[JSManagedValue initWithValue:]):
+ (-[JSManagedValue initWithValue:owner:]):
+ (-[JSManagedValue dealloc]):
+ (-[JSManagedValue value]):
+ (-[JSManagedValue weakOwner]):
+ (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): If the Objective-C owner is still alive (i.e. loading the weak field
+ returns non-nil) and that value was added to the set of opaque roots by the wrapper for that Objective-C owner, then the the
+ JSObject to which the JSManagedObject refers is still alive.
+ * API/JSObjectRef.cpp: We have to add explicit checks for the JSAPIWrapperObject, just like the other types of JSCallbackObjects.
+ (JSObjectGetPrivate):
+ (JSObjectSetPrivate):
+ (JSObjectGetPrivateProperty):
+ (JSObjectSetPrivateProperty):
+ (JSObjectDeletePrivateProperty):
+ * API/JSValue.mm:
+ (objectToValueWithoutCopy):
+ * API/JSValueRef.cpp:
+ (JSValueIsObjectOfClass):
+ * API/JSVirtualMachine.mm:
+ (-[JSVirtualMachine initWithContextGroupRef:]):
+ (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
+ * API/JSWrapperMap.mm:
+ (wrapperFinalize):
+ (makeWrapper): This is our own internal version of JSObjectMake which creates JSAPIWrapperObjects, the Obj-C API
+ version of JSCallbackObjects.
+ (createObjectWithCustomBrand):
+ (-[JSObjCClassInfo wrapperForObject:]):
+ (tryUnwrapObjcObject):
+ * API/JavaScriptCore.h:
+ * API/tests/testapi.mm: Added new tests for the strong and weak uses of JSManagedValue in the context of an
+ onclick handler for an Objective-C object inserted into a JSContext.
+ (-[TextXYZ setWeakOnclick:]):
+ (-[TextXYZ setOnclick:]):
+ (-[TextXYZ weakOnclick]):
+ (-[TextXYZ onclick]):
+ (-[TextXYZ click]):
+ * CMakeLists.txt: Various build system additions.
+ * GNUmakefile.list.am:
+ * JavaScriptCore.gypi:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * runtime/JSGlobalObject.cpp: Added the new canonical Structure for the JSAPIWrapperObject class.
+ (JSC::JSGlobalObject::reset):
+ (JSC):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSGlobalObject):
+ (JSC::JSGlobalObject::objcWrapperObjectStructure):
+
+2013-03-06 Filip Pizlo <fpizlo@apple.com>
+
+ ConvertThis should be turned into Identity based on predictions in Fixup, rather than based on proofs in ConstantFolding
+ https://bugs.webkit.org/show_bug.cgi?id=111674
+
+ Reviewed by Oliver Hunt.
+
+ This gets rid of the speculated forms of ConvertThis in the backend, and has Fixup
+ convert them to either Identity(Object:@child) if the child is predicted object, or
+ Phantom(Other:@child) ; WeakJSConstant(global this object) if it's predicted Other.
+
+ The goal of this is to ensure that the optimization fixpoint doesn't create
+ Identity's, since doing so requires a rerun of CSE. So far this isn't a speed-up
+ but I'm hoping this will be a step towards reducing the need to rerun the fixpoint
+ so as to ultimately reduce compile times.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::executeEffects):
+ * dfg/DFGAssemblyHelpers.h:
+ (AssemblyHelpers):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (FixupPhase):
+ (JSC::DFG::FixupPhase::observeUseKindOnNode):
+ (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::globalThisObjectFor):
+ (Graph):
+ * dfg/DFGNode.h:
+ (Node):
+ (JSC::DFG::Node::convertToIdentity):
+ (JSC::DFG::Node::convertToWeakConstant):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-03-07 Peter Gal <galpeter@inf.u-szeged.hu>
+
+ Children method in LLINT AST Not class should return [@child]
+ https://bugs.webkit.org/show_bug.cgi?id=90740
+
+ Reviewed by Filip Pizlo.
+
+ * offlineasm/ast.rb: Fixed the return value of the children method in the Not AST class.
+
+2013-03-05 Oliver Hunt <oliver@apple.com>
+
+ Bring back eager resolution of function scoped variables
+ https://bugs.webkit.org/show_bug.cgi?id=111497
+
+ Reviewed by Geoffrey Garen.
+
+ This reverts the get/put_scoped_var part of the great non-local
+ variable resolution refactoring. This still leaves all the lazy
+ variable resolution logic as it's necessary for global property
+ resolution, and i don't want to make the patch bigger than it
+ already is.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ * bytecode/Opcode.h:
+ (JSC):
+ (JSC::padOpcodeName):
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::generateFunctionCodeBlock):
+ (JSC::UnlinkedFunctionExecutable::codeBlockFor):
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC):
+ (UnlinkedFunctionExecutable):
+ (UnlinkedCodeBlock):
+ (JSC::UnlinkedCodeBlock::usesGlobalObject):
+ (JSC::UnlinkedCodeBlock::setGlobalObjectRegister):
+ (JSC::UnlinkedCodeBlock::globalObjectRegister):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::ResolveResult::checkValidity):
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::emitLoadGlobalObject):
+ (JSC):
+ (JSC::BytecodeGenerator::resolve):
+ (JSC::BytecodeGenerator::resolveConstDecl):
+ (JSC::BytecodeGenerator::emitResolve):
+ (JSC::BytecodeGenerator::emitResolveBase):
+ (JSC::BytecodeGenerator::emitResolveBaseForPut):
+ (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
+ (JSC::BytecodeGenerator::emitResolveWithThis):
+ (JSC::BytecodeGenerator::emitGetStaticVar):
+ (JSC::BytecodeGenerator::emitPutStaticVar):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::ResolveResult::lexicalResolve):
+ (JSC::ResolveResult::isStatic):
+ (JSC::ResolveResult::depth):
+ (JSC::ResolveResult::index):
+ (ResolveResult):
+ (JSC::ResolveResult::ResolveResult):
+ (BytecodeGenerator):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ResolveNode::isPure):
+ (JSC::FunctionCallResolveNode::emitBytecode):
+ (JSC::PostfixNode::emitResolve):
+ (JSC::TypeOfResolveNode::emitBytecode):
+ (JSC::PrefixNode::emitResolve):
+ (JSC::ReadModifyResolveNode::emitBytecode):
+ (JSC::AssignResolveNode::emitBytecode):
+ (JSC::ConstDeclNode::emitCodeSingle):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::debugFail):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canCompileOpcode):
+ (JSC::DFG::canInlineOpcode):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * jit/JIT.h:
+ (JIT):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_scoped_var):
+ (JSC):
+ (JSC::JIT::emit_op_put_scoped_var):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_scoped_var):
+ (JSC):
+ (JSC::JIT::emit_op_put_scoped_var):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::getCodeBlock):
+ (JSC::CodeCache::getProgramCodeBlock):
+ (JSC::CodeCache::getEvalCodeBlock):
+ * runtime/CodeCache.h:
+ (JSC):
+ (CodeCache):
+ * runtime/Executable.cpp:
+ (JSC::EvalExecutable::compileInternal):
+ (JSC::FunctionExecutable::produceCodeBlockFor):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::createEvalCodeBlock):
+ * runtime/JSGlobalObject.h:
+ (JSGlobalObject):
+ * runtime/Options.cpp:
+ (JSC::Options::initialize):
+
+2013-03-06 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, roll out http://trac.webkit.org/changeset/144989
+
+ I think we want the assertion that I removed.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::merge):
+ (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
+ * dfg/DFGAbstractState.h:
+ (AbstractState):
+
+2013-03-06 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::AbstractState::merge() is still more complicated than it needs to be
+ https://bugs.webkit.org/show_bug.cgi?id=111619
+
+ Reviewed by Mark Hahnenberg.
+
+ This method is the one place where we still do some minimal amount of liveness pruning, but the style with
+ which it is written is awkward, and it makes an assertion about variablesAtTail that will be invalidated
+ by https://bugs.webkit.org/show_bug.cgi?id=111539.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::merge):
+ (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
+ * dfg/DFGAbstractState.h:
+ (AbstractState):
+
+2013-03-06 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should not run full CSE after the optimization fixpoint, since it really just wants store elimination
+ https://bugs.webkit.org/show_bug.cgi?id=111536
+
+ Reviewed by Oliver Hunt and Mark Hahnenberg.
+
+ The fixpoint will do aggressive load elimination and pure CSE. There's no need to do it after the fixpoint.
+ On the other hand, the fixpoint does not profit from doing store elimination (except for SetLocal/Flush).
+ Previously we had CSE do both, and had it avoid doing some store elimination during the fixpoint by querying
+ the fixpoint state. This changes CSE to be templated on mode - either NormalCSE or StoreElimination - so
+ that we explicitly put it into one of those modes depending on where we call it from. The goal is to reduce
+ time spent doing load elimination after the fixpoint, since that is just wasted cycles.
+
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::CSEPhase):
+ (JSC::DFG::CSEPhase::run):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ (JSC::DFG::CSEPhase::performBlockCSE):
+ (JSC::DFG::performCSE):
+ (DFG):
+ (JSC::DFG::performStoreElimination):
+ * dfg/DFGCSEPhase.h:
+ (DFG):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+
+2013-03-06 Andreas Kling <akling@apple.com>
+
+ Pack Structure members better.
+ <http://webkit.org/b/111593>
+ <rdar://problem/13359200>
+
+ Reviewed by Mark Hahnenberg.
+
+ Shrink Structure by 8 bytes (now at 104 bytes) on 64-bit by packing the members better.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ * runtime/Structure.h:
+ (Structure):
+
+2013-03-06 Andreas Kling <akling@apple.com>
+
+ Unreviewed, fix Windows build after r144910.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+
+2013-03-05 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should not check if nodes are shouldGenerate prior to DCE
+ https://bugs.webkit.org/show_bug.cgi?id=111520
+
+ Reviewed by Geoffrey Garen.
+
+ All nodes are live before DCE. We don't need to check that they aren't, because they
+ definitely will be.
+
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::performBlockCFA):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::pureCSE):
+ (JSC::DFG::CSEPhase::int32ToDoubleCSE):
+ (JSC::DFG::CSEPhase::constantCSE):
+ (JSC::DFG::CSEPhase::weakConstantCSE):
+ (JSC::DFG::CSEPhase::getCalleeLoadElimination):
+ (JSC::DFG::CSEPhase::getArrayLengthElimination):
+ (JSC::DFG::CSEPhase::globalVarLoadElimination):
+ (JSC::DFG::CSEPhase::scopedVarLoadElimination):
+ (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
+ (JSC::DFG::CSEPhase::globalVarStoreElimination):
+ (JSC::DFG::CSEPhase::scopedVarStoreElimination):
+ (JSC::DFG::CSEPhase::getByValLoadElimination):
+ (JSC::DFG::CSEPhase::checkStructureElimination):
+ (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
+ (JSC::DFG::CSEPhase::putStructureStoreElimination):
+ (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
+ (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
+ (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
+ (JSC::DFG::CSEPhase::checkArrayElimination):
+ (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
+ (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
+ (JSC::DFG::CSEPhase::getLocalLoadElimination):
+ (JSC::DFG::CSEPhase::setLocalStoreElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+
+2013-03-06 Csaba Osztrogonác <ossy@webkit.org>
+
+ Fix unused parameter warnings in ARM assembler
+ https://bugs.webkit.org/show_bug.cgi?id=111433
+
+ Reviewed by Kentaro Hara.
+
+ * assembler/ARMAssembler.h: Remove unreachable revertJump() after r143346.
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::moveIntsToDouble): Remove unused scratch parameter instead of UNUSED_PARAM.
+ (JSC::MacroAssemblerARM::branchConvertDoubleToInt32): Remove unused fpTemp parameter.
+ (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch): Remove unused parameters.
+
+2013-03-06 Andreas Kling <akling@apple.com>
+
+ Unused Structure property tables waste 14MB on Membuster.
+ <http://webkit.org/b/110854>
+ <rdar://problem/13292104>
+
+ Reviewed by Geoffrey Garen.
+
+ Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
+ 14 MB progression on Membuster3.
+
+ This time it should stick; I've been through all the tests with COLLECT_ON_EVERY_ALLOCATION.
+ The issue with the last version was that Structure::m_offset could be used uninitialized
+ when re-materializing a previously GC'd property table, causing some sanity checks to fail.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.gypi:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+
+ Added PropertyTable.cpp.
+
+ * runtime/PropertyTable.cpp: Added.
+ (JSC::PropertyTable::create):
+ (JSC::PropertyTable::clone):
+ (JSC::PropertyTable::PropertyTable):
+ (JSC::PropertyTable::destroy):
+ (JSC::PropertyTable::~PropertyTable):
+ (JSC::PropertyTable::visitChildren):
+
+ Moved marking of property table values here from Structure::visitChildren().
+
+ * runtime/WriteBarrier.h:
+ (JSC::WriteBarrierBase::get):
+
+ Move m_cell to a local before using it multiple times. This avoids a multiple-access race when
+ Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread
+ zaps the property table.
+
+ * runtime/Structure.h:
+ (JSC::Structure::materializePropertyMapIfNecessary):
+ (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
+ * runtime/StructureInlines.h:
+ (JSC::Structure::propertyTable):
+
+ Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active.
+ Because GC can zap an unpinned property table at any time, it's not entirely safe to access it.
+ Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves.
+
+ (JSC::Structure::putWillGrowOutOfLineStorage):
+ (JSC::Structure::checkOffsetConsistency):
+
+ Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::visitChildren):
+
+ Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.
+
+ (JSC::Structure::takePropertyTableOrCloneIfPinned):
+
+ Added for setting up the property table in a new transition, this code is now shared between
+ addPropertyTransition() and nonPropertyTransition().
+
+ * runtime/JSGlobalData.h:
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+
+ Add a global propertyTableStructure.
+
+ * runtime/PropertyMapHashTable.h:
+ (PropertyTable):
+ (JSC::PropertyTable::createStructure):
+ (JSC::PropertyTable::copy):
+
+ Make PropertyTable a GC object.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::dumpStatistics):
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::despecifyDictionaryFunction):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::attributeChangeTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::sealTransition):
+ (JSC::Structure::freezeTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::isSealed):
+ (JSC::Structure::isFrozen):
+ (JSC::Structure::flattenDictionaryStructure):
+ (JSC::Structure::pin):
+ (JSC::Structure::copyPropertyTable):
+ (JSC::Structure::copyPropertyTableForPinning):
+ (JSC::Structure::get):
+ (JSC::Structure::despecifyFunction):
+ (JSC::Structure::despecifyAllFunctions):
+ (JSC::Structure::putSpecificValue):
+ (JSC::Structure::remove):
+ (JSC::Structure::createPropertyMap):
+ (JSC::Structure::getPropertyNamesFromStructure):
+ (JSC::Structure::checkConsistency):
+
+2013-03-05 Filip Pizlo <fpizlo@apple.com>
+
+ Get rid of the invert argument to SpeculativeJIT::jumpSlowForUnwantedArrayMode
+ https://bugs.webkit.org/show_bug.cgi?id=105624
+
+ Reviewed by Oliver Hunt.
+
+ All callers pass invert = false, which is the default value of the argument. So, get
+ rid of the argument and fold away all code that checks it.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+
+2013-03-05 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, fix an incorrect comment. The comment was a holdover from a work-in-progress version of this code.
+
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::run):
+
+2013-03-04 Filip Pizlo <fpizlo@apple.com>
+
+ DFG DCE might eliminate checks unsoundly
+ https://bugs.webkit.org/show_bug.cgi?id=109389
+
+ Reviewed by Oliver Hunt.
+
+ This gets rid of all eager reference counting, and does all dead code elimination
+ in one phase - the DCEPhase. This phase also sets up the node reference counts,
+ which are then used not just for DCE but also register allocation and stack slot
+ allocation.
+
+ Doing this required a number of surgical changes in places that previously relied
+ on always having liveness information. For example, the structure check hoisting
+ phase must now consult whether a VariableAccessData is profitable for unboxing to
+ make sure that it doesn't try to do hoisting on set SetLocals. The arguments
+ simplification phase employs its own light-weight liveness analysis. Both phases
+ previously just used reference counts.
+
+ The largest change is that now, dead nodes get turned into Phantoms. Those
+ Phantoms will retain those child edges that are not proven. This ensures that any
+ type checks performed by a dead node remain even after the node is killed. On the
+ other hand, this Phantom conversion means that we need special handling for
+ SetLocal. I decided to make the four forms of SetLocal explicit:
+
+ MovHint(@a, rK): Just indicates that node @a contains the value that would have
+ now been placed into virtual register rK. Does not actually cause @a to be
+ stored into rK. This would have previously been a dead SetLocal with @a
+ being live. MovHints are always dead.
+
+ ZombieHint(rK): Indicates that at this point, register rK will contain a dead
+ value and OSR should put Undefined into it. This would have previously been
+ a dead SetLocal with @a being dead also. ZombieHints are always dead.
+
+ MovHintAndCheck(@a, rK): Identical to MovHint except @a is also type checked,
+ according to whatever UseKind the edge to @a has. The type check is always a
+ forward exit. MovHintAndChecks are always live, since they are
+ NodeMustGenerate. Previously this would have been a dead SetLocal with a
+ live @a, and the check would have disappeared. This is one of the bugs that
+ this patch solves.
+
+ SetLocal(@a, rK): This still does exactly what it does now, if the SetLocal is
+ live.
+
+ Basically this patch makes it so that dead SetLocals eventually decay to MovHint,
+ ZombieHint, or MovHintAndCheck depending on the situation. If the child @a is
+ also dead, then you get a ZombieHint. If the child @a is live but the SetLocal
+ has a type check and @a's type hasn't been proven to have that type then you get
+ a MovHintAndCheck. Otherwise you get a MovHint.
+
+ This is performance neutral.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::executeEffects):
+ (JSC::DFG::AbstractState::mergeStateAtTail):
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ (ArgumentsSimplificationPhase):
+ (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
+ * dfg/DFGBasicBlock.h:
+ (BasicBlock):
+ * dfg/DFGBasicBlockInlines.h:
+ (DFG):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::addToGraph):
+ (JSC::DFG::ByteCodeParser::insertPhiNode):
+ (JSC::DFG::ByteCodeParser::emitFunctionChecks):
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::run):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::run):
+ (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
+ (JSC::DFG::CSEPhase::setReplacement):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGCommon.cpp:
+ (WTF::printInternal):
+ (WTF):
+ * dfg/DFGCommon.h:
+ (WTF):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
+ (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
+ * dfg/DFGDCEPhase.cpp: Added.
+ (DFG):
+ (DCEPhase):
+ (JSC::DFG::DCEPhase::DCEPhase):
+ (JSC::DFG::DCEPhase::run):
+ (JSC::DFG::DCEPhase::findTypeCheckRoot):
+ (JSC::DFG::DCEPhase::countEdge):
+ (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
+ (JSC::DFG::performDCE):
+ * dfg/DFGDCEPhase.h: Added.
+ (DFG):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::checkArray):
+ (JSC::DFG::FixupPhase::blessArrayOperation):
+ (JSC::DFG::FixupPhase::fixIntEdge):
+ (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
+ (JSC::DFG::FixupPhase::truncateConstantToInt32):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::Graph::dump):
+ (DFG):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::changeChild):
+ (JSC::DFG::Graph::changeEdge):
+ (JSC::DFG::Graph::compareAndSwap):
+ (JSC::DFG::Graph::clearAndDerefChild):
+ (JSC::DFG::Graph::performSubstitution):
+ (JSC::DFG::Graph::performSubstitutionForEdge):
+ (Graph):
+ (JSC::DFG::Graph::substitute):
+ * dfg/DFGInsertionSet.h:
+ (InsertionSet):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::Node):
+ (JSC::DFG::Node::convertToConstant):
+ (JSC::DFG::Node::convertToGetLocalUnlinked):
+ (JSC::DFG::Node::containsMovHint):
+ (Node):
+ (JSC::DFG::Node::hasVariableAccessData):
+ (JSC::DFG::Node::willHaveCodeGenOrOSR):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
+ (JSC::DFG::SpeculativeJIT::compileMovHint):
+ (JSC::DFG::SpeculativeJIT::compileMovHintAndCheck):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::compileInlineStart):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ (JSC::DFG::StructureCheckHoistingPhase::shouldConsiderForHoisting):
+ (StructureCheckHoistingPhase):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+
+2013-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: JSValue should implement init and return nil in exceptional cases
+ https://bugs.webkit.org/show_bug.cgi?id=111487
+
+ Reviewed by Darin Adler.
+
+ * API/JSValue.mm:
+ (-[JSValue init]): We return nil here because there is no way to get the instance into a coherent state
+ without a JSContext.
+ (-[JSValue initWithValue:inContext:]): Similarly, we should also return nil here if either of the arguments is 0.
+
+2013-03-05 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r144708.
+ http://trac.webkit.org/changeset/144708
+ https://bugs.webkit.org/show_bug.cgi?id=111447
+
+ random assertion crashes in inspector tests on qt+mac bots
+ (Requested by kling on #webkit).
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.gypi:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ * runtime/PropertyMapHashTable.h:
+ (PropertyTable):
+ (JSC::PropertyTable::PropertyTable):
+ (JSC):
+ (JSC::PropertyTable::~PropertyTable):
+ (JSC::PropertyTable::copy):
+ * runtime/PropertyTable.cpp: Removed.
+ * runtime/Structure.cpp:
+ (JSC::Structure::dumpStatistics):
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::despecifyDictionaryFunction):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::attributeChangeTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::sealTransition):
+ (JSC::Structure::freezeTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::isSealed):
+ (JSC::Structure::isFrozen):
+ (JSC::Structure::flattenDictionaryStructure):
+ (JSC::Structure::pin):
+ (JSC::Structure::copyPropertyTable):
+ (JSC::Structure::copyPropertyTableForPinning):
+ (JSC::Structure::get):
+ (JSC::Structure::despecifyFunction):
+ (JSC::Structure::despecifyAllFunctions):
+ (JSC::Structure::putSpecificValue):
+ (JSC::Structure::remove):
+ (JSC::Structure::createPropertyMap):
+ (JSC::Structure::getPropertyNamesFromStructure):
+ (JSC::Structure::visitChildren):
+ (JSC::Structure::checkConsistency):
+ * runtime/Structure.h:
+ (JSC):
+ (JSC::Structure::putWillGrowOutOfLineStorage):
+ (JSC::Structure::materializePropertyMapIfNecessary):
+ (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
+ (JSC::Structure::checkOffsetConsistency):
+ (Structure):
+ * runtime/StructureInlines.h:
+ (JSC::Structure::get):
+ * runtime/WriteBarrier.h:
+ (JSC::WriteBarrierBase::get):
+
+2013-03-05 David Kilzer <ddkilzer@apple.com>
+
+ BUILD FIX (r144698): Only enable SPEECH_SYNTHESIS for Mac
+ <http://webkit.org/b/106742>
+
+ Fixes the following build failures:
+
+ Undefined symbols for architecture i386:
+ "__ZTVN7WebCore25PlatformSpeechSynthesizerE", referenced from:
+ __ZN7WebCore25PlatformSpeechSynthesizerC2EPNS_31PlatformSpeechSynthesizerClientE in PlatformSpeechSynthesizer.o
+ NOTE: a missing vtable usually means the first non-inline virtual member function has no definition.
+ "__ZN7WebCore25PlatformSpeechSynthesizer19initializeVoiceListEv", referenced from:
+ __ZN7WebCore25PlatformSpeechSynthesizerC2EPNS_31PlatformSpeechSynthesizerClientE in PlatformSpeechSynthesizer.o
+ ld: symbol(s) not found for architecture i386
+
+ * Configurations/FeatureDefines.xcconfig:
+ - Fix definition of ENABLE_ENCRYPTED_MEDIA_V2_macosx to match
+ other FeatureDefines.xcconfig files.
+ - Only set ENABLE_SPEECH_SYNTHESIS for the macosx platform.
+
+2013-03-04 Andreas Kling <akling@apple.com>
+
+ Unused Structure property tables waste 14MB on Membuster.
+ <http://webkit.org/b/110854>
+ <rdar://problem/13292104>
+
+ Reviewed by Geoffrey Garen.
+
+ Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
+ 14 MB progression on Membuster3.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.gypi:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+
+ Added PropertyTable.cpp.
+
+ * runtime/PropertyTable.cpp: Added.
+ (JSC::PropertyTable::create):
+ (JSC::PropertyTable::clone):
+ (JSC::PropertyTable::PropertyTable):
+ (JSC::PropertyTable::destroy):
+ (JSC::PropertyTable::~PropertyTable):
+ (JSC::PropertyTable::visitChildren):
+
+ Moved marking of property table values here from Structure::visitChildren().
+
+ * runtime/WriteBarrier.h:
+ (JSC::WriteBarrierBase::get):
+
+ Move m_cell to a local before using it multiple times. This avoids a multiple-access race when
+ Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread
+ zaps the property table.
+
+ * runtime/Structure.h:
+ (JSC::Structure::materializePropertyMapIfNecessary):
+ (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
+ * runtime/StructureInlines.h:
+ (JSC::Structure::propertyTable):
+
+ Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active.
+ Because GC can zap an unpinned property table at any time, it's not entirely safe to access it.
+ Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves.
+
+ (JSC::Structure::putWillGrowOutOfLineStorage):
+ (JSC::Structure::checkOffsetConsistency):
+
+ Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::visitChildren):
+
+ Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.
+
+ * runtime/JSGlobalData.h:
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+
+ Add a global propertyTableStructure.
+
+ * runtime/PropertyMapHashTable.h:
+ (PropertyTable):
+ (JSC::PropertyTable::createStructure):
+ (JSC::PropertyTable::copy):
+
+ Make PropertyTable a GC object.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::dumpStatistics):
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::despecifyDictionaryFunction):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::attributeChangeTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::sealTransition):
+ (JSC::Structure::freezeTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::isSealed):
+ (JSC::Structure::isFrozen):
+ (JSC::Structure::flattenDictionaryStructure):
+ (JSC::Structure::pin):
+ (JSC::Structure::copyPropertyTable):
+ (JSC::Structure::copyPropertyTableForPinning):
+ (JSC::Structure::get):
+ (JSC::Structure::despecifyFunction):
+ (JSC::Structure::despecifyAllFunctions):
+ (JSC::Structure::putSpecificValue):
+ (JSC::Structure::remove):
+ (JSC::Structure::createPropertyMap):
+ (JSC::Structure::getPropertyNamesFromStructure):
+ (JSC::Structure::checkConsistency):
+
+2013-03-04 Chris Fleizach <cfleizach@apple.com>
+
+ Support WebSpeech - Speech Synthesis
+ https://bugs.webkit.org/show_bug.cgi?id=106742
+
+ Reviewed by Simon Fraser.
+
+ Enable speech synthesis for the Mac.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-03-04 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Remove contextInternalContext from JSContextInternal.h
+ https://bugs.webkit.org/show_bug.cgi?id=111356
+
+ Reviewed by Geoffrey Garen.
+
+ We don't need it any more since we have globalContextRef in JSContext.
+
+ * API/JSContext.mm:
+ * API/JSContextInternal.h:
+ * API/JSValue.mm:
+ (+[JSValue valueWithBool:inContext:]):
+ (+[JSValue valueWithDouble:inContext:]):
+ (+[JSValue valueWithInt32:inContext:]):
+ (+[JSValue valueWithUInt32:inContext:]):
+ (+[JSValue valueWithNewObjectInContext:]):
+ (+[JSValue valueWithNewArrayInContext:]):
+ (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
+ (+[JSValue valueWithNewErrorFromMessage:inContext:]):
+ (+[JSValue valueWithNullInContext:]):
+ (+[JSValue valueWithUndefinedInContext:]):
+ (-[JSValue toBool]):
+ (-[JSValue toDouble]):
+ (-[JSValue toNumber]):
+ (-[JSValue toString]):
+ (-[JSValue toDate]):
+ (-[JSValue toArray]):
+ (-[JSValue toDictionary]):
+ (-[JSValue valueForProperty:]):
+ (-[JSValue setValue:forProperty:]):
+ (-[JSValue deleteProperty:]):
+ (-[JSValue hasProperty:]):
+ (-[JSValue valueAtIndex:]):
+ (-[JSValue setValue:atIndex:]):
+ (-[JSValue isUndefined]):
+ (-[JSValue isNull]):
+ (-[JSValue isBoolean]):
+ (-[JSValue isNumber]):
+ (-[JSValue isString]):
+ (-[JSValue isObject]):
+ (-[JSValue isEqualToObject:]):
+ (-[JSValue isEqualWithTypeCoercionToObject:]):
+ (-[JSValue isInstanceOf:]):
+ (-[JSValue callWithArguments:]):
+ (-[JSValue constructWithArguments:]):
+ (-[JSValue invokeMethod:withArguments:]):
+ (valueToObject):
+ (objectToValueWithoutCopy):
+ (objectToValue):
+ (-[JSValue initWithValue:inContext:]):
+ (-[JSValue dealloc]):
+ (-[JSValue description]):
+ * API/JSWrapperMap.mm:
+ (createObjectWithCustomBrand):
+ (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
+ (-[JSObjCClassInfo wrapperForObject:]):
+ (-[JSWrapperMap jsWrapperForObject:]):
+ * API/ObjCCallbackFunction.mm:
+ (ObjCCallbackFunction::call):
+ (objCCallbackFunctionForInvocation):
+
+2013-03-04 Andreas Kling <akling@apple.com>
+
+ Add simple vector traits for JSC::Identifier.
+ <http://webkit.org/b/111323>
+
+ Reviewed by Geoffrey Garen.
+
+ Identifiers are really just Strings, giving them simple vector traits makes
+ Vector move them with memcpy() instead of churning the refcounts.
+
+ * runtime/Identifier.h:
+ (WTF):
+
+2013-03-04 Kunihiko Sakamoto <ksakamoto@chromium.org>
+
+ Add build flag for FontLoader
+ https://bugs.webkit.org/show_bug.cgi?id=111289
+
+ Reviewed by Benjamin Poulain.
+
+ Add ENABLE_FONT_LOAD_EVENTS build flag (disabled by default).
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-03-03 Andreas Kling <akling@apple.com>
+
+ Shrink JSC::HashTable entries.
+ <http://webkit.org/b/111275>
+ <rdar://problem/13333511>
+
+ Reviewed by Anders Carlsson.
+
+ Move the Intrinsic value out of the function-specific part of the union,
+ and store it next to m_attributes. Reduces the size of HashEntry by 8 bytes.
+
+ 990 kB progression on Membuster3. (PTUS: 797 kB)
+
+ * runtime/Lookup.h:
+ (JSC::HashEntry::initialize):
+ (JSC::HashEntry::intrinsic):
+ (HashEntry):
+
+2013-03-01 David Kilzer <ddkilzer@apple.com>
+
+ BUILD FIX: testapi should link to Foundation, not CoreFoundation
+
+ * JavaScriptCore.xcodeproj/project.pbxproj: Change testapi to
+ link to Foundation.framework instead of CoreFoundation.framework
+ since it uses NS types.
+
+2013-03-01 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Passing JS functions to Objective-C callbacks causes JSValue to leak
+ https://bugs.webkit.org/show_bug.cgi?id=107836
+
+ Reviewed by Oliver Hunt.
+
+ We've decided to remove support for this feature from the API because there's no way to automatically manage
+ the memory for clients in a satisfactory manner. Clients can still pass JS functions to Objective-C methods,
+ but the methods must accept plain JSValues instead of Objective-C blocks.
+
+ We now ignore functions that are part of a protocol that inherits from JSExport that accept blocks as arguments.
+
+ * API/JSBlockAdaptor.h: Removed.
+ * API/JSBlockAdaptor.mm: Removed.
+ * API/ObjCCallbackFunction.mm:
+ (ArgumentTypeDelegate::typeBlock): Return nil to signal that we want to ignore this function when copying it
+ to the object from the protocol.
+ * API/tests/testapi.mm: Added a test to make sure that we ignore methods declared as part of a JSExport-ed protocol
+ that have block arguments.
+ (-[TestObject bogusCallback:]):
+ * JavaScriptCore.gypi: Updated build files.
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2013-03-01 Filip Pizlo <fpizlo@apple.com>
+
+ DFG Branch(LogicalNot) peephole should not try to optimize and work-around the case where LogicalNot may be otherwise live
+ https://bugs.webkit.org/show_bug.cgi?id=111209
+
+ Reviewed by Oliver Hunt.
+
+ Even if it is then everything will work just fine. It's not necessary to check the ref count here.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+
+2013-03-01 Filip Pizlo <fpizlo@apple.com>
+
+ DFG CSE phase shouldn't rely on ref count of nodes, since it doesn't have to
+ https://bugs.webkit.org/show_bug.cgi?id=111205
+
+ Reviewed by Oliver Hunt.
+
+ I don't understand the intuition behind setLocalStoreElimination() validating that the SetLocal's ref count
+ is 1. I believe this is a hold-over from when setLocalStoreElimination() would match one SetLocal to another,
+ and then try to eliminate the first SetLocal. But that's not how it works now. Now, setLocalStoreElimination()
+ is actually Flush elimination: it eliminates any Flush that anchors a SetLocal if it proves that every path
+ from the SetLocal to the Flush is devoid of operations that may observe the local. It doesn't actually kill
+ the SetLocal itself: if the SetLocal is live because of other things (other Flushes or GetLocals in other
+ basic blocks), then the SetLocal will naturally still be alive because th Flush was only keeping the SetLocal
+ alive by one count rather than being solely responsible for its liveness.
+
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::setLocalStoreElimination):
+ (JSC::DFG::CSEPhase::eliminate):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+
+2013-03-01 Filip Pizlo <fpizlo@apple.com>
+
+ Rename MovHint to MovHintEvent so I can create a NodeType called MovHint
+
+ Rubber stamped by Mark Hahnenberg.
+
+ This is similar to the SetLocal/SetLocalEvent naming scheme, where SetLocal is the
+ NodeType and SetLocalEvent is the VariableEventKind.
+
+ * dfg/DFGVariableEvent.cpp:
+ (JSC::DFG::VariableEvent::dump):
+ * dfg/DFGVariableEvent.h:
+ (JSC::DFG::VariableEvent::movHint):
+ (JSC::DFG::VariableEvent::id):
+ (JSC::DFG::VariableEvent::operand):
+ (VariableEvent):
+ * dfg/DFGVariableEventStream.cpp:
+ (JSC::DFG::VariableEventStream::reconstruct):
+
+2013-03-01 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>
+
+ [JSC] Fix sign comparison warning/error after r144340.
+ https://bugs.webkit.org/show_bug.cgi?id=111164
+
+ Reviewed by Mark Hahnenberg.
+
+ gcc (both 4.2.1 and 4.7.2) complain about comparing signed and
+ unsigned terms (clang accepts it just fine).
+
+ Work around that by casting the 1 to an uintptr_t as well.
+
+ * dfg/DFGEdge.h:
+ (JSC::DFG::Edge::makeWord):
+
+2013-02-28 Filip Pizlo <fpizlo@apple.com>
+
+ DFG CFA should not do liveness pruning
+ https://bugs.webkit.org/show_bug.cgi?id=111119
+
+ Reviewed by Mark Hahnenberg.
+
+ It adds complexity and probably buys nothing. Moreover, I'm transitioning to having
+ liveness only available at the bitter end of compilation, so this will stop working
+ after https://bugs.webkit.org/show_bug.cgi?id=109389 anyway.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::initialize):
+ (JSC::DFG::AbstractState::mergeStateAtTail):
+
+2013-02-28 Filip Pizlo <fpizlo@apple.com>
+
+ Don't try to emit profiling if you don't have the DFG JIT.
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * jit/JIT.h:
+ (JSC::JIT::shouldEmitProfiling):
+
+2013-02-28 Filip Pizlo <fpizlo@apple.com>
+
+ DFG Phantom node should be honest about the fact that it can exit
+ https://bugs.webkit.org/show_bug.cgi?id=111115
+
+ Reviewed by Mark Hahnenberg.
+
+ The chances of this having cause serious issues are low, since most clients of the
+ NodeDoesNotExit flag run after CFA and CFA updates this properly. But one possible
+ case of badness is if the ByteCodeParser inserted a Phantom with a type check in
+ between a LogicalNot and a Branch; then that peephole optimization in Fixup might
+ go slightly wrong.
+
+ * dfg/DFGNodeType.h:
+ (DFG):
+
+2013-02-28 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Add casts in DFGGPRInfo.h to suppress warnings
+ https://bugs.webkit.org/show_bug.cgi?id=111104
+
+ Reviewed by Filip Pizlo.
+
+ With certain flags on, we get compiler warnings on ARM. We should do the proper casts to make these warnings go away.
+
+ * dfg/DFGGPRInfo.h:
+ (JSC::DFG::GPRInfo::toIndex):
+ (JSC::DFG::GPRInfo::debugName):
+
+2013-02-28 Filip Pizlo <fpizlo@apple.com>
+
+ It should be easy to determine if a DFG node exits forward or backward when doing type checks
+ https://bugs.webkit.org/show_bug.cgi?id=111102
+
+ Reviewed by Mark Hahnenberg.
+
+ This adds a NodeExitsForward flag, which tells you the exit directionality of
+ type checks performed by the node. Even if you convert the node to a Phantom
+ and use the Edge UseKind for type checks, you'll still get the same exit
+ directionality that the original node would have wanted.
+
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGArrayifySlowPathGenerator.h:
+ (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::setReplacement):
+ (JSC::DFG::CSEPhase::eliminate):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::checkArray):
+ * dfg/DFGNode.h:
+ (Node):
+ (JSC::DFG::Node::setOpAndDefaultNonExitFlags):
+ (JSC::DFG::Node::convertToPhantom):
+ * dfg/DFGNodeFlags.cpp:
+ (JSC::DFG::nodeFlagsAsString):
+ * dfg/DFGNodeFlags.h:
+ (DFG):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::backwardSpeculationCheck):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::speculationCheck):
+ (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
+ (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
+ (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
+ (JSC::DFG::SpeculativeJIT::typeCheck):
+ (JSC::DFG::SpeculativeJIT::forwardTypeCheck):
+ (JSC::DFG::SpeculativeJIT::fillStorage):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
+ (JSC::DFG::SpeculateIntegerOperand::gpr):
+ (SpeculateIntegerOperand):
+ (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
+ (JSC::DFG::SpeculateDoubleOperand::fpr):
+ (SpeculateDoubleOperand):
+ (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
+ (JSC::DFG::SpeculateCellOperand::gpr):
+ (SpeculateCellOperand):
+ (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
+ (JSC::DFG::SpeculateBooleanOperand::gpr):
+ (SpeculateBooleanOperand):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-02-28 Filip Pizlo <fpizlo@apple.com>
+
+ CodeBlock::valueProfile() has a bogus assertion
+ https://bugs.webkit.org/show_bug.cgi?id=111106
+ <rdar://problem/13131427>
+
+ Reviewed by Mark Hahnenberg.
+
+ This was just a bad assertion: m_bytecodeOffset == -1 means that the value profile is constructed but not initialized.
+ ValueProfile constructs itself in a safe way; you can call any method you want on a constructed but not initialized
+ ValueProfile. CodeBlock first constructs all ValueProfiles (by growing the ValueProfile vector) and then initializes
+ their m_bytecodeOffset later. This is necessary because the initialization is linking bytecode instructions to their
+ ValueProfiles, so at that point we don't want the ValueProfile vector to resize, which implies that we want all of
+ them to already be constructed. A GC can happen during this phase, and the GC may want to walk all ValueProfiles.
+ This is safe, but one of the ValueProfile getters (CodeBlock::valueProfile()) was asserting that any value profile
+ you get has had its m_bytecodeOffset initialized. This need not be the case and nothing will go wrong if it isn't.
+
+ The solution is to remove the assertion, which I believe was put there to ensure that my m_valueProfiles refactoring
+ a long time ago was sound: it used to be that a ValueProfile with m_bytecodeOffset == -1 was an argument profile; now
+ all argument profiles are in m_argumentValueProfiles instead. I think it's safe to say that this refactoring was done
+ soundly since it was a long time ago. So we should kill the assertion - I don't see an easy way to make the assertion
+ sound with respect to the GC-during-CodeBlock-construction issue, and I don't believe that the assertion is buying us
+ anything at this point.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::valueProfile):
+
+2013-02-27 Filip Pizlo <fpizlo@apple.com>
+
+ DFG CFA should leave behind information in Edge that says if the Edge's type check is proven to succeed
+ https://bugs.webkit.org/show_bug.cgi?id=110840
+
+ Reviewed by Mark Hahnenberg.
+
+ This doesn't add any observable functionality to the compiler, yet. But it does give
+ every phase that runs after CFA the ability to know, in O(1) time, whether an edge
+ will need to execute a type check.
+
+ * dfg/DFGAbstractState.h:
+ (JSC::DFG::AbstractState::filterEdgeByUse):
+ (JSC::DFG::AbstractState::filterByType):
+ * dfg/DFGCommon.cpp:
+ (WTF):
+ (WTF::printInternal):
+ * dfg/DFGCommon.h:
+ (JSC::DFG::isProved):
+ (DFG):
+ (JSC::DFG::proofStatusForIsProved):
+ (WTF):
+ * dfg/DFGEdge.cpp:
+ (JSC::DFG::Edge::dump):
+ * dfg/DFGEdge.h:
+ (JSC::DFG::Edge::Edge):
+ (JSC::DFG::Edge::setNode):
+ (JSC::DFG::Edge::useKindUnchecked):
+ (JSC::DFG::Edge::setUseKind):
+ (Edge):
+ (JSC::DFG::Edge::proofStatusUnchecked):
+ (JSC::DFG::Edge::proofStatus):
+ (JSC::DFG::Edge::setProofStatus):
+ (JSC::DFG::Edge::isProved):
+ (JSC::DFG::Edge::needsCheck):
+ (JSC::DFG::Edge::shift):
+ (JSC::DFG::Edge::makeWord):
+
+2013-02-28 Simon Hausmann <simon.hausmann@digia.com>
+
+ [Qt][Mac] Fix massive parallel builds
+
+ Reviewed by Tor Arne Vestbø.
+
+ There exists a race condition that LLIntDesiredOffsets.h is written to
+ by two parllel instances of the ruby script. This patch ensures that similar to the output file,
+ the generated file is also prefixed according to the build configuration.
+
+ * LLIntOffsetsExtractor.pro:
+
+2013-02-27 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r144168.
+ http://trac.webkit.org/changeset/144168
+ https://bugs.webkit.org/show_bug.cgi?id=111019
+
+ It broke the build and tronical is unavailable (Requested by
+ Ossy_night on #webkit).
+
+ * LLIntOffsetsExtractor.pro:
+
+2013-02-26 Filip Pizlo <fpizlo@apple.com>
+
+ Disable some unsound DFG DCE
+ https://bugs.webkit.org/show_bug.cgi?id=110948
+
+ Reviewed by Michael Saboff.
+
+ DCE of bitops is not sound since the bitops might call some variant of valueOf.
+
+ This used to work right because ValueToInt32 was MustGenerate. From the DFG IR
+ standpoint it feels weird to make ValueToInt32 be MustGenerate since that node is
+ implemented entirely as a pure conversion. If we ever gave the DFG the ability to
+ do effectful bitops, we would most likely implement them as special nodes not
+ related to the ValueToInt32 and bitop nodes we have now.
+
+ This change is performance neutral.
+
+ * dfg/DFGNodeType.h:
+ (DFG):
+
+2013-02-27 Glenn Adams <glenn@skynav.com>
+
+ Add ENABLE_CSS3_TEXT_LINE_BREAK flag.
+ https://bugs.webkit.org/show_bug.cgi?id=110944
+
+ Reviewed by Dean Jackson.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-02-27 Julien Brianceau <jbrianceau@nds.com>
+
+ Fix build when DFG_JIT is not enabled
+ https://bugs.webkit.org/show_bug.cgi?id=110991
+
+ Reviewed by Csaba Osztrogonác.
+
+ * jit/JIT.h:
+ (JSC::JIT::canBeOptimizedOrInlined):
+
+2013-02-27 Simon Hausmann <simon.hausmann@digia.com>
+
+ [Qt][Mac] Fix massive parallel builds
+
+ Reviewed by Tor Arne Vestbø.
+
+ There exists a race condition that LLIntDesiredOffsets.h is written to
+ by two parllel instances of the ruby script. This patch ensures that similar to the output file,
+ the generated file is also prefixed according to the build configuration.
+
+ * LLIntOffsetsExtractor.pro:
+
+2013-02-26 Filip Pizlo <fpizlo@apple.com>
+
+ DFG OSR exit doesn't know which virtual register to use for the last result register for post_inc and post_dec
+ https://bugs.webkit.org/show_bug.cgi?id=109036
+ <rdar://problem/13292139>
+
+ Reviewed by Gavin Barraclough.
+
+ This was a two-fold problem:
+
+ 1) post_inc/dec has two results - the new value of the variable, and the old value of the variable. DFG OSR exit
+ assumed that the "last result" used for the Baseline JIT's register allocation would be the new value. It was
+ wrong in this assumption.
+
+ 2) The Baseline JIT knew to disable its last result optimization in cases where it might confuse the DFG. But it
+ was doing this only for code blocks that could be totally optimized, but not code blocks that could only be
+ optimized when inlined.
+
+ This patch introduces a more rigorous notion of when the Baseline JIT emits profiling, when it does extra work
+ to account for the possibility of OSR exit, and when it does extra work to account for the possibility of OSR
+ entry. These notions are called shouldEmitProfiling(), canBeOptimizedOrInlined(), and canBeOptimized(),
+ respectively.
+
+ This is performance-neutral and fixes the reported bug. It probably fixes other bugs as well, since previously
+ we for example weren't doing the more conservative implementation of op_mov in the Baseline JIT for code blocks
+ that could be inlined but not optimized. So, if such a code block OSR exited at just the right point, you'd get
+ symptoms similar to this bug.
+
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canCompileOpcode):
+ * dfg/DFGCommon.h:
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompile):
+ * jit/JIT.h:
+ (JSC::JIT::compilePatchGetArrayLength):
+ (JSC::JIT::canBeOptimizedOrInlined):
+ (JIT):
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emit_op_post_inc):
+ (JSC::JIT::emit_op_post_dec):
+ * jit/JITArithmetic32_64.cpp:
+ (JSC::JIT::emit_op_post_inc):
+ (JSC::JIT::emit_op_post_dec):
+ * jit/JITCall.cpp:
+ (JSC::JIT::emit_op_call_put_result):
+ (JSC::JIT::compileOpCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileOpCall):
+ * jit/JITInlines.h:
+ (JSC::JIT::emitArrayProfilingSite):
+ (JSC::JIT::map):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_mov):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::compileGetByIdHotPath):
+ (JSC::JIT::privateCompilePutByIdTransition):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::compileGetByIdHotPath):
+ (JSC::JIT::privateCompilePutByIdTransition):
+
+2013-02-26 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. AppleWin VS2010 build fix.
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-02-25 Filip Pizlo <fpizlo@apple.com>
+
+ The DFG backend's and OSR's decision to unbox a variable should be based on whether it's used in a typed context
+ https://bugs.webkit.org/show_bug.cgi?id=110433
+
+ Reviewed by Oliver Hunt and Mark Hahnenberg.
+
+ This introduces the equivalent of a liveness analysis, except for type checking.
+ A variable is said to be "profitable for unboxing" (i.e. live at a type check)
+ if there exists a type check on a GetLocal of that variable, and the type check
+ is consistent with the variable's prediction. Variables that are not profitable
+ for unboxing aren't unboxed. Previously they would have been.
+
+ This is a slight speed-up on some things but mostly neutral.
+
+ * dfg/DFGArgumentPosition.h:
+ (JSC::DFG::ArgumentPosition::ArgumentPosition):
+ (JSC::DFG::ArgumentPosition::mergeShouldNeverUnbox):
+ (JSC::DFG::ArgumentPosition::mergeArgumentPredictionAwareness):
+ (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness):
+ (ArgumentPosition):
+ (JSC::DFG::ArgumentPosition::isProfitableToUnbox):
+ (JSC::DFG::ArgumentPosition::shouldUseDoubleFormat):
+ * dfg/DFGCommon.h:
+ (JSC::DFG::checkAndSet):
+ (DFG):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::run):
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
+ (FixupPhase):
+ (JSC::DFG::FixupPhase::alwaysUnboxSimplePrimitives):
+ (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
+ * dfg/DFGVariableAccessData.h:
+ (JSC::DFG::VariableAccessData::VariableAccessData):
+ (JSC::DFG::VariableAccessData::mergeIsCaptured):
+ (JSC::DFG::VariableAccessData::mergeIsProfitableToUnbox):
+ (VariableAccessData):
+ (JSC::DFG::VariableAccessData::isProfitableToUnbox):
+ (JSC::DFG::VariableAccessData::shouldUnboxIfPossible):
+ (JSC::DFG::VariableAccessData::mergeStructureCheckHoistingFailed):
+ (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias):
+ (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
+ (JSC::DFG::VariableAccessData::mergeFlags):
+
+2013-02-26 Oliver Hunt <oliver@apple.com>
+
+ Fix windows build.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+
+2013-02-26 Oliver Hunt <oliver@apple.com>
+
+ Web Inspector: REGRESSION: [JSC] SourceProvider reuses IDs
+ https://bugs.webkit.org/show_bug.cgi?id=99674
+
+ Reviewed by Gavin Barraclough.
+
+ Simple incrementing counter for SourceProvider IDs. Uses a
+ lock to incrementing the counter so we don't increment reuse
+ counter values or reassign the ID for a given SourceProvider.
+
+ * parser/SourceProvider.cpp:
+ (JSC::SourceProvider::SourceProvider):
+ (JSC):
+ (JSC::SourceProvider::getID):
+ * parser/SourceProvider.h:
+ (JSC::SourceProvider::asID):
+ (SourceProvider):
+
+2013-02-26 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r144074.
+ http://trac.webkit.org/changeset/144074
+ https://bugs.webkit.org/show_bug.cgi?id=110897
+
+ Causing 20+ crashes on Mac (Requested by bradee-oh on
+ #webkit).
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.gypi:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ * runtime/PropertyMapHashTable.h:
+ (PropertyTable):
+ (JSC::PropertyTable::PropertyTable):
+ (JSC):
+ (JSC::PropertyTable::~PropertyTable):
+ (JSC::PropertyTable::copy):
+ * runtime/PropertyTable.cpp: Removed.
+ * runtime/Structure.cpp:
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::attributeChangeTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::copyPropertyTable):
+ (JSC::Structure::copyPropertyTableForPinning):
+ (JSC::Structure::putSpecificValue):
+ (JSC::Structure::createPropertyMap):
+ (JSC::Structure::visitChildren):
+ * runtime/Structure.h:
+ (JSC):
+ (JSC::Structure::putWillGrowOutOfLineStorage):
+ (JSC::Structure::checkOffsetConsistency):
+ (Structure):
+ * runtime/StructureInlines.h:
+
+2013-02-26 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. AppleWin VS2010 build fix.
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
+
+2013-02-26 Jer Noble <jer.noble@apple.com>
+
+ Unreviewed build fix; use correct macro for platform name in FeatureDefines.xcconfig.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-02-26 Michael Saboff <msaboff@apple.com>
+
+ Potential crash in YARR JIT generated code when building 64 bit
+ https://bugs.webkit.org/show_bug.cgi?id=110893
+
+ Reviewed by Gavin Barraclough.
+
+ The ABI doesn't define the behavior for the upper bits of a value that takes less than 64 bits.
+ Therefore, we zero extend both the count and length registers to assure that these unsigned values
+ don't have garbage upper bits.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generateEnter):
+
+2013-02-26 Andreas Kling <akling@apple.com>
+
+ Unused Structure property tables waste 14MB on Membuster.
+ <http://webkit.org/b/110854>
+ <rdar://problem/13292104>
+
+ Reviewed by Filip Pizlo.
+
+ Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
+ 14 MB progression on Membuster3.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.gypi:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+
+ Added PropertyTable.cpp.
+
+ * runtime/PropertyTable.cpp: Added.
+ (JSC::PropertyTable::create):
+ (JSC::PropertyTable::clone):
+ (JSC::PropertyTable::PropertyTable):
+ (JSC::PropertyTable::destroy):
+ (JSC::PropertyTable::~PropertyTable):
+ (JSC::PropertyTable::visitChildren):
+
+ Moved marking of property table values here from Structure::visitChildren().
+
+ * runtime/StructureInlines.h:
+ (JSC::Structure::putWillGrowOutOfLineStorage):
+ (JSC::Structure::checkOffsetConsistency):
+
+ Moved these to StructureInlines.h to break header dependency cycle between Structure/PropertyTable.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::visitChildren):
+
+ Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.
+
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::attributeChangeTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::copyPropertyTable):
+ (JSC::Structure::copyPropertyTableForPinning):
+ (JSC::Structure::putSpecificValue):
+ (JSC::Structure::createPropertyMap):
+ * runtime/Structure.h:
+ (Structure):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ * runtime/PropertyMapHashTable.h:
+ (PropertyTable):
+ (JSC::PropertyTable::createStructure):
+ (JSC::PropertyTable::copy):
+
+2013-02-26 Andreas Kling <akling@apple.com>
+
+ Unreviewed, rolling out r144054.
+ http://trac.webkit.org/changeset/144054
+ https://bugs.webkit.org/show_bug.cgi?id=110854
+
+ broke builds
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.gypi:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ * runtime/PropertyMapHashTable.h:
+ (PropertyTable):
+ (JSC::PropertyTable::PropertyTable):
+ (JSC):
+ (JSC::PropertyTable::~PropertyTable):
+ (JSC::PropertyTable::copy):
+ * runtime/PropertyTable.cpp: Removed.
+ * runtime/Structure.cpp:
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::attributeChangeTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::copyPropertyTable):
+ (JSC::Structure::copyPropertyTableForPinning):
+ (JSC::Structure::putSpecificValue):
+ (JSC::Structure::createPropertyMap):
+ (JSC::Structure::visitChildren):
+ * runtime/Structure.h:
+ (JSC):
+ (JSC::Structure::putWillGrowOutOfLineStorage):
+ (JSC::Structure::checkOffsetConsistency):
+ (Structure):
+ * runtime/StructureInlines.h:
+
+2013-02-26 Andreas Kling <akling@apple.com>
+
+ Unused Structure property tables waste 14MB on Membuster.
+ <http://webkit.org/b/110854>
+ <rdar://problem/13292104>
+
+ Reviewed by Filip Pizlo.
+
+ Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
+ 14 MB progression on Membuster3.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.gypi:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+
+ Added PropertyTable.cpp.
+
+ * runtime/PropertyTable.cpp: Added.
+ (JSC::PropertyTable::create):
+ (JSC::PropertyTable::clone):
+ (JSC::PropertyTable::PropertyTable):
+ (JSC::PropertyTable::destroy):
+ (JSC::PropertyTable::~PropertyTable):
+ (JSC::PropertyTable::visitChildren):
+
+ Moved marking of property table values here from Structure::visitChildren().
+
+ * runtime/StructureInlines.h:
+ (JSC::Structure::putWillGrowOutOfLineStorage):
+ (JSC::Structure::checkOffsetConsistency):
+
+ Moved these to StructureInlines.h to break header dependency cycle between Structure/PropertyTable.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::visitChildren):
+
+ Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.
+
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::attributeChangeTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::copyPropertyTable):
+ (JSC::Structure::copyPropertyTableForPinning):
+ (JSC::Structure::putSpecificValue):
+ (JSC::Structure::createPropertyMap):
+ * runtime/Structure.h:
+ (Structure):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ * runtime/PropertyMapHashTable.h:
+ (PropertyTable):
+ (JSC::PropertyTable::createStructure):
+ (JSC::PropertyTable::copy):
+
+2013-02-26 Jocelyn Turcotte <jocelyn.turcotte@digia.com>
+
+ Implement JIT on Windows 64 bits
+ https://bugs.webkit.org/show_bug.cgi?id=107965
+
+ Reviewed by Simon Hausmann.
+
+ 1. MSVC doesn't support inline assembly for 64 bits, implements the trampoline in a separate ASM file.
+
+ 2. Windows 64 bits has a different calling convention than other OSes following the AMD64 ABI.
+ Differences that we have to handle here:
+ - Registers passed parameters are RCX, RDX, R8 and R9 instead of RDI, RSI, RDX, RCX, R8 and R9
+ - RDI and RSI must be preserved by callee
+ - Only return values <= 8 bytes can be returned by register (RDX can't be used to return a second word)
+ - There is no red-zone after RIP on the stack, but instead 4 reserved words before it
+
+ * Target.pri:
+ * jit/JITStubs.cpp:
+ * jit/JITStubs.h:
+ (JSC):
+ (JITStackFrame):
+ (JSC::JITStackFrame::returnAddressSlot):
+ * jit/JITStubsMSVC64.asm: Added.
+ * jit/JSInterfaceJIT.h:
+ (JSInterfaceJIT):
+ * jit/ThunkGenerators.cpp:
+ (JSC::nativeForGenerator):
+ * yarr/YarrJIT.cpp:
+ (YarrGenerator):
+ (JSC::Yarr::YarrGenerator::generateEnter):
+ (JSC::Yarr::YarrGenerator::generateReturn):
+
+2013-02-26 Oliver Hunt <oliver@apple.com>
+
+ Kill another analyzer warning in javascriptcore
+ https://bugs.webkit.org/show_bug.cgi?id=110802
+
+ Reviewed by Benjamin Poulain.
+
+ Add null checks.
+
+ * profiler/LegacyProfiler.cpp:
+ (JSC::LegacyProfiler::startProfiling):
+ (JSC::LegacyProfiler::stopProfiling):
+
+2013-02-26 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r144004.
+ http://trac.webkit.org/changeset/144004
+ https://bugs.webkit.org/show_bug.cgi?id=110858
+
+ This iOS change is outdated (Requested by notbenjamin on
+ #webkit).
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::emitNode):
+ (JSC::BytecodeGenerator::emitNodeInConditionContext):
+ (BytecodeGenerator):
+ * parser/Parser.cpp:
+ (JSC::::Parser):
+ * parser/Parser.h:
+ (JSC::Parser::canRecurse):
+ (Parser):
+
+2013-02-25 Filip Pizlo <fpizlo@apple.com>
+
+ REGRESSION(r143654): some jquery test asserts on 32 bit debug build
+ https://bugs.webkit.org/show_bug.cgi?id=110756
+
+ Reviewed by Geoffrey Garen.
+
+ TypeOf does speculations manually, so it should mark its JSValueOperand as doing ManualOperandSpeculation.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-02-25 Benjamin Poulain <bpoulain@apple.com>
+
+ [JSC] Upstream iOS Stack bound checking
+ https://bugs.webkit.org/show_bug.cgi?id=110813
+
+ Reviewed by Filip Pizlo.
+
+ On iOS, the StackBounds cannot be cached because the stack
+ can be in one of two threads (the web thread or the UI thread).
+
+ We simply always consider the current stack bound when testing
+ stack boundaries.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::emitNode):
+ (JSC::BytecodeGenerator::emitNodeInConditionContext):
+ (BytecodeGenerator):
+ * parser/Parser.cpp:
+ (JSC::::Parser):
+ * parser/Parser.h:
+ (JSC::Parser::canRecurse):
+ (Parser):
+
+2013-02-25 Michael Saboff <msaboff@apple.com>
+
+ For JSVALUE32_64, maxOffsetRelativeToPatchedStorage() doesn't compute the maximum negative offset
+ https://bugs.webkit.org/show_bug.cgi?id=110828
+
+ Reviewed by Oliver Hunt.
+
+ * runtime/JSObject.h:
+ (JSC::maxOffsetRelativeToPatchedStorage): Only add the OBJECT_OFFSETOF(tag) for positive offsets.
+ That way this function will return the offset farthest from 0 needed to access either the payload
+ or tag.
+
+2013-02-25 Jeffrey Pfau <jpfau@apple.com>
+
+ Optionally partition cache to prevent using cache for tracking
+ https://bugs.webkit.org/show_bug.cgi?id=110269
+
+ Reviewed by Maciej Stachowiak.
+
+ * Configurations/FeatureDefines.xcconfig: Add defines for cache partitioning and public suffix list usage
+
+2013-02-25 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. VS2010 solution build fix.
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
+
+2013-02-24 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::Edge should have more bits for UseKind, and DFG::Allocator should be simpler
+ https://bugs.webkit.org/show_bug.cgi?id=110722
+
+ Reviewed by Oliver Hunt.
+
+ This rolls out the DFG::Allocator part of http://trac.webkit.org/changeset/143654,
+ and changes Edge to have more room for UseKinds and possibly other things.
+
+ This is performance-neutral on both 32-bit and 64-bit. It reduces the size of
+ DFG::Node on 64-bit (by virtue of getting rid of the 16-byte alignment of Node)
+ and increases it slightly on 32-bit (by 4 bytes total - 16-byte alignment led to
+ 80 bytes, but the base size of Node plus the 12 bytes of new m_encodedWords in
+ Edge gets 84 bytes). But, it will mean that we don't have to increase Node by
+ another 16 bytes if we ever want to add more UseKinds or other things to Edge.
+
+ * dfg/DFGAllocator.h:
+ (DFG):
+ (Allocator):
+ (JSC::DFG::Allocator::Region::headerSize):
+ (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
+ (JSC::DFG::Allocator::Region::data):
+ (JSC::DFG::Allocator::Region::isInThisRegion):
+ (JSC::DFG::::Allocator):
+ (JSC::DFG::::~Allocator):
+ (JSC::DFG::::allocate):
+ (JSC::DFG::::free):
+ (JSC::DFG::::freeAll):
+ (JSC::DFG::::reset):
+ (JSC::DFG::::indexOf):
+ (JSC::DFG::::allocatorOf):
+ (JSC::DFG::::bumpAllocate):
+ (JSC::DFG::::freeListAllocate):
+ (JSC::DFG::::allocateSlow):
+ (JSC::DFG::::freeRegionsStartingAt):
+ (JSC::DFG::::startBumpingIn):
+ * dfg/DFGEdge.h:
+ (JSC::DFG::Edge::Edge):
+ (Edge):
+ (JSC::DFG::Edge::node):
+ (JSC::DFG::Edge::setNode):
+ (JSC::DFG::Edge::useKindUnchecked):
+ (JSC::DFG::Edge::setUseKind):
+ (JSC::DFG::Edge::operator==):
+ (JSC::DFG::Edge::operator!=):
+ (JSC::DFG::Edge::makeWord):
+ * dfg/DFGNodeAllocator.h:
+ (DFG):
+
+2013-02-22 Filip Pizlo <fpizlo@apple.com>
+
+ The DFG special case checks for isCreatedThisArgument are fragile
+ https://bugs.webkit.org/show_bug.cgi?id=110535
+
+ Reviewed by Oliver Hunt.
+
+ There may be many situations in which we want to force a variable to never be
+ unboxed. Capturing is one such case, and the created this argument is another.
+ Previously all code that dealt with this issue had to query both scenarios.
+
+ Now DFG::VariableAccessData knows these things. You just have to ask
+ VariableAccessData for whether a variable should be unboxed. Anyone wishing to
+ force a variable to never be unboxed just tells VariableAccessData.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::initialize):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (DFG):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (CFGSimplificationPhase):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.h:
+ (Graph):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGUnificationPhase.cpp:
+ (JSC::DFG::UnificationPhase::run):
+ * dfg/DFGVariableAccessData.h:
+ (JSC::DFG::VariableAccessData::VariableAccessData):
+ (JSC::DFG::VariableAccessData::mergeIsCaptured):
+ (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
+ (VariableAccessData):
+ (JSC::DFG::VariableAccessData::shouldNeverUnbox):
+ (JSC::DFG::VariableAccessData::shouldUnboxIfPossible):
+ (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
+ (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
+
+2013-02-25 Geoffrey Garen <ggaren@apple.com>
+
+ Do one lookup per code cache insertion instead of two
+ https://bugs.webkit.org/show_bug.cgi?id=110674
+
+ Reviewed by Sam Weinig.
+
+ Deployed the idiomatic "add null value" trick to avoid a second hash
+ lookup when inserting an item.
+
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCacheMap::pruneSlowCase): Factored this into a helper function
+ to improve clarity and get some code off the hot path.
+
+ (JSC::CodeCache::getCodeBlock):
+ (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Use the add() API
+ to avoid two hash lookups. Be sure to remove items if parsing fails,
+ otherwise we'll leave nulls in the table. (I'm guessing that caching parse
+ errors is not a win.)
+
+ * runtime/CodeCache.h:
+ (JSC::SourceCodeValue::SourceCodeValue):
+ (CodeCacheMap):
+ (JSC::CodeCacheMap::add): Combined find() and set() into add().
+
+ (JSC::CodeCacheMap::remove):
+ (JSC::CodeCacheMap::age):
+ (JSC::CodeCacheMap::prune): Refactored to support above changes.
+
+2013-02-25 Carlos Garcia Campos <cgarcia@igalia.com>
+
+ [BlackBerry][ARM] Fix cast-align warnings in JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=110738
+
+ Reviewed by Rob Buis.
+
+ Use reinterpret_cast_ptr instead of reinterpret_cast for
+ pointers.
+
+ * dfg/DFGOperations.cpp:
+ * heap/CopiedBlock.h:
+ (JSC::CopiedBlock::zeroFillWilderness):
+ * heap/WeakBlock.h:
+ (JSC::WeakBlock::asWeakImpl):
+ (JSC::WeakBlock::asFreeCell):
+ (JSC::WeakBlock::weakImpls):
+ * heap/WeakImpl.h:
+ (JSC::WeakImpl::asWeakImpl):
+ * interpreter/JSStack.cpp:
+ (JSC::JSStack::disableErrorStackReserve):
+ * interpreter/JSStack.h:
+ (JSC::JSStack::reservationEnd):
+ * runtime/ArrayStorage.h:
+ (JSC::ArrayStorage::from):
+ * runtime/Butterfly.h:
+ (JSC::Butterfly::indexingPayload):
+ * runtime/IndexingHeader.h:
+ (JSC::IndexingHeader::propertyStorage):
+ * runtime/JSActivation.h:
+ (JSC::JSActivation::tearOff):
+ (JSC::JSActivation::isTornOff):
+ (JSC::JSActivation::storage):
+
+2013-02-22 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::SpeculativeJIT::speculateNumber() should just use SpeculateDoubleOperand instead of doing its own thing
+ https://bugs.webkit.org/show_bug.cgi?id=110659
+
+ Reviewed by Oliver Hunt and Mark Hahnenberg.
+
+ This simplifies the code, and also has the effect that if speculateNumber() is called
+ prior to someone actually using the number in a double context, then the number will
+ already be up-converted to double and ready to go.
+
+ Previously if this ever came up, the subsequent use would have to again branch to see
+ if the value is tagged as int or tagged as double.
+
+ On the other hand, if you ever did speculateNumber() and then used the value as a
+ JSValue, this will be a slow down now.
+
+ I suspect that the former (speculateNumber() and then use as number) is more likely
+ than the latter (speculateNumber() and then use as JSValue).
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculateNumber):
+
+2013-02-22 Filip Pizlo <fpizlo@apple.com>
+
+ DFG FixupPhase should have one common hook for knowing if a node is ever being speculated a certain way
+ https://bugs.webkit.org/show_bug.cgi?id=110650
+
+ Reviewed by Mark Hahnenberg.
+
+ Changes almost all calls to edge.setUseKind(kind) to be
+ setUseKindAndUnboxIfProfitable<kind>(edge). This will allow us to use the latter
+ as a hook for deciding which locals to unbox (webkit.org/b/110433).
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (FixupPhase):
+ (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
+ (JSC::DFG::FixupPhase::fixIntEdge):
+ (JSC::DFG::FixupPhase::fixDoubleEdge):
+ (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
+
+2013-02-22 Filip Pizlo <fpizlo@apple.com>
+
+ REGRESSION(r143654): some fast/js test crashes on 32 bit build
+ https://bugs.webkit.org/show_bug.cgi?id=110590
+
+ Reviewed by Mark Hahnenberg.
+
+ In compileValueToInt32, the refactoring in r143654 undid one of the fixes from
+ r143314 due to a merge goof.
+
+ In speculateNumber, we were simply forgetting to indicate that we need a
+ ManualOperandSpeculation on a JSValueOperand. ManualOperandSpeculation should
+ be passed whenever you will be performing the type checks yourself rather than
+ using the operand class to do it for you.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::speculateNumber):
+
+2013-02-22 Geoffrey Garen <ggaren@apple.com>
+
+ Not reviewed.
+
+ Fix the 32-bit build by using the right data type in more places.
+
+ * runtime/CodeCache.h:
+ (CodeCacheMap):
+
+2013-02-22 Geoffrey Garen <ggaren@apple.com>
+
+ Not reviewed.
+
+ Fix the 32-bit build by using the right data type.
+
+ * runtime/CodeCache.h:
+ (JSC::CodeCacheMap::find):
+
+2013-02-21 Geoffrey Garen <ggaren@apple.com>
+
+ Code cache size should adapt to workload
+ https://bugs.webkit.org/show_bug.cgi?id=110560
+
+ Reviewed by Antti Koivisto.
+
+ (*) 5% PLT arithmetic mean speedup
+ (*) 10% PLT geometric mean speedup
+ (*) 3.4X microbenchmark speedup
+ (*) Reduces initial cache capacity by 16X
+
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::CodeCache): Updated for interface change.
+
+ * runtime/CodeCache.h:
+ (JSC::SourceCodeValue::SourceCodeValue):
+ (SourceCodeValue): Turned the cache value into a struct so it can track its age.
+
+ (CodeCacheMap):
+ (JSC::CodeCacheMap::CodeCacheMap):
+ (JSC::CodeCacheMap::find):
+ (JSC::CodeCacheMap::set):
+ (JSC::CodeCacheMap::clear):
+ (JSC::CodeCacheMap::pruneIfNeeded):
+ (CodeCache): Grow and shrink in response to usage.
+
+2013-02-21 Jessie Berlin <jberlin@apple.com>
+
+ Fix a typo that broke the 32 bit build.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-02-21 Michael Saboff <msaboff@apple.com>
+
+ 25-30% regression in V8 RayTrace test in 32 bit builds with JIT disabled
+ https://bugs.webkit.org/show_bug.cgi?id=110539
+
+ Reviewed by Filip Pizlo.
+
+ Change the scale used to lookup pointers in JSGlobalObject::m_specialPointers to be 4 bytes for
+ the 32 bit version of the interpreter.
+
+ * llint/LowLevelInterpreter32_64.asm:
+
+2013-02-21 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. Add executable property to cmd file.
+ Required for executable files to maintain their executable permissions over svn.
+
+ * JavaScriptCore.vcxproj/copy-files.cmd: Added property svn:executable.
+
+2013-02-21 Filip Pizlo <fpizlo@apple.com>
+
+ Object allocation profiling will refuse to create objects with more than JSFinalObject::maxInlineCapacity() inline slots, but JSFunction::allocationProfile() asserts that the number of inline slots is always what it asked for
+ https://bugs.webkit.org/show_bug.cgi?id=110519
+ <rdar://problem/13218566>
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::allocationProfile):
+
+2013-02-21 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. Build fix for VS2010 WebKit solution.
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-02-20 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should not change its mind about what type speculations a node does, by encoding the checks in the NodeType, UseKind, and ArrayMode
+ https://bugs.webkit.org/show_bug.cgi?id=109371
+
+ Reviewed by Oliver Hunt.
+
+ FixupPhase now locks in the speculations that each node will do. The DFG then
+ remembers those speculations, and doesn't change its mind about them even if the
+ graph is transformed - for example if a node's child is repointed to a different
+ node as part of CSE, CFG simplification, or folding. Each node ensures that it
+ executes the speculations promised by its edges. This is true even for Phantom
+ nodes.
+
+ This still leaves some craziness on the table for future work, like the
+ elimination of speculating SetLocal's due to CFG simplification
+ (webkit.org/b/109388) and elimination of nodes via DCE (webkit.org/b/109389).
+
+ In all, this allows for a huge simplification of the DFG. Instead of having to
+ execute the right speculation heuristic each time you want to decide what a node
+ does (for example Node::shouldSpeculateInteger(child1, child2) &&
+ node->canSpeculateInteger()), you just ask for the use kinds of its children
+ (typically node->binaryUseKind() == Int32Use). Because the use kinds are
+ discrete, you can often just switch over them. This makes many parts of the code
+ more clear than they were before.
+
+ Having UseKinds describe the speculations being performed also makes it far
+ easier to perform analyses that need to know what speculations are done. This is
+ so far only used to simplify large parts of the CFA.
+
+ To have a larger vocabulary of UseKinds, this also changes the node allocator to
+ be able to round up Node sizes to the nearest multiple of 16.
+
+ This appears to be neutral on benchmarks, except for some goofy speed-ups, like
+ 8% on Octane/box2d.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::startExecuting):
+ (DFG):
+ (JSC::DFG::AbstractState::executeEdges):
+ (JSC::DFG::AbstractState::verifyEdge):
+ (JSC::DFG::AbstractState::verifyEdges):
+ (JSC::DFG::AbstractState::executeEffects):
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGAbstractState.h:
+ (AbstractState):
+ (JSC::DFG::AbstractState::filterEdgeByUse):
+ (JSC::DFG::AbstractState::filterByType):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::filter):
+ * dfg/DFGAdjacencyList.h:
+ (JSC::DFG::AdjacencyList::AdjacencyList):
+ (JSC::DFG::AdjacencyList::child):
+ (JSC::DFG::AdjacencyList::setChild):
+ (JSC::DFG::AdjacencyList::reset):
+ (JSC::DFG::AdjacencyList::firstChild):
+ (JSC::DFG::AdjacencyList::setFirstChild):
+ (JSC::DFG::AdjacencyList::numChildren):
+ (JSC::DFG::AdjacencyList::setNumChildren):
+ (AdjacencyList):
+ * dfg/DFGAllocator.h:
+ (DFG):
+ (Allocator):
+ (JSC::DFG::Allocator::cellSize):
+ (JSC::DFG::Allocator::Region::headerSize):
+ (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
+ (JSC::DFG::Allocator::Region::payloadSize):
+ (JSC::DFG::Allocator::Region::payloadBegin):
+ (JSC::DFG::Allocator::Region::payloadEnd):
+ (JSC::DFG::Allocator::Region::isInThisRegion):
+ (JSC::DFG::::Allocator):
+ (JSC::DFG::::~Allocator):
+ (JSC::DFG::::allocate):
+ (JSC::DFG::::free):
+ (JSC::DFG::::freeAll):
+ (JSC::DFG::::reset):
+ (JSC::DFG::::indexOf):
+ (JSC::DFG::::allocatorOf):
+ (JSC::DFG::::bumpAllocate):
+ (JSC::DFG::::freeListAllocate):
+ (JSC::DFG::::allocateSlow):
+ (JSC::DFG::::freeRegionsStartingAt):
+ (JSC::DFG::::startBumpingIn):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::addToGraph):
+ (JSC::DFG::ByteCodeParser::handleMinMax):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::setLocalStoreElimination):
+ (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
+ (JSC::DFG::CSEPhase::setReplacement):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGCommon.h:
+ (DFG):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+ * dfg/DFGEdge.cpp:
+ (JSC::DFG::Edge::dump):
+ * dfg/DFGEdge.h:
+ (JSC::DFG::Edge::useKindUnchecked):
+ (JSC::DFG::Edge::useKind):
+ (JSC::DFG::Edge::shift):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::run):
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::checkArray):
+ (JSC::DFG::FixupPhase::blessArrayOperation):
+ (JSC::DFG::FixupPhase::fixIntEdge):
+ (JSC::DFG::FixupPhase::fixDoubleEdge):
+ (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
+ (FixupPhase):
+ (JSC::DFG::FixupPhase::truncateConstantToInt32):
+ (JSC::DFG::FixupPhase::truncateConstantsIfNecessary):
+ (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
+ * dfg/DFGGraph.cpp:
+ (DFG):
+ (JSC::DFG::Graph::refChildren):
+ (JSC::DFG::Graph::derefChildren):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::ref):
+ (JSC::DFG::Graph::deref):
+ (JSC::DFG::Graph::performSubstitution):
+ (JSC::DFG::Graph::isPredictedNumerical):
+ (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
+ (DFG):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::Node):
+ (JSC::DFG::Node::convertToGetByOffset):
+ (JSC::DFG::Node::convertToPutByOffset):
+ (JSC::DFG::Node::willHaveCodeGenOrOSR):
+ (JSC::DFG::Node::child1):
+ (JSC::DFG::Node::child2):
+ (JSC::DFG::Node::child3):
+ (JSC::DFG::Node::binaryUseKind):
+ (Node):
+ (JSC::DFG::Node::isBinaryUseKind):
+ * dfg/DFGNodeAllocator.h:
+ (DFG):
+ * dfg/DFGNodeFlags.cpp:
+ (JSC::DFG::nodeFlagsAsString):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculationCheck):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
+ (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
+ (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
+ (JSC::DFG::SpeculativeJIT::typeCheck):
+ (JSC::DFG::SpeculativeJIT::forwardTypeCheck):
+ (JSC::DFG::SpeculativeJIT::fillStorage):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOf):
+ (JSC::DFG::SpeculativeJIT::compileAdd):
+ (JSC::DFG::SpeculativeJIT::compileArithSub):
+ (JSC::DFG::SpeculativeJIT::compileArithNegate):
+ (JSC::DFG::SpeculativeJIT::compileArithMul):
+ (JSC::DFG::SpeculativeJIT::compileArithMod):
+ (JSC::DFG::SpeculativeJIT::compare):
+ (JSC::DFG::SpeculativeJIT::compileStrictEq):
+ (JSC::DFG::SpeculativeJIT::speculateInt32):
+ (JSC::DFG::SpeculativeJIT::speculateNumber):
+ (JSC::DFG::SpeculativeJIT::speculateRealNumber):
+ (JSC::DFG::SpeculativeJIT::speculateBoolean):
+ (JSC::DFG::SpeculativeJIT::speculateCell):
+ (JSC::DFG::SpeculativeJIT::speculateObject):
+ (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
+ (JSC::DFG::SpeculativeJIT::speculateString):
+ (JSC::DFG::SpeculativeJIT::speculateNotCell):
+ (JSC::DFG::SpeculativeJIT::speculateOther):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
+ (JSC::DFG::SpeculativeJIT::needsTypeCheck):
+ (JSC::DFG::IntegerOperand::IntegerOperand):
+ (JSC::DFG::IntegerOperand::edge):
+ (IntegerOperand):
+ (JSC::DFG::IntegerOperand::node):
+ (JSC::DFG::IntegerOperand::gpr):
+ (JSC::DFG::IntegerOperand::use):
+ (JSC::DFG::JSValueOperand::JSValueOperand):
+ (JSValueOperand):
+ (JSC::DFG::JSValueOperand::edge):
+ (JSC::DFG::JSValueOperand::node):
+ (JSC::DFG::JSValueOperand::gpr):
+ (JSC::DFG::JSValueOperand::fill):
+ (JSC::DFG::JSValueOperand::use):
+ (JSC::DFG::StorageOperand::StorageOperand):
+ (JSC::DFG::StorageOperand::edge):
+ (StorageOperand):
+ (JSC::DFG::StorageOperand::node):
+ (JSC::DFG::StorageOperand::gpr):
+ (JSC::DFG::StorageOperand::use):
+ (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
+ (SpeculateIntegerOperand):
+ (JSC::DFG::SpeculateIntegerOperand::edge):
+ (JSC::DFG::SpeculateIntegerOperand::node):
+ (JSC::DFG::SpeculateIntegerOperand::gpr):
+ (JSC::DFG::SpeculateIntegerOperand::use):
+ (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
+ (SpeculateStrictInt32Operand):
+ (JSC::DFG::SpeculateStrictInt32Operand::edge):
+ (JSC::DFG::SpeculateStrictInt32Operand::node):
+ (JSC::DFG::SpeculateStrictInt32Operand::gpr):
+ (JSC::DFG::SpeculateStrictInt32Operand::use):
+ (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
+ (SpeculateDoubleOperand):
+ (JSC::DFG::SpeculateDoubleOperand::edge):
+ (JSC::DFG::SpeculateDoubleOperand::node):
+ (JSC::DFG::SpeculateDoubleOperand::fpr):
+ (JSC::DFG::SpeculateDoubleOperand::use):
+ (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
+ (SpeculateCellOperand):
+ (JSC::DFG::SpeculateCellOperand::edge):
+ (JSC::DFG::SpeculateCellOperand::node):
+ (JSC::DFG::SpeculateCellOperand::gpr):
+ (JSC::DFG::SpeculateCellOperand::use):
+ (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
+ (JSC::DFG::SpeculateBooleanOperand::edge):
+ (SpeculateBooleanOperand):
+ (JSC::DFG::SpeculateBooleanOperand::node):
+ (JSC::DFG::SpeculateBooleanOperand::gpr):
+ (JSC::DFG::SpeculateBooleanOperand::use):
+ (DFG):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillInteger):
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillInteger):
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ * dfg/DFGUseKind.cpp: Added.
+ (WTF):
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h: Added.
+ (DFG):
+ (JSC::DFG::typeFilterFor):
+ (JSC::DFG::isNumerical):
+ (WTF):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::reportValidationContext):
+
+2013-02-20 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Need a way to use the Objective-C JavaScript API with WebKit
+ https://bugs.webkit.org/show_bug.cgi?id=106059
+
+ Reviewed by Geoffrey Garen.
+
+ * API/JSBase.h: Renamed enable flag for API.
+ * API/JSBlockAdaptor.h: Using new flag.
+ * API/JSBlockAdaptor.mm: Ditto.
+ * API/JSContext.h: Add convenience C API conversion function for JSGlobalContextRef.
+ * API/JSContext.mm:
+ (-[JSContext JSGlobalContextRef]): Implementation of C API convenience function.
+ (-[JSContext initWithVirtualMachine:]): We don't use the m_apiData field any more.
+ (-[JSContext initWithGlobalContextRef:]): init method for allocating new JSContexts given a JSGlobalContextRef.
+ (-[JSContext dealloc]): No more m_apiData.
+ (-[JSContext wrapperForObjCObject:]): Renamed wrapperForObject.
+ (-[JSContext wrapperForJSObject:]): Fetches or allocates the JSValue for the specified JSValueRef in this JSContext.
+ (+[JSContext contextWithGlobalContextRef:]): Helper function to grab the lightweight JSContext wrapper for a given
+ JSGlobalContextRef from the global wrapper cache or allocate a new one if there isn't already one.
+ * API/JSContextInternal.h: New flag, new method declaration for initWithGlobalContextRef.
+ * API/JSExport.h: New flag.
+ * API/JSValue.h: New flag and new C API convenience method.
+ * API/JSValue.mm:
+ (-[JSValue JSValueRef]): Implementation of the C API convenience method.
+ (objectToValueWithoutCopy):
+ (+[JSValue valueWithValue:inContext:]): We now ask the JSContext for an Objective-C JSValue wrapper, which it can cache
+ in its internal JSWrapperMap.
+ * API/JSValueInternal.h:
+ * API/JSVirtualMachine.h:
+ * API/JSVirtualMachine.mm: Added global cache that maps JSContextGroupRef -> JSVirtualMachine lightweight wrappers.
+ (wrapperCacheLock):
+ (initWrapperCache):
+ (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
+ (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
+ (-[JSVirtualMachine init]):
+ (-[JSVirtualMachine initWithContextGroupRef:]):
+ (-[JSVirtualMachine dealloc]):
+ (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
+ (-[JSVirtualMachine contextForGlobalContextRef:]):
+ (-[JSVirtualMachine addContext:forGlobalContextRef:]):
+ * API/JSVirtualMachineInternal.h:
+ * API/JSWrapperMap.h:
+ * API/JSWrapperMap.mm:
+ (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We use the JSObjectSetPrototype C API call because
+ setting the __proto__ property causes all sorts of bad things to happen behind the scenes, which can cause crashes based on
+ when it gets called.
+ (-[JSWrapperMap initWithContext:]):
+ (-[JSWrapperMap jsWrapperForObject:]):
+ (-[JSWrapperMap objcWrapperForJSValueRef:]):
+ * API/JavaScriptCore.h:
+ * API/ObjCCallbackFunction.h:
+ * API/ObjCCallbackFunction.mm:
+ (ObjCCallbackFunction::ObjCCallbackFunction): We never actually should have retained the target in the case that we had a
+ block as a callback. Blocks are initially allocated on the stack and are only moved to the heap if we call their copy method.
+ Retaining the block on the stack was a bad idea because if that stack frame ever went away and we called the block later,
+ we'd crash and burn.
+ (ObjCCallbackFunction::setContext): We need a new setter for when the weak reference to a JSContext inside an ObjCCallbackFunction
+ disappears, we can allocate a new one in its place.
+ (ObjCCallbackFunction):
+ (objCCallbackFunctionCallAsFunction): Reset the callback's context if it's ever destroyed.
+ (objCCallbackFunctionForInvocation): Again, don't set the __proto__ property because it uses black magic that can cause us to crash
+ depending on when this is called.
+ (objCCallbackFunctionForBlock): Here is where we copy the block to the heap when we're first creating the callback object for it.
+ * API/tests/testapi.c:
+ (main):
+ * API/tests/testapi.mm: We're going to get rid of the automatic block conversion, since that is causing leaks. I changed it
+ here in this test just so that it wouldn't mask any other potential leaks. Also modified some of the tests since JSContexts are
+ just lightweight wrappers now, we're not guaranteed to get the same pointer back from the call to [JSValue context] as the one
+ that the value was created in.
+ (-[TestObject callback:]):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData): No more m_apiData.
+ * runtime/JSGlobalData.h: Ditto.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::JSGlobalObject): Ditto.
+ * runtime/JSGlobalObject.h:
+
+2013-02-19 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::SpeculativeJIT::compileInt32ToDouble() has an unnecessary case for constant operands
+ https://bugs.webkit.org/show_bug.cgi?id=110309
+
+ Reviewed by Sam Weinig.
+
+ It used to be necessary, back when we didn't have constant folding. Now we have
+ constant folding. So we don't need it.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
+
+2013-02-20 Filip Pizlo <fpizlo@apple.com>
+
+ DFG inlines Resolves that it doesn't know how to handle correctly
+ https://bugs.webkit.org/show_bug.cgi?id=110405
+
+ Reviewed by Geoffrey Garen.
+
+ Don't try to be clever: if there's a failing resolve, we can't inline it, period.
+
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canInlineResolveOperations):
+ (JSC::DFG::canInlineOpcode):
+
+2013-02-20 Roger Fong <roger_fong@apple.com>
+
+ Get VS2010 Solution B&I ready.
+ <rdar://problem/1322988>
+
+ Rubberstamped by Timothy Horton.
+
+ Add Production configuration.
+ Add a JavaScriptCore submit solution with a DebugSuffix configuration.
+ Modify JavaScriptCore.make as necessary.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.make: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCore.sln: Removed.
+ * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.sln.
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props:
+ * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
+ * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props:
+ * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props:
+ * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
+ * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
+ * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
+ * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
+ * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props:
+ * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props: Added.
+ * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props:
+ * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
+ * JavaScriptCore.vcxproj/jsc/jscCommon.props:
+ * JavaScriptCore.vcxproj/jsc/jscProduction.props: Added.
+ * JavaScriptCore.vcxproj/jsc/jscRelease.props:
+ * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
+ * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
+ * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props: Added.
+ * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props:
+ * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
+ * JavaScriptCore.vcxproj/testapi/testapiCommon.props:
+ * JavaScriptCore.vcxproj/testapi/testapiProduction.props: Added.
+ * JavaScriptCore.vcxproj/testapi/testapiRelease.props:
+
+2013-02-19 Jer Noble <jer.noble@apple.com>
+
+ EME: Enable both ENCRYPTED_MEDIA and ENCRYPTED_MEDIA_V2 until clients transition to the new API.
+ https://bugs.webkit.org/show_bug.cgi?id=110284
+
+ Reviewed by Eric Carlson.
+
+ Re-enable the ENCRYPTED_MEDIA flag.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-02-20 Dirk Schulze <krit@webkit.org>
+
+ Enable CANVAS_PATH flag
+ https://bugs.webkit.org/show_bug.cgi?id=108508
+
+ Reviewed by Simon Fraser.
+
+ Enable CANVAS_PATH flag on trunk.
+
+ Existing tests cover the feature.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-02-19 Mark Rowe <mrowe@apple.com>
+
+ Unreviewed, uninteresting change to test a theory about bad dependency handling.
+
+ * API/JSStringRefCF.cpp:
+ (JSStringCreateWithCFString): Remove an unnecessary else clause.
+
+2013-02-19 Oliver Hunt <oliver@apple.com>
+
+ Silence some analyzer warnings
+ https://bugs.webkit.org/show_bug.cgi?id=110281
+
+ Reviewed by Mark Hahnenberg.
+
+ The static analyzer believes that callerCodeBlock can be null,
+ based on other code performing null tests. This should not
+ ever be the case, but we'll add RELEASE_ASSERTs to make it
+ obvious if we're ever wrong.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::getCallerInfo):
+
+2013-02-19 Oliver Hunt <oliver@apple.com>
+
+ Don't force everything to be blinded in debug builds
+ https://bugs.webkit.org/show_bug.cgi?id=110279
+
+ Reviewed by Mark Hahnenberg.
+
+ Switch to an explicit flag for indicating that we want
+ every constant to be blinded.
+
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::shouldBlind):
+
+2013-02-19 Filip Pizlo <fpizlo@apple.com>
+
+ Fix indentation of Opcode.h
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * bytecode/Opcode.h:
+
+2013-02-19 Filip Pizlo <fpizlo@apple.com>
+
+ Moved PolymorphicAccessStructureList into its own file.
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/Instruction.h:
+ (JSC):
+ * bytecode/PolymorphicAccessStructureList.h: Added.
+ (JSC):
+ (PolymorphicAccessStructureList):
+ (PolymorphicStubInfo):
+ (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
+ (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
+ (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
+ (JSC::PolymorphicAccessStructureList::visitWeak):
+ * bytecode/StructureStubInfo.h:
+
+2013-02-19 Filip Pizlo <fpizlo@apple.com>
+
+ Fix indentation of Instruction.h
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * bytecode/Instruction.h:
+
+2013-02-18 Geoffrey Garen <ggaren@apple.com>
+
+ Unreviewed, rolling in r143348.
+ http://trac.webkit.org/changeset/143348
+ https://bugs.webkit.org/show_bug.cgi?id=110242
+
+ The bug was that isEmptyValue() was returning true for the deleted value.
+ Fixed this and simplified things further by delegating to m_sourceCode
+ for both isNull() and isHashTableDeletedValue(), so they can't be out of
+ sync.
+
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
+ * runtime/CodeCache.h:
+ (JSC::SourceCodeKey::SourceCodeKey):
+ (JSC::SourceCodeKey::isHashTableDeletedValue):
+ (JSC::SourceCodeKey::hash):
+ (JSC::SourceCodeKey::length):
+ (JSC::SourceCodeKey::isNull):
+ (JSC::SourceCodeKey::operator==):
+ (SourceCodeKey):
+
+2013-02-15 Martin Robinson <mrobinson@igalia.com>
+
+ [GTK] Improve gyp build JavaScriptCore code generation
+ https://bugs.webkit.org/show_bug.cgi?id=109969
+
+ Reviewed by Dirk Pranke.
+
+ Switch away from using DerivedSources.make when building JavaScriptCore generated
+ sources. This bring a couple advantages, such as building the sources in parallel,
+ but requires us to list the generated sources more than once.
+
+ * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Add rules for generating JavaScriptCore sources.
+ * JavaScriptCore.gyp/generate-derived-sources.sh: Added.
+ * JavaScriptCore.gyp/redirect-stdout.sh: Added.
+
+2013-02-19 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r143348.
+ http://trac.webkit.org/changeset/143348
+ https://bugs.webkit.org/show_bug.cgi?id=110242
+
+ "Caused a deleted value sentinel crash on the layout tests"
+ (Requested by ggaren on #webkit).
+
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
+ * runtime/CodeCache.h:
+ (JSC::SourceCodeKey::SourceCodeKey):
+ (JSC::SourceCodeKey::isHashTableDeletedValue):
+ (JSC::SourceCodeKey::hash):
+ (JSC::SourceCodeKey::length):
+ (JSC::SourceCodeKey::isNull):
+ (JSC::SourceCodeKey::operator==):
+ (SourceCodeKey):
+
+2013-02-19 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ HeapBlock::destroy should issue warning if result is unused
+ https://bugs.webkit.org/show_bug.cgi?id=110233
+
+ Reviewed by Oliver Hunt.
+
+ To enforce the fact that we need to return blocks to the BlockAllocator after calling destroy,
+ we should add WARN_UNUSED_RETURN to HeapBlock::destroy and any other destroy functions in its subclasses.
+
+ * heap/HeapBlock.h:
+
+2013-02-19 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ WeakSet::removeAllocator leaks WeakBlocks
+ https://bugs.webkit.org/show_bug.cgi?id=110228
+
+ Reviewed by Geoffrey Garen.
+
+ We need to return the WeakBlock to the BlockAllocator after the call to WeakBlock::destroy.
+
+ * heap/WeakSet.cpp:
+ (JSC::WeakSet::removeAllocator):
+
+2013-02-18 Geoffrey Garen <ggaren@apple.com>
+
+ Save space on keys in the CodeCache
+ https://bugs.webkit.org/show_bug.cgi?id=110179
+
+ Reviewed by Oliver Hunt.
+
+ Share the SourceProvider's string instead of making our own copy. This
+ chops off 16MB - 32MB from the CodeCache's memory footprint when full.
+ (It's 16MB when the strings are LChar, and 32MB when they're UChar.)
+
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
+ * runtime/CodeCache.h: Removed a defunct enum value.
+
+ (JSC::SourceCodeKey::SourceCodeKey):
+ (JSC::SourceCodeKey::isHashTableDeletedValue):
+ (SourceCodeKey):
+ (JSC::SourceCodeKey::hash):
+ (JSC::SourceCodeKey::length):
+ (JSC::SourceCodeKey::isNull):
+ (JSC::SourceCodeKey::string):
+ (JSC::SourceCodeKey::operator==): Store a SourceCode instead of a String
+ so we can share our string with our SourceProvider. Cache our hash so
+ we don't have to re-decode our string just to re-hash the table.
+
+2013-02-19 Zoltan Herczeg <zherczeg@webkit.org>
+
+ revertBranchPtrWithPatch is incorrect on ARM traditional
+ https://bugs.webkit.org/show_bug.cgi?id=110201
+
+ Reviewed by Oliver Hunt.
+
+ Revert two instructions back to their original value.
+
+ * assembler/ARMAssembler.h:
+ (JSC::ARMAssembler::revertBranchPtrWithPatch):
+ (ARMAssembler):
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::branchPtrWithPatch):
+ (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
+
+2013-02-19 Filip Pizlo <fpizlo@apple.com>
+
+ REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms
+ https://bugs.webkit.org/show_bug.cgi?id=110184
+
+ Reviewed by Zoltan Herczeg.
+
+ 32-bit backend was making all sorts of crazy assumptions, which happened to mostly
+ not break things prior to http://trac.webkit.org/changeset/143241. This brings the
+ 32-bit backend's type speculation fully into compliance with what the 64-bit
+ backend does.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+
+2013-02-18 Ilya Tikhonovsky <loislo@chromium.org>
+
+ Unreviewed build fix for Apple Windows. Second stage.
+ Add missed export statement.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+
+2013-02-18 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed Windows build fix.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-02-18 Darin Adler <darin@apple.com>
+
+ Remove unneeded explicit function template arguments.
+ https://bugs.webkit.org/show_bug.cgi?id=110043
+
+ Reviewed by Ryosuke Niwa.
+
+ * runtime/Identifier.cpp:
+ (JSC::IdentifierASCIIStringTranslator::hash): Let the compiler deduce the type
+ when calling computeHashAndMaskTop8Bits.
+ (JSC::IdentifierLCharFromUCharTranslator::hash): Ditto.
+ * runtime/Identifier.h:
+ (JSC::IdentifierCharBufferTranslator::hash): Ditto.
+2013-02-18 Geoffrey Garen <ggaren@apple.com>
+
+ Shrank the SourceProvider cache
+ https://bugs.webkit.org/show_bug.cgi?id=110158
+
+ Reviewed by Oliver Hunt.
+
+ CodeCache is now our primary source cache, so a long-lived SourceProvider
+ cache is a waste. I measured this as a 10MB Membuster win; with more
+ precise instrumentation, Andreas estimated it as up to 30MB.
+
+ I didn't eliminate the SourceProvider cache because it's still useful
+ in speeding up uncached parsing of scripts with large nested functions
+ (i.e., all scripts).
+
+ * heap/Heap.cpp:
+ (JSC::Heap::collect): Discard all source provider caches after GC. This
+ is a convenient place to do so because it's reasonably soon after initial
+ parsing without being immediate.
+
+ * parser/Parser.cpp:
+ (JSC::::Parser): Updated for interface change: The heap now owns the
+ source provider cache, since most SourceProviders are not expected to
+ have one by default, and the heap is responsible for throwing them away.
+
+ (JSC::::parseInner): No need to update statistics on cache size, since
+ we're going to throw it away no matter what.
+
+ (JSC::::parseFunctionInfo): Reduced the minimum function size to 16. This
+ is a 27% win on a new parsing micro-benchmark I've added. Now that the
+ cache is temporary, we don't have to worry so much about its memory
+ footprint.
+
+ * parser/Parser.h:
+ (Parser): Updated for interface changes.
+
+ * parser/SourceProvider.cpp:
+ (JSC::SourceProvider::SourceProvider):
+ (JSC::SourceProvider::~SourceProvider):
+ * parser/SourceProvider.h:
+ (JSC):
+ (SourceProvider): SourceProvider doesn't own its cache anymore because
+ the cache is temporary.
+
+ * parser/SourceProviderCache.cpp:
+ (JSC::SourceProviderCache::clear):
+ (JSC::SourceProviderCache::add):
+ * parser/SourceProviderCache.h:
+ (JSC::SourceProviderCache::SourceProviderCache):
+ (SourceProviderCache):
+ * parser/SourceProviderCacheItem.h:
+ (SourceProviderCacheItem): No need to update statistics on cache size,
+ since we're going to throw it away no matter what.
+
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::addSourceProviderCache):
+ (JSC):
+ (JSC::JSGlobalData::clearSourceProviderCaches):
+ * runtime/JSGlobalData.h:
+ (JSC):
+ (JSGlobalData): Moved the cache here so it's easier to throw away.
+
+2013-02-18 Filip Pizlo <fpizlo@apple.com>
+
+ DFG backend Branch handling has duplicate code and dead code
+ https://bugs.webkit.org/show_bug.cgi?id=110162
+
+ Reviewed by Mark Hahnenberg.
+
+ Streamline the code, and make the 64 backend's optimizations make more sense
+ (i.e. not be dead code).
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-02-18 Brent Fulgham <bfulgham@webkit.org>
+
+ [Windows] Unreviewed VS2010 build correction after r143273.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing source
+ file SourceProvider.cpp.
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Add missing exports.
+
+2013-02-18 Filip Pizlo <fpizlo@apple.com>
+
+ Structure::flattenDictionaryStructure should compute max offset in a manner that soundly handles the case where the property list becomes empty
+ https://bugs.webkit.org/show_bug.cgi?id=110155
+ <rdar://problem/13233773>
+
+ Reviewed by Mark Rowe.
+
+ This was a rookie mistake. It was doing:
+
+ for (blah) {
+ m_offset = foo // foo's monotonically increase in the loop
+ }
+
+ as a way of computing max offset for all of the properties. Except what if the loop doesn't
+ execute because there are no properties? Well, then, you're going to have a bogus m_offset.
+
+ The solution is to initialize m_offset at the top of the loop.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::flattenDictionaryStructure):
+
+2013-02-18 Balazs Kilvady <kilvadyb@homejinni.com>
+
+ MIPS DFG implementation.
+ https://bugs.webkit.org/show_bug.cgi?id=101328
+
+ Reviewed by Oliver Hunt.
+
+ DFG implementation for MIPS.
+
+ * assembler/MIPSAssembler.h:
+ (JSC::MIPSAssembler::MIPSAssembler):
+ (JSC::MIPSAssembler::sllv):
+ (JSC::MIPSAssembler::movd):
+ (MIPSAssembler):
+ (JSC::MIPSAssembler::negd):
+ (JSC::MIPSAssembler::labelForWatchpoint):
+ (JSC::MIPSAssembler::label):
+ (JSC::MIPSAssembler::vmov):
+ (JSC::MIPSAssembler::linkDirectJump):
+ (JSC::MIPSAssembler::maxJumpReplacementSize):
+ (JSC::MIPSAssembler::revertJumpToMove):
+ (JSC::MIPSAssembler::replaceWithJump):
+ * assembler/MacroAssembler.h:
+ (MacroAssembler):
+ (JSC::MacroAssembler::poke):
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::add32):
+ (MacroAssemblerMIPS):
+ (JSC::MacroAssemblerMIPS::and32):
+ (JSC::MacroAssemblerMIPS::lshift32):
+ (JSC::MacroAssemblerMIPS::mul32):
+ (JSC::MacroAssemblerMIPS::or32):
+ (JSC::MacroAssemblerMIPS::rshift32):
+ (JSC::MacroAssemblerMIPS::urshift32):
+ (JSC::MacroAssemblerMIPS::sub32):
+ (JSC::MacroAssemblerMIPS::xor32):
+ (JSC::MacroAssemblerMIPS::store32):
+ (JSC::MacroAssemblerMIPS::jump):
+ (JSC::MacroAssemblerMIPS::branchAdd32):
+ (JSC::MacroAssemblerMIPS::branchMul32):
+ (JSC::MacroAssemblerMIPS::branchSub32):
+ (JSC::MacroAssemblerMIPS::branchNeg32):
+ (JSC::MacroAssemblerMIPS::call):
+ (JSC::MacroAssemblerMIPS::loadDouble):
+ (JSC::MacroAssemblerMIPS::moveDouble):
+ (JSC::MacroAssemblerMIPS::swapDouble):
+ (JSC::MacroAssemblerMIPS::subDouble):
+ (JSC::MacroAssemblerMIPS::mulDouble):
+ (JSC::MacroAssemblerMIPS::divDouble):
+ (JSC::MacroAssemblerMIPS::negateDouble):
+ (JSC::MacroAssemblerMIPS::branchEqual):
+ (JSC::MacroAssemblerMIPS::branchNotEqual):
+ (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
+ (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
+ (JSC::MacroAssemblerMIPS::truncateDoubleToInt32):
+ (JSC::MacroAssemblerMIPS::truncateDoubleToUint32):
+ (JSC::MacroAssemblerMIPS::branchDoubleNonZero):
+ (JSC::MacroAssemblerMIPS::branchDoubleZeroOrNaN):
+ (JSC::MacroAssemblerMIPS::invert):
+ (JSC::MacroAssemblerMIPS::replaceWithJump):
+ (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
+ * dfg/DFGAssemblyHelpers.h:
+ (AssemblyHelpers):
+ (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
+ (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
+ (JSC::DFG::AssemblyHelpers::debugCall):
+ * dfg/DFGCCallHelpers.h:
+ (CCallHelpers):
+ (JSC::DFG::CCallHelpers::setupArguments):
+ (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
+ * dfg/DFGFPRInfo.h:
+ (DFG):
+ (FPRInfo):
+ (JSC::DFG::FPRInfo::toRegister):
+ (JSC::DFG::FPRInfo::toIndex):
+ (JSC::DFG::FPRInfo::debugName):
+ * dfg/DFGGPRInfo.h:
+ (DFG):
+ (GPRInfo):
+ (JSC::DFG::GPRInfo::toRegister):
+ (JSC::DFG::GPRInfo::toIndex):
+ (JSC::DFG::GPRInfo::debugName):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ * jit/JSInterfaceJIT.h:
+ (JSInterfaceJIT):
+ * runtime/JSGlobalData.h:
+ (JSC::ScratchBuffer::allocationSize):
+ (ScratchBuffer):
+
+2013-02-18 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::SpeculativeJIT::isKnownXYZ methods should use CFA rather than other things
+ https://bugs.webkit.org/show_bug.cgi?id=110092
+
+ Reviewed by Geoffrey Garen.
+
+ These methods were previously using GenerationInfo and other things to try to
+ gain information that the CFA could give away for free, if you asked kindly
+ enough.
+
+ Also fixed CallLinkStatus's dump() method since it was making an invalid
+ assertion: we most certainly can have a status where the structure is non-null
+ and the executable is null, like if we're dealing with an InternalFunction.
+
+ Also removed calls to isKnownNotXYZ from fillSpeculateABC methods in 32_64. I
+ don't know why that was there. But it was causing asserts if the value was
+ empty - i.e. we had already exited unconditionally but we didn't know it. I
+ could have fixed this by introducing another form of isKnownNotXYZ which was
+ tolerant of empty values, but I didn't feel like fixing code that I knew to be
+ unnecessary. (More deeply, isKnownNotCell, for example, really asks: "do you
+ know that this value can never be a cell?" while some of the previous uses
+ wanted to ask: "do you know that this is a value that is not a cell?". The
+ former is "true" if the value is a contradiction [i.e. BOTTOM], while the
+ latter is "false" for contradictions, since contradictions are not values.)
+
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::dump):
+ * bytecode/CallLinkStatus.h:
+ (JSC::CallLinkStatus::CallLinkStatus):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (DFG):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::isKnownInteger):
+ (JSC::DFG::SpeculativeJIT::isKnownCell):
+ (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
+ (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
+ (JSC::DFG::SpeculativeJIT::isKnownNotCell):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::dump):
+
+2013-02-17 Filip Pizlo <fpizlo@apple.com>
+
+ Get rid of DFG::DoubleOperand and simplify ValueToInt32
+ https://bugs.webkit.org/show_bug.cgi?id=110072
+
+ Reviewed by Geoffrey Garen.
+
+ ValueToInt32 had a side-effecting path, which was not OSR-friendly: an OSR after
+ the side-effect would lead to the side-effect re-executing. I got rid of that path
+ and replaced it with an optimization for the case where the input is speculated
+ number-or-other. This makes idioms like null|0 and true|0 work as expected, and
+ get optimized appropriately.
+
+ Also got rid of DoubleOperand. Replaced all remaining uses of it with
+ SpeculateDoubleOperand. Because the latter asserts that the Edge is a DoubleUse
+ edge and the remaining uses of DoubleOperand are all for untyped uses, I worked
+ around the assertion by setting the UseKind to DoubleUse by force. This is sound,
+ since all existing assertions for DoubleUse are actually asserting that we're not
+ converting a value to double unexpectedly. But all of these calls to
+ SpeculateDoubleOperand are when the operand is already known to be represented as
+ double, so there is no conversion.
+
+ This is neutral on benchmarks, except stanford-crypto-ccm, which speeds up a
+ little. Mostly, this is intended to delete a bunch of code. DoubleOperand was
+ equivalent to the replace-edge-with-DoubleUse trick that I'm using now, except it
+ involved a _lot_ more code.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ (DFG):
+ (FPRTemporary):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (DFG):
+
+2013-02-18 Ádám Kallai <kadam@inf.u-szeged.hu>
+
+ [Qt] Mountain Lion buildfix after r143147.
+
+ Reviewed by Csaba Osztrogonác.
+
+ * runtime/DateConstructor.cpp:
+
+2013-02-18 Zan Dobersek <zdobersek@igalia.com>
+
+ Stop placing std::isfinite and std::signbit inside the global scope
+ https://bugs.webkit.org/show_bug.cgi?id=109817
+
+ Reviewed by Darin Adler.
+
+ Prefix calls to the isfinite and signbit methods with std:: as the two
+ methods are no longer being imported into the global scope.
+
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::shouldBlindDouble):
+ * offlineasm/cloop.rb:
+ * runtime/BigInteger.h:
+ (JSC::BigInteger::BigInteger):
+ * runtime/DateConstructor.cpp:
+ (JSC::constructDate):
+ * runtime/DatePrototype.cpp:
+ (JSC::fillStructuresUsingTimeArgs):
+ (JSC::fillStructuresUsingDateArgs):
+ (JSC::dateProtoFuncToISOString):
+ (JSC::dateProtoFuncSetYear):
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::JSValue):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncIsFinite):
+ * runtime/JSONObject.cpp:
+ (JSC::Stringifier::appendStringifiedValue):
+ * runtime/MathObject.cpp:
+ (JSC::mathProtoFuncMax): Also include an opportunistic style fix.
+ (JSC::mathProtoFuncMin): Ditto.
+ * runtime/NumberPrototype.cpp:
+ (JSC::toStringWithRadix):
+ (JSC::numberProtoFuncToExponential):
+ (JSC::numberProtoFuncToFixed):
+ (JSC::numberProtoFuncToPrecision):
+ (JSC::numberProtoFuncToString):
+ * runtime/Uint16WithFraction.h:
+ (JSC::Uint16WithFraction::Uint16WithFraction):
+
+2013-02-18 Ádám Kallai <kadam@inf.u-szeged.hu>
+
+ [Qt] Mountain Lion buildfix after r143147.
+
+ Reviewed by Csaba Osztrogonác.
+
+ * runtime/DateInstance.cpp:
+
+2013-02-18 Ilya Tikhonovsky <loislo@chromium.org>
+
+ Unreviewed speculative build fix for Apple Win bots.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+
+2013-02-18 Filip Pizlo <fpizlo@apple.com>
+
+ Fix indentation of StructureStubInfo.h
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * bytecode/StructureStubInfo.h:
+
+2013-02-18 Filip Pizlo <fpizlo@apple.com>
+
+ Fix indentation of JSGlobalObject.h and JSGlobalObjectFunctions.h
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * runtime/JSGlobalObject.h:
+ * runtime/JSGlobalObjectFunctions.h:
+
+2013-02-18 Filip Pizlo <fpizlo@apple.com>
+
+ Fix indention of Operations.h
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * runtime/Operations.h:
+
+2013-02-18 Filip Pizlo <fpizlo@apple.com>
+
+ Remove DFG::SpeculativeJIT::isKnownNumeric(), since it's not called from anywhere.
+
+ Rubber stamped by Andy Estes.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (DFG):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+
+2013-02-18 Filip Pizlo <fpizlo@apple.com>
+
+ Remove DFG::SpeculativeJIT::isStrictInt32(), since it's not called from anywhere.
+
+ Rubber stampted by Andy Estes.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (DFG):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+
+2013-02-18 Filip Pizlo <fpizlo@apple.com>
+
+ Remove dead code for ValueToNumber from the DFG.
+
+ Rubber stamped by Andy Estes.
+
+ We killed ValueToNumber at some point, but forgot to kill all of the backend support
+ for it.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleMinMax):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ * dfg/DFGSpeculativeJIT64.cpp:
+
+2013-02-17 Csaba Osztrogonác <ossy@webkit.org>
+
+ Unreviewed buildfix for JSVALUE32_64 builds after r143147.
+
+ * jit/JIT.h:
+
+2013-02-17 Filip Pizlo <fpizlo@apple.com>
+
+ Move all Structure out-of-line inline methods to StructureInlines.h
+ https://bugs.webkit.org/show_bug.cgi?id=110024
+
+ Rubber stamped by Mark Hahnenberg and Sam Weinig.
+
+ This was supposed to be easy.
+
+ But, initially, there was a Structure inline method in CodeBlock.h, and moving that
+ into StructureInlines.h meant that Operations.h included CodeBlock.h. This would
+ cause WebCore build failures, because CodeBlock.h transitively included the JSC
+ parser (via many, many paths), and the JSC parser defines tokens using enumeration
+ elements that CSSGrammar.cpp (generated by bison) would #define. For example,
+ bison would give CSSGrammar.cpp a #define FUNCTION 123, and would do so before
+ including anything interesting. The JSC parser would have an enum that included
+ FUNCTION as an element. Hence the JSC parser included into CSSGrammar.cpp would have
+ a token element called FUNCTION declared in an enumeration, but FUNCTION was
+ #define'd to 123, leading to a parser error.
+
+ Wow.
+
+ So I removed all transitive include paths from CodeBlock.h to the JSC Parser. I
+ believe I was able to do so without out-of-lining anything interesting or performance
+ critical. This is probably a purely good thing to have done: it will be nice to be
+ able to make changes to the parser without having to compile the universe.
+
+ Of course, doing this caused a bunch of other things to not compile, since a bunch of
+ headers relied on things being implicitly included for them when they transitively
+ included the parser. I fixed a lot of that.
+
+ Finally, I ended up removing the method that depended on CodeBlock.h from
+ StructureInlines.h, and putting it in Structure.cpp. That might seem like all of this
+ was a waste of time, except that I suspect it was a worthwhile forcing function for
+ cleaning up a bunch of cruft.
+
+ * API/JSCallbackFunction.cpp:
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/CodeBlock.h:
+ (JSC):
+ * bytecode/EvalCodeCache.h:
+ * bytecode/SamplingTool.h:
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedFunctionExecutable::parameterCount):
+ (JSC):
+ * bytecode/UnlinkedCodeBlock.h:
+ (UnlinkedFunctionExecutable):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/Label.h:
+ (JSC):
+ * dfg/DFGByteCodeParser.cpp:
+ * dfg/DFGByteCodeParser.h:
+ * dfg/DFGFPRInfo.h:
+ * dfg/DFGRegisterBank.h:
+ * heap/HandleStack.cpp:
+ * jit/JITWriteBarrier.h:
+ * parser/Nodes.h:
+ (JSC):
+ * parser/Parser.h:
+ * parser/ParserError.h: Added.
+ (JSC):
+ (JSC::ParserError::ParserError):
+ (ParserError):
+ (JSC::ParserError::toErrorObject):
+ * parser/ParserModes.h:
+ * parser/SourceProvider.cpp: Added.
+ (JSC):
+ (JSC::SourceProvider::SourceProvider):
+ (JSC::SourceProvider::~SourceProvider):
+ * parser/SourceProvider.h:
+ (JSC):
+ (SourceProvider):
+ * runtime/ArrayPrototype.cpp:
+ * runtime/DatePrototype.cpp:
+ * runtime/Executable.h:
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSGlobalObject.h:
+ (JSC):
+ * runtime/Operations.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::prototypeForLookup):
+ (JSC):
+ * runtime/Structure.h:
+ (JSC):
+ * runtime/StructureInlines.h: Added.
+ (JSC):
+ (JSC::Structure::create):
+ (JSC::Structure::createStructure):
+ (JSC::Structure::get):
+ (JSC::Structure::masqueradesAsUndefined):
+ (JSC::SlotVisitor::internalAppend):
+ (JSC::Structure::transitivelyTransitionedFrom):
+ (JSC::Structure::setEnumerationCache):
+ (JSC::Structure::enumerationCache):
+ (JSC::Structure::prototypeForLookup):
+ (JSC::Structure::prototypeChain):
+ (JSC::Structure::isValid):
+ * runtime/StructureRareData.cpp:
+
+2013-02-17 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. Windows build fix.
+
+ * runtime/CodeCache.h:
+ (CodeCacheMap):
+
+2013-02-16 Geoffrey Garen <ggaren@apple.com>
+
+ Code cache should be explicit about what it caches
+ https://bugs.webkit.org/show_bug.cgi?id=110039
+
+ Reviewed by Oliver Hunt.
+
+ This patch makes the code cache more explicit in two ways:
+
+ (1) The cache caches top-level scripts. Any sub-functions executed as a
+ part of a script are cached with it and evicted with it.
+
+ This simplifies things by eliminating out-of-band sub-function tracking,
+ and fixes pathological cases where functions for live scripts would be
+ evicted in favor of functions for dead scripts, and/or high probability
+ functions executed early in script lifetime would be evicted in favor of
+ low probability functions executed late in script lifetime, due to LRU.
+
+ Statistical data from general browsing and PLT confirms that caching
+ functions independently of scripts is not profitable.
+
+ (2) The cache tracks script size, not script count.
+
+ This reduces the worst-case cache size by a factor of infinity.
+
+ Script size is a reasonable first-order estimate of in-memory footprint
+ for a cached script because there are no syntactic constructs that have
+ super-linear memory footprint.
+
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::generateFunctionCodeBlock): Moved this function out of the cache
+ because it does not consult the cache, and is not managed by it.
+
+ (JSC::UnlinkedFunctionExecutable::visitChildren): Visit our code blocks
+ because they are strong references now, rather than weak, a la (1).
+
+ (JSC::UnlinkedFunctionExecutable::codeBlockFor): Updated for interface changes.
+
+ * bytecode/UnlinkedCodeBlock.h:
+ (UnlinkedFunctionExecutable):
+ (UnlinkedFunctionCodeBlock): Strong now, not weak, a la (1).
+
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::CodeCache):
+ * runtime/CodeCache.h:
+ (JSC::SourceCodeKey::length):
+ (SourceCodeKey):
+ (CodeCacheMap):
+ (JSC::CodeCacheMap::CodeCacheMap):
+ (JSC::CodeCacheMap::find):
+ (JSC::CodeCacheMap::set):
+ (JSC::CodeCacheMap::clear):
+ (CodeCache):
+ (JSC::CodeCache::clear): Removed individual function tracking, due to (1).
+ Added explicit character counting, for (2).
+
+ You might think 16000000 characters is a lot. It is. But this patch
+ didn't establish that limit -- it just took the existing limit and
+ made it more visible. I intend to reduce the size of the cache in a
+ future patch.
+
+2013-02-16 Filip Pizlo <fpizlo@apple.com>
+
+ Remove support for bytecode comments, since it doesn't build, and hasn't been used in a while.
+ https://bugs.webkit.org/show_bug.cgi?id=110035
+
+ Rubber stamped by Andreas Kling.
+
+ There are other ways of achieving the same effect, like adding print statements to the bytecode generator.
+ The fact that this feature doesn't build and nobody noticed implies that it's probably not a popular
+ feature. As well, the amount of wiring that was required for it was quite big considering its relatively
+ modest utility.
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC):
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ * bytecode/Comment.h: Removed.
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::emitOpcode):
+ (JSC):
+ * bytecompiler/BytecodeGenerator.h:
+ (BytecodeGenerator):
+ (JSC::BytecodeGenerator::symbolTable):
+
+2013-02-16 Brent Fulgham <bfulgham@webkit.org>
+
+ [Windows] Unreviewed Visual Studio 2010 build fix after r143117
+
+ * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Reference new path to property sheets.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+ Build correction after new operator == added.
+
+2013-02-16 Filip Pizlo <fpizlo@apple.com>
+
+ Fix indentation of Structure.h
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * runtime/Structure.h:
+
+2013-02-16 Christophe Dumez <ch.dumez@sisa.samsung.com>
+
+ Unreviewed build fix.
+
+ Export symbol for new CString operator== operator to fix Windows build.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+
+2013-02-15 Filip Pizlo <fpizlo@apple.com>
+
+ Structure should be more methodical about the relationship between m_offset and m_propertyTable
+ https://bugs.webkit.org/show_bug.cgi?id=109978
+
+ Reviewed by Mark Hahnenberg.
+
+ Allegedly, the previous relationship was that either m_propertyTable or m_offset
+ would be set, and if m_propertyTable was not set you could rebuild it. In reality,
+ we would sometimes "reset" both: some transitions wouldn't set m_offset, and other
+ transitions would clear the previous structure's m_propertyTable. So, in a
+ structure transition chain of A->B->C you could have:
+
+ A transitions to B: B doesn't copy m_offset but does copy m_propertyTable, because
+ that seemed like a good idea at the time (this was a common idiom in the code).
+ B transitions to C: C steals B's m_propertyTable, leaving B with neither a
+ m_propertyTable nor a m_offset.
+
+ Then we would ask for the size of the property storage of B and get the answer
+ "none". That's not good.
+
+ Now, there is a new relationship, which, hopefully, should fix things: m_offset is
+ always set and always refers to the maximum offset ever used by the property table.
+ From this, you can infer both the inline and out-of-line property size, and
+ capacity. This is accomplished by having PropertyTable::add() take a
+ PropertyOffset reference, which must be Structure::m_offset. It will update this
+ offset. As well, all transitions now copy m_offset. And we frequently assert
+ (using RELEASE_ASSERT) that the m_offset matches what m_propertyTable would tell
+ you. Hence if you ever modify the m_propertyTable, you'll also update the offset.
+ If you ever copy the property table, you'll also copy the offset. Life should be
+ good, I think.
+
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyTable::add):
+ * runtime/Structure.cpp:
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::removePropertyTransition):
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::attributeChangeTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::sealTransition):
+ (JSC::Structure::freezeTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::flattenDictionaryStructure):
+ (JSC::Structure::checkConsistency):
+ (JSC::Structure::putSpecificValue):
+ (JSC::Structure::createPropertyMap):
+ (JSC::PropertyTable::checkConsistency):
+ * runtime/Structure.h:
+ (JSC):
+ (JSC::Structure::putWillGrowOutOfLineStorage):
+ (JSC::Structure::outOfLineCapacity):
+ (JSC::Structure::outOfLineSize):
+ (JSC::Structure::isEmpty):
+ (JSC::Structure::materializePropertyMapIfNecessary):
+ (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
+ (Structure):
+ (JSC::Structure::checkOffsetConsistency):
+
+2013-02-15 Martin Robinson <mrobinson@igalia.com>
+
+ [GTK] Spread the gyp build files throughout the tree
+ https://bugs.webkit.org/show_bug.cgi?id=109960
+
+ Reviewed by Dirk Pranke.
+
+ * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Renamed from Source/WebKit/gtk/gyp/JavaScriptCore.gyp.
+ * JavaScriptCore.gyp/generate-derived-sources.sh: Renamed from Source/WebKit/gtk/gyp/generate-derived-sources.sh.
+
+2013-02-15 Filip Pizlo <fpizlo@apple.com>
+
+ DFG SpeculativeJIT64 should be more precise about when it's dealing with a cell (even though it probably doesn't matter)
+ https://bugs.webkit.org/show_bug.cgi?id=109625
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-02-15 Geoffrey Garen <ggaren@apple.com>
+
+ Merged the global function cache into the source code cache
+ https://bugs.webkit.org/show_bug.cgi?id=108660
+
+ Reviewed by Sam Weinig.
+
+ Responding to review comments by Darin Adler.
+
+ * runtime/CodeCache.h:
+ (JSC::SourceCodeKey::SourceCodeKey): Don't initialize m_name and m_flags
+ in the hash table deleted value because they're meaningless.
+
+2013-02-14 Filip Pizlo <fpizlo@apple.com>
+
+ DFG AbstractState should filter operands to NewArray more precisely
+ https://bugs.webkit.org/show_bug.cgi?id=109900
+
+ Reviewed by Mark Hahnenberg.
+
+ NewArray for primitive indexing types speculates that the inputs are the appropriate
+ primitives. Now, the CFA filters the abstract state accordingly, as well.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+
+2013-02-15 Andreas Kling <akling@apple.com>
+
+ Yarr: Use OwnPtr to make pattern/disjunction/character-class ownership clearer.
+ <http://webkit.org/b/109218>
+
+ Reviewed by Benjamin Poulain.
+
+ - Let classes that manage lifetime of other objects hold on to them with OwnPtr instead of raw pointers.
+ - Placed some strategic Vector::shrinkToFit(), ::reserveInitialCapacity() and ::swap().
+
+ 668 kB progression on Membuster3.
+
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
+ (JSC::Yarr::ByteCompiler::emitDisjunction):
+ (ByteCompiler):
+ * yarr/YarrInterpreter.h:
+ (JSC::Yarr::BytecodePattern::BytecodePattern):
+ (BytecodePattern):
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
+ (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
+ (JSC::Yarr::YarrGenerator::opCompileBody):
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::CharacterClassConstructor::charClass):
+ (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
+ (JSC::Yarr::YarrPatternConstructor::reset):
+ (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
+ (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
+ (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
+ (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
+ (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
+ (JSC::Yarr::YarrPatternConstructor::optimizeBOL):
+ (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
+ (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
+ * yarr/YarrPattern.h:
+ (JSC::Yarr::PatternDisjunction::addNewAlternative):
+ (PatternDisjunction):
+ (YarrPattern):
+ (JSC::Yarr::YarrPattern::reset):
+ (JSC::Yarr::YarrPattern::newlineCharacterClass):
+ (JSC::Yarr::YarrPattern::digitsCharacterClass):
+ (JSC::Yarr::YarrPattern::spacesCharacterClass):
+ (JSC::Yarr::YarrPattern::wordcharCharacterClass):
+ (JSC::Yarr::YarrPattern::nondigitsCharacterClass):
+ (JSC::Yarr::YarrPattern::nonspacesCharacterClass):
+ (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):
+
+2013-02-14 Geoffrey Garen <ggaren@apple.com>
+
+ Merged the global function cache into the source code cache
+ https://bugs.webkit.org/show_bug.cgi?id=108660
+
+ Reviewed by Sam Weinig.
+
+ This has a few benefits:
+
+ (*) Saves a few kB by removing a second cache data structure.
+
+ (*) Reduces the worst case memory usage of the cache by 1.75X. (Heavy
+ use of 'new Function' and other techniques could cause us to fill
+ both root caches, and they didn't trade off against each other.)
+
+ (*) Paves the way for future improvements based on a non-trivial
+ cache key (for example, shrinkable pointer to the key string, and
+ more precise cache size accounting).
+
+ Also cleaned up the cache implementation and simplified it a bit.
+
+ * heap/Handle.h:
+ (HandleBase):
+ * heap/Strong.h:
+ (Strong): Build!
+
+ * runtime/CodeCache.cpp:
+ (JSC):
+ (JSC::CodeCache::getCodeBlock):
+ (JSC::CodeCache::generateFunctionCodeBlock):
+ (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
+ (JSC::CodeCache::usedFunctionCode): Updated for three interface changes:
+
+ (*) SourceCodeKey is a class, not a pair.
+
+ (*) Table values are abstract pointers, since they can be executables
+ or code blocks. (In a future patch, I'd like to change this so we
+ always store only code blocks. But that's too much for one patch.)
+
+ (*) The cache function is named "set" because it always overwrites
+ unconditionally.
+
+ * runtime/CodeCache.h:
+ (CacheMap):
+ (JSC::CacheMap::find):
+ (JSC::CacheMap::set):
+ (JSC::CacheMap::clear): Added support for specifying hash traits, so we
+ can use a SourceCodeKey.
+
+ Removed side table and random number generator to save space and reduce
+ complexity. Hash tables are already random, so we don't need another source
+ of randomness.
+
+ (SourceCodeKey):
+ (JSC::SourceCodeKey::SourceCodeKey):
+ (JSC::SourceCodeKey::isHashTableDeletedValue):
+ (JSC::SourceCodeKey::hash):
+ (JSC::SourceCodeKey::isNull):
+ (JSC::SourceCodeKey::operator==):
+ (JSC::SourceCodeKeyHash::hash):
+ (JSC::SourceCodeKeyHash::equal):
+ (SourceCodeKeyHash):
+ (SourceCodeKeyHashTraits):
+ (JSC::SourceCodeKeyHashTraits::isEmptyValue): A SourceCodeKey is just a
+ fancy triplet: source code string; function name (or null, for non-functions);
+ and flags. Flags and function name distinguish between functions and programs
+ with identical code, so they can live in the same cache.
+
+ I chose to use the source code string as the primary hashing reference
+ because it's likely to be unique. We can use profiling to choose another
+ technique in future, if collisions between functions and programs prove
+ to be hot. I suspect they won't.
+
+ (JSC::CodeCache::clear):
+ (CodeCache): Removed the second cache.
+
+ * heap/Handle.h:
+ (HandleBase):
+ * heap/Strong.h:
+ (Strong):
+ * runtime/CodeCache.cpp:
+ (JSC):
+ (JSC::CodeCache::getCodeBlock):
+ (JSC::CodeCache::generateFunctionCodeBlock):
+ (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
+ (JSC::CodeCache::usedFunctionCode):
+ * runtime/CodeCache.h:
+ (JSC):
+ (CacheMap):
+ (JSC::CacheMap::find):
+ (JSC::CacheMap::set):
+ (JSC::CacheMap::clear):
+ (SourceCodeKey):
+ (JSC::SourceCodeKey::SourceCodeKey):
+ (JSC::SourceCodeKey::isHashTableDeletedValue):
+ (JSC::SourceCodeKey::hash):
+ (JSC::SourceCodeKey::isNull):
+ (JSC::SourceCodeKey::operator==):
+ (JSC::SourceCodeKeyHash::hash):
+ (JSC::SourceCodeKeyHash::equal):
+ (SourceCodeKeyHash):
+ (SourceCodeKeyHashTraits):
+ (JSC::SourceCodeKeyHashTraits::isEmptyValue):
+ (JSC::CodeCache::clear):
+ (CodeCache):
+
+2013-02-14 Tony Chang <tony@chromium.org>
+
+ Unreviewed, set svn:eol-style native for .sln, .vcproj, and .vsprops files.
+ https://bugs.webkit.org/show_bug.cgi?id=96934
+
+ * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
+ * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
+ * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added property svn:eol-style.
+ * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops: Added property svn:eol-style.
+ * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops: Added property svn:eol-style.
+ * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops: Added property svn:eol-style.
+ * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops: Added property svn:eol-style.
+ * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops: Added property svn:eol-style.
+ * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops: Added property svn:eol-style.
+ * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops: Added property svn:eol-style.
+
+2013-02-14 Tony Chang <tony@chromium.org>
+
+ Unreviewed, set svn:eol-style CRLF for .sln files.
+
+ * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
+ * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
+
+2013-02-14 David Kilzer <ddkilzer@apple.com>
+
+ [Mac] Clean up WARNING_CFLAGS
+ <http://webkit.org/b/109747>
+ <rdar://problem/13208373>
+
+ Reviewed by Mark Rowe.
+
+ * Configurations/Base.xcconfig: Use
+ GCC_WARN_64_TO_32_BIT_CONVERSION to enable and disable
+ -Wshorten-64-to-32 rather than WARNING_CFLAGS.
+
+ * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
+ * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
+
+2013-02-13 Anders Carlsson <andersca@apple.com>
+
+ Better build fix.
+
+ * API/tests/testapi.c:
+ (assertEqualsAsNumber):
+ (main):
+
+2013-02-13 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. Build fix.
+
+ * API/tests/testapi.c:
+ (assertEqualsAsNumber):
+ (main):
+
+2013-02-13 Oliver Hunt <oliver@apple.com>
+
+ Yet another build fix
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+
+2013-02-13 Zan Dobersek <zdobersek@igalia.com>
+
+ The 'global isinf/isnan' compiler quirk required when using clang with libstdc++
+ https://bugs.webkit.org/show_bug.cgi?id=109325
+
+ Reviewed by Anders Carlsson.
+
+ Prefix calls to the isinf and isnan methods with std::, declaring we want to use the
+ two methods as they're provided by the C++ standard library being used.
+
+ * API/JSValueRef.cpp:
+ (JSValueMakeNumber):
+ * JSCTypedArrayStubs.h:
+ (JSC):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitLoad):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::constantNaN):
+ * offlineasm/cloop.rb:
+ * runtime/DateConstructor.cpp:
+ (JSC::dateUTC): Also include an opportunistic style fix.
+ * runtime/DateInstance.cpp:
+ (JSC::DateInstance::calculateGregorianDateTime):
+ (JSC::DateInstance::calculateGregorianDateTimeUTC):
+ * runtime/DatePrototype.cpp:
+ (JSC::dateProtoFuncGetMilliSeconds):
+ (JSC::dateProtoFuncGetUTCMilliseconds):
+ (JSC::setNewValueFromTimeArgs):
+ (JSC::setNewValueFromDateArgs):
+ (JSC::dateProtoFuncSetYear):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::toInteger):
+ * runtime/JSDateMath.cpp:
+ (JSC::getUTCOffset):
+ (JSC::parseDateFromNullTerminatedCharacters):
+ (JSC::parseDate):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncIsNaN):
+ * runtime/MathObject.cpp:
+ (JSC::mathProtoFuncMax):
+ (JSC::mathProtoFuncMin):
+ (JSC::mathProtoFuncPow):
+ * runtime/PropertyDescriptor.cpp:
+ (JSC::sameValue):
+
+2013-02-13 Filip Pizlo <fpizlo@apple.com>
+
+ Change another use of (SpecCell & ~SpecString) to SpecObject.
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+
+2013-02-13 Filip Pizlo <fpizlo@apple.com>
+
+ ForwardInt32ToDouble is not in DFG::MinifiedNode's list of relevant node types
+ https://bugs.webkit.org/show_bug.cgi?id=109726
+
+ Reviewed by Mark Hahnenberg.
+
+ If you add it to the list of relevant node types, you also need to make sure
+ it's listed as either hasChild or one of the other kinds. Otherwise you get
+ an assertion. This is causing test failures in run-javascriptcore-tests.
+
+ * dfg/DFGMinifiedNode.h:
+ (JSC::DFG::MinifiedNode::hasChild):
+
+2013-02-13 Oliver Hunt <oliver@apple.com>
+
+ Build fix.
+
+ Rearranged the code somewhat to reduce the number of
+ DFG related ifdefs.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+
+2013-02-13 Filip Pizlo <fpizlo@apple.com>
+
+ ForwardInt32ToDouble is not in DFG::MinifiedNode's list of relevant node types
+ https://bugs.webkit.org/show_bug.cgi?id=109726
+
+ Reviewed by Gavin Barraclough.
+
+ This is asymptomatic because ForwardInt32ToDouble is only used in SetLocals, in
+ which case the value is already stored to the stack. Still, we should fix this.
+
+ * dfg/DFGMinifiedNode.h:
+ (JSC::DFG::belongsInMinifiedGraph):
+
+2013-02-12 Filip Pizlo <fpizlo@apple.com>
+
+ DFG LogicalNot/Branch peephole removal and inversion ignores the possibility of things exiting
+ https://bugs.webkit.org/show_bug.cgi?id=109489
+
+ Reviewed by Mark Hahnenberg.
+
+ If things can exit between the LogicalNot and the Branch then don't peephole.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+
+2013-02-13 Oliver Hunt <oliver@apple.com>
+
+ Remove unnecessary indirection to non-local variable access operations
+ https://bugs.webkit.org/show_bug.cgi?id=109724
+
+ Reviewed by Filip Pizlo.
+
+ Linked bytecode now stores a direct pointer to the resolve operation
+ vectors, so the interpreter no longer needs a bunch of indirection to
+ to perform non-local lookup.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ * bytecode/Instruction.h:
+ * dfg/DFGByteCodeParser.cpp:
+ (ByteCodeParser):
+ (InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::parseResolveOperations):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canInlineOpcode):
+ * dfg/DFGGraph.h:
+ (ResolveGlobalData):
+ (ResolveOperationData):
+ (PutToBaseOperationData):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_put_to_base):
+ (JSC::JIT::emit_op_resolve):
+ (JSC::JIT::emitSlow_op_resolve):
+ (JSC::JIT::emit_op_resolve_base):
+ (JSC::JIT::emitSlow_op_resolve_base):
+ (JSC::JIT::emit_op_resolve_with_base):
+ (JSC::JIT::emitSlow_op_resolve_with_base):
+ (JSC::JIT::emit_op_resolve_with_this):
+ (JSC::JIT::emitSlow_op_resolve_with_this):
+ (JSC::JIT::emitSlow_op_put_to_base):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_put_to_base):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LowLevelInterpreter.asm:
+
+2013-02-13 Zoltan Herczeg <zherczeg@webkit.org>
+
+ replaceWithJump should not decrease the offset by 1 on ARM traditional.
+ https://bugs.webkit.org/show_bug.cgi?id=109689
+
+ Reviewed by Oliver Hunt.
+
+ * assembler/ARMAssembler.h:
+ (JSC::ARMAssembler::replaceWithJump):
+
+2013-02-12 Joseph Pecoraro <pecoraro@apple.com>
+
+ [iOS] Enable PAGE_VISIBILITY_API
+ https://bugs.webkit.org/show_bug.cgi?id=109399
+
+ Reviewed by David Kilzer.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-02-12 Filip Pizlo <fpizlo@apple.com>
+
+ Renamed SpecObjectMask to SpecObject.
+
+ Rubber stamped by Mark Hahnenberg.
+
+ "SpecObjectMask" is a weird name considering that a bunch of the other speculated
+ types are also masks, but don't have "Mask" in the name.
+
+ * bytecode/SpeculatedType.h:
+ (JSC):
+ (JSC::isObjectSpeculation):
+ (JSC::isObjectOrOtherSpeculation):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+
+2013-02-12 Filip Pizlo <fpizlo@apple.com>
+
+ DFG CFA doesn't filter precisely enough for CompareStrictEq
+ https://bugs.webkit.org/show_bug.cgi?id=109618
+
+ Reviewed by Mark Hahnenberg.
+
+ The backend speculates object for this case, but the CFA was filtering on
+ (SpecCell & ~SpecString) | SpecOther.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+
+2013-02-12 Martin Robinson <mrobinson@igalia.com>
+
+ Fix the gyp build of JavaScriptCore.
+
+ * JavaScriptCore.gypi: Added some missing DFG files to the source list.
+
+2013-02-12 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r142387.
+ http://trac.webkit.org/changeset/142387
+ https://bugs.webkit.org/show_bug.cgi?id=109601
+
+ caused all layout and jscore tests on windows to fail
+ (Requested by kling on #webkit).
+
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ * bytecode/UnlinkedCodeBlock.h:
+ (UnlinkedCodeBlock):
+
+2013-02-11 Filip Pizlo <fpizlo@apple.com>
+
+ DFG CompareEq optimization should be retuned
+ https://bugs.webkit.org/show_bug.cgi?id=109545
+
+ Reviewed by Mark Hahnenberg.
+
+ - Made the object-to-object equality case work again by hoisting the if statement
+ for it. Previously, object-to-object equality would be compiled as
+ object-to-object-or-other.
+
+ - Added AbstractState guards for most of the type checks that the object equality
+ code uses.
+
+ Looks like a hint of a speed-up on all of the things.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
+ (JSC::DFG::SpeculativeJIT::compare):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+
+2013-02-12 Gabor Rapcsanyi <rgabor@webkit.org>
+
+ JSC asserting with long parameter list functions in debug mode on ARM traditional
+ https://bugs.webkit.org/show_bug.cgi?id=109565
+
+ Reviewed by Zoltan Herczeg.
+
+ Increase the value of sequenceGetByIdSlowCaseInstructionSpace to 80.
+
+ * jit/JIT.h:
+
+2013-02-11 Oliver Hunt <oliver@apple.com>
+
+ Make JSC API more NULL tolerant
+ https://bugs.webkit.org/show_bug.cgi?id=109515
+
+ Reviewed by Mark Hahnenberg.
+
+ We do so much marshalling for the C API these days anyway that a single null
+ check isn't a performance issue. Yet the existing "null is unsafe" behaviour
+ leads to crashes in embedding applications whenever there's an untested code
+ path, so it seems having defined behaviour is superior.
+
+ * API/APICast.h:
+ (toJS):
+ (toJSForGC):
+ * API/JSObjectRef.cpp:
+ (JSObjectIsFunction):
+ (JSObjectCallAsFunction):
+ (JSObjectIsConstructor):
+ (JSObjectCallAsConstructor):
+ * API/tests/testapi.c:
+ (main):
+
+2013-02-11 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, adding a FIXME to remind ourselves of a bug.
+ https://bugs.webkit.org/show_bug.cgi?id=109487
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
+
+2013-02-11 Filip Pizlo <fpizlo@apple.com>
+
+ Strange bug in DFG OSR in JSC
+ https://bugs.webkit.org/show_bug.cgi?id=109491
+
+ Reviewed by Mark Hahnenberg.
+
+ Int32ToDouble was being injected after a side-effecting operation and before a SetLocal. Anytime we
+ inject something just before a SetLocal we should be aware that the previous operation may have been
+ a side-effect associated with the current code origin. Hence, we should use a forward exit.
+ Int32ToDouble does not do forward exits by default.
+
+ This patch adds a forward-exiting form of Int32ToDouble, for use in SetLocal Int32ToDouble injections.
+ Changed the CSE and other things to treat these nodes identically, but for the exit strategy to be
+ distinct (Int32ToDouble -> backward, ForwardInt32ToDouble -> forward). The use of the NodeType for
+ signaling exit direction is not "great" but it's what we use in other places already (like
+ ForwardCheckStructure).
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::int32ToDoubleCSE):
+ (CSEPhase):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGCommon.h:
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixDoubleEdge):
+ (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::willHaveCodeGenOrOSR):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
+ (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGVariableEventStream.cpp:
+ (JSC::DFG::VariableEventStream::reconstruct):
+
+2013-02-11 Filip Pizlo <fpizlo@apple.com>
+
+ NonStringCell and Object are practically the same thing for the purpose of speculation
+ https://bugs.webkit.org/show_bug.cgi?id=109492
+
+ Reviewed by Mark Hahnenberg.
+
+ Removed isNonStringCellSpeculation, and made all callers use isObjectSpeculation.
+
+ Changed isNonStringCellOrOtherSpeculation to be isObjectOrOtherSpeculation.
+
+ I believe this is correct because even weird object types like JSNotAnObject end up
+ being "objects" from the standpoint of our typesystem. Anyway, the assumption that
+ "is cell but not a string" equates to "object" is an assumption that is already made
+ in other places in the system so there's little value in being paranoid about it.
+
+ * bytecode/SpeculatedType.h:
+ (JSC::isObjectSpeculation):
+ (JSC::isObjectOrOtherSpeculation):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGNode.h:
+ (Node):
+ (JSC::DFG::Node::shouldSpeculateObjectOrOther):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
+ (JSC::DFG::SpeculativeJIT::compare):
+ (JSC::DFG::SpeculativeJIT::compileStrictEq):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-02-10 Filip Pizlo <fpizlo@apple.com>
+
+ DFG CompareEq(a, null) and CompareStrictEq(a, const) are unsound with respect to constant folding
+ https://bugs.webkit.org/show_bug.cgi?id=109387
+
+ Reviewed by Oliver Hunt and Mark Hahnenberg.
+
+ Lock in the decision to use a non-speculative constant comparison as early as possible
+ and don't let the CFA change it by folding constants. This might be a performance
+ penalty on some really weird code (FWIW, I haven't seen this on benchmarks), but on
+ the other hand it completely side-steps the unsoundness that the bug speaks of.
+
+ Rolling back in after adding 32-bit path.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::isConstantForCompareStrictEq):
+ (ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileStrictEq):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-02-10 Filip Pizlo <fpizlo@apple.com>
+
+ DFG TypeOf implementation should have its backend code aligned to what the CFA does
+ https://bugs.webkit.org/show_bug.cgi?id=109385
+
+ Reviewed by Sam Weinig.
+
+ The problem was that if we ended up trying to constant fold, but didn't succeed
+ because of prediction mismatches, then we would also fail to do filtration.
+
+ Rearranged the control flow in the CFA to fix that.
+
+ As far as I know, this is asymptomatic - it's sort of OK for the CFA to prove less
+ things, which is what the bug was.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+
+2013-02-11 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r142491.
+ http://trac.webkit.org/changeset/142491
+ https://bugs.webkit.org/show_bug.cgi?id=109470
+
+ broke the 32 bit build (Requested by jessieberlin on #webkit).
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileStrictEq):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-02-10 Filip Pizlo <fpizlo@apple.com>
+
+ DFG CompareEq(a, null) and CompareStrictEq(a, const) are unsound with respect to constant folding
+ https://bugs.webkit.org/show_bug.cgi?id=109387
+
+ Reviewed by Oliver Hunt.
+
+ Lock in the decision to use a non-speculative constant comparison as early as possible
+ and don't let the CFA change it by folding constants. This might be a performance
+ penalty on some really weird code (FWIW, I haven't seen this on benchmarks), but on
+ the other hand it completely side-steps the unsoundness that the bug speaks of.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::isConstantForCompareStrictEq):
+ (ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileStrictEq):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-02-11 Csaba Osztrogonác <ossy@webkit.org>
+
+ Unreviewed fix after r13954 for !ENABLE(JIT) builds.
+
+ * llint/LowLevelInterpreter.cpp:
+
+2013-02-11 Gabor Rapcsanyi <rgabor@webkit.org>
+
+ JSC build failing with verbose debug mode
+ https://bugs.webkit.org/show_bug.cgi?id=109441
+
+ Reviewed by Darin Adler.
+
+ Fixing some verbose messages which caused build errors.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::mergeToSuccessors):
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::performBlockCFA):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::setReplacement):
+ (JSC::DFG::CSEPhase::eliminate):
+ * dfg/DFGPredictionInjectionPhase.cpp:
+ (JSC::DFG::PredictionInjectionPhase::run):
+
+2013-02-10 Martin Robinson <mrobinson@igalia.com>
+
+ Fix the GTK+ gyp build
+
+ * JavaScriptCore.gypi: Update the source list to accurately
+ reflect what's in the repository and remove the offsets extractor
+ from the list of JavaScriptCore files. It's only used to build
+ the extractor binary.
+
+2013-02-09 Andreas Kling <akling@apple.com>
+
+ Shrink-wrap UnlinkedCodeBlock members.
+ <http://webkit.org/b/109368>
+
+ Reviewed by Oliver Hunt.
+
+ Rearrange the members of UnlinkedCodeBlock to avoid unnecessary padding on 64-bit.
+ Knocks ~600 KB off of the Membuster3 peak.
+
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ * bytecode/UnlinkedCodeBlock.h:
+ (UnlinkedCodeBlock):
+
+2013-02-08 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should allow phases to break Phi's and then have one phase to rebuild them
+ https://bugs.webkit.org/show_bug.cgi?id=108414
+
+ Reviewed by Mark Hahnenberg.
+
+ Introduces two new DFG forms: LoadStore and ThreadedCPS. These are described in
+ detail in DFGCommon.h.
+
+ Consequently, DFG phases no longer have to worry about preserving data flow
+ links between basic blocks. It is generally always safe to request that the
+ graph be dethreaded (Graph::dethread), which brings it into LoadStore form, where
+ the data flow is implicit. In this form, only liveness-at-head needs to be
+ preserved.
+
+ All of the machinery for "threading" the graph to introduce data flow between
+ blocks is now moved out of the bytecode parser and into the CPSRethreadingPhase.
+ All phases that previously did this maintenance themselves now just rely on
+ being able to dethread the graph. The one exception is the structure check
+ hoising phase, which operates over a threaded graph and preserves it, for the
+ sake of performance.
+
+ Also moved two other things into their own phases: unification (previously found
+ in the parser) and prediction injection (previously found in various places).
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/Operands.h:
+ (Operands):
+ (JSC::Operands::sizeFor):
+ (JSC::Operands::atFor):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ (JSC::DFG::AbstractState::mergeStateAtTail):
+ * dfg/DFGAllocator.h:
+ (JSC::DFG::::allocateSlow):
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGBasicBlockInlines.h:
+ (DFG):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::getLocal):
+ (JSC::DFG::ByteCodeParser::getArgument):
+ (JSC::DFG::ByteCodeParser::flushDirect):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (DFG):
+ (JSC::DFG::ByteCodeParser::parse):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ (JSC::DFG::CFGSimplificationPhase::killUnreachable):
+ (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
+ (CFGSimplificationPhase):
+ (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
+ (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
+ * dfg/DFGCPSRethreadingPhase.cpp: Added.
+ (DFG):
+ (CPSRethreadingPhase):
+ (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
+ (JSC::DFG::CPSRethreadingPhase::run):
+ (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
+ (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail):
+ (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
+ (JSC::DFG::CPSRethreadingPhase::addPhi):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
+ (JSC::DFG::CPSRethreadingPhase::propagatePhis):
+ (JSC::DFG::CPSRethreadingPhase::PhiStackEntry::PhiStackEntry):
+ (PhiStackEntry):
+ (JSC::DFG::CPSRethreadingPhase::phiStackFor):
+ (JSC::DFG::performCPSRethreading):
+ * dfg/DFGCPSRethreadingPhase.h: Added.
+ (DFG):
+ * dfg/DFGCSEPhase.cpp:
+ (CSEPhase):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGCommon.cpp:
+ (WTF):
+ (WTF::printInternal):
+ * dfg/DFGCommon.h:
+ (JSC::DFG::logCompilationChanges):
+ (DFG):
+ (WTF):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::dethread):
+ (JSC::DFG::Graph::collectGarbage):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::performSubstitution):
+ (Graph):
+ (JSC::DFG::Graph::performSubstitutionForEdge):
+ (JSC::DFG::Graph::convertToConstant):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToPhantomLocal):
+ (Node):
+ (JSC::DFG::Node::convertToGetLocal):
+ (JSC::DFG::Node::hasVariableAccessData):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGPhase.cpp:
+ (JSC::DFG::Phase::beginPhase):
+ * dfg/DFGPhase.h:
+ (JSC::DFG::runAndLog):
+ * dfg/DFGPredictionInjectionPhase.cpp: Added.
+ (DFG):
+ (PredictionInjectionPhase):
+ (JSC::DFG::PredictionInjectionPhase::PredictionInjectionPhase):
+ (JSC::DFG::PredictionInjectionPhase::run):
+ (JSC::DFG::performPredictionInjection):
+ * dfg/DFGPredictionInjectionPhase.h: Added.
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::run):
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ * dfg/DFGUnificationPhase.cpp: Added.
+ (DFG):
+ (UnificationPhase):
+ (JSC::DFG::UnificationPhase::UnificationPhase):
+ (JSC::DFG::UnificationPhase::run):
+ (JSC::DFG::performUnification):
+ * dfg/DFGUnificationPhase.h: Added.
+ (DFG):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ (JSC::DFG::Validate::dumpGraphIfAppropriate):
+ * dfg/DFGVirtualRegisterAllocationPhase.cpp:
+ (JSC::DFG::VirtualRegisterAllocationPhase::run):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::setUpCall):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::dump):
+ * runtime/JSString.h:
+ (JSString):
+ * runtime/Options.h:
+ (JSC):
+
+2013-02-08 Jer Noble <jer.noble@apple.com>
+
+ Bring WebKit up to speed with latest Encrypted Media spec.
+ https://bugs.webkit.org/show_bug.cgi?id=97037
+
+ Reviewed by Eric Carlson.
+
+ Define the ENABLE_ENCRYPTED_MEDIA_V2 setting.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-02-08 Gavin Barraclough <barraclough@apple.com>
+
+ Objective-C API for JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=105889
+
+ Reviewed by Joseph Pecoraro
+
+ Following up on review comments, mostly typos.
+
+ * API/JSBlockAdaptor.h:
+ * API/JSBlockAdaptor.mm:
+ (-[JSBlockAdaptor blockFromValue:inContext:withException:]):
+ * API/JSContext.h:
+ * API/JSExport.h:
+ * API/JSValue.h:
+ * API/JSValue.mm:
+ * API/JSWrapperMap.mm:
+ (selectorToPropertyName):
+ (-[JSWrapperMap classInfoForClass:]):
+ (-[JSWrapperMap wrapperForObject:]):
+
+2013-02-08 Martin Robinson <mrobinson@igalia.com>
+
+ [GTK] Add an experimental gyp build
+ https://bugs.webkit.org/show_bug.cgi?id=109003
+
+ Reviewed by Gustavo Noronha Silva.
+
+ * JavaScriptCore.gypi: Update the list of source files to include those
+ necessary for the GTK+ build.
+
+2013-02-08 Andreas Kling <akling@apple.com>
+
+ JSC: Lower minimum PropertyTable size.
+ <http://webkit.org/b/109247>
+
+ Reviewed by Darin Adler.
+
+ Lower the minimum table size for PropertyTable from 16 to 8.
+ 3.32 MB progression on Membuster3 (a ~13% reduction in memory used by PropertyTables.)
+
+ * runtime/PropertyMapHashTable.h:
+ (PropertyTable):
+ (JSC::PropertyTable::sizeForCapacity):
+
+2013-02-07 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. More VS2010 WebKit solution touchups.
+ Make JavaScriptCoreExports.def.in be treated as a custom build file so that changes to it cause the exports to be rebuilt.
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+
+2013-02-07 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: testapi.mm should use ARC
+ https://bugs.webkit.org/show_bug.cgi?id=107838
+
+ Reviewed by Mark Rowe.
+
+ Removing the changes to the Xcode project file and moving the equivalent flags into
+ the ToolExecutable xcconfig file.
+
+ * Configurations/ToolExecutable.xcconfig:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2013-02-07 Brent Fulgham <bfulgham@webkit.org>
+
+ [Windows] Unreviewed Visual Studio 2010 build fixes after r142179.
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Correct changed symbols
+ * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Removed autogenerated file.
+
+2013-02-05 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::ByteCodeParser should do surgical constant folding to reduce load on the optimization fixpoint
+ https://bugs.webkit.org/show_bug.cgi?id=109000
+
+ Reviewed by Oliver Hunt.
+
+ Previously our source parser's ASTBuilder did some surgical constant folding, but it
+ didn't cover some cases. It was particularly incapable of doing constant folding for
+ cases where we do some minimal loop peeling in the bytecode generator - since it
+ didn't "see" those constants prior to the peeling. Example:
+
+ for (var i = 0; i < 4; ++i)
+ things;
+
+ This will get peeled just a bit by the bytecode generator, so that the "i < 4" is
+ duplicated both at the top of the loop and the bottom. This means that we have a
+ constant comparison: "0 < 4", which the bytecode generator emits without any further
+ thought.
+
+ The DFG optimization fixpoint of course folds this and simplifies the CFG
+ accordingly, but this incurs a compile-time cost. The purpose of this change is to
+ do some surgical constant folding in the DFG's bytecode parser, so that such
+ constructs reduce load on the CFG simplifier and the optimization fixpoint. The goal
+ is not to cover all cases, since the DFG CFA and CFG simplifier have a powerful
+ sparse conditional constant propagation that we can always fall back on. Instead the
+ goal is to cover enough cases that for common small functions we don't have to
+ perform such transformations, thereby reducing compile times.
+
+ This also refactors m_inlineStackEntry->m_inlineCallFrame to be a handy method call
+ and also adds the notion of a TriState-based JSValue::pureToBoolean(). Both of these
+ things are used by the folder.
+
+ As well, care has been taken to make sure that the bytecode parser only does folding
+ that is statically provable, and that doesn't arise out of speculation. This means
+ we cannot fold on data flow that crosses inlining boundaries. On the other hand, the
+ folding that the bytecode parser uses doesn't require phantoming anything. Such is
+ the trade-off: for anything that we do need phantoming, we defer it to the
+ optimization fixpoint.
+
+ Slight SunSpider speed-up.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::get):
+ (JSC::DFG::ByteCodeParser::getLocal):
+ (JSC::DFG::ByteCodeParser::setLocal):
+ (JSC::DFG::ByteCodeParser::flushDirect):
+ (JSC::DFG::ByteCodeParser::flushArgumentsAndCapturedVariables):
+ (JSC::DFG::ByteCodeParser::toInt32):
+ (ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::inlineCallFrame):
+ (JSC::DFG::ByteCodeParser::currentCodeOrigin):
+ (JSC::DFG::ByteCodeParser::canFold):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::getScope):
+ (JSC::DFG::ByteCodeParser::parseResolveOperations):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::isStronglyProvedConstantIn):
+ (Node):
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::pureToBoolean):
+ (JSC):
+
+2013-02-07 Zoltan Herczeg <zherczeg@webkit.org>
+
+ Invalid code is generated for storing constants with baseindex addressing modes on ARM traditional.
+ https://bugs.webkit.org/show_bug.cgi?id=109050
+
+ Reviewed by Oliver Hunt.
+
+ The S! scratch register is reused, but it should contain the constant value.
+
+ * assembler/ARMAssembler.cpp:
+ (JSC::ARMAssembler::baseIndexTransfer32):
+ (JSC::ARMAssembler::baseIndexTransfer16):
+
+2013-02-07 Andras Becsi <andras.becsi@digia.com>
+
+ [Qt] Use GNU ar's thin archive format for intermediate static libs
+ https://bugs.webkit.org/show_bug.cgi?id=109052
+
+ Reviewed by Jocelyn Turcotte.
+
+ Adjust project files that used activeBuildConfig()
+ to use targetSubDir().
+
+ * JavaScriptCore.pri:
+ * LLIntOffsetsExtractor.pro:
+ * Target.pri:
+
+2013-02-06 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. Touchups to VS2010 WebKit solution.
+ Fix an export generator script, modify some property sheets, add resouce file.
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props:
+ * JavaScriptCore.vcxproj/resource.h: Added.
+
+2013-02-06 Ilya Tikhonovsky <loislo@chromium.org>
+
+ Web Inspector: Native Memory Instrumentation: assign class name to the heap graph node automatically
+ https://bugs.webkit.org/show_bug.cgi?id=107262
+
+ Reviewed by Yury Semikhatsky.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+
+2013-02-06 Mike West <mkwst@chromium.org>
+
+ Add an ENABLE_NOSNIFF feature flag.
+ https://bugs.webkit.org/show_bug.cgi?id=109029
+
+ Reviewed by Jochen Eisinger.
+
+ This new flag will control the behavior of 'X-Content-Type-Options: nosniff'
+ when processing script and other resource types.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-02-05 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ put_to_base should emit a Phantom for "value" across the ForceOSRExit
+ https://bugs.webkit.org/show_bug.cgi?id=108998
+
+ Reviewed by Oliver Hunt.
+
+ Otherwise, the OSR exit compiler could clobber it, which would lead to badness.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::tallyFrequentExitSites): Build fixes for when DFG debug logging is enabled.
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock): Added extra Phantoms for the "value" field where needed.
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compile): Ditto.
+
+2013-02-05 Michael Saboff <msaboff@apple.com>
+
+ Crash at JSC::call when loading www.gap.com with JSVALUE32_64 Enabled
+ https://bugs.webkit.org/show_bug.cgi?id=108991
+
+ Reviewed by Oliver Hunt.
+
+ Changed the restoration from calleeGPR to nonArgGPR0 because the restoration of the return location
+ may step on calleeGPR is it happen to be nonArgGPR2.
+
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::dfgLinkClosureCall):
+
+2013-02-05 Roger Fong <roger_fong@apple.com>
+
+ Add a JavaScriptCore Export Generator project.
+ https://bugs.webkit.org/show_bug.cgi?id=108971.
+
+ Reviewed by Brent Fulgham.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.sln:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.user: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Added.
+
+2013-02-04 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should have a precise view of jump targets
+ https://bugs.webkit.org/show_bug.cgi?id=108868
+
+ Reviewed by Oliver Hunt.
+
+ Previously, the DFG relied entirely on the CodeBlock's jump targets list for
+ determining when to break basic blocks. This worked great, except sometimes it
+ would be too conservative since the CodeBlock just says where the bytecode
+ generator inserted labels.
+
+ This change keeps the old jump target list in CodeBlock since it is still
+ valuable to the baseline JIT, but switches the DFG to use its own jump target
+ calculator. This ought to reduce pressure on the DFG simplifier, which would
+ previously do a lot of work to try to merge redundantly created basic blocks.
+ It appears to be a 1% progression on SunSpider.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/PreciseJumpTargets.cpp: Added.
+ (JSC):
+ (JSC::addSimpleSwitchTargets):
+ (JSC::computePreciseJumpTargets):
+ * bytecode/PreciseJumpTargets.h: Added.
+ (JSC):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+
+2013-02-01 Roger Fong <roger_fong@apple.com>
+
+ Make ConfigurationBuildDir include directories precede WebKitLibraries in JSC.
+ https://bugs.webkit.org/show_bug.cgi?id=108693.
+
+ Rubberstamped by Timothy Horton.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
+
+2013-02-04 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Structure::m_outOfLineCapacity is unnecessary
+ https://bugs.webkit.org/show_bug.cgi?id=108206
+
+ Reviewed by Darin Adler.
+
+ Simplifying the utility functions that we use since we don't need a
+ bunch of fancy templates for this one specific call site.
+
+ * runtime/Structure.h:
+ (JSC::Structure::outOfLineCapacity):
+
+2013-02-05 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: testapi.mm should use ARC
+ https://bugs.webkit.org/show_bug.cgi?id=107838
+
+ Reviewed by Oliver Hunt.
+
+ In ToT testapi.mm uses the Obj-C garbage collector, which hides a lot of our object lifetime bugs.
+ We should enable ARC, since that is what most of our clients will be using. We use Xcode project
+ settings to make sure we don't try to compile ARC on 32-bit.
+
+ * API/tests/testapi.mm:
+ (+[TestObject testObject]):
+ (testObjectiveCAPI):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2013-02-05 Brent Fulgham <bfulgham@webkit.org>
+
+ [Windows] Unreviewed VS2010 Build Correction after r141651
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
+ StructureRareData.h and StructureRareData.cpp files.
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
+
+2013-02-05 Michael Saboff <msaboff@apple.com>
+
+ r141788 won't build due to not having all changes needed by Node* change
+ https://bugs.webkit.org/show_bug.cgi?id=108944
+
+ Reviewed by David Kilzer.
+
+ Fixed three instances of integerResult(..., m_compileIndex) to be integerResult(..., node).
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileSoftModulo):
+ (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):
+
+2013-02-04 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r141809.
+ http://trac.webkit.org/changeset/141809
+ https://bugs.webkit.org/show_bug.cgi?id=108860
+
+ ARC isn't supported on 32-bit. (Requested by mhahnenberg on
+ #webkit).
+
+ * API/tests/testapi.mm:
+ (+[TestObject testObject]):
+ (testObjectiveCAPI):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2013-02-04 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: testapi.mm should use ARC
+ https://bugs.webkit.org/show_bug.cgi?id=107838
+
+ Reviewed by Oliver Hunt.
+
+ In ToT testapi.mm uses the Obj-C garbage collector, which hides a lot of our object lifetime bugs.
+ We should enable ARC, since that is what most of our clients will be using.
+
+ * API/tests/testapi.mm:
+ (-[TestObject init]):
+ (-[TestObject dealloc]):
+ (+[TestObject testObject]):
+ (testObjectiveCAPI):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2013-02-04 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: ObjCCallbackFunction should retain the target of its NSInvocation
+ https://bugs.webkit.org/show_bug.cgi?id=108843
+
+ Reviewed by Darin Adler.
+
+ Currently, ObjCCallbackFunction doesn't retain the target of its NSInvocation. It needs to do
+ this to prevent crashes when trying to invoke a callback later on.
+
+ * API/ObjCCallbackFunction.mm:
+ (ObjCCallbackFunction::ObjCCallbackFunction):
+ (ObjCCallbackFunction::~ObjCCallbackFunction):
+
+2013-02-04 Martin Robinson <mrobinson@igalia.com>
+
+ Fix GTK+ 'make dist' in preparation for the 1.11.5 release.
+
+ * GNUmakefile.list.am: Update the source lists.
+
+2013-02-04 Michael Saboff <msaboff@apple.com>
+
+ For ARMv7s use integer divide instruction for divide and modulo when possible
+ https://bugs.webkit.org/show_bug.cgi?id=108840
+
+ Reviewed in person by Filip Pizlo.
+
+ Added ARMv7s integer divide path for ArithDiv and ArithMod where operands and results are integer.
+ This is patterned after the similar code for X86. Also added modulo power of 2 optimization
+ that uses logical and. Added sdiv and udiv to the ARMv7 disassembler. Put all the changes
+ behind #if CPU(APPLE_ARMV7S).
+
+ * assembler/ARMv7Assembler.h:
+ (ARMv7Assembler):
+ (JSC::ARMv7Assembler::sdiv):
+ (JSC::ARMv7Assembler::udiv):
+ * dfg/DFGCommon.h:
+ (JSC::DFG::isARMv7s):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileSoftModulo):
+ (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-02-04 David Kilzer <ddkilzer@apple.com>
+
+ Check PrivateHeaders/JSBasePrivate.h for inappropriate macros
+ <http://webkit.org/b/108749>
+
+ Reviewed by Joseph Pecoraro.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj: Add
+ PrivateHeaders/JSBasePrivate.h to list of headers to check in
+ "Check for Inappropriate Macros in External Headers" build phase
+ script.
+
+2013-02-04 David Kilzer <ddkilzer@apple.com>
+
+ Remove duplicate entries from JavaScriptCore Xcode project
+
+ $ uniq Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj | diff -u - Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj | patch -p0 -R
+ patching file Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
+
+ * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicates.
+
+2013-02-04 David Kilzer <ddkilzer@apple.com>
+
+ Sort JavaScriptCore Xcode project file
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2013-02-03 David Kilzer <ddkilzer@apple.com>
+
+ Upstream ENABLE_PDFKIT_PLUGIN settting
+ <http://webkit.org/b/108792>
+
+ Reviewed by Tim Horton.
+
+ * Configurations/FeatureDefines.xcconfig: Disable PDFKIT_PLUGIN
+ on iOS since PDFKit is a Mac-only framework.
+
+2013-02-02 Andreas Kling <akling@apple.com>
+
+ Vector should consult allocator about ideal size when choosing capacity.
+ <http://webkit.org/b/108410>
+ <rdar://problem/13124002>
+
+ Reviewed by Benjamin Poulain.
+
+ Remove assertion about Vector capacity that won't hold anymore since capacity()
+ may not be what you passed to reserveCapacity().
+ Also export WTF::fastMallocGoodSize() for Windows builds.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+
+2013-02-02 Patrick Gansterer <paroga@webkit.org>
+
+ [CMake] Adopt the WinCE port to new CMake
+ https://bugs.webkit.org/show_bug.cgi?id=108754
+
+ Reviewed by Laszlo Gombos.
+
+ * os-win32/WinMain.cpp: Removed.
+ * shell/PlatformWinCE.cmake: Removed.
+
+2013-02-02 Mark Rowe <mrowe@apple.com>
+
+ <http://webkit.org/b/108745> WTF shouldn't use a script build phase to detect the presence of headers when the compiler can do it for us
+
+ Reviewed by Sam Weinig.
+
+ * DerivedSources.make: Remove an obsolete Makefile rule. This should have been removed when the use
+ of the generated file moved to WTF.
+
+2013-02-02 David Kilzer <ddkilzer@apple.com>
+
+ Upstream iOS FeatureDefines
+ <http://webkit.org/b/108753>
+
+ Reviewed by Anders Carlsson.
+
+ * Configurations/FeatureDefines.xcconfig:
+ - ENABLE_DEVICE_ORIENTATION: Add iOS configurations.
+ - ENABLE_PLUGIN_PROXY_FOR_VIDEO: Ditto.
+ - FEATURE_DEFINES: Add ENABLE_PLUGIN_PROXY_FOR_VIDEO. Add
+ PLATFORM_NAME variant to reduce future merge conflicts.
+
+2013-02-01 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Structure::m_enumerationCache should be moved to StructureRareData
+ https://bugs.webkit.org/show_bug.cgi?id=108723
+
+ Reviewed by Oliver Hunt.
+
+ m_enumerationCache is only used by objects whose properties are iterated over, so not every Structure needs this
+ field and it can therefore be moved safely to StructureRareData to help with memory savings.
+
+ * runtime/JSPropertyNameIterator.h:
+ (JSPropertyNameIterator):
+ (JSC::Register::propertyNameIterator):
+ (JSC::StructureRareData::enumerationCache): Add to JSPropertyNameIterator.h so that it can see the correct type.
+ (JSC::StructureRareData::setEnumerationCache): Ditto.
+ * runtime/Structure.cpp:
+ (JSC::Structure::addPropertyWithoutTransition): Use the enumerationCache() getter rather than accessing the field.
+ (JSC::Structure::removePropertyWithoutTransition): Ditto.
+ (JSC::Structure::visitChildren): We no longer have to worry about marking the m_enumerationCache field.
+ * runtime/Structure.h:
+ (JSC::Structure::setEnumerationCache): Move the old accessors back since we don't have to have any knowledge of
+ the JSPropertyNameIterator type.
+ (JSC::Structure::enumerationCache): Ditto.
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::visitChildren): Mark the new m_enumerationCache field.
+ * runtime/StructureRareData.h: Add new functions/fields.
+ (StructureRareData):
+
+2013-02-01 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. JavaScriptCore VS2010 project cleanup.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
+ * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
+
+2013-02-01 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r141662.
+ http://trac.webkit.org/changeset/141662
+ https://bugs.webkit.org/show_bug.cgi?id=108738
+
+ it's an incorrect change since processPhiStack will
+ dereference dangling BasicBlock pointers (Requested by pizlo
+ on #webkit).
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parse):
+
+2013-02-01 Filip Pizlo <fpizlo@apple.com>
+
+ Eliminate dead blocks sooner in the DFG::ByteCodeParser to make clear that you don't need to hold onto them during Phi construction
+ https://bugs.webkit.org/show_bug.cgi?id=108717
+
+ Reviewed by Mark Hahnenberg.
+
+ I think this makes the code clearer. It doesn't change behavior.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parse):
+
+2013-02-01 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Structure should have a StructureRareData field to save space
+ https://bugs.webkit.org/show_bug.cgi?id=108659
+
+ Reviewed by Oliver Hunt.
+
+ Many of the fields in Structure are used in a subset of all total Structures; however, all Structures must
+ pay the memory cost of those fields, regardless of whether they use them or not. Since we can have potentially
+ many Structures on a single page (e.g. bing.com creates ~1500 Structures), it would be profitable to
+ refactor Structure so that not every Structure has to pay the memory costs for these infrequently used fields.
+
+ To accomplish this, we can create a new StructureRareData class to house these seldom used fields which we
+ can allocate on demand whenever a Structure requires it. This StructureRareData can itself be a JSCell, and
+ can do all the marking of the fields for the Structure. The StructureRareData field will be part of a union
+ with m_previous to minimize overhead. We'll add a new field to JSTypeInfo to indicate that the Structure has
+ a StructureRareData field. During transitions, a Structure will clone its previous Structure's StructureRareData
+ if it has one. There could be some potential for optimizing this process, but the initial implementation will
+ be dumb since we'd be paying these overhead costs for each Structure anyways.
+
+ Initially we'll only put two fields in the StructureRareData to avoid a memory regression. Over time we'll
+ continue to move fields from Structure to StructureRareData. Optimistically, this could potentially reduce our
+ Structure memory footprint by up to around 75%. It could also clear the way for removing destructors from
+ Structures (and into StructureRareData).
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * dfg/DFGRepatch.cpp: Includes for linking purposes.
+ * jit/JITStubs.cpp:
+ * jsc.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ * runtime/JSCellInlines.h: Added ifdef guards.
+ * runtime/JSGlobalData.cpp: New Structure for StructureRareData class.
+ (JSC::JSGlobalData::JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ * runtime/JSGlobalObject.h:
+ * runtime/JSTypeInfo.h: New flag to indicate whether or not a Structure has a StructureRareData field.
+ (JSC::TypeInfo::flags):
+ (JSC::TypeInfo::structureHasRareData):
+ * runtime/ObjectPrototype.cpp:
+ * runtime/Structure.cpp: We use a combined WriteBarrier<JSCell> field m_previousOrRareData to avoid compiler issues.
+ (JSC::Structure::dumpStatistics):
+ (JSC::Structure::Structure):
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::pin):
+ (JSC::Structure::allocateRareData): Handles allocating a brand new StructureRareData field.
+ (JSC::Structure::cloneRareDataFrom): Handles cloning a StructureRareData field from another. Used during Structure
+ transitions.
+ (JSC::Structure::visitChildren): We no longer have to worry about marking m_objectToStringValue.
+ * runtime/Structure.h:
+ (JSC::Structure::previousID): Checks the structureHasRareData flag to see where it should get the previous Structure.
+ (JSC::Structure::objectToStringValue): Reads the value from the StructureRareData. If it doesn't exist, returns 0.
+ (JSC::Structure::setObjectToStringValue): Ensures that we have a StructureRareData field, then forwards the function
+ call to it.
+ (JSC::Structure::materializePropertyMapIfNecessary):
+ (JSC::Structure::setPreviousID): Checks for StructureRareData and forwards if necessary.
+ (Structure):
+ (JSC::Structure::clearPreviousID): Ditto.
+ (JSC::Structure::create):
+ * runtime/StructureRareData.cpp: Added. All of the basic functionality of a JSCell with the fields that we've moved
+ from Structure and the functions required to access/modify those fields as Structure would have done.
+ (JSC):
+ (JSC::StructureRareData::createStructure):
+ (JSC::StructureRareData::create):
+ (JSC::StructureRareData::clone):
+ (JSC::StructureRareData::StructureRareData):
+ (JSC::StructureRareData::visitChildren):
+ * runtime/StructureRareData.h: Added.
+ (JSC):
+ (StructureRareData):
+ * runtime/StructureRareDataInlines.h: Added.
+ (JSC):
+ (JSC::StructureRareData::previousID):
+ (JSC::StructureRareData::setPreviousID):
+ (JSC::StructureRareData::clearPreviousID):
+ (JSC::Structure::previous): Handles the ugly casting to get the value of the right type of m_previousOrRareData.
+ (JSC::Structure::rareData): Ditto.
+ (JSC::StructureRareData::objectToStringValue):
+ (JSC::StructureRareData::setObjectToStringValue):
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * dfg/DFGRepatch.cpp:
+ * jit/JITStubs.cpp:
+ * jsc.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ * runtime/JSCellInlines.h:
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ * runtime/JSGlobalObject.h:
+ * runtime/JSTypeInfo.h:
+ (JSC):
+ (JSC::TypeInfo::flags):
+ (JSC::TypeInfo::structureHasRareData):
+ * runtime/ObjectPrototype.cpp:
+ * runtime/Structure.cpp:
+ (JSC::Structure::dumpStatistics):
+ (JSC::Structure::Structure):
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::pin):
+ (JSC::Structure::allocateRareData):
+ (JSC):
+ (JSC::Structure::cloneRareDataFrom):
+ (JSC::Structure::visitChildren):
+ * runtime/Structure.h:
+ (JSC::Structure::previousID):
+ (JSC::Structure::objectToStringValue):
+ (JSC::Structure::setObjectToStringValue):
+ (JSC::Structure::materializePropertyMapIfNecessary):
+ (JSC::Structure::setPreviousID):
+ (Structure):
+ (JSC::Structure::clearPreviousID):
+ (JSC::Structure::previous):
+ (JSC::Structure::rareData):
+ (JSC::Structure::create):
+ * runtime/StructureRareData.cpp: Added.
+ (JSC):
+ (JSC::StructureRareData::createStructure):
+ (JSC::StructureRareData::create):
+ (JSC::StructureRareData::clone):
+ (JSC::StructureRareData::StructureRareData):
+ (JSC::StructureRareData::visitChildren):
+ * runtime/StructureRareData.h: Added.
+ (JSC):
+ (StructureRareData):
+ * runtime/StructureRareDataInlines.h: Added.
+ (JSC):
+ (JSC::StructureRareData::previousID):
+ (JSC::StructureRareData::setPreviousID):
+ (JSC::StructureRareData::clearPreviousID):
+ (JSC::StructureRareData::objectToStringValue):
+ (JSC::StructureRareData::setObjectToStringValue):
+
+2013-02-01 Balazs Kilvady <kilvadyb@homejinni.com>
+
+ offlineasm BaseIndex handling is broken on ARM due to MIPS changes
+ https://bugs.webkit.org/show_bug.cgi?id=108261
+
+ Reviewed by Filip Pizlo.
+
+ offlineasm BaseIndex handling fix on MIPS.
+
+ * offlineasm/mips.rb:
+ * offlineasm/risc.rb:
+
+2013-02-01 Geoffrey Garen <ggaren@apple.com>
+
+ Removed an unused function: JSGlobalObject::createFunctionExecutableFromGlobalCode
+ https://bugs.webkit.org/show_bug.cgi?id=108657
+
+ Reviewed by Anders Carlsson.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC):
+ * runtime/JSGlobalObject.h:
+ (JSGlobalObject):
+
+2013-02-01 Geoffrey Garen <ggaren@apple.com>
+
+ Added TriState to WTF and started using it in one place
+ https://bugs.webkit.org/show_bug.cgi?id=108628
+
+ Reviewed by Beth Dakin.
+
+ * runtime/PrototypeMap.h:
+ (JSC::PrototypeMap::isPrototype): Use TriState instead of boolean. In
+ response to review feedback, this is an attempt to clarify that our
+ 'true' condition is actually just a 'maybe'.
+
+ * runtime/PrototypeMap.h:
+ (PrototypeMap):
+ (JSC::PrototypeMap::isPrototype):
+
+2013-02-01 Alexis Menard <alexis@webkit.org>
+
+ Enable unprefixed CSS transitions by default.
+ https://bugs.webkit.org/show_bug.cgi?id=108216
+
+ Reviewed by Dean Jackson.
+
+ Rename the flag CSS_TRANSFORMS_ANIMATIONS_TRANSITIONS_UNPREFIXED
+ to CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED which will be used later to
+ guard the unprefixing work for CSS Transforms and animations.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-01-31 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::CFGSimplificationPhase::keepOperandAlive() conflates liveness and availability
+ https://bugs.webkit.org/show_bug.cgi?id=108580
+
+ Reviewed by Oliver Hunt.
+
+ This is a harmless bug in that it only results in us keeping a bit too many things
+ for OSR. But it's worth fixing so that the code is consistent.
+
+ keepOperandAlive() is called when block A has a branch to blocks B and C, but the
+ A->B edge is proven to never be taken and we want to optimize the code to have A
+ unconditionally jump to C. In that case, for the purposes of OSR, we need to
+ preserve the knowledge that the state that B expected to be live incoming from A
+ ought still to be live up to the point of where the A->B,C branch used to be. The
+ way we keep things alive is by using the variablesAtTail of A (i.e., we use the
+ knowledge of in what manner A made state available to B and C). The way we choose
+ which state should be kept alive ought to be chosen by the variablesAtHead of B
+ (i.e. the things B says it needs from its predecessors, including A), except that
+ keepOperandAlive() was previously just using variablesAtTail of A for this
+ purpose.
+
+ The fix is to have keepOperandAlive() use both liveness and availability in its
+ logic. It should use liveness (i.e. B->variablesAtHead) to decide what to keep
+ alive, and it should use availability (i.e. A->variablesAtTail) to decide how to
+ keep it alive.
+
+ This might be a microscopic win on some programs, but it's mainly intended to be
+ a code clean-up so that I don't end up scratching my head in confusion the next
+ time I look at this code.
+
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
+ (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
+ (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
+
+2013-01-31 Geoffrey Garen <ggaren@apple.com>
+
+ REGRESSION (r141192): Crash beneath cti_op_get_by_id_generic @ discussions.apple.com
+ https://bugs.webkit.org/show_bug.cgi?id=108576
+
+ Reviewed by Filip Pizlo.
+
+ This was a long-standing bug. The DFG would destructively reuse a register
+ in op_convert_this, but:
+
+ * The bug only presented during speculation failure for type Other
+
+ * The bug presented by removing the low bits of a pointer, which
+ used to be harmless, since all objects were so aligned anyway.
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile): Don't reuse our this register as
+ our scratch register. The whole point of our scratch register is to
+ avoid destructively modifying our this register. I'm pretty sure this
+ was a copy-paste error.
+
+2013-01-31 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. Windows build fix.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+
+2013-01-31 Jessie Berlin <jberlin@apple.com>
+
+ Rolling out r141407 because it is causing crashes under
+ WTF::TCMalloc_Central_FreeList::FetchFromSpans() in Release builds.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+
+2013-01-31 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: JSContext exception property causes reference cycle
+ https://bugs.webkit.org/show_bug.cgi?id=107778
+
+ Reviewed by Darin Adler.
+
+ JSContext has a (retain) JSValue * exception property which, when non-null, creates a
+ reference cycle (since the JSValue * holds a strong reference back to the JSContext *).
+
+ * API/JSContext.mm: Instead of JSValue *, we now use a plain JSValueRef, which eliminates the reference cycle.
+ (-[JSContext initWithVirtualMachine:]):
+ (-[JSContext setException:]):
+ (-[JSContext exception]):
+
+2013-01-31 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed build fix. Win7 port.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+
+2013-01-31 Joseph Pecoraro <pecoraro@apple.com>
+
+ Disable ENABLE_FULLSCREEN_API on iOS
+ https://bugs.webkit.org/show_bug.cgi?id=108250
+
+ Reviewed by Benjamin Poulain.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-01-31 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Fix insertion of values greater than the max index allowed by the spec
+ https://bugs.webkit.org/show_bug.cgi?id=108264
+
+ Reviewed by Oliver Hunt.
+
+ Fixed a bug, added a test to the API tests, cleaned up some code.
+
+ * API/JSValue.h: Changed some of the documentation on setValue:atIndex: to indicate that
+ setting values at indices greater than UINT_MAX - 1 wont' affect the length of JS arrays.
+ * API/JSValue.mm:
+ (-[JSValue valueAtIndex:]): We weren't returning when we should have been.
+ (-[JSValue setValue:atIndex:]): Added a comment about why we do the early check for being larger than UINT_MAX.
+ (objectToValueWithoutCopy): Removed two redundant cases that were already checked previously.
+ * API/tests/testapi.mm:
+
+2013-01-30 Andreas Kling <akling@apple.com>
+
+ Vector should consult allocator about ideal size when choosing capacity.
+ <http://webkit.org/b/108410>
+ <rdar://problem/13124002>
+
+ Reviewed by Benjamin Poulain.
+
+ Remove assertion about Vector capacity that won't hold anymore since capacity()
+ may not be what you passed to reserveCapacity().
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+
+2013-01-30 Filip Pizlo <fpizlo@apple.com>
+
+ DFG bytecode parser should have more assertions about the status of local accesses
+ https://bugs.webkit.org/show_bug.cgi?id=108417
+
+ Reviewed by Mark Hahnenberg.
+
+ Assert some things that we already know to be true, just to reassure ourselves that they are true.
+ This is meant as a prerequisite for https://bugs.webkit.org/show_bug.cgi?id=108414, which will
+ make these rules even stricter.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::getLocal):
+ (JSC::DFG::ByteCodeParser::getArgument):
+
+2013-01-30 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: JSContext's dealloc causes ASSERT due to ordering of releases
+ https://bugs.webkit.org/show_bug.cgi?id=107978
+
+ Reviewed by Filip Pizlo.
+
+ We need to add the Identifier table save/restore in JSContextGroupRelease so that we
+ have the correct table if we end up destroying the JSGlobalData/Heap.
+
+ * API/JSContextRef.cpp:
+ (JSContextGroupRelease):
+
+2013-01-30 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: exceptionHandler needs to be released in JSContext dealloc
+ https://bugs.webkit.org/show_bug.cgi?id=108378
+
+ Reviewed by Filip Pizlo.
+
+ JSContext has a (copy) exceptionHandler property that it doesn't release in dealloc.
+ That sounds like the potential for a leak. It should be released.
+
+ * API/JSContext.mm:
+ (-[JSContext dealloc]):
+
+2013-01-30 Filip Pizlo <fpizlo@apple.com>
+
+ REGRESSION(140504): pure CSE no longer matches things, 10% regression on Kraken
+ https://bugs.webkit.org/show_bug.cgi?id=108366
+
+ Reviewed by Geoffrey Garen and Mark Hahnenberg.
+
+ This was a longstanding bug that was revealed by http://trac.webkit.org/changeset/140504.
+ Pure CSE requires that the Node::flags() that may affect the behavior of a node match,
+ when comparing a possibly redundant node to its possible replacement. It was doing this
+ by comparing Node::arithNodeFlags(), which as the name might appear to suggest, returns
+ just those flag bits that correspond to actual node behavior and not auxiliary things.
+ Unfortunately, Node::arithNodeFlags() wasn't actually masking off the irrelevant bits.
+ This worked prior to r140504 because CSE itself didn't mutate the flags, so there was a
+ very high probability that matching nodes would also have completely identical flag bits
+ (even the ones that aren't relevant to arithmetic behavior, like NodeDoesNotExit). But
+ r140504 moved one of CSE's side-tables (m_relevantToOSR) into a flag bit for quicker
+ access. These bits would be mutated as the CSE ran over a basic block, in such a way that
+ there was a very high probability that the possible replacement would already have the
+ bit set, while the redundant node did not have the bit set. Since Node::arithNodeFlags()
+ returned all of the bits, this would cause CSEPhase::pureCSE() to reject the match
+ almost every time.
+
+ The solution is to make Node::arithNodeFlags() do as its name suggests: only return those
+ flags that are relevant to arithmetic behavior. This patch introduces a new mask that
+ represents those bits, and includes NodeBehaviorMask and NodeBackPropMask, which are both
+ used for queries on Node::arithNodeFlags(), and both affect arithmetic code gen. None of
+ the other flags are relevant to Node::arithNodeFlags() since they either correspond to
+ information already conveyed by the opcode (like NodeResultMask, NodeMustGenerate,
+ NodeHasVarArgs, NodeClobbersWorld, NodeMightClobber) or information that doesn't affect
+ the result that the node will produce or any of the queries performed on the result of
+ Node::arithNodeFlags (NodeDoesNotExit and of course NodeRelevantToOSR).
+
+ This is a 10% speed-up on Kraken, undoing the regression from r140504.
+
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::arithNodeFlags):
+ * dfg/DFGNodeFlags.h:
+ (DFG):
+
+2013-01-29 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Structure::m_outOfLineCapacity is unnecessary
+ https://bugs.webkit.org/show_bug.cgi?id=108206
+
+ Reviewed by Geoffrey Garen.
+
+ We can calculate our out of line capacity by using the outOfLineSize and our knowledge about our resize policy.
+ According to GDB, this knocks Structures down from 136 bytes to 128 bytes (I'm guessing the extra bytes are from
+ better alignment of object fields), which puts Structures in a smaller size class. Woohoo! Looks neutral on our
+ benchmarks.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ (JSC):
+ (JSC::Structure::suggestedNewOutOfLineStorageCapacity):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::addPropertyWithoutTransition):
+ * runtime/Structure.h:
+ (Structure):
+ (JSC::Structure::outOfLineCapacity):
+ (JSC::Structure::totalStorageCapacity):
+
+2013-01-29 Geoffrey Garen <ggaren@apple.com>
+
+ Be a little more conservative about emitting table-based switches
+ https://bugs.webkit.org/show_bug.cgi?id=108292
+
+ Reviewed by Filip Pizlo.
+
+ Profiling shows we're using op_switch in cases where it's a regression.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC):
+ (JSC::length):
+ (JSC::CaseBlockNode::tryTableSwitch):
+ (JSC::CaseBlockNode::emitBytecodeForBlock):
+ * parser/Nodes.h:
+ (CaseBlockNode):
+
+2013-01-29 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r140983.
+ http://trac.webkit.org/changeset/140983
+ https://bugs.webkit.org/show_bug.cgi?id=108277
+
+ Unfortunately, this API has one last client (Requested by
+ abarth on #webkit).
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-01-29 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
+ https://bugs.webkit.org/show_bug.cgi?id=107839
+
+ Reviewed by Geoffrey Garen.
+
+ Fixing several ASSERTs that were incorrect along with some of the reallocation of m_prototype and
+ m_constructor that they were based on.
+
+ * API/JSWrapperMap.mm:
+ (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We now only allocate those
+ fields that are null (i.e. have been collected or have never been allocated to begin with).
+ (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Renamed to better indicate that we're
+ reallocating one or both of the prototype/constructor combo.
+ (-[JSObjCClassInfo wrapperForObject:]): Call new reallocate function.
+ (-[JSObjCClassInfo constructor]): Ditto.
+
+2013-01-29 Geoffrey Garen <ggaren@apple.com>
+
+ Make precise size classes more precise
+ https://bugs.webkit.org/show_bug.cgi?id=108270
+
+ Reviewed by Mark Hahnenberg.
+
+ Size inference makes this profitable.
+
+ I chose 8 byte increments because JSString is 24 bytes. Otherwise, 16
+ byte increments might be better.
+
+ * heap/Heap.h:
+ (Heap): Removed firstAllocatorWithoutDestructors because it's unused now.
+
+ * heap/MarkedBlock.h:
+ (MarkedBlock): Updated constants.
+
+ * heap/MarkedSpace.h:
+ (MarkedSpace):
+ (JSC): Also reduced the maximum precise size class because my testing
+ has shown that the smaller size classes are much more common. This
+ offsets some of the size class explosion caused by reducing the precise
+ increment.
+
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions): No need for this ASSERT anymore
+ because we don't rely on firstAllocatorWithoutDestructors anymore, since
+ we pick size classes dynamically now.
+
+2013-01-29 Oliver Hunt <oliver@apple.com>
+
+ Add some hardening to methodTable()
+ https://bugs.webkit.org/show_bug.cgi?id=108253
+
+ Reviewed by Mark Hahnenberg.
+
+ When accessing methodTable() we now always make sure that our
+ structure _could_ be valid. Added a separate method to get a
+ classes methodTable during destruction as it's not possible to
+ validate the structure at that point. This separation might
+ also make it possible to improve the performance of methodTable
+ access more generally in future.
+
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::callDestructor):
+ * runtime/JSCell.h:
+ (JSCell):
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::methodTableForDestruction):
+ (JSC):
+ (JSC::JSCell::methodTable):
+
+2013-01-29 Filip Pizlo <fpizlo@apple.com>
+
+ offlineasm BaseIndex handling is broken on ARM due to MIPS changes
+ https://bugs.webkit.org/show_bug.cgi?id=108261
+
+ Reviewed by Oliver Hunt.
+
+ Backends shouldn't override each other's methods. That's not cool.
+
+ * offlineasm/mips.rb:
+
+2013-01-29 Filip Pizlo <fpizlo@apple.com>
+
+ cloop.rb shouldn't use a method called 'dump' for code generation
+ https://bugs.webkit.org/show_bug.cgi?id=108251
+
+ Reviewed by Mark Hahnenberg.
+
+ Revert http://trac.webkit.org/changeset/141178 and rename 'dump' to 'clDump'.
+
+ Also made trivial build fixes for !ENABLE(JIT).
+
+ * offlineasm/cloop.rb:
+ * runtime/Executable.h:
+ (ExecutableBase):
+ (JSC::ExecutableBase::intrinsicFor):
+ * runtime/JSGlobalData.h:
+
+2013-01-29 Geoffrey Garen <ggaren@apple.com>
+
+ Removed GGC because it has been disabled for a long time
+ https://bugs.webkit.org/show_bug.cgi?id=108245
+
+ Reviewed by Filip Pizlo.
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::emitPutReplaceStub):
+ (JSC::DFG::emitPutTransitionStub):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::writeBarrier):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * heap/CardSet.h: Removed.
+ * heap/Heap.cpp:
+ (JSC::Heap::markRoots):
+ (JSC::Heap::collect):
+ * heap/Heap.h:
+ (Heap):
+ (JSC::Heap::shouldCollect):
+ (JSC::Heap::isWriteBarrierEnabled):
+ (JSC):
+ (JSC::Heap::writeBarrier):
+ * heap/MarkedBlock.h:
+ (MarkedBlock):
+ (JSC):
+ * heap/MarkedSpace.cpp:
+ (JSC):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitWriteBarrier):
+
+2013-01-29 Filip Pizlo <fpizlo@apple.com>
+
+ Remove redundant AST dump method from cloop.rb, since they are already defined in ast.rb
+ https://bugs.webkit.org/show_bug.cgi?id=108247
+
+ Reviewed by Oliver Hunt.
+
+ Makes offlineasm dumping easier to read and less likely to cause assertion failures.
+ Also fixes the strange situation where cloop.rb and ast.rb both defined dump methods,
+ but cloop.rb was winning.
+
+ * offlineasm/cloop.rb:
+
+2013-01-29 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
+ https://bugs.webkit.org/show_bug.cgi?id=107839
+
+ Reviewed by Oliver Hunt.
+
+ JSContext has a JSWrapperMap, which has an NSMutableDictionary m_classMap, which has values that
+ are JSObjCClassInfo objects, which have strong references to two JSValue *'s, m_prototype and
+ m_constructor, which in turn have strong references to the JSContext, creating a reference cycle.
+ We should make m_prototype and m_constructor Weak<JSObject>. This gets rid of the strong reference
+ to the JSContext and also prevents clients from accidentally creating reference cycles by assigning
+ to the prototype of the constructor. If Weak<JSObject> fields are ever garbage collected, we will
+ reallocate them.
+
+ * API/JSContext.mm:
+ (-[JSContext wrapperMap]):
+ * API/JSContextInternal.h:
+ * API/JSWrapperMap.mm:
+ (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
+ (-[JSObjCClassInfo dealloc]):
+ (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
+ (-[JSObjCClassInfo allocateConstructorAndPrototype]):
+ (-[JSObjCClassInfo wrapperForObject:]):
+ (-[JSObjCClassInfo constructor]):
+
+2013-01-29 Oliver Hunt <oliver@apple.com>
+
+ REGRESSION (r140594): RELEASE_ASSERT_NOT_REACHED in JSC::Interpreter::execute
+ https://bugs.webkit.org/show_bug.cgi?id=108097
+
+ Reviewed by Geoffrey Garen.
+
+ LiteralParser was accepting a bogus 'var a.b = c' statement
+
+ * runtime/LiteralParser.cpp:
+ (JSC::::tryJSONPParse):
+
+2013-01-29 Oliver Hunt <oliver@apple.com>
+
+ Force debug builds to do bounds checks on contiguous property storage
+ https://bugs.webkit.org/show_bug.cgi?id=108212
+
+ Reviewed by Mark Hahnenberg.
+
+ Add a ContiguousData type that we use to represent contiguous property
+ storage. In release builds it is simply a pointer to the correct type,
+ but in debug builds it also carries the data length and performs bounds
+ checks. This means we don't have to add as many manual bounds assertions
+ when performing operations over contiguous data.
+
+ * dfg/DFGOperations.cpp:
+ * runtime/ArrayStorage.h:
+ (ArrayStorage):
+ (JSC::ArrayStorage::vector):
+ * runtime/Butterfly.h:
+ (JSC::ContiguousData::ContiguousData):
+ (ContiguousData):
+ (JSC::ContiguousData::operator[]):
+ (JSC::ContiguousData::data):
+ (JSC::ContiguousData::length):
+ (JSC):
+ (JSC::Butterfly::contiguousInt32):
+ (Butterfly):
+ (JSC::Butterfly::contiguousDouble):
+ (JSC::Butterfly::contiguous):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::sortNumericVector):
+ (ContiguousTypeAccessor):
+ (JSC::ContiguousTypeAccessor::getAsValue):
+ (JSC::ContiguousTypeAccessor::setWithValue):
+ (JSC::ContiguousTypeAccessor::replaceDataReference):
+ (JSC):
+ (JSC::JSArray::sortCompactedVector):
+ (JSC::JSArray::sort):
+ (JSC::JSArray::fillArgList):
+ (JSC::JSArray::copyToArguments):
+ * runtime/JSArray.h:
+ (JSArray):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::copyButterfly):
+ (JSC::JSObject::visitButterfly):
+ (JSC::JSObject::createInitialInt32):
+ (JSC::JSObject::createInitialDouble):
+ (JSC::JSObject::createInitialContiguous):
+ (JSC::JSObject::convertUndecidedToInt32):
+ (JSC::JSObject::convertUndecidedToDouble):
+ (JSC::JSObject::convertUndecidedToContiguous):
+ (JSC::JSObject::convertInt32ToDouble):
+ (JSC::JSObject::convertInt32ToContiguous):
+ (JSC::JSObject::genericConvertDoubleToContiguous):
+ (JSC::JSObject::convertDoubleToContiguous):
+ (JSC::JSObject::rageConvertDoubleToContiguous):
+ (JSC::JSObject::ensureInt32Slow):
+ (JSC::JSObject::ensureDoubleSlow):
+ (JSC::JSObject::ensureContiguousSlow):
+ (JSC::JSObject::rageEnsureContiguousSlow):
+ (JSC::JSObject::ensureLengthSlow):
+ * runtime/JSObject.h:
+ (JSC::JSObject::ensureInt32):
+ (JSC::JSObject::ensureDouble):
+ (JSC::JSObject::ensureContiguous):
+ (JSC::JSObject::rageEnsureContiguous):
+ (JSObject):
+ (JSC::JSObject::indexingData):
+ (JSC::JSObject::currentIndexingData):
+
+2013-01-29 Brent Fulgham <bfulgham@webkit.org>
+
+ [Windows, WinCairo] Unreviewed build fix after r141050
+
+ * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Update symbols
+ to match JavaScriptCore.vcproj version.
+
+2013-01-29 Allan Sandfeld Jensen <allan.jensen@digia.com>
+
+ [Qt] Implement GCActivityCallback
+ https://bugs.webkit.org/show_bug.cgi?id=103998
+
+ Reviewed by Simon Hausmann.
+
+ Implements the activity triggered garbage collector.
+
+ * runtime/GCActivityCallback.cpp:
+ (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
+ (JSC::DefaultGCActivityCallback::scheduleTimer):
+ (JSC::DefaultGCActivityCallback::cancelTimer):
+ * runtime/GCActivityCallback.h:
+ (GCActivityCallback):
+ (DefaultGCActivityCallback):
+
+2013-01-29 Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com>
+
+ Compilation warning in JSC
+ https://bugs.webkit.org/show_bug.cgi?id=108178
+
+ Reviewed by Kentaro Hara.
+
+ Fixed 'comparison between signed and unsigned integer' warning in JSC::Structure constructor.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+
+2013-01-29 Jocelyn Turcotte <jocelyn.turcotte@digia.com>
+
+ [Qt] Fix the JSC build on Mac
+
+ Unreviewed, build fix.
+
+ * heap/HeapTimer.h:
+ Qt on Mac has USE(CF) true, and should use the CF HeapTimer in that case.
+
+2013-01-29 Allan Sandfeld Jensen <allan.jensen@digia.com>
+
+ [Qt] Implement IncrementalSweeper and HeapTimer
+ https://bugs.webkit.org/show_bug.cgi?id=103996
+
+ Reviewed by Simon Hausmann.
+
+ Implements the incremental sweeping garbage collection for the Qt platform.
+
+ * heap/HeapTimer.cpp:
+ (JSC::HeapTimer::HeapTimer):
+ (JSC::HeapTimer::~HeapTimer):
+ (JSC::HeapTimer::timerEvent):
+ (JSC::HeapTimer::synchronize):
+ (JSC::HeapTimer::invalidate):
+ (JSC::HeapTimer::didStartVMShutdown):
+ * heap/HeapTimer.h:
+ (HeapTimer):
+ * heap/IncrementalSweeper.cpp:
+ (JSC::IncrementalSweeper::IncrementalSweeper):
+ (JSC::IncrementalSweeper::scheduleTimer):
+ * heap/IncrementalSweeper.h:
+ (IncrementalSweeper):
+
+2013-01-28 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should not use a graph that is a vector, Nodes shouldn't move after allocation, and we should always refer to nodes by Node*
+ https://bugs.webkit.org/show_bug.cgi?id=106868
+
+ Reviewed by Oliver Hunt.
+
+ This adds a pool allocator for Nodes, and uses that instead of a Vector. Changes all
+ uses of Node& and NodeIndex to be simply Node*. Nodes no longer have an index except
+ for debugging (Node::index(), which is not guaranteed to be O(1)).
+
+ 1% speed-up on SunSpider, presumably because this improves compile times.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/DataFormat.h:
+ (JSC::dataFormatToString):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::initialize):
+ (JSC::DFG::AbstractState::booleanResult):
+ (JSC::DFG::AbstractState::execute):
+ (JSC::DFG::AbstractState::mergeStateAtTail):
+ (JSC::DFG::AbstractState::mergeToSuccessors):
+ (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
+ (JSC::DFG::AbstractState::dump):
+ * dfg/DFGAbstractState.h:
+ (DFG):
+ (JSC::DFG::AbstractState::forNode):
+ (AbstractState):
+ (JSC::DFG::AbstractState::speculateInt32Unary):
+ (JSC::DFG::AbstractState::speculateNumberUnary):
+ (JSC::DFG::AbstractState::speculateBooleanUnary):
+ (JSC::DFG::AbstractState::speculateInt32Binary):
+ (JSC::DFG::AbstractState::speculateNumberBinary):
+ (JSC::DFG::AbstractState::trySetConstant):
+ * dfg/DFGAbstractValue.h:
+ (AbstractValue):
+ * dfg/DFGAdjacencyList.h:
+ (JSC::DFG::AdjacencyList::AdjacencyList):
+ (JSC::DFG::AdjacencyList::initialize):
+ * dfg/DFGAllocator.h: Added.
+ (DFG):
+ (Allocator):
+ (JSC::DFG::Allocator::Region::size):
+ (JSC::DFG::Allocator::Region::headerSize):
+ (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
+ (JSC::DFG::Allocator::Region::data):
+ (JSC::DFG::Allocator::Region::isInThisRegion):
+ (JSC::DFG::Allocator::Region::regionFor):
+ (Region):
+ (JSC::DFG::::Allocator):
+ (JSC::DFG::::~Allocator):
+ (JSC::DFG::::allocate):
+ (JSC::DFG::::free):
+ (JSC::DFG::::freeAll):
+ (JSC::DFG::::reset):
+ (JSC::DFG::::indexOf):
+ (JSC::DFG::::allocatorOf):
+ (JSC::DFG::::bumpAllocate):
+ (JSC::DFG::::freeListAllocate):
+ (JSC::DFG::::allocateSlow):
+ (JSC::DFG::::freeRegionsStartingAt):
+ (JSC::DFG::::startBumpingIn):
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
+ (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
+ (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
+ (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
+ (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::originalArrayStructure):
+ (JSC::DFG::ArrayMode::alreadyChecked):
+ * dfg/DFGArrayMode.h:
+ (ArrayMode):
+ * dfg/DFGArrayifySlowPathGenerator.h:
+ (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
+ * dfg/DFGBasicBlock.h:
+ (JSC::DFG::BasicBlock::node):
+ (JSC::DFG::BasicBlock::isInPhis):
+ (JSC::DFG::BasicBlock::isInBlock):
+ (BasicBlock):
+ * dfg/DFGBasicBlockInlines.h:
+ (DFG):
+ * dfg/DFGByteCodeParser.cpp:
+ (ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::getDirect):
+ (JSC::DFG::ByteCodeParser::get):
+ (JSC::DFG::ByteCodeParser::setDirect):
+ (JSC::DFG::ByteCodeParser::set):
+ (JSC::DFG::ByteCodeParser::setPair):
+ (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
+ (JSC::DFG::ByteCodeParser::getLocal):
+ (JSC::DFG::ByteCodeParser::setLocal):
+ (JSC::DFG::ByteCodeParser::getArgument):
+ (JSC::DFG::ByteCodeParser::setArgument):
+ (JSC::DFG::ByteCodeParser::flushDirect):
+ (JSC::DFG::ByteCodeParser::getToInt32):
+ (JSC::DFG::ByteCodeParser::toInt32):
+ (JSC::DFG::ByteCodeParser::getJSConstantForValue):
+ (JSC::DFG::ByteCodeParser::getJSConstant):
+ (JSC::DFG::ByteCodeParser::getCallee):
+ (JSC::DFG::ByteCodeParser::getThis):
+ (JSC::DFG::ByteCodeParser::setThis):
+ (JSC::DFG::ByteCodeParser::isJSConstant):
+ (JSC::DFG::ByteCodeParser::isInt32Constant):
+ (JSC::DFG::ByteCodeParser::valueOfJSConstant):
+ (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
+ (JSC::DFG::ByteCodeParser::constantUndefined):
+ (JSC::DFG::ByteCodeParser::constantNull):
+ (JSC::DFG::ByteCodeParser::one):
+ (JSC::DFG::ByteCodeParser::constantNaN):
+ (JSC::DFG::ByteCodeParser::cellConstant):
+ (JSC::DFG::ByteCodeParser::addToGraph):
+ (JSC::DFG::ByteCodeParser::insertPhiNode):
+ (JSC::DFG::ByteCodeParser::addVarArgChild):
+ (JSC::DFG::ByteCodeParser::addCall):
+ (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
+ (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
+ (JSC::DFG::ByteCodeParser::getPrediction):
+ (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
+ (JSC::DFG::ByteCodeParser::makeSafe):
+ (JSC::DFG::ByteCodeParser::makeDivSafe):
+ (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord):
+ (ConstantRecord):
+ (JSC::DFG::ByteCodeParser::PhiStackEntry::PhiStackEntry):
+ (PhiStackEntry):
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::emitFunctionChecks):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::setIntrinsicResult):
+ (JSC::DFG::ByteCodeParser::handleMinMax):
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ (JSC::DFG::ByteCodeParser::handleGetByOffset):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::getScope):
+ (JSC::DFG::ByteCodeParser::parseResolveOperations):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::processPhiStack):
+ (JSC::DFG::ByteCodeParser::linkBlock):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ (JSC::DFG::ByteCodeParser::parse):
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::performBlockCFA):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
+ (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
+ (JSC::DFG::CFGSimplificationPhase::fixPhis):
+ (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
+ (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
+ (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump):
+ (OperandSubstitution):
+ (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
+ (JSC::DFG::CFGSimplificationPhase::recordNewTarget):
+ (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
+ (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::canonicalize):
+ (JSC::DFG::CSEPhase::endIndexForPureCSE):
+ (JSC::DFG::CSEPhase::pureCSE):
+ (JSC::DFG::CSEPhase::constantCSE):
+ (JSC::DFG::CSEPhase::weakConstantCSE):
+ (JSC::DFG::CSEPhase::getCalleeLoadElimination):
+ (JSC::DFG::CSEPhase::getArrayLengthElimination):
+ (JSC::DFG::CSEPhase::globalVarLoadElimination):
+ (JSC::DFG::CSEPhase::scopedVarLoadElimination):
+ (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
+ (JSC::DFG::CSEPhase::globalVarStoreElimination):
+ (JSC::DFG::CSEPhase::scopedVarStoreElimination):
+ (JSC::DFG::CSEPhase::getByValLoadElimination):
+ (JSC::DFG::CSEPhase::checkFunctionElimination):
+ (JSC::DFG::CSEPhase::checkExecutableElimination):
+ (JSC::DFG::CSEPhase::checkStructureElimination):
+ (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
+ (JSC::DFG::CSEPhase::putStructureStoreElimination):
+ (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
+ (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
+ (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
+ (JSC::DFG::CSEPhase::checkArrayElimination):
+ (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
+ (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
+ (JSC::DFG::CSEPhase::getLocalLoadElimination):
+ (JSC::DFG::CSEPhase::setLocalStoreElimination):
+ (JSC::DFG::CSEPhase::performSubstitution):
+ (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
+ (JSC::DFG::CSEPhase::setReplacement):
+ (JSC::DFG::CSEPhase::eliminate):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ (JSC::DFG::CSEPhase::performBlockCSE):
+ (CSEPhase):
+ * dfg/DFGCommon.cpp: Added.
+ (DFG):
+ (JSC::DFG::NodePointerTraits::dump):
+ * dfg/DFGCommon.h:
+ (DFG):
+ (JSC::DFG::NodePointerTraits::defaultValue):
+ (NodePointerTraits):
+ (JSC::DFG::verboseCompilationEnabled):
+ (JSC::DFG::shouldDumpGraphAtEachPhase):
+ (JSC::DFG::validationEnabled):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
+ (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
+ (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::Disassembler):
+ (JSC::DFG::Disassembler::createDumpList):
+ (JSC::DFG::Disassembler::dumpDisassembly):
+ * dfg/DFGDisassembler.h:
+ (JSC::DFG::Disassembler::setForNode):
+ (Disassembler):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+ * dfg/DFGEdge.cpp: Added.
+ (DFG):
+ (JSC::DFG::Edge::dump):
+ * dfg/DFGEdge.h:
+ (JSC::DFG::Edge::Edge):
+ (JSC::DFG::Edge::node):
+ (JSC::DFG::Edge::operator*):
+ (JSC::DFG::Edge::operator->):
+ (Edge):
+ (JSC::DFG::Edge::setNode):
+ (JSC::DFG::Edge::useKind):
+ (JSC::DFG::Edge::setUseKind):
+ (JSC::DFG::Edge::isSet):
+ (JSC::DFG::Edge::shift):
+ (JSC::DFG::Edge::makeWord):
+ (JSC::DFG::operator==):
+ (JSC::DFG::operator!=):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupBlock):
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::checkArray):
+ (JSC::DFG::FixupPhase::blessArrayOperation):
+ (JSC::DFG::FixupPhase::fixIntEdge):
+ (JSC::DFG::FixupPhase::fixDoubleEdge):
+ (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
+ (FixupPhase):
+ * dfg/DFGGenerationInfo.h:
+ (JSC::DFG::GenerationInfo::GenerationInfo):
+ (JSC::DFG::GenerationInfo::initConstant):
+ (JSC::DFG::GenerationInfo::initInteger):
+ (JSC::DFG::GenerationInfo::initJSValue):
+ (JSC::DFG::GenerationInfo::initCell):
+ (JSC::DFG::GenerationInfo::initBoolean):
+ (JSC::DFG::GenerationInfo::initDouble):
+ (JSC::DFG::GenerationInfo::initStorage):
+ (GenerationInfo):
+ (JSC::DFG::GenerationInfo::node):
+ (JSC::DFG::GenerationInfo::noticeOSRBirth):
+ (JSC::DFG::GenerationInfo::use):
+ (JSC::DFG::GenerationInfo::appendFill):
+ (JSC::DFG::GenerationInfo::appendSpill):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::Graph::~Graph):
+ (DFG):
+ (JSC::DFG::Graph::dumpCodeOrigin):
+ (JSC::DFG::Graph::amountOfNodeWhiteSpace):
+ (JSC::DFG::Graph::printNodeWhiteSpace):
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::dumpBlockHeader):
+ (JSC::DFG::Graph::refChildren):
+ (JSC::DFG::Graph::derefChildren):
+ (JSC::DFG::Graph::predictArgumentTypes):
+ (JSC::DFG::Graph::collectGarbage):
+ (JSC::DFG::Graph::determineReachability):
+ (JSC::DFG::Graph::resetExitStates):
+ * dfg/DFGGraph.h:
+ (Graph):
+ (JSC::DFG::Graph::ref):
+ (JSC::DFG::Graph::deref):
+ (JSC::DFG::Graph::changeChild):
+ (JSC::DFG::Graph::compareAndSwap):
+ (JSC::DFG::Graph::clearAndDerefChild):
+ (JSC::DFG::Graph::clearAndDerefChild1):
+ (JSC::DFG::Graph::clearAndDerefChild2):
+ (JSC::DFG::Graph::clearAndDerefChild3):
+ (JSC::DFG::Graph::convertToConstant):
+ (JSC::DFG::Graph::getJSConstantSpeculation):
+ (JSC::DFG::Graph::addSpeculationMode):
+ (JSC::DFG::Graph::valueAddSpeculationMode):
+ (JSC::DFG::Graph::arithAddSpeculationMode):
+ (JSC::DFG::Graph::addShouldSpeculateInteger):
+ (JSC::DFG::Graph::mulShouldSpeculateInteger):
+ (JSC::DFG::Graph::negateShouldSpeculateInteger):
+ (JSC::DFG::Graph::isConstant):
+ (JSC::DFG::Graph::isJSConstant):
+ (JSC::DFG::Graph::isInt32Constant):
+ (JSC::DFG::Graph::isDoubleConstant):
+ (JSC::DFG::Graph::isNumberConstant):
+ (JSC::DFG::Graph::isBooleanConstant):
+ (JSC::DFG::Graph::isCellConstant):
+ (JSC::DFG::Graph::isFunctionConstant):
+ (JSC::DFG::Graph::isInternalFunctionConstant):
+ (JSC::DFG::Graph::valueOfJSConstant):
+ (JSC::DFG::Graph::valueOfInt32Constant):
+ (JSC::DFG::Graph::valueOfNumberConstant):
+ (JSC::DFG::Graph::valueOfBooleanConstant):
+ (JSC::DFG::Graph::valueOfFunctionConstant):
+ (JSC::DFG::Graph::valueProfileFor):
+ (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
+ (JSC::DFG::Graph::numSuccessors):
+ (JSC::DFG::Graph::successor):
+ (JSC::DFG::Graph::successorForCondition):
+ (JSC::DFG::Graph::isPredictedNumerical):
+ (JSC::DFG::Graph::byValIsPure):
+ (JSC::DFG::Graph::clobbersWorld):
+ (JSC::DFG::Graph::varArgNumChildren):
+ (JSC::DFG::Graph::numChildren):
+ (JSC::DFG::Graph::varArgChild):
+ (JSC::DFG::Graph::child):
+ (JSC::DFG::Graph::voteNode):
+ (JSC::DFG::Graph::voteChildren):
+ (JSC::DFG::Graph::substitute):
+ (JSC::DFG::Graph::substituteGetLocal):
+ (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
+ (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
+ * dfg/DFGInsertionSet.h:
+ (JSC::DFG::Insertion::Insertion):
+ (JSC::DFG::Insertion::element):
+ (Insertion):
+ (JSC::DFG::InsertionSet::insert):
+ (InsertionSet):
+ * dfg/DFGJITCompiler.cpp:
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::setForNode):
+ (JSC::DFG::JITCompiler::addressOfDoubleConstant):
+ (JSC::DFG::JITCompiler::noticeOSREntry):
+ * dfg/DFGLongLivedState.cpp: Added.
+ (DFG):
+ (JSC::DFG::LongLivedState::LongLivedState):
+ (JSC::DFG::LongLivedState::~LongLivedState):
+ (JSC::DFG::LongLivedState::shrinkToFit):
+ * dfg/DFGLongLivedState.h: Added.
+ (DFG):
+ (LongLivedState):
+ * dfg/DFGMinifiedID.h:
+ (JSC::DFG::MinifiedID::MinifiedID):
+ (JSC::DFG::MinifiedID::node):
+ * dfg/DFGMinifiedNode.cpp:
+ (JSC::DFG::MinifiedNode::fromNode):
+ * dfg/DFGMinifiedNode.h:
+ (MinifiedNode):
+ * dfg/DFGNode.cpp: Added.
+ (DFG):
+ (JSC::DFG::Node::index):
+ (WTF):
+ (WTF::printInternal):
+ * dfg/DFGNode.h:
+ (DFG):
+ (JSC::DFG::Node::Node):
+ (Node):
+ (JSC::DFG::Node::convertToGetByOffset):
+ (JSC::DFG::Node::convertToPutByOffset):
+ (JSC::DFG::Node::ref):
+ (JSC::DFG::Node::shouldSpeculateInteger):
+ (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
+ (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
+ (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
+ (JSC::DFG::Node::shouldSpeculateNumber):
+ (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
+ (JSC::DFG::Node::shouldSpeculateFinalObject):
+ (JSC::DFG::Node::shouldSpeculateArray):
+ (JSC::DFG::Node::dumpChildren):
+ (WTF):
+ * dfg/DFGNodeAllocator.h: Added.
+ (DFG):
+ (operator new ):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::OSRExit):
+ * dfg/DFGOSRExit.h:
+ (OSRExit):
+ (SpeculationFailureDebugInfo):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGPhase.cpp:
+ (DFG):
+ (JSC::DFG::Phase::beginPhase):
+ (JSC::DFG::Phase::endPhase):
+ * dfg/DFGPhase.h:
+ (Phase):
+ (JSC::DFG::runAndLog):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::setPrediction):
+ (JSC::DFG::PredictionPropagationPhase::mergePrediction):
+ (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
+ (JSC::DFG::PredictionPropagationPhase::isNotZero):
+ (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
+ (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
+ (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
+ (JSC::DFG::PredictionPropagationPhase::propagateForward):
+ (JSC::DFG::PredictionPropagationPhase::propagateBackward):
+ (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
+ (PredictionPropagationPhase):
+ (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
+ * dfg/DFGScoreBoard.h:
+ (JSC::DFG::ScoreBoard::ScoreBoard):
+ (JSC::DFG::ScoreBoard::use):
+ (JSC::DFG::ScoreBoard::useIfHasResult):
+ (ScoreBoard):
+ * dfg/DFGSilentRegisterSavePlan.h:
+ (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
+ (JSC::DFG::SilentRegisterSavePlan::node):
+ (SilentRegisterSavePlan):
+ * dfg/DFGSlowPathGenerator.h:
+ (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
+ (JSC::DFG::SlowPathGenerator::generate):
+ (SlowPathGenerator):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::speculationCheck):
+ (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
+ (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
+ (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
+ (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
+ (JSC::DFG::SpeculativeJIT::silentSpill):
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::arrayify):
+ (JSC::DFG::SpeculativeJIT::fillStorage):
+ (JSC::DFG::SpeculativeJIT::useChildren):
+ (JSC::DFG::SpeculativeJIT::isStrictInt32):
+ (JSC::DFG::SpeculativeJIT::isKnownInteger):
+ (JSC::DFG::SpeculativeJIT::isKnownNumeric):
+ (JSC::DFG::SpeculativeJIT::isKnownCell):
+ (JSC::DFG::SpeculativeJIT::isKnownNotCell):
+ (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
+ (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
+ (JSC::DFG::SpeculativeJIT::writeBarrier):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
+ (JSC::DFG::GPRTemporary::GPRTemporary):
+ (JSC::DFG::FPRTemporary::FPRTemporary):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
+ (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
+ (JSC::DFG::SpeculativeJIT::compileMovHint):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
+ (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
+ (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
+ (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
+ (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
+ (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
+ (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOf):
+ (JSC::DFG::SpeculativeJIT::compileSoftModulo):
+ (JSC::DFG::SpeculativeJIT::compileAdd):
+ (JSC::DFG::SpeculativeJIT::compileArithSub):
+ (JSC::DFG::SpeculativeJIT::compileArithNegate):
+ (JSC::DFG::SpeculativeJIT::compileArithMul):
+ (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
+ (JSC::DFG::SpeculativeJIT::compileArithMod):
+ (JSC::DFG::SpeculativeJIT::compare):
+ (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
+ (JSC::DFG::SpeculativeJIT::compileStrictEq):
+ (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
+ (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
+ (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
+ (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
+ (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
+ (JSC::DFG::SpeculativeJIT::compileRegExpExec):
+ (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::canReuse):
+ (JSC::DFG::SpeculativeJIT::isFilled):
+ (JSC::DFG::SpeculativeJIT::isFilledDouble):
+ (JSC::DFG::SpeculativeJIT::use):
+ (JSC::DFG::SpeculativeJIT::isConstant):
+ (JSC::DFG::SpeculativeJIT::isJSConstant):
+ (JSC::DFG::SpeculativeJIT::isInt32Constant):
+ (JSC::DFG::SpeculativeJIT::isDoubleConstant):
+ (JSC::DFG::SpeculativeJIT::isNumberConstant):
+ (JSC::DFG::SpeculativeJIT::isBooleanConstant):
+ (JSC::DFG::SpeculativeJIT::isFunctionConstant):
+ (JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
+ (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
+ (JSC::DFG::SpeculativeJIT::valueOfNumberConstantAsInt32):
+ (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant):
+ (JSC::DFG::SpeculativeJIT::valueOfJSConstant):
+ (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
+ (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
+ (JSC::DFG::SpeculativeJIT::isNullConstant):
+ (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
+ (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
+ (JSC::DFG::SpeculativeJIT::integerResult):
+ (JSC::DFG::SpeculativeJIT::noResult):
+ (JSC::DFG::SpeculativeJIT::cellResult):
+ (JSC::DFG::SpeculativeJIT::booleanResult):
+ (JSC::DFG::SpeculativeJIT::jsValueResult):
+ (JSC::DFG::SpeculativeJIT::storageResult):
+ (JSC::DFG::SpeculativeJIT::doubleResult):
+ (JSC::DFG::SpeculativeJIT::initConstantInfo):
+ (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
+ (JSC::DFG::SpeculativeJIT::isInteger):
+ (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
+ (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
+ (JSC::DFG::SpeculativeJIT::setNodeForOperand):
+ (JSC::DFG::IntegerOperand::IntegerOperand):
+ (JSC::DFG::IntegerOperand::node):
+ (JSC::DFG::IntegerOperand::gpr):
+ (JSC::DFG::IntegerOperand::use):
+ (IntegerOperand):
+ (JSC::DFG::DoubleOperand::DoubleOperand):
+ (JSC::DFG::DoubleOperand::node):
+ (JSC::DFG::DoubleOperand::fpr):
+ (JSC::DFG::DoubleOperand::use):
+ (DoubleOperand):
+ (JSC::DFG::JSValueOperand::JSValueOperand):
+ (JSC::DFG::JSValueOperand::node):
+ (JSC::DFG::JSValueOperand::gpr):
+ (JSC::DFG::JSValueOperand::fill):
+ (JSC::DFG::JSValueOperand::use):
+ (JSValueOperand):
+ (JSC::DFG::StorageOperand::StorageOperand):
+ (JSC::DFG::StorageOperand::node):
+ (JSC::DFG::StorageOperand::gpr):
+ (JSC::DFG::StorageOperand::use):
+ (StorageOperand):
+ (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
+ (JSC::DFG::SpeculateIntegerOperand::node):
+ (JSC::DFG::SpeculateIntegerOperand::gpr):
+ (JSC::DFG::SpeculateIntegerOperand::use):
+ (SpeculateIntegerOperand):
+ (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
+ (JSC::DFG::SpeculateStrictInt32Operand::node):
+ (JSC::DFG::SpeculateStrictInt32Operand::gpr):
+ (JSC::DFG::SpeculateStrictInt32Operand::use):
+ (SpeculateStrictInt32Operand):
+ (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
+ (JSC::DFG::SpeculateDoubleOperand::node):
+ (JSC::DFG::SpeculateDoubleOperand::fpr):
+ (JSC::DFG::SpeculateDoubleOperand::use):
+ (SpeculateDoubleOperand):
+ (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
+ (JSC::DFG::SpeculateCellOperand::node):
+ (JSC::DFG::SpeculateCellOperand::gpr):
+ (JSC::DFG::SpeculateCellOperand::use):
+ (SpeculateCellOperand):
+ (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
+ (JSC::DFG::SpeculateBooleanOperand::node):
+ (JSC::DFG::SpeculateBooleanOperand::gpr):
+ (JSC::DFG::SpeculateBooleanOperand::use):
+ (SpeculateBooleanOperand):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillInteger):
+ (JSC::DFG::SpeculativeJIT::fillDouble):
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
+ (JSC::DFG::SpeculativeJIT::cachedPutById):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
+ (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
+ (JSC::DFG::SpeculativeJIT::compileValueAdd):
+ (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillInteger):
+ (JSC::DFG::SpeculativeJIT::fillDouble):
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
+ (JSC::DFG::SpeculativeJIT::cachedPutById):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
+ (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
+ (JSC::DFG::SpeculativeJIT::compileValueAdd):
+ (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureAbstractValue.h:
+ (StructureAbstractValue):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ * dfg/DFGValidate.cpp:
+ (DFG):
+ (Validate):
+ (JSC::DFG::Validate::validate):
+ (JSC::DFG::Validate::reportValidationContext):
+ * dfg/DFGValidate.h:
+ * dfg/DFGValueSource.cpp:
+ (JSC::DFG::ValueSource::dump):
+ * dfg/DFGValueSource.h:
+ (JSC::DFG::ValueSource::ValueSource):
+ * dfg/DFGVirtualRegisterAllocationPhase.cpp:
+ (JSC::DFG::VirtualRegisterAllocationPhase::run):
+ * runtime/FunctionExecutableDump.cpp: Added.
+ (JSC):
+ (JSC::FunctionExecutableDump::dump):
+ * runtime/FunctionExecutableDump.h: Added.
+ (JSC):
+ (FunctionExecutableDump):
+ (JSC::FunctionExecutableDump::FunctionExecutableDump):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSC):
+ (DFG):
+ (JSGlobalData):
+ * runtime/Options.h:
+ (JSC):
+
+2013-01-28 Laszlo Gombos <l.gombos@samsung.com>
+
+ Collapse testing for a list of PLATFORM() into OS() and USE() tests
+ https://bugs.webkit.org/show_bug.cgi?id=108018
+
+ Reviewed by Eric Seidel.
+
+ No functional change as "OS(DARWIN) && USE(CF)" equals to the
+ following platforms: MAC, WX, QT and CHROMIUM. CHROMIUM
+ is not using JavaScriptCore.
+
+ * runtime/DatePrototype.cpp:
+ (JSC):
+
+2013-01-28 Geoffrey Garen <ggaren@apple.com>
+
+ Static size inference for JavaScript objects
+ https://bugs.webkit.org/show_bug.cgi?id=108093
+
+ Reviewed by Phil Pizlo.
+
+ * API/JSObjectRef.cpp:
+ * JavaScriptCore.order:
+ * JavaScriptCore.xcodeproj/project.pbxproj: Pay the tax man.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode): op_new_object and op_create_this now
+ have an extra inferredInlineCapacity argument. This is the statically
+ inferred inline capacity, just from analyzing source text. op_new_object
+ also gets a pointer to an allocation profile. (For op_create_this, the
+ profile is in the construtor function.)
+
+ (JSC::CodeBlock::CodeBlock): Link op_new_object.
+
+ (JSC::CodeBlock::stronglyVisitStrongReferences): Mark our profiles.
+
+ * bytecode/CodeBlock.h:
+ (CodeBlock): Removed some dead code. Added object allocation profiles.
+
+ * bytecode/Instruction.h:
+ (JSC): New union type, since an instruction operand may point to an
+ object allocation profile now.
+
+ * bytecode/ObjectAllocationProfile.h: Added.
+ (JSC):
+ (ObjectAllocationProfile):
+ (JSC::ObjectAllocationProfile::offsetOfAllocator):
+ (JSC::ObjectAllocationProfile::offsetOfStructure):
+ (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
+ (JSC::ObjectAllocationProfile::isNull):
+ (JSC::ObjectAllocationProfile::initialize):
+ (JSC::ObjectAllocationProfile::structure):
+ (JSC::ObjectAllocationProfile::inlineCapacity):
+ (JSC::ObjectAllocationProfile::clear):
+ (JSC::ObjectAllocationProfile::visitAggregate):
+ (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): New class
+ for tracking a prediction about object allocation: structure, inline
+ capacity, allocator to use.
+
+ * bytecode/Opcode.h:
+ (JSC):
+ (JSC::padOpcodeName): Updated instruction sizes.
+
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC):
+ (JSC::UnlinkedCodeBlock::addObjectAllocationProfile):
+ (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles):
+ (UnlinkedCodeBlock): Unlinked support for allocation profiles.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::generate): Kill all remaining analyses at the
+ end of codegen, since this is our last opportunity.
+
+ (JSC::BytecodeGenerator::BytecodeGenerator): Added a static property
+ analyzer to bytecode generation. It tracks initializing assignments and
+ makes a guess about how many will happen.
+
+ (JSC::BytecodeGenerator::newObjectAllocationProfile):
+ (JSC):
+ (JSC::BytecodeGenerator::emitProfiledOpcode):
+ (JSC::BytecodeGenerator::emitMove):
+ (JSC::BytecodeGenerator::emitResolve):
+ (JSC::BytecodeGenerator::emitResolveBase):
+ (JSC::BytecodeGenerator::emitResolveBaseForPut):
+ (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
+ (JSC::BytecodeGenerator::emitResolveWithThis):
+ (JSC::BytecodeGenerator::emitGetById):
+ (JSC::BytecodeGenerator::emitPutById):
+ (JSC::BytecodeGenerator::emitDirectPutById):
+ (JSC::BytecodeGenerator::emitPutGetterSetter):
+ (JSC::BytecodeGenerator::emitGetArgumentByVal):
+ (JSC::BytecodeGenerator::emitGetByVal): Added hooks to the static property
+ analyzer, so it can observe allocations and stores.
+
+ (JSC::BytecodeGenerator::emitCreateThis): Factored this into a helper
+ function because it was a significant amount of logic, and I wanted to
+ add to it.
+
+ (JSC::BytecodeGenerator::emitNewObject):
+ (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
+ (JSC::BytecodeGenerator::emitCall):
+ (JSC::BytecodeGenerator::emitCallVarargs):
+ (JSC::BytecodeGenerator::emitConstruct): Added a hook to profiled opcodes
+ to track their stores, in case a store kills a profiled allocation. Since
+ profiled opcodes are basically the only interesting stores we do, this
+ is a convenient place to notice any store that might kill an allocation.
+
+ * bytecompiler/BytecodeGenerator.h:
+ (BytecodeGenerator): As above.
+
+ * bytecompiler/StaticPropertyAnalysis.h: Added.
+ (JSC):
+ (StaticPropertyAnalysis):
+ (JSC::StaticPropertyAnalysis::create):
+ (JSC::StaticPropertyAnalysis::addPropertyIndex):
+ (JSC::StaticPropertyAnalysis::record):
+ (JSC::StaticPropertyAnalysis::propertyIndexCount):
+ (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis): Simple helper
+ class for tracking allocations and stores.
+
+ * bytecompiler/StaticPropertyAnalyzer.h: Added.
+ (StaticPropertyAnalyzer):
+ (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
+ (JSC::StaticPropertyAnalyzer::createThis):
+ (JSC::StaticPropertyAnalyzer::newObject):
+ (JSC::StaticPropertyAnalyzer::putById):
+ (JSC::StaticPropertyAnalyzer::mov):
+ (JSC::StaticPropertyAnalyzer::kill): Helper class for observing allocations
+ and stores and making an inline capacity guess. The heuristics here are
+ intentionally minimal because we don't want this one class to try to
+ re-create something like a DFG or a runtime analysis. If we discover that
+ we need those kinds of analyses, we should just replace this class with
+ something else.
+
+ This class tracks multiple registers that alias the same object -- that
+ happens a lot, when moving locals into temporary registers -- but it
+ doesn't track control flow or multiple objects that alias the same register.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute): Updated for rename.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock): Updated for inline capacity and
+ allocation profile.
+
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasInlineCapacity):
+ (Node):
+ (JSC::DFG::Node::inlineCapacity):
+ (JSC::DFG::Node::hasFunction): Give the graph a good way to represent
+ inline capacity for an allocation.
+
+ * dfg/DFGNodeType.h:
+ (DFG): Updated for rename.
+
+ * dfg/DFGOperations.cpp: Updated for interface change.
+
+ * dfg/DFGOperations.h: We pass the inline capacity to the slow case as
+ an argument. This is the simplest way, since it's stored as a bytecode operand.
+
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate): Updated for rename.
+
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::tryCacheGetByID): Fixed a horrible off-by-one-half bug that only
+ appears when doing an inline cached load for property number 64 on a 32-bit
+ system. In JSVALUE32_64 land, "offsetRelativeToPatchedStorage" is the
+ offset of the 64bit JSValue -- but we'll actually issue two loads, one for
+ the payload at that offset, and one for the tag at that offset + 4. We need
+ to ensure that both loads have a compact representation, or we'll corrupt
+ the instruction stream.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile): Lots of refactoring to support
+ passing an allocator to our allocation function, and/or passing a Structure
+ as a register instead of an immediate.
+
+ * heap/MarkedAllocator.h:
+ (DFG):
+ (MarkedAllocator):
+ (JSC::MarkedAllocator::offsetOfFreeListHead): Added an accessor to simplify
+ JIT code generation of allocation from an arbitrary allocator.
+
+ * jit/JIT.h:
+ (JSC):
+ * jit/JITInlines.h:
+ (JSC):
+ (JSC::JIT::emitAllocateJSObject):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_new_object):
+ (JSC::JIT::emitSlow_op_new_object):
+ (JSC::JIT::emit_op_create_this):
+ (JSC::JIT::emitSlow_op_create_this):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_new_object):
+ (JSC::JIT::emitSlow_op_new_object):
+ (JSC::JIT::emit_op_create_this):
+ (JSC::JIT::emitSlow_op_create_this): Same refactoring as done for the DFG.
+
+ * jit/JITStubs.cpp:
+ (JSC::tryCacheGetByID): Fixed the same bug mentioned above.
+
+ (JSC::DEFINE_STUB_FUNCTION): Updated for interface changes.
+
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions): Updated for interface changes.
+
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm: Same refactoring as for the JITs.
+
+ * profiler/ProfilerBytecode.cpp:
+ * profiler/ProfilerBytecodes.cpp:
+ * profiler/ProfilerCompilation.cpp:
+ * profiler/ProfilerCompiledBytecode.cpp:
+ * profiler/ProfilerDatabase.cpp:
+ * profiler/ProfilerOSRExit.cpp:
+ * profiler/ProfilerOrigin.cpp:
+ * profiler/ProfilerProfiledBytecodes.cpp: Include ObjectConstructor.h
+ because that's where createEmptyObject() lives now.
+
+ * runtime/Executable.h:
+ (JSC::JSFunction::JSFunction): Updated for rename.
+
+ * runtime/JSCellInlines.h:
+ (JSC::allocateCell): Updated to match the allocator selection code in
+ the JIT, so it's clearer that both are correct.
+
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::JSFunction):
+ (JSC::JSFunction::createAllocationProfile):
+ (JSC::JSFunction::visitChildren):
+ (JSC::JSFunction::getOwnPropertySlot):
+ (JSC::JSFunction::put):
+ (JSC::JSFunction::defineOwnProperty):
+ (JSC::JSFunction::getConstructData):
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::offsetOfScopeChain):
+ (JSC::JSFunction::offsetOfExecutable):
+ (JSC::JSFunction::offsetOfAllocationProfile):
+ (JSC::JSFunction::allocationProfile):
+ (JSFunction):
+ (JSC::JSFunction::tryGetAllocationProfile):
+ (JSC::JSFunction::addAllocationProfileWatchpoint): Changed inheritorID
+ data member to be an ObjectAllocationProfile, which includes a pointer
+ to the desired allocator. This simplifies JIT code, since we don't have
+ to compute the allocator on the fly. I verified by code inspection that
+ JSFunction is still only 64 bytes.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::reset):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSGlobalObject):
+ (JSC::JSGlobalObject::dateStructure): No direct pointer to the empty
+ object structure anymore, because now clients need to specify how much
+ inline capacity they want.
+
+ * runtime/JSONObject.cpp:
+ * runtime/JSObject.h:
+ (JSC):
+ (JSFinalObject):
+ (JSC::JSFinalObject::defaultInlineCapacity):
+ (JSC::JSFinalObject::maxInlineCapacity):
+ (JSC::JSFinalObject::createStructure): A little refactoring to try to
+ clarify where some of these constants derive from.
+
+ (JSC::maxOffsetRelativeToPatchedStorage): Used for bug fix, above.
+
+ * runtime/JSProxy.cpp:
+ (JSC::JSProxy::setTarget): Ugly, but effective.
+
+ * runtime/LiteralParser.cpp:
+ * runtime/ObjectConstructor.cpp:
+ (JSC::constructObject):
+ (JSC::constructWithObjectConstructor):
+ (JSC::callObjectConstructor):
+ (JSC::objectConstructorCreate): Updated for interface changes.
+
+ * runtime/ObjectConstructor.h:
+ (JSC::constructEmptyObject): Clarified your options for how to allocate
+ an empty object, to emphasize what things can actually vary.
+
+ * runtime/PropertyOffset.h: These constants have moved because they're
+ really higher level concepts to do with the layout of objects and the
+ collector. PropertyOffset is just an abstract number line, independent
+ of those things.
+
+ * runtime/PrototypeMap.cpp:
+ (JSC::PrototypeMap::emptyObjectStructureForPrototype):
+ (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
+ * runtime/PrototypeMap.h:
+ (PrototypeMap): The map key is now a pair of prototype and inline capacity,
+ since Structure encodes inline capacity.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::copyPropertyTableForPinning):
+ * runtime/Structure.h:
+ (Structure):
+ (JSC::Structure::totalStorageSize):
+ (JSC::Structure::transitionCount):
+ (JSC::Structure::create): Fixed a nasty refactoring bug that only shows
+ up after enabling variable-sized inline capacities: we were passing our
+ type info where our inline capacity was expected. The compiler didn't
+ notice because both have type int :(.
+
+2013-01-28 Oliver Hunt <oliver@apple.com>
+
+ Add more assertions to the property storage use in arrays
+ https://bugs.webkit.org/show_bug.cgi?id=107728
+
+ Reviewed by Filip Pizlo.
+
+ Add a bunch of assertions to array and object butterfly
+ usage. This should make debugging somewhat easier.
+
+ I also converted a couple of assertions to release asserts
+ as they were so low cost it seemed a sensible thing to do.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::sortVector):
+ (JSC::JSArray::compactForSorting):
+ * runtime/JSObject.h:
+ (JSC::JSObject::getHolyIndexQuickly):
+
+2013-01-28 Adam Barth <abarth@webkit.org>
+
+ Remove webkitNotifications.createHTMLNotification
+ https://bugs.webkit.org/show_bug.cgi?id=107598
+
+ Reviewed by Benjamin Poulain.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-01-28 Michael Saboff <msaboff@apple.com>
+
+ Cleanup ARM version of debugName() in DFGFPRInfo.h
+ https://bugs.webkit.org/show_bug.cgi?id=108090
+
+ Reviewed by David Kilzer.
+
+ Fixed debugName() so it will compile by adding static_cast<int> and missing commas.
+
+ * dfg/DFGFPRInfo.h:
+ (JSC::DFG::FPRInfo::debugName):
+
+2013-01-27 Andreas Kling <akling@apple.com>
+
+ JSC: FunctionParameters are memory hungry.
+ <http://webkit.org/b/108033>
+ <rdar://problem/13094803>
+
+ Reviewed by Sam Weinig.
+
+ Instead of inheriting from Vector<Identifier>, make FunctionParameters a simple fixed-size array
+ with a custom-allocating create() function. Removes one step of indirection and cuts memory usage
+ roughly in half.
+
+ 2.73 MB progression on Membuster3.
+
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedFunctionExecutable::paramString):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * parser/Nodes.cpp:
+ (JSC::FunctionParameters::create):
+ (JSC::FunctionParameters::FunctionParameters):
+ (JSC::FunctionParameters::~FunctionParameters):
+ * parser/Nodes.h:
+ (FunctionParameters):
+ (JSC::FunctionParameters::size):
+ (JSC::FunctionParameters::at):
+ (JSC::FunctionParameters::identifiers):
+
+2013-01-27 Andreas Kling <akling@apple.com>
+
+ JSC: SourceProviderCache is memory hungry.
+ <http://webkit.org/b/108029>
+ <rdar://problem/13094806>
+
+ Reviewed by Sam Weinig.
+
+ Use fixed-size arrays for SourceProviderCacheItem's lists of captured variables.
+ Since the lists never change after the object is created, there's no need to keep them in Vectors
+ and we can instead create the whole cache item in a single allocation.
+
+ 13.37 MB progression on Membuster3.
+
+ * parser/Parser.cpp:
+ (JSC::::parseFunctionInfo):
+ * parser/Parser.h:
+ (JSC::Scope::copyCapturedVariablesToVector):
+ (JSC::Scope::fillParametersForSourceProviderCache):
+ (JSC::Scope::restoreFromSourceProviderCache):
+ * parser/SourceProviderCacheItem.h:
+ (SourceProviderCacheItemCreationParameters):
+ (SourceProviderCacheItem):
+ (JSC::SourceProviderCacheItem::approximateByteSize):
+ (JSC::SourceProviderCacheItem::usedVariables):
+ (JSC::SourceProviderCacheItem::writtenVariables):
+ (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
+ (JSC::SourceProviderCacheItem::create):
+ (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
+
+2013-01-27 Zoltan Arvai <zarvai@inf.u-szeged.hu>
+
+ Fixing atomicIncrement implementation for Windows by dropping support before XP SP2.
+ https://bugs.webkit.org/show_bug.cgi?id=106740
+
+ Reviewed by Benjamin Poulain.
+
+ * config.h:
+
+2013-01-25 Filip Pizlo <fpizlo@apple.com>
+
+ DFG variable event stream shouldn't use NodeIndex
+ https://bugs.webkit.org/show_bug.cgi?id=107996
+
+ Reviewed by Oliver Hunt.
+
+ Introduce the notion of a DFG::MinifiedID, which is just a unique ID of a DFG Node.
+ Internally it currently uses a NodeIndex, but we could change this without having
+ to recode all of the users of MinifiedID. This effectively decouples the OSR exit
+ compiler's way of identifying nodes from the speculative JIT's way of identifying
+ nodes, and should make it easier to make changes to the speculative JIT's internals
+ in the future.
+
+ Also changed variable event stream logging to exclude information about births and
+ deaths of constants, since the OSR exit compiler never cares about which register
+ holds a constant; if a value is constant then the OSR exit compiler can reify it.
+
+ Also changed the variable event stream's value recovery computation to use a
+ HashMap keyed by MinifiedID rather than a Vector indexed by NodeIndex.
+
+ This appears to be performance-neutral. It's primarily meant as a small step
+ towards https://bugs.webkit.org/show_bug.cgi?id=106868.
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGGenerationInfo.h:
+ (JSC::DFG::GenerationInfo::GenerationInfo):
+ (JSC::DFG::GenerationInfo::initConstant):
+ (JSC::DFG::GenerationInfo::initInteger):
+ (JSC::DFG::GenerationInfo::initJSValue):
+ (JSC::DFG::GenerationInfo::initCell):
+ (JSC::DFG::GenerationInfo::initBoolean):
+ (JSC::DFG::GenerationInfo::initDouble):
+ (JSC::DFG::GenerationInfo::initStorage):
+ (JSC::DFG::GenerationInfo::noticeOSRBirth):
+ (JSC::DFG::GenerationInfo::use):
+ (JSC::DFG::GenerationInfo::appendFill):
+ (JSC::DFG::GenerationInfo::appendSpill):
+ (GenerationInfo):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGMinifiedGraph.h:
+ (JSC::DFG::MinifiedGraph::at):
+ (MinifiedGraph):
+ * dfg/DFGMinifiedID.h: Added.
+ (DFG):
+ (MinifiedID):
+ (JSC::DFG::MinifiedID::MinifiedID):
+ (JSC::DFG::MinifiedID::operator!):
+ (JSC::DFG::MinifiedID::nodeIndex):
+ (JSC::DFG::MinifiedID::operator==):
+ (JSC::DFG::MinifiedID::operator!=):
+ (JSC::DFG::MinifiedID::operator<):
+ (JSC::DFG::MinifiedID::operator>):
+ (JSC::DFG::MinifiedID::operator<=):
+ (JSC::DFG::MinifiedID::operator>=):
+ (JSC::DFG::MinifiedID::hash):
+ (JSC::DFG::MinifiedID::dump):
+ (JSC::DFG::MinifiedID::isHashTableDeletedValue):
+ (JSC::DFG::MinifiedID::invalidID):
+ (JSC::DFG::MinifiedID::otherInvalidID):
+ (JSC::DFG::MinifiedID::fromBits):
+ (JSC::DFG::MinifiedIDHash::hash):
+ (JSC::DFG::MinifiedIDHash::equal):
+ (MinifiedIDHash):
+ (WTF):
+ * dfg/DFGMinifiedNode.cpp:
+ (JSC::DFG::MinifiedNode::fromNode):
+ * dfg/DFGMinifiedNode.h:
+ (JSC::DFG::MinifiedNode::id):
+ (JSC::DFG::MinifiedNode::child1):
+ (JSC::DFG::MinifiedNode::getID):
+ (JSC::DFG::MinifiedNode::compareByNodeIndex):
+ (MinifiedNode):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileMovHint):
+ (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
+ * dfg/DFGValueSource.cpp:
+ (JSC::DFG::ValueSource::dump):
+ * dfg/DFGValueSource.h:
+ (JSC::DFG::ValueSource::ValueSource):
+ (JSC::DFG::ValueSource::isSet):
+ (JSC::DFG::ValueSource::kind):
+ (JSC::DFG::ValueSource::id):
+ (ValueSource):
+ (JSC::DFG::ValueSource::idFromKind):
+ (JSC::DFG::ValueSource::kindFromID):
+ * dfg/DFGVariableEvent.cpp:
+ (JSC::DFG::VariableEvent::dump):
+ (JSC::DFG::VariableEvent::dumpFillInfo):
+ (JSC::DFG::VariableEvent::dumpSpillInfo):
+ * dfg/DFGVariableEvent.h:
+ (JSC::DFG::VariableEvent::fillGPR):
+ (JSC::DFG::VariableEvent::fillPair):
+ (JSC::DFG::VariableEvent::fillFPR):
+ (JSC::DFG::VariableEvent::spill):
+ (JSC::DFG::VariableEvent::death):
+ (JSC::DFG::VariableEvent::movHint):
+ (JSC::DFG::VariableEvent::id):
+ (VariableEvent):
+ * dfg/DFGVariableEventStream.cpp:
+ (DFG):
+ (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
+ (JSC::DFG::VariableEventStream::reconstruct):
+ * dfg/DFGVariableEventStream.h:
+ (VariableEventStream):
+
+2013-01-25 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. Rename LLInt projects folder and make appropriate changes to solutions.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.sln:
+ * JavaScriptCore.vcxproj/LLInt: Copied from JavaScriptCore.vcxproj/LLInt.vcproj.
+ * JavaScriptCore.vcxproj/LLInt.vcproj: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Removed.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Removed.
+
+2013-01-24 Roger Fong <roger_fong@apple.com>
+
+ VS2010 JavascriptCore: Clean up property sheets, add a JSC solution, add testRegExp and testAPI projects.
+ https://bugs.webkit.org/show_bug.cgi?id=106987
+
+ Reviewed by Brent Fulgham.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreCF.props:
+ * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
+ * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
+ * JavaScriptCore.vcxproj/jsc/jscCommon.props:
+ * JavaScriptCore.vcxproj/jsc/jscDebug.props:
+ * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
+ * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
+ * JavaScriptCore.vcxproj/testRegExp: Added.
+ * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Added.
+ * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: Added.
+ * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.user: Added.
+ * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Added.
+ * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: Added.
+ * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: Added.
+ * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: Added.
+ * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: Added.
+ * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: Added.
+ * JavaScriptCore.vcxproj/testapi: Added.
+ * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Added.
+ * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: Added.
+ * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.user: Added.
+ * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Added.
+ * JavaScriptCore.vcxproj/testapi/testapiDebug.props: Added.
+ * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd: Added.
+ * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: Added.
+ * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: Added.
+ * JavaScriptCore.vcxproj/testapi/testapiRelease.props: Added.
+
+2013-01-24 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. Windows build fix.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+
+2013-01-24 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::JITCompiler::getSpeculation() methods are badly named and superfluous
+ https://bugs.webkit.org/show_bug.cgi?id=107860
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGJITCompiler.h:
+ (JITCompiler):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+
+2013-01-24 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Rename JSValue.h/APIJSValue.h to JSCJSValue.h/JSValue.h
+ https://bugs.webkit.org/show_bug.cgi?id=107327
+
+ Reviewed by Filip Pizlo.
+
+ We're renaming these two files, so we have to replace the names everywhere.
+
+ * API/APICast.h:
+ * API/APIJSValue.h: Removed.
+ * API/JSBlockAdaptor.mm:
+ * API/JSStringRefCF.cpp:
+ * API/JSValue.h: Copied from Source/JavaScriptCore/API/APIJSValue.h.
+ * API/JSValue.mm:
+ * API/JSValueInternal.h:
+ * API/JSValueRef.cpp:
+ * API/JSWeakObjectMapRefPrivate.cpp:
+ * API/JavaScriptCore.h:
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/CallLinkStatus.h:
+ * bytecode/CodeBlock.cpp:
+ * bytecode/MethodOfGettingAValueProfile.h:
+ * bytecode/ResolveGlobalStatus.cpp:
+ * bytecode/ResolveGlobalStatus.h:
+ * bytecode/SpeculatedType.h:
+ * bytecode/ValueRecovery.h:
+ * dfg/DFGByteCodeParser.cpp:
+ * dfg/DFGJITCompiler.cpp:
+ * dfg/DFGNode.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ * heap/CopiedBlock.h:
+ * heap/HandleStack.cpp:
+ * heap/HandleTypes.h:
+ * heap/WeakImpl.h:
+ * interpreter/Interpreter.h:
+ * interpreter/Register.h:
+ * interpreter/VMInspector.h:
+ * jit/HostCallReturnValue.cpp:
+ * jit/HostCallReturnValue.h:
+ * jit/JITCode.h:
+ * jit/JITExceptions.cpp:
+ * jit/JITExceptions.h:
+ * jit/JSInterfaceJIT.h:
+ * llint/LLIntCLoop.h:
+ * llint/LLIntData.h:
+ * llint/LLIntSlowPaths.cpp:
+ * profiler/ProfilerBytecode.h:
+ * profiler/ProfilerBytecodeSequence.h:
+ * profiler/ProfilerBytecodes.h:
+ * profiler/ProfilerCompilation.h:
+ * profiler/ProfilerCompiledBytecode.h:
+ * profiler/ProfilerDatabase.h:
+ * profiler/ProfilerOSRExit.h:
+ * profiler/ProfilerOSRExitSite.h:
+ * profiler/ProfilerOrigin.h:
+ * profiler/ProfilerOriginStack.h:
+ * runtime/ArgList.cpp:
+ * runtime/CachedTranscendentalFunction.h:
+ * runtime/CallData.h:
+ * runtime/Completion.h:
+ * runtime/ConstructData.h:
+ * runtime/DateConstructor.cpp:
+ * runtime/DateInstance.cpp:
+ * runtime/DatePrototype.cpp:
+ * runtime/JSAPIValueWrapper.h:
+ * runtime/JSCJSValue.cpp: Copied from Source/JavaScriptCore/runtime/JSValue.cpp.
+ * runtime/JSCJSValue.h: Copied from Source/JavaScriptCore/runtime/JSValue.h.
+ (JSValue):
+ * runtime/JSCJSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlines.h.
+ * runtime/JSGlobalData.h:
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSGlobalObjectFunctions.h:
+ * runtime/JSStringJoiner.h:
+ * runtime/JSValue.cpp: Removed.
+ * runtime/JSValue.h: Removed.
+ * runtime/JSValueInlines.h: Removed.
+ * runtime/LiteralParser.h:
+ * runtime/Operations.h:
+ * runtime/PropertyDescriptor.h:
+ * runtime/PropertySlot.h:
+ * runtime/Protect.h:
+ * runtime/RegExpPrototype.cpp:
+ * runtime/Structure.h:
+
+2013-01-23 Oliver Hunt <oliver@apple.com>
+
+ Harden JSC a bit with RELEASE_ASSERT
+ https://bugs.webkit.org/show_bug.cgi?id=107766
+
+ Reviewed by Mark Hahnenberg.
+
+ Went through and replaced a pile of ASSERTs that were covering
+ significantly important details (bounds checks, etc) where
+ having the checks did not impact release performance in any
+ measurable way.
+
+ * API/JSContextRef.cpp:
+ (JSContextCreateBacktrace):
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::branchAdd32):
+ (JSC::MacroAssembler::branchMul32):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::handlerForBytecodeOffset):
+ (JSC::CodeBlock::lineNumberForBytecodeOffset):
+ (JSC::CodeBlock::bytecodeOffset):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
+ (JSC::CodeBlock::bytecodeOffset):
+ (JSC::CodeBlock::exceptionHandler):
+ (JSC::CodeBlock::codeOrigin):
+ (JSC::CodeBlock::immediateSwitchJumpTable):
+ (JSC::CodeBlock::characterSwitchJumpTable):
+ (JSC::CodeBlock::stringSwitchJumpTable):
+ (JSC::CodeBlock::setIdentifiers):
+ (JSC::baselineCodeBlockForInlineCallFrame):
+ (JSC::ExecState::uncheckedR):
+ * bytecode/CodeOrigin.cpp:
+ (JSC::CodeOrigin::inlineStack):
+ * bytecode/CodeOrigin.h:
+ (JSC::CodeOrigin::CodeOrigin):
+ * dfg/DFGCSEPhase.cpp:
+ * dfg/DFGOSRExit.cpp:
+ * dfg/DFGScratchRegisterAllocator.h:
+ (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
+ (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::allocate):
+ (JSC::DFG::SpeculativeJIT::spill):
+ (JSC::DFG::SpeculativeJIT::integerResult):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillInteger):
+ (JSC::DFG::SpeculativeJIT::fillDouble):
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGValueSource.h:
+ (JSC::DFG::dataFormatToValueSourceKind):
+ (JSC::DFG::ValueSource::ValueSource):
+ * dfg/DFGVirtualRegisterAllocationPhase.cpp:
+ * heap/BlockAllocator.cpp:
+ (JSC::BlockAllocator::BlockAllocator):
+ (JSC::BlockAllocator::releaseFreeRegions):
+ (JSC::BlockAllocator::blockFreeingThreadMain):
+ * heap/Heap.cpp:
+ (JSC::Heap::lastChanceToFinalize):
+ (JSC::Heap::collect):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::throwException):
+ (JSC::Interpreter::execute):
+ * jit/GCAwareJITStubRoutine.cpp:
+ (JSC::GCAwareJITStubRoutine::observeZeroRefCount):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JITExceptions.cpp:
+ (JSC::genericThrow):
+ * jit/JITInlines.h:
+ (JSC::JIT::emitLoad):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_end):
+ (JSC::JIT::emit_resolve_operations):
+ * jit/JITStubRoutine.cpp:
+ (JSC::JITStubRoutine::observeZeroRefCount):
+ * jit/JITStubs.cpp:
+ (JSC::returnToThrowTrampoline):
+ * runtime/Arguments.cpp:
+ (JSC::Arguments::getOwnPropertySlot):
+ (JSC::Arguments::getOwnPropertyDescriptor):
+ (JSC::Arguments::deleteProperty):
+ (JSC::Arguments::defineOwnProperty):
+ (JSC::Arguments::didTearOffActivation):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::shift):
+ (JSC::unshift):
+ (JSC::arrayProtoFuncLastIndexOf):
+ * runtime/ButterflyInlines.h:
+ (JSC::Butterfly::growPropertyStorage):
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
+ * runtime/CodeCache.h:
+ (JSC::CacheMap::add):
+ * runtime/Completion.cpp:
+ (JSC::checkSyntax):
+ (JSC::evaluate):
+ * runtime/Executable.cpp:
+ (JSC::FunctionExecutable::FunctionExecutable):
+ (JSC::EvalExecutable::unlinkCalls):
+ (JSC::ProgramExecutable::compileOptimized):
+ (JSC::ProgramExecutable::unlinkCalls):
+ (JSC::ProgramExecutable::initializeGlobalProperties):
+ (JSC::FunctionExecutable::baselineCodeBlockFor):
+ (JSC::FunctionExecutable::compileOptimizedForCall):
+ (JSC::FunctionExecutable::compileOptimizedForConstruct):
+ (JSC::FunctionExecutable::compileForCallInternal):
+ (JSC::FunctionExecutable::compileForConstructInternal):
+ (JSC::FunctionExecutable::unlinkCalls):
+ (JSC::NativeExecutable::hashFor):
+ * runtime/Executable.h:
+ (JSC::EvalExecutable::compile):
+ (JSC::ProgramExecutable::compile):
+ (JSC::FunctionExecutable::compileForCall):
+ (JSC::FunctionExecutable::compileForConstruct):
+ * runtime/IndexingHeader.h:
+ (JSC::IndexingHeader::setVectorLength):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::pop):
+ (JSC::JSArray::shiftCountWithArrayStorage):
+ (JSC::JSArray::shiftCountWithAnyIndexingType):
+ (JSC::JSArray::unshiftCountWithArrayStorage):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::jsStrDecimalLiteral):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::copyButterfly):
+ (JSC::JSObject::defineOwnIndexedProperty):
+ (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::getIndexSlowCase):
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::Interpreter::popParenthesesDisjunctionContext):
+
+2013-01-23 Filip Pizlo <fpizlo@apple.com>
+
+ Constant folding an access to an uncaptured variable that is captured later in the same basic block shouldn't lead to assertion failures
+ https://bugs.webkit.org/show_bug.cgi?id=107750
+ <rdar://problem/12387265>
+
+ Reviewed by Mark Hahnenberg.
+
+ The point of this assertion was that if there is no variable capturing going on, then there should only be one GetLocal
+ for the variable anywhere in the basic block. But if there is some capturing, then we'll have an unbounded number of
+ GetLocals. The assertion was too imprecise for the latter case. I want to keep this assertion, so I introduced a
+ checker that verifies this precisely: if there are any captured accesses to the variable anywhere at or after the
+ GetLocal we are eliminating, then we allow redundant GetLocals.
+
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (ConstantFoldingPhase):
+ (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
+
+2013-01-23 Oliver Hunt <oliver@apple.com>
+
+ Replace ASSERT_NOT_REACHED with RELEASE_ASSERT_NOT_REACHED in JSC
+ https://bugs.webkit.org/show_bug.cgi?id=107736
+
+ Reviewed by Mark Hahnenberg.
+
+ Mechanical change with no performance impact.
+
+ * API/JSBlockAdaptor.mm:
+ (BlockArgumentTypeDelegate::typeVoid):
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::::construct):
+ (JSC::::call):
+ * API/JSScriptRef.cpp:
+ * API/ObjCCallbackFunction.mm:
+ (ArgumentTypeDelegate::typeVoid):
+ * assembler/ARMv7Assembler.h:
+ (JSC::ARMv7Assembler::link):
+ (JSC::ARMv7Assembler::replaceWithLoad):
+ (JSC::ARMv7Assembler::replaceWithAddressComputation):
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::invert):
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::countLeadingZeros32):
+ (JSC::MacroAssemblerARM::divDouble):
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::absDouble):
+ (JSC::MacroAssemblerMIPS::replaceWithJump):
+ (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
+ * assembler/MacroAssemblerSH4.h:
+ (JSC::MacroAssemblerSH4::absDouble):
+ (JSC::MacroAssemblerSH4::replaceWithJump):
+ (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
+ * assembler/SH4Assembler.h:
+ (JSC::SH4Assembler::shllImm8r):
+ (JSC::SH4Assembler::shlrImm8r):
+ (JSC::SH4Assembler::cmplRegReg):
+ (JSC::SH4Assembler::branch):
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::replaceWithLoad):
+ (JSC::X86Assembler::replaceWithAddressComputation):
+ * bytecode/CallLinkInfo.cpp:
+ (JSC::CallLinkInfo::unlink):
+ * bytecode/CodeBlock.cpp:
+ (JSC::debugHookName):
+ (JSC::CodeBlock::printGetByIdOp):
+ (JSC::CodeBlock::printGetByIdCacheStatus):
+ (JSC::CodeBlock::visitAggregate):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::usesOpcode):
+ * bytecode/DataFormat.h:
+ (JSC::needDataFormatConversion):
+ * bytecode/ExitKind.cpp:
+ (JSC::exitKindToString):
+ (JSC::exitKindIsCountable):
+ * bytecode/MethodOfGettingAValueProfile.cpp:
+ (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
+ * bytecode/Opcode.h:
+ (JSC::opcodeLength):
+ * bytecode/PolymorphicPutByIdList.cpp:
+ (JSC::PutByIdAccess::fromStructureStubInfo):
+ (JSC::PutByIdAccess::visitWeak):
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::deref):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::ResolveResult::checkValidity):
+ (JSC::BytecodeGenerator::emitGetLocalVar):
+ (JSC::BytecodeGenerator::beginSwitch):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::BinaryOpNode::emitBytecode):
+ (JSC::emitReadModifyAssignment):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ (JSC::DFG::AbstractState::mergeStateAtTail):
+ (JSC::DFG::AbstractState::mergeToSuccessors):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::makeSafe):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
+ (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::setLocalStoreElimination):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::canHandleOpcodes):
+ * dfg/DFGCommon.h:
+ (JSC::DFG::useKindToString):
+ * dfg/DFGDoubleFormatState.h:
+ (JSC::DFG::mergeDoubleFormatStates):
+ (JSC::DFG::doubleFormatStateToString):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::blessArrayOperation):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::clobbersWorld):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::valueOfJSConstant):
+ (JSC::DFG::Node::successor):
+ * dfg/DFGNodeFlags.cpp:
+ (JSC::DFG::nodeFlagsAsString):
+ * dfg/DFGNodeType.h:
+ (JSC::DFG::defaultFlags):
+ * dfg/DFGRepatch.h:
+ (JSC::DFG::dfgResetGetByID):
+ (JSC::DFG::dfgResetPutByID):
+ * dfg/DFGSlowPathGenerator.h:
+ (JSC::DFG::SlowPathGenerator::call):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+ (JSC::DFG::SpeculativeJIT::silentSpill):
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::bitOp):
+ (JSC::DFG::SpeculativeJIT::shiftOp):
+ (JSC::DFG::SpeculativeJIT::integerResult):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillInteger):
+ (JSC::DFG::SpeculativeJIT::fillDouble):
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillInteger):
+ (JSC::DFG::SpeculativeJIT::fillDouble):
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ * dfg/DFGValueSource.h:
+ (JSC::DFG::ValueSource::valueRecovery):
+ * dfg/DFGVariableEvent.cpp:
+ (JSC::DFG::VariableEvent::dump):
+ * dfg/DFGVariableEventStream.cpp:
+ (JSC::DFG::VariableEventStream::reconstruct):
+ * heap/BlockAllocator.h:
+ (JSC::BlockAllocator::regionSetFor):
+ * heap/GCThread.cpp:
+ (JSC::GCThread::gcThreadMain):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::sweepHelper):
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::isLive):
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::inlineCallFrame):
+ * interpreter/Interpreter.cpp:
+ (JSC::getCallerInfo):
+ (JSC::getStackFrameCodeType):
+ (JSC::Interpreter::execute):
+ * jit/ExecutableAllocatorFixedVMPool.cpp:
+ (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ (JSC::JIT::privateCompile):
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emitSlow_op_mod):
+ * jit/JITArithmetic32_64.cpp:
+ (JSC::JIT::emitBinaryDoubleOp):
+ (JSC::JIT::emitSlow_op_mod):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::isDirectPutById):
+ * jit/JITStubs.cpp:
+ (JSC::getPolymorphicAccessStructureListSlot):
+ (JSC::DEFINE_STUB_FUNCTION):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::jitCompileAndSetHeuristics):
+ * parser/Lexer.cpp:
+ (JSC::::lex):
+ * parser/Nodes.h:
+ (JSC::ExpressionNode::emitBytecodeInConditionContext):
+ * parser/Parser.h:
+ (JSC::Parser::getTokenName):
+ (JSC::Parser::updateErrorMessageSpecialCase):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::operatorStackPop):
+ * runtime/Arguments.cpp:
+ (JSC::Arguments::tearOffForInlineCallFrame):
+ * runtime/DatePrototype.cpp:
+ (JSC::formatLocaleDate):
+ * runtime/Executable.cpp:
+ (JSC::samplingDescription):
+ * runtime/Executable.h:
+ (JSC::ScriptExecutable::unlinkCalls):
+ * runtime/Identifier.cpp:
+ (JSC):
+ * runtime/InternalFunction.cpp:
+ (JSC::InternalFunction::getCallData):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::push):
+ (JSC::JSArray::sort):
+ * runtime/JSCell.cpp:
+ (JSC::JSCell::defaultValue):
+ (JSC::JSCell::getOwnPropertyNames):
+ (JSC::JSCell::getOwnNonIndexPropertyNames):
+ (JSC::JSCell::className):
+ (JSC::JSCell::getPropertyNames):
+ (JSC::JSCell::customHasInstance):
+ (JSC::JSCell::putDirectVirtual):
+ (JSC::JSCell::defineOwnProperty):
+ (JSC::JSCell::getOwnPropertyDescriptor):
+ * runtime/JSCell.h:
+ (JSCell):
+ * runtime/JSNameScope.cpp:
+ (JSC::JSNameScope::put):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::getOwnPropertySlotByIndex):
+ (JSC::JSObject::putByIndex):
+ (JSC::JSObject::ensureArrayStorageSlow):
+ (JSC::JSObject::deletePropertyByIndex):
+ (JSC::JSObject::getOwnPropertyNames):
+ (JSC::JSObject::putByIndexBeyondVectorLength):
+ (JSC::JSObject::putDirectIndexBeyondVectorLength):
+ (JSC::JSObject::getOwnPropertyDescriptor):
+ * runtime/JSObject.h:
+ (JSC::JSObject::canGetIndexQuickly):
+ (JSC::JSObject::getIndexQuickly):
+ (JSC::JSObject::tryGetIndexQuickly):
+ (JSC::JSObject::canSetIndexQuickly):
+ (JSC::JSObject::canSetIndexQuicklyForPutDirect):
+ (JSC::JSObject::setIndexQuickly):
+ (JSC::JSObject::initializeIndex):
+ (JSC::JSObject::hasSparseMap):
+ (JSC::JSObject::inSparseIndexingMode):
+ * runtime/JSScope.cpp:
+ (JSC::JSScope::isDynamicScope):
+ * runtime/JSSymbolTableObject.cpp:
+ (JSC::JSSymbolTableObject::putDirectVirtual):
+ * runtime/JSSymbolTableObject.h:
+ (JSSymbolTableObject):
+ * runtime/LiteralParser.cpp:
+ (JSC::::parse):
+ * runtime/RegExp.cpp:
+ (JSC::RegExp::compile):
+ (JSC::RegExp::compileMatchOnly):
+ * runtime/StructureTransitionTable.h:
+ (JSC::newIndexingType):
+ * tools/CodeProfile.cpp:
+ (JSC::CodeProfile::sample):
+ * yarr/YarrCanonicalizeUCS2.h:
+ (JSC::Yarr::getCanonicalPair):
+ (JSC::Yarr::areCanonicallyEquivalent):
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::Interpreter::matchCharacterClass):
+ (JSC::Yarr::Interpreter::matchBackReference):
+ (JSC::Yarr::Interpreter::backtrackParenthesesTerminalEnd):
+ (JSC::Yarr::Interpreter::matchParentheses):
+ (JSC::Yarr::Interpreter::backtrackParentheses):
+ (JSC::Yarr::Interpreter::matchDisjunction):
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generateTerm):
+ (JSC::Yarr::YarrGenerator::backtrackTerm):
+ * yarr/YarrParser.h:
+ (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
+ (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
+
+2013-01-23 Tony Chang <tony@chromium.org>
+
+ Unreviewed, set svn:eol-style to CRLF on Windows .sln files.
+
+ * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
+ * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
+
+2013-01-23 Oliver Hunt <oliver@apple.com>
+
+ Replace numerous manual CRASH's in JSC with RELEASE_ASSERT
+ https://bugs.webkit.org/show_bug.cgi?id=107726
+
+ Reviewed by Filip Pizlo.
+
+ Fairly manual change from if (foo) CRASH(); to RELEASE_ASSERT(!foo);
+
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::branchAdd32):
+ (JSC::MacroAssembler::branchMul32):
+ * bytecode/CodeBlockHash.cpp:
+ (JSC::CodeBlockHash::CodeBlockHash):
+ * heap/BlockAllocator.h:
+ (JSC::Region::create):
+ (JSC::Region::createCustomSize):
+ * heap/GCAssertions.h:
+ * heap/HandleSet.cpp:
+ (JSC::HandleSet::visitStrongHandles):
+ (JSC::HandleSet::writeBarrier):
+ * heap/HandleSet.h:
+ (JSC::HandleSet::allocate):
+ * heap/Heap.cpp:
+ (JSC::Heap::collect):
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::validate):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::execute):
+ * jit/ExecutableAllocator.cpp:
+ (JSC::DemandExecutableAllocator::allocateNewSpace):
+ (JSC::ExecutableAllocator::allocate):
+ * jit/ExecutableAllocator.h:
+ (JSC::roundUpAllocationSize):
+ * jit/ExecutableAllocatorFixedVMPool.cpp:
+ (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
+ (JSC::ExecutableAllocator::allocate):
+ * runtime/ButterflyInlines.h:
+ (JSC::Butterfly::createUninitialized):
+ * runtime/Completion.cpp:
+ (JSC::evaluate):
+ * runtime/JSArray.h:
+ (JSC::constructArray):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::slowValidateCell):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
+ (JSC::JSObject::createArrayStorage):
+ * tools/TieredMMapArray.h:
+ (JSC::TieredMMapArray::append):
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::Interpreter::allocDisjunctionContext):
+ (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
+ (JSC::Yarr::Interpreter::InputStream::readChecked):
+ (JSC::Yarr::Interpreter::InputStream::uncheckInput):
+ (JSC::Yarr::Interpreter::InputStream::atEnd):
+ (JSC::Yarr::Interpreter::interpret):
+
+2013-01-22 Filip Pizlo <fpizlo@apple.com>
+
+ Convert CSE phase to not rely too much on NodeIndex
+ https://bugs.webkit.org/show_bug.cgi?id=107616
+
+ Reviewed by Geoffrey Garen.
+
+ - Instead of looping over the graph (which assumes that you can simply loop over all
+ nodes without considering blocks first) to reset node.replacement, do that in the
+ loop that sets up relevantToOSR, just before running CSE on the block.
+
+ - Instead of having a relevantToOSR bitvector indexed by NodeIndex, made
+ NodeRelevantToOSR be a NodeFlag. We had exactly one bit left in NodeFlags, so I did
+ some reshuffling to fit it in.
+
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::CSEPhase):
+ (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ (JSC::DFG::CSEPhase::performBlockCSE):
+ (CSEPhase):
+ * dfg/DFGNodeFlags.h:
+ (DFG):
+ * dfg/DFGNodeType.h:
+ (DFG):
+
+2013-01-21 Kentaro Hara <haraken@chromium.org>
+
+ Implement UIEvent constructor
+ https://bugs.webkit.org/show_bug.cgi?id=107430
+
+ Reviewed by Adam Barth.
+
+ Editor's draft: https://dvcs.w3.org/hg/d4e/raw-file/tip/source_respec.htm
+
+ UIEvent constructor is implemented under a DOM4_EVENTS_CONSTRUCTOR flag,
+ which is enabled on Safari and Chromium for now.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-01-22 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed VS2010 build fix following r140259.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+
+2013-01-22 Roger Fong <roger_fong@apple.com>
+
+ JavaScriptCore property sheets, project files and modified build scripts.
+ https://bugs.webkit.org/show_bug.cgi?id=106987
+
+ Reviewed by Brent Fulgham.
+
+ * JavaScriptCore.vcxproj: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCore.resources: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.user: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.user: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Added.
+ * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Added.
+ * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Added.
+ * JavaScriptCore.vcxproj/build-generated-files.sh: Added.
+ * JavaScriptCore.vcxproj/copy-files.cmd: Added.
+ * JavaScriptCore.vcxproj/jsc: Added.
+ * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Added.
+ * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Added.
+ * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.user: Added.
+ * JavaScriptCore.vcxproj/jsc/jscCommon.props: Added.
+ * JavaScriptCore.vcxproj/jsc/jscDebug.props: Added.
+ * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: Added.
+ * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: Added.
+ * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: Added.
+ * JavaScriptCore.vcxproj/jsc/jscRelease.props: Added.
+ * config.h:
+
+2013-01-22 Joseph Pecoraro <pecoraro@apple.com>
+
+ [Mac] Enable Page Visibility (PAGE_VISIBILITY_API)
+ https://bugs.webkit.org/show_bug.cgi?id=107230
+
+ Reviewed by David Kilzer.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-01-22 Tobias Netzel <tobias.netzel@googlemail.com>
+
+ Yarr JIT isn't big endian compatible
+ https://bugs.webkit.org/show_bug.cgi?id=102897
+
+ Reviewed by Oliver Hunt.
+
+ This patch was tested in the current mozilla codebase only and has passed the regexp tests there.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
+
+2013-01-22 David Kilzer <ddkilzer@apple.com>
+
+ Fix DateMath.cpp to compile with -Wshorten-64-to-32
+ <http://webkit.org/b/107503>
+
+ Reviewed by Darin Adler.
+
+ * runtime/JSDateMath.cpp:
+ (JSC::parseDateFromNullTerminatedCharacters): Remove unneeded
+ static_cast<int>().
+
+2013-01-22 Tim Horton <timothy_horton@apple.com>
+
+ PDFPlugin: Build PDFPlugin everywhere, enable at runtime
+ https://bugs.webkit.org/show_bug.cgi?id=107117
+
+ Reviewed by Alexey Proskuryakov.
+
+ Since PDFLayerController SPI is all forward-declared, the plugin should build
+ on all Mac platforms, and can be enabled at runtime.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-01-21 Justin Schuh <jschuh@chromium.org>
+
+ [CHROMIUM] Suppress c4267 build warnings for Win64 targets
+ https://bugs.webkit.org/show_bug.cgi?id=107499
+
+ Reviewed by Abhishek Arya.
+
+ * JavaScriptCore.gyp/JavaScriptCore.gyp:
+
+2013-01-21 Dirk Schulze <dschulze@adobe.com>
+
+ Add build flag for Canvas's Path object (disabled by default)
+ https://bugs.webkit.org/show_bug.cgi?id=107473
+
+ Reviewed by Dean Jackson.
+
+ Add CANVAS_PATH build flag to build systems.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-01-20 Geoffrey Garen <ggaren@apple.com>
+
+ Weak GC maps should be easier to use
+ https://bugs.webkit.org/show_bug.cgi?id=107312
+
+ Reviewed by Sam Weinig.
+
+ Follow-up fix.
+
+ * runtime/PrototypeMap.cpp:
+ (JSC::PrototypeMap::emptyObjectStructureForPrototype): Restored this
+ ASSERT, which was disabled because of a bug in WeakGCMap.
+
+ * runtime/WeakGCMap.h:
+ (JSC::WeakGCMap::add): We can't pass our passed-in value to add() because
+ a PassWeak() clears itself when passed to another function. So, we pass
+ nullptr instead, and fix things up afterwards.
+
+2013-01-20 Geoffrey Garen <ggaren@apple.com>
+
+ Unreviewed.
+
+ Temporarily disabling this ASSERT to get the bots green
+ while I investigate a fix.
+
+ * runtime/PrototypeMap.cpp:
+ (JSC::PrototypeMap::emptyObjectStructureForPrototype):
+
+2013-01-20 Filip Pizlo <fpizlo@apple.com>
+
+ Inserting a node into the DFG graph should not require five lines of code
+ https://bugs.webkit.org/show_bug.cgi?id=107381
+
+ Reviewed by Sam Weinig.
+
+ This adds fairly comprehensive support for inserting a node into a DFG graph in one
+ method call. A common example of this is:
+
+ m_insertionSet.insertNode(indexInBlock, DontRefChildren, DontRefNode, SpecNone, ForceOSRExit, codeOrigin);
+
+ The arguments to insert() specify what reference counting you need to have happen
+ (RefChildren => recursively refs all children, RefNode => non-recursively refs the node
+ that was created), the prediction to set (SpecNone is a common default), followed by
+ the arguments to the Node() constructor. InsertionSet::insertNode() and similar methods
+ (Graph::addNode() and BasicBlock::appendNode()) all use a common variadic template
+ function macro from DFGVariadicFunction.h. Also, all of these methods will automatically
+ non-recursively ref() the node being created if the flags say NodeMustGenerate.
+
+ In all, this new mechanism retains the flexibility of the old approach (you get to
+ manage ref counts yourself, albeit in less code) while ensuring that most code that adds
+ nodes to the graph now needs less code to do it.
+
+ In the future, we should revisit the reference counting methodology in the DFG: we could
+ do like most compilers and get rid of it entirely, or we could make it automatic. This
+ patch doesn't attempt to make any such major changes, and only seeks to simplify the
+ technique we were already using (manual ref counting).
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/Operands.h:
+ (JSC::dumpOperands):
+ * dfg/DFGAdjacencyList.h:
+ (AdjacencyList):
+ (JSC::DFG::AdjacencyList::kind):
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGBasicBlock.h:
+ (DFG):
+ (BasicBlock):
+ * dfg/DFGBasicBlockInlines.h: Added.
+ (DFG):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
+ * dfg/DFGCommon.h:
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
+ (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
+ (ConstantFoldingPhase):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::FixupPhase):
+ (JSC::DFG::FixupPhase::fixupBlock):
+ (JSC::DFG::FixupPhase::fixupNode):
+ (FixupPhase):
+ (JSC::DFG::FixupPhase::checkArray):
+ (JSC::DFG::FixupPhase::blessArrayOperation):
+ (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::ref):
+ (Graph):
+ * dfg/DFGInsertionSet.h:
+ (DFG):
+ (JSC::DFG::Insertion::Insertion):
+ (JSC::DFG::Insertion::element):
+ (Insertion):
+ (JSC::DFG::InsertionSet::InsertionSet):
+ (JSC::DFG::InsertionSet::insert):
+ (InsertionSet):
+ (JSC::DFG::InsertionSet::execute):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::Node):
+ (Node):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ * dfg/DFGVariadicFunction.h: Added.
+
+2013-01-19 Geoffrey Garen <ggaren@apple.com>
+
+ Track inheritance structures in a side table, instead of using a private
+ name in each prototype
+ https://bugs.webkit.org/show_bug.cgi?id=107378
+
+ Reviewed by Sam Weinig and Phil Pizlo.
+
+ This is a step toward object size inference.
+
+ Using a side table frees us to use a more complex key (a pair of
+ prototype and expected inline capacity).
+
+ It also avoids ruining inline caches for prototypes. (Adding a new private
+ name for a new inline capacity would change the prototype's structure,
+ possibly firing watchpoints, making inline caches go polymorphic, and
+ generally causing us to have a bad time.)
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri: Buildage.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::finishCreation): Updated to use new side table API.
+
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::cacheInheritorID): Updated to use new side table API.
+
+ (JSC::JSFunction::visitChildren): Fixed a long-standing bug where JSFunction
+ forgot to visit one of its data members (m_cachedInheritorID). This
+ wasn't a user-visible problem before because JSFunction would always
+ visit its .prototype property, which visited its m_cachedInheritorID.
+ But now, function.prototype only weakly owns function.m_cachedInheritorID.
+
+ * runtime/JSGlobalData.h:
+ (JSGlobalData): Added the map, taking care to make sure that its
+ destructor would run after the heap destructor.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::reset): Updated to use new side table API.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::notifyPresenceOfIndexedAccessors):
+ (JSC::JSObject::setPrototype):
+ * runtime/JSObject.h:
+ (JSObject): Updated to use new side table API, and removed lots of code
+ that used to manage the per-object private name.
+
+ * runtime/JSProxy.cpp:
+ (JSC::JSProxy::setTarget):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorCreate):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::ObjectPrototype::finishCreation): Updated to use new side table API.
+
+ * runtime/PrototypeMap.cpp: Added.
+ (JSC):
+ (JSC::PrototypeMap::addPrototype):
+ (JSC::PrototypeMap::emptyObjectStructureForPrototype):
+ * runtime/PrototypeMap.h: Added.
+ (PrototypeMap):
+ (JSC::PrototypeMap::isPrototype):
+ (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype): New side table.
+ This is a simple weak map, mapping an object to the structure you should
+ use when inheriting from that object. (In future, inline capacity will
+ be a part of the mapping.)
+
+ I used two maps to preserve existing behavior that allowed us to speculate
+ about an object becoming a prototype, even if it wasn't one at the moment.
+ However, I suspect that behavior can be removed without harm.
+
+ * runtime/WeakGCMap.h:
+ (JSC::WeakGCMap::contains):
+ (WeakGCMap): I would rate myself a 6 / 10 in C++.
+
+2013-01-18 Dan Bernstein <mitz@apple.com>
+
+ Removed duplicate references to two headers in the project files.
+
+ Rubber-stamped by Mark Rowe.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2013-01-18 Michael Saboff <msaboff@apple.com>
+
+ Unreviewed build fix for building JSC with DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE enabled in DFGCommon.h.
+ Fixes the case where the argument node in fixupNode is freed due to the Vector storage being reallocated.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+
+2013-01-18 Michael Saboff <msaboff@apple.com>
+
+ Unreviewed build fix for release builds when DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE is set to 1 in DFGCommon.h.
+
+ * dfg/DFGCFAPhase.cpp: Added #include "Operations.h"
+
+2013-01-18 Michael Saboff <msaboff@apple.com>
+
+ Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html
+ https://bugs.webkit.org/show_bug.cgi?id=107340
+
+ Reviewed by Filip Pizlo.
+
+ Due to the change landed in r140201, more nodes might end up
+ generating Int32ToDouble nodes. Therefore, changed the JSVALUE64
+ constant path of compileInt32ToDouble() to use the more
+ restrictive isInt32Constant() check on the input. This check was
+ the same as the existing ASSERT() so the ASSERT was eliminated.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
+
+2013-01-18 Viatcheslav Ostapenko <sl.ostapenko@samsung.com>
+
+ Weak GC maps should be easier to use
+ https://bugs.webkit.org/show_bug.cgi?id=107312
+
+ Reviewed by Ryosuke Niwa.
+
+ Build fix for linux platforms after r140194.
+
+ * runtime/WeakGCMap.h:
+ (WeakGCMap):
+
+2013-01-18 Michael Saboff <msaboff@apple.com>
+
+ Harden ArithDiv of integers fix-up by inserting Int32ToDouble node directly
+ https://bugs.webkit.org/show_bug.cgi?id=107321
+
+ Reviewed by Filip Pizlo.
+
+ Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up
+ an ArithDiv node with integer inputs and output for platforms that don't have integer division.
+ Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node
+ without any further checks.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixDoubleEdge):
+ (FixupPhase):
+ (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
+
+2013-01-18 Michael Saboff <msaboff@apple.com>
+
+ Fix up of ArithDiv nodes for non-x86 CPUs is broken
+ https://bugs.webkit.org/show_bug.cgi?id=107309
+
+ Reviewed by Filip Pizlo.
+
+ Changed the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixDoubleEdge):
+
+2013-01-18 Dan Bernstein <mitz@apple.com>
+
+ Tried to fix the build after r140194.
+
+ * API/JSWrapperMap.mm:
+ (-[JSWrapperMap wrapperForObject:]):
+
+2013-01-18 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Update documentation for JSValue and JSContext
+ https://bugs.webkit.org/show_bug.cgi?id=107313
+
+ Reviewed by Geoffrey Garen.
+
+ After changing the semantics of object lifetime we need to update the API documentation to reflect the new semantics.
+
+ * API/APIJSValue.h:
+ * API/JSContext.h:
+
+2013-01-18 Balazs Kilvady <kilvadyb@homejinni.com>
+
+ r134080 causes heap problem on linux systems where PAGESIZE != 4096
+ https://bugs.webkit.org/show_bug.cgi?id=102828
+
+ Reviewed by Mark Hahnenberg.
+
+ Make MarkStackSegment::blockSize as the capacity of segments of a MarkStackArray.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+ * heap/MarkStack.cpp:
+ (JSC):
+ (JSC::MarkStackArray::MarkStackArray):
+ (JSC::MarkStackArray::expand):
+ (JSC::MarkStackArray::donateSomeCellsTo):
+ (JSC::MarkStackArray::stealSomeCellsFrom):
+ * heap/MarkStack.h:
+ (JSC::MarkStackSegment::data):
+ (CapacityFromSize):
+ (MarkStackArray):
+ * heap/MarkStackInlines.h:
+ (JSC::MarkStackArray::setTopForFullSegment):
+ (JSC::MarkStackArray::append):
+ (JSC::MarkStackArray::isEmpty):
+ (JSC::MarkStackArray::size):
+ * runtime/Options.h:
+ (JSC):
+
+2013-01-18 Geoffrey Garen <ggaren@apple.com>
+
+ Weak GC maps should be easier to use
+ https://bugs.webkit.org/show_bug.cgi?id=107312
+
+ Reviewed by Sam Weinig.
+
+ This patch changes WeakGCMap to not use a WeakImpl finalizer to remove
+ items from the map, and to instead have the map automatically remove
+ stale items itself upon insertion. This has a few advantages:
+
+ (1) WeakGCMap is now compatible with all the specializations you would
+ use for HashMap.
+
+ (2) There's no need for clients to write special finalization munging
+ functions.
+
+ (3) Clients can specify custom value finalizers if they like.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Def!
+
+ * API/JSWeakObjectMapRefPrivate.cpp: Setter no longer requires a global
+ data, since we've reduced interdependency.
+
+ * heap/Handle.h: No more need to forward declare, since we've reduced
+ interdependency.
+
+ * heap/Weak.h:
+ (Weak): Use explicit so we can assign directly to a weak map iterator
+ without ambiguity between Weak<T> and PassWeak<T>.
+
+ * runtime/Structure.cpp:
+ (JSC::StructureTransitionTable::add): See above.
+
+ * runtime/Structure.h:
+ (JSC):
+ * runtime/StructureTransitionTable.h:
+ (StructureTransitionTable): Bad code goes away, programmer happy.
+
+ * runtime/WeakGCMap.h:
+ (JSC):
+ (WeakGCMap):
+ (JSC::WeakGCMap::WeakGCMap):
+ (JSC::WeakGCMap::set):
+ (JSC::WeakGCMap::add):
+ (JSC::WeakGCMap::find):
+ (JSC::WeakGCMap::contains):
+ (JSC::WeakGCMap::gcMap):
+ (JSC::WeakGCMap::gcMapIfNeeded): Inherit from HashMap and override any
+ function that might observe a Weak<T> that has died, just enough to
+ make such items appear as if they are not in the table.
+
+2013-01-18 Michael Saboff <msaboff@apple.com>
+
+ Refactor isPowerOf2() and add getLSBSet()
+ https://bugs.webkit.org/show_bug.cgi?id=107306
+
+ Reviewed by Filip Pizlo.
+
+ Moved implementation of isPowerOf2() to new hasOneBitSet() in wtf/MathExtras.h.
+
+ * runtime/PropertyMapHashTable.h:
+ (JSC::isPowerOf2):
+
+2013-01-17 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Clean up JSValue.mm
+ https://bugs.webkit.org/show_bug.cgi?id=107163
+
+ Reviewed by Darin Adler.
+
+ m_context is no longer weak, so there is now a lot of dead code in in JSValue.mm, and a wasted message send
+ on every API call. In the head of just about every method in JSValue.mm we're doing:
+
+ JSContext *context = [self context];
+ if (!context)
+ return nil;
+
+ This is getting a retained copy of the context, which is no longer necessary now m_context is no longer weak.
+ We can just delete all these lines from all functions doing this, and where they were referring to the local
+ variable 'context', instead we can just access m_context directly.
+
+ Since we're already going to be modifying most of JSValue.mm, we'll also do the following:
+
+ 1) context @property is no longer weak – the context property is declared as:
+
+ @property(readonly, weak) JSContext *context;
+
+ This is really only informative (since we're not presently synthesizing the ivar), but it is now misleading.
+ We should change it to:
+
+ @property(readonly, retain) JSContext *context;
+
+ 2) the JSContext ivar and accessor can be automatically generated. Since we're no longer doing anything
+ special with m_context, we can just let the compiler handle the ivar for us. We'll delete:
+
+ JSContext *m_context;
+
+ and:
+
+ - (JSContext *)context
+ {
+ return m_context;
+
+ }
+
+ and find&replace "m_context" to "_context" in JSValue.mm.
+
+ * API/APIJSValue.h:
+ * API/JSValue.mm:
+ (-[JSValue toObject]):
+ (-[JSValue toBool]):
+ (-[JSValue toDouble]):
+ (-[JSValue toNumber]):
+ (-[JSValue toString]):
+ (-[JSValue toDate]):
+ (-[JSValue toArray]):
+ (-[JSValue toDictionary]):
+ (-[JSValue valueForProperty:]):
+ (-[JSValue setValue:forProperty:]):
+ (-[JSValue deleteProperty:]):
+ (-[JSValue hasProperty:]):
+ (-[JSValue defineProperty:descriptor:]):
+ (-[JSValue valueAtIndex:]):
+ (-[JSValue setValue:atIndex:]):
+ (-[JSValue isUndefined]):
+ (-[JSValue isNull]):
+ (-[JSValue isBoolean]):
+ (-[JSValue isNumber]):
+ (-[JSValue isString]):
+ (-[JSValue isObject]):
+ (-[JSValue isEqualToObject:]):
+ (-[JSValue isEqualWithTypeCoercionToObject:]):
+ (-[JSValue isInstanceOf:]):
+ (-[JSValue callWithArguments:]):
+ (-[JSValue constructWithArguments:]):
+ (-[JSValue invokeMethod:withArguments:]):
+ (-[JSValue objectForKeyedSubscript:]):
+ (-[JSValue setObject:forKeyedSubscript:]):
+ (-[JSValue initWithValue:inContext:]):
+ (-[JSValue dealloc]):
+ (-[JSValue description]):
+
+2013-01-17 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C API: Clean up JSValue
+ https://bugs.webkit.org/show_bug.cgi?id=107156
+
+ Reviewed by Oliver Hunt.
+
+ JSContext m_protectCounts, protect, unprotect are all now unnecessary overhead, and should all be removed.
+ These exist to handle the context going away before the value does; the context needs to be able to unprotect
+ values early. Since the value is now keeping the context alive there is no longer any danger of this happening;
+ instead we should just protect/unprotect the value in JSValue's init/dealloc methods.
+
+ * API/JSContext.mm:
+ (-[JSContext dealloc]):
+ * API/JSContextInternal.h:
+ * API/JSValue.mm:
+ (-[JSValue initWithValue:inContext:]):
+ (-[JSValue dealloc]):
+
+2013-01-17 Filip Pizlo <fpizlo@apple.com>
+
+ DFG Node::ref() and Node::deref() should not return bool, and should have postfixRef variants
+ https://bugs.webkit.org/show_bug.cgi?id=107147
+
+ Reviewed by Mark Hahnenberg.
+
+ This small refactoring will enable a world where ref() returns Node*, which is useful for
+ https://bugs.webkit.org/show_bug.cgi?id=106868. Also, while this refactoring does lead to
+ slightly less terse code, it's also slightly more self-explanatory. I could never quite
+ remember what the meaning of the bool return from ref() and deref() was.
+
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::collectGarbage):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::ref):
+ (JSC::DFG::Graph::deref):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::ref):
+ (Node):
+ (JSC::DFG::Node::postfixRef):
+ (JSC::DFG::Node::deref):
+ (JSC::DFG::Node::postfixDeref):
+
+2013-01-17 Alexey Proskuryakov <ap@apple.com>
+
+ Added svn:ignore=*.pyc, so that ud_opcode.pyc and ud_optable.pyc don't show up
+ in svn stat.
+
+ * disassembler/udis86: Added property svn:ignore.
+
+2013-01-16 Filip Pizlo <fpizlo@apple.com>
+
+ DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize
+ https://bugs.webkit.org/show_bug.cgi?id=107081
+
+ Reviewed by Michael Saboff.
+
+ This bug led to the 32_64 backend emitting contiguous allocation code to allocate
+ ArrayStorage arrays. This then led to all manner of heap corruption, since
+ subsequent array accesses would be accessing the contiguous array "as if" it was
+ an arraystorage array.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-01-16 Jonathan Liu <net147@gmail.com>
+
+ Add missing sys/mman.h include on Mac
+ https://bugs.webkit.org/show_bug.cgi?id=98089
+
+ Reviewed by Darin Adler.
+
+ The madvise function and MADV_FREE constant require sys/mman.h.
+
+ * jit/ExecutableAllocatorFixedVMPool.cpp:
+
+2013-01-15 Michael Saboff <msaboff@apple.com>
+
+ DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1
+ https://bugs.webkit.org/show_bug.cgi?id=106978
+
+ Reviewed by Filip Pizlo.
+
+ Changed the numerator equal to -2^31 check to just return if we expect an integer
+ result, since the check is after we have determined that the denominator is -1.
+ The int result of -2^31 / -1 is -2^31, so just return the numerator as the result.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
+
+2013-01-15 Levi Weintraub <leviw@chromium.org>
+
+ Unreviewed, rolling out r139792.
+ http://trac.webkit.org/changeset/139792
+ https://bugs.webkit.org/show_bug.cgi?id=106970
+
+ Broke the windows build.
+
+ * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.
+
+2013-01-15 Pratik Solanki <psolanki@apple.com>
+
+ Use MADV_FREE_REUSABLE to return JIT memory to OS
+ https://bugs.webkit.org/show_bug.cgi?id=106830
+ <rdar://problem/11437701>
+
+ Reviewed by Geoffrey Garen.
+
+ Use MADV_FREE_REUSABLE to return JIT memory on OSes that have the underlying madvise bug
+ fixed.
+
+ * jit/ExecutableAllocatorFixedVMPool.cpp:
+ (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
+
+2013-01-15 Levi Weintraub <leviw@chromium.org>
+
+ Unreviewed, rolling out r139790.
+ http://trac.webkit.org/changeset/139790
+ https://bugs.webkit.org/show_bug.cgi?id=106948
+
+ The patch is failing its own test.
+
+ * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.
+
+2013-01-15 Zan Dobersek <zandobersek@gmail.com>
+
+ [Autotools] Unify JavaScriptCore sources list, regardless of target OS
+ https://bugs.webkit.org/show_bug.cgi?id=106007
+
+ Reviewed by Gustavo Noronha Silva.
+
+ Include the Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp target
+ in the general sources list as it is guarded by the ENABLE_EXECUTABLE_ALLOCATOR_FIXED
+ feature define. This define is only used on 64-bit architecture and indirectly depends
+ on enabling either JIT or YARR JIT feature. Both of these defines are disabled on
+ Windows OS when using 64-bit architecture so there's no need to add this target to
+ sources only when the target OS is Windows.
+
+ * GNUmakefile.list.am:
+
+2013-01-11 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should not forget that it had proved something to be a constant during a merge just because it's merging against the empty value
+ https://bugs.webkit.org/show_bug.cgi?id=106727
+
+ Reviewed by Oliver Hunt.
+
+ The problem was this statement:
+
+ if (m_value != other.m_value)
+ m_value = JSValue();
+
+ This is well-intentioned, in the sense that if we want our abstract value (i.e. this) to become the superset of the other
+ abstract value, and the two abstract values have proven different constants, then our abstract value should rescind its
+ claim that it has been proven to be constant. But this misses the special case that if the other abstract value is
+ completely clear (meaning that it wishes to contribute zero information and so the superset operation shouldn't change
+ this), it will have a clear m_value. So, the code prior to this patch would rescind the constant proof even though it
+ didn't have to.
+
+ This comes up rarely and I don't believe it will be a performance win, but it is good to have the CFA been consistently
+ precise as often as possible.
+
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::merge):
+
+2013-01-11 Filip Pizlo <fpizlo@apple.com>
+
+ Python implementation reports "MemoryError" instead of doing things
+ https://bugs.webkit.org/show_bug.cgi?id=106690
+
+ Reviewed by Oliver Hunt.
+
+ The bug was that the CFA was assuming that a variable is dead at the end of a basic block and hence doesn't need to
+ be merged to the next block if the last mention of the variable was dead. This is almost correct, except that it
+ doesn't work if the last mention is a GetLocal - the GetLocal itself may be dead, but that doesn't mean that the
+ variable is dead - it may still be live. The appropriate thing to do is to look at the GetLocal's Phi. If the
+ variable is used in the next block then the next block will have a reference to the last mention in our block unless
+ that last mention is a GetLocal, in which case it will link to the Phi. Doing it this way captures everything that
+ the CFA wants: if the last use is a live GetLocal then the CFA needs to consider the GetLocal itself for possible
+ refinements to the proof of the value in the variable, but if the GetLocal is dead, then this must mean that the
+ variable is not mentioned in the block but may still be "passed through" it, which is what the Phi will tell us.
+ Note that it is not possible for the GetLocal to refer to anything other than a Phi, and it is also not possible
+ for the last mention of a variable to be a dead GetLocal while there are other mentions that aren't dead - if
+ there had been SetLocals or GetLocals prior to the dead one then the dead one wouldn't have been emitted by the
+ parser.
+
+ This also fixes a similar bug in the handling of captured variables. If a variable is captured, then it doesn't
+ matter if the last mention is dead, or not. Either way, we already know that a captured variable will be live in
+ the next block, so we must merge it no matter what.
+
+ Finally, this change makes the output of Operands dumping a bit more verbose: it now prints the variable name next
+ to each variable's dump. I've often found the lack of this information confusing particularly for operand dumps
+ that involve a lot of variables.
+
+ * bytecode/Operands.h:
+ (JSC::dumpOperands):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::mergeStateAtTail):
+
+2013-01-14 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. Fix vcproj file. Missing file tag after http://trac.webkit.org/changeset/139541.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+
+2013-01-13 Filip Pizlo <fpizlo@apple.com>
+
+ DFG phases that store per-node information should store it in Node itself rather than using a secondary vector
+ https://bugs.webkit.org/show_bug.cgi?id=106753
+
+ Reviewed by Geoffrey Garen.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::AbstractState):
+ (JSC::DFG::AbstractState::beginBasicBlock):
+ (JSC::DFG::AbstractState::dump):
+ * dfg/DFGAbstractState.h:
+ (JSC::DFG::AbstractState::forNode):
+ (AbstractState):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::CSEPhase):
+ (JSC::DFG::CSEPhase::performSubstitution):
+ (JSC::DFG::CSEPhase::setReplacement):
+ (CSEPhase):
+ * dfg/DFGNode.h:
+ (Node):
+
+2013-01-12 Tim Horton <timothy_horton@apple.com>
+
+ Unreviewed build fix.
+
+ * API/JSBlockAdaptor.mm:
+ * API/JSContext.mm:
+ * API/JSValue.mm:
+
+2013-01-12 Csaba Osztrogonác <ossy@webkit.org>
+
+ Unreviewed 64 bit buildfix after r139496.
+
+ * dfg/DFGOperations.cpp:
+
+2013-01-11 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, speculative build fix.
+
+ * API/JSWrapperMap.mm:
+
+2013-01-10 Filip Pizlo <fpizlo@apple.com>
+
+ JITThunks should not compile only because of luck
+ https://bugs.webkit.org/show_bug.cgi?id=105696
+
+ Rubber stamped by Sam Weinig and Geoffrey Garen.
+
+ This patch was supposed to just move JITThunks into its own file. But then I
+ realized that there is a horrible circular dependency chain between JSCell,
+ JSGlobalData, CallFrame, and Weak, which only works because of magical include
+ order in JITStubs.h, and the fact that JSGlobalData.h includes JITStubs.h
+ before it includes JSCell or JSValue.
+
+ I first tried to just get JITThunks.h to just magically do the same pointless
+ includes that JITStubs.h had, but then I decided to actually fix the underflying
+ problem, which was that JSCell needed CallFrame, CallFrame needed JSGlobalData,
+ JSGlobalData needed JITThunks, JITThunks needed Weak, and Weak needed JSCell.
+ Now, all of JSCell's outgoing dependencies are placed in JSCellInlines.h. This
+ also gave me an opportunity to move JSValue inline methods from JSCell.h into
+ JSValueInlines.h. But to make this really work, I needed to remove includes of
+ *Inlines.h from other headers (CodeBlock.h for example included JSValueInlines.h,
+ which defeats the whole entire purpose of having an Inlines.h file), and I needed
+ to add includes of *Inlines.h into a bunch of .cpp files. I did this mostly by
+ having .cpp files include Operations.h. In future, if you're adding a .cpp file
+ to JSC, you'll almost certainly have to include Operations.h unless you enjoy
+ link errors.
+
+ * API/JSBase.cpp:
+ * API/JSCallbackConstructor.cpp:
+ * API/JSCallbackFunction.cpp:
+ * API/JSCallbackObject.cpp:
+ * API/JSClassRef.cpp:
+ * API/JSContextRef.cpp:
+ * API/JSObjectRef.cpp:
+ * API/JSScriptRef.cpp:
+ * API/JSWeakObjectMapRefPrivate.cpp:
+ * JSCTypedArrayStubs.h:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/ArrayAllocationProfile.cpp:
+ * bytecode/CodeBlock.cpp:
+ * bytecode/GetByIdStatus.cpp:
+ * bytecode/LazyOperandValueProfile.cpp:
+ * bytecode/ResolveGlobalStatus.cpp:
+ * bytecode/SpeculatedType.cpp:
+ * bytecode/UnlinkedCodeBlock.cpp:
+ * bytecompiler/BytecodeGenerator.cpp:
+ * debugger/Debugger.cpp:
+ * debugger/DebuggerActivation.cpp:
+ * debugger/DebuggerCallFrame.cpp:
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ * dfg/DFGArrayMode.cpp:
+ * dfg/DFGByteCodeParser.cpp:
+ * dfg/DFGConstantFoldingPhase.cpp:
+ * dfg/DFGDriver.cpp:
+ * dfg/DFGFixupPhase.cpp:
+ * dfg/DFGGraph.cpp:
+ * dfg/DFGJITCompiler.cpp:
+ * dfg/DFGOSREntry.cpp:
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ * dfg/DFGOSRExitCompiler64.cpp:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
+ (JSC::DFG::SpeculativeJIT::silentSpill):
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ * dfg/DFGVariableEventStream.cpp:
+ * heap/CopiedBlock.h:
+ * heap/CopiedSpace.cpp:
+ * heap/HandleSet.cpp:
+ * heap/Heap.cpp:
+ * heap/HeapStatistics.cpp:
+ * heap/SlotVisitor.cpp:
+ * heap/WeakBlock.cpp:
+ * interpreter/CallFrame.cpp:
+ * interpreter/CallFrame.h:
+ * jit/ClosureCallStubRoutine.cpp:
+ * jit/GCAwareJITStubRoutine.cpp:
+ * jit/JIT.cpp:
+ * jit/JITArithmetic.cpp:
+ * jit/JITArithmetic32_64.cpp:
+ * jit/JITCall.cpp:
+ * jit/JITCall32_64.cpp:
+ * jit/JITCode.h:
+ * jit/JITExceptions.cpp:
+ * jit/JITStubs.h:
+ * jit/JITThunks.h:
+ * jsc.cpp:
+ * llint/LLIntExceptions.cpp:
+ * profiler/LegacyProfiler.cpp:
+ * profiler/ProfileGenerator.cpp:
+ * profiler/ProfilerBytecode.cpp:
+ * profiler/ProfilerBytecodeSequence.cpp:
+ * profiler/ProfilerBytecodes.cpp:
+ * profiler/ProfilerCompilation.cpp:
+ * profiler/ProfilerCompiledBytecode.cpp:
+ * profiler/ProfilerDatabase.cpp:
+ * profiler/ProfilerOSRExit.cpp:
+ * profiler/ProfilerOSRExitSite.cpp:
+ * profiler/ProfilerOrigin.cpp:
+ * profiler/ProfilerOriginStack.cpp:
+ * profiler/ProfilerProfiledBytecodes.cpp:
+ * runtime/ArgList.cpp:
+ * runtime/Arguments.cpp:
+ * runtime/ArrayConstructor.cpp:
+ * runtime/BooleanConstructor.cpp:
+ * runtime/BooleanObject.cpp:
+ * runtime/BooleanPrototype.cpp:
+ * runtime/CallData.cpp:
+ * runtime/CodeCache.cpp:
+ * runtime/Completion.cpp:
+ * runtime/ConstructData.cpp:
+ * runtime/DateConstructor.cpp:
+ * runtime/DateInstance.cpp:
+ * runtime/DatePrototype.cpp:
+ * runtime/Error.cpp:
+ * runtime/ErrorConstructor.cpp:
+ * runtime/ErrorInstance.cpp:
+ * runtime/ErrorPrototype.cpp:
+ * runtime/ExceptionHelpers.cpp:
+ * runtime/Executable.cpp:
+ * runtime/FunctionConstructor.cpp:
+ * runtime/FunctionPrototype.cpp:
+ * runtime/GetterSetter.cpp:
+ * runtime/Identifier.cpp:
+ * runtime/InternalFunction.cpp:
+ * runtime/JSActivation.cpp:
+ * runtime/JSBoundFunction.cpp:
+ * runtime/JSCell.cpp:
+ * runtime/JSCell.h:
+ (JSC):
+ * runtime/JSCellInlines.h: Added.
+ (JSC):
+ (JSC::JSCell::JSCell):
+ (JSC::JSCell::finishCreation):
+ (JSC::JSCell::structure):
+ (JSC::JSCell::visitChildren):
+ (JSC::allocateCell):
+ (JSC::isZapped):
+ (JSC::JSCell::isObject):
+ (JSC::JSCell::isString):
+ (JSC::JSCell::isGetterSetter):
+ (JSC::JSCell::isProxy):
+ (JSC::JSCell::isAPIValueWrapper):
+ (JSC::JSCell::setStructure):
+ (JSC::JSCell::methodTable):
+ (JSC::JSCell::inherits):
+ (JSC::JSCell::fastGetOwnPropertySlot):
+ (JSC::JSCell::fastGetOwnProperty):
+ (JSC::JSCell::toBoolean):
+ * runtime/JSDateMath.cpp:
+ * runtime/JSFunction.cpp:
+ * runtime/JSFunction.h:
+ (JSC):
+ * runtime/JSGlobalData.h:
+ (JSC):
+ (JSGlobalData):
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSGlobalObjectFunctions.cpp:
+ * runtime/JSLock.cpp:
+ * runtime/JSNameScope.cpp:
+ * runtime/JSNotAnObject.cpp:
+ * runtime/JSONObject.cpp:
+ * runtime/JSObject.h:
+ (JSC):
+ * runtime/JSProxy.cpp:
+ * runtime/JSScope.cpp:
+ * runtime/JSSegmentedVariableObject.cpp:
+ * runtime/JSString.h:
+ (JSC):
+ * runtime/JSStringJoiner.cpp:
+ * runtime/JSSymbolTableObject.cpp:
+ * runtime/JSValue.cpp:
+ * runtime/JSValueInlines.h:
+ (JSC::JSValue::toInt32):
+ (JSC::JSValue::toUInt32):
+ (JSC):
+ (JSC::JSValue::isUInt32):
+ (JSC::JSValue::asUInt32):
+ (JSC::JSValue::asNumber):
+ (JSC::jsNaN):
+ (JSC::JSValue::JSValue):
+ (JSC::JSValue::encode):
+ (JSC::JSValue::decode):
+ (JSC::JSValue::operator bool):
+ (JSC::JSValue::operator==):
+ (JSC::JSValue::operator!=):
+ (JSC::JSValue::isEmpty):
+ (JSC::JSValue::isUndefined):
+ (JSC::JSValue::isNull):
+ (JSC::JSValue::isUndefinedOrNull):
+ (JSC::JSValue::isCell):
+ (JSC::JSValue::isInt32):
+ (JSC::JSValue::isDouble):
+ (JSC::JSValue::isTrue):
+ (JSC::JSValue::isFalse):
+ (JSC::JSValue::tag):
+ (JSC::JSValue::payload):
+ (JSC::JSValue::asInt32):
+ (JSC::JSValue::asDouble):
+ (JSC::JSValue::asCell):
+ (JSC::JSValue::isNumber):
+ (JSC::JSValue::isBoolean):
+ (JSC::JSValue::asBoolean):
+ (JSC::reinterpretDoubleToInt64):
+ (JSC::reinterpretInt64ToDouble):
+ (JSC::JSValue::isString):
+ (JSC::JSValue::isPrimitive):
+ (JSC::JSValue::isGetterSetter):
+ (JSC::JSValue::isObject):
+ (JSC::JSValue::getString):
+ (JSC::::getString):
+ (JSC::JSValue::getObject):
+ (JSC::JSValue::getUInt32):
+ (JSC::JSValue::toPrimitive):
+ (JSC::JSValue::getPrimitiveNumber):
+ (JSC::JSValue::toNumber):
+ (JSC::JSValue::toObject):
+ (JSC::JSValue::isFunction):
+ (JSC::JSValue::inherits):
+ (JSC::JSValue::toThisObject):
+ (JSC::JSValue::get):
+ (JSC::JSValue::put):
+ (JSC::JSValue::putByIndex):
+ (JSC::JSValue::structureOrUndefined):
+ (JSC::JSValue::equal):
+ (JSC::JSValue::equalSlowCaseInline):
+ (JSC::JSValue::strictEqualSlowCaseInline):
+ (JSC::JSValue::strictEqual):
+ * runtime/JSVariableObject.cpp:
+ * runtime/JSWithScope.cpp:
+ * runtime/JSWrapperObject.cpp:
+ * runtime/LiteralParser.cpp:
+ * runtime/Lookup.cpp:
+ * runtime/NameConstructor.cpp:
+ * runtime/NameInstance.cpp:
+ * runtime/NamePrototype.cpp:
+ * runtime/NativeErrorConstructor.cpp:
+ * runtime/NativeErrorPrototype.cpp:
+ * runtime/NumberConstructor.cpp:
+ * runtime/NumberObject.cpp:
+ * runtime/ObjectConstructor.cpp:
+ * runtime/ObjectPrototype.cpp:
+ * runtime/Operations.h:
+ (JSC):
+ * runtime/PropertySlot.cpp:
+ * runtime/RegExp.cpp:
+ * runtime/RegExpCache.cpp:
+ * runtime/RegExpCachedResult.cpp:
+ * runtime/RegExpConstructor.cpp:
+ * runtime/RegExpMatchesArray.cpp:
+ * runtime/RegExpObject.cpp:
+ * runtime/RegExpPrototype.cpp:
+ * runtime/SmallStrings.cpp:
+ * runtime/SparseArrayValueMap.cpp:
+ * runtime/StrictEvalActivation.cpp:
+ * runtime/StringConstructor.cpp:
+ * runtime/StringObject.cpp:
+ * runtime/StringRecursionChecker.cpp:
+ * runtime/Structure.h:
+ (JSC):
+ * runtime/StructureChain.cpp:
+ * runtime/TimeoutChecker.cpp:
+ * testRegExp.cpp:
+
+2013-01-11 Filip Pizlo <fpizlo@apple.com>
+
+ If you use Phantom to force something to be live across an OSR exit, you should put it after the OSR exit
+ https://bugs.webkit.org/show_bug.cgi?id=106724
+
+ Reviewed by Oliver Hunt.
+
+ In cases where we were getting it wrong, I think it was benign because we would either already have an
+ OSR exit prior to there, or the operand would be a constant. But still, it's good to get this right.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+
+2013-01-11 Filip Pizlo <fpizlo@apple.com>
+
+ Phantom(GetLocal) should be treated as relevant to OSR
+ https://bugs.webkit.org/show_bug.cgi?id=106715
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::performBlockCSE):
+
+2013-01-11 Pratik Solanki <psolanki@apple.com>
+
+ Fix function name typo ProgramExecutable::initalizeGlobalProperties()
+ https://bugs.webkit.org/show_bug.cgi?id=106701
+
+ Reviewed by Geoffrey Garen.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::execute):
+ * runtime/Executable.cpp:
+ (JSC::ProgramExecutable::initializeGlobalProperties):
+ * runtime/Executable.h:
+
+2013-01-11 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ testapi is failing with a block-related error in the Objc API
+ https://bugs.webkit.org/show_bug.cgi?id=106055
+
+ Reviewed by Filip Pizlo.
+
+ Same bug as in testapi.mm. We need to actually call the static block, rather than casting the block to a bool.
+
+ * API/ObjCCallbackFunction.mm:
+ (blockSignatureContainsClass):
+
+2013-01-11 Filip Pizlo <fpizlo@apple.com>
+
+ Add a run-time option to print bytecode at DFG compile time
+ https://bugs.webkit.org/show_bug.cgi?id=106704
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ * runtime/Options.h:
+ (JSC):
+
+2013-01-11 Filip Pizlo <fpizlo@apple.com>
+
+ It should be possible to enable verbose printing of each OSR exit at run-time (rather than compile-time) and it should print register state
+ https://bugs.webkit.org/show_bug.cgi?id=106700
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGAssemblyHelpers.h:
+ (DFG):
+ (JSC::DFG::AssemblyHelpers::debugCall):
+ * dfg/DFGCommon.h:
+ * dfg/DFGOSRExit.h:
+ (DFG):
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * runtime/Options.h:
+ (JSC):
+
+2013-01-11 Geoffrey Garen <ggaren@apple.com>
+
+ Removed getDirectLocation and offsetForLocation and all their uses
+ https://bugs.webkit.org/show_bug.cgi?id=106692
+
+ Reviewed by Filip Pizlo.
+
+ getDirectLocation() and its associated offsetForLocation() relied on
+ detailed knowledge of the rules of PropertyOffset, JSObject, and
+ Structure, which is a hard thing to reverse-engineer reliably. Luckily,
+ it wasn't needed, and all clients either wanted a true value or a
+ PropertyOffset. So, I refactored accordingly.
+
+ * dfg/DFGOperations.cpp: Renamed putDirectOffset to putDirect, to clarify
+ that we are not putting an offset.
+
+ * runtime/JSActivation.cpp:
+ (JSC::JSActivation::getOwnPropertySlot): Get a value instead of a value
+ pointer, since we never wanted a pointer to begin with.
+
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::getOwnPropertySlot): Use a PropertyOffset instead of a pointer,
+ so we don't have to reverse-engineer the offset from the pointer.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::put):
+ (JSC::JSObject::resetInheritorID):
+ (JSC::JSObject::inheritorID):
+ (JSC::JSObject::removeDirect):
+ (JSC::JSObject::fillGetterPropertySlot):
+ (JSC::JSObject::getOwnPropertyDescriptor): Renamed getDirectOffset and
+ putDirectOffset, as explaind above. We want to use the name "getDirectOffset"
+ for when the thing you're getting is the offset.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::getDirect):
+ (JSC::JSObject::getDirectOffset): Changed getDirectLocation to getDirectOffset,
+ since clients really wants PropertyOffsets and not locations.
+
+ (JSObject::offsetForLocation): Removed this function because it was hard
+ to get right.
+
+ (JSC::JSObject::putDirect):
+ (JSC::JSObject::putDirectUndefined):
+ (JSC::JSObject::inlineGetOwnPropertySlot):
+ (JSC::JSObject::putDirectInternal):
+ (JSC::JSObject::putDirectWithoutTransition):
+ * runtime/JSScope.cpp:
+ (JSC::executeResolveOperations):
+ (JSC::JSScope::resolvePut):
+ * runtime/JSValue.cpp:
+ (JSC::JSValue::putToPrimitive): Updated for renames.
+
+ * runtime/Lookup.cpp:
+ (JSC::setUpStaticFunctionSlot): Use a PropertyOffset instead of a pointer,
+ so we don't have to reverse-engineer the offset from the pointer.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::flattenDictionaryStructure): Updated for renames.
+
+2013-01-11 Geoffrey Garen <ggaren@apple.com>
+
+ Removed an unused version of getDirectLocation
+ https://bugs.webkit.org/show_bug.cgi?id=106691
+
+ Reviewed by Gavin Barraclough.
+
+ getDirectLocation is a weird operation. Removing the unused version is
+ the easy part.
+
+ * runtime/JSObject.h:
+ (JSObject):
+
+2013-01-11 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Objective-C objects that are passed to JavaScript leak (until the JSContext is destroyed)
+ https://bugs.webkit.org/show_bug.cgi?id=106056
+
+ Reviewed by Darin Adler.
+
+ * API/APIJSValue.h:
+ * API/JSValue.mm: Make the reference to the JSContext strong.
+ (-[JSValue context]):
+ (-[JSValue initWithValue:inContext:]):
+ (-[JSValue dealloc]):
+ * API/JSWrapperMap.mm: Make the reference back from wrappers to Obj-C objects weak instead of strong.
+ Also add an explicit WeakGCMap in the JSWrapperMap rather than using Obj-C associated object API which
+ was causing memory leaks.
+ (wrapperClass):
+ (-[JSObjCClassInfo wrapperForObject:]):
+ (-[JSWrapperMap initWithContext:]):
+ (-[JSWrapperMap dealloc]):
+ (-[JSWrapperMap wrapperForObject:]):
+
+2013-01-11 Geoffrey Garen <ggaren@apple.com>
+
+ Fixed some bogus PropertyOffset ASSERTs
+ https://bugs.webkit.org/show_bug.cgi?id=106686
+
+ Reviewed by Gavin Barraclough.
+
+ The ASSERTs were passing a JSType instead of an inlineCapacity, due to
+ an incomplete refactoring.
+
+ The compiler didn't catch this because both types are int underneath.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::getDirect):
+ (JSC::JSObject::getDirectLocation):
+ (JSC::JSObject::offsetForLocation):
+ * runtime/Structure.cpp:
+ (JSC::Structure::addPropertyTransitionToExistingStructure): Validate against
+ our inline capacity, as we intended.
+
+2013-01-11 Geoffrey Garen <ggaren@apple.com>
+
+ Rename propertyOffsetFor => offsetForPropertyNumber
+ https://bugs.webkit.org/show_bug.cgi?id=106685
+
+ Reviewed by Gavin Barraclough.
+
+ Since the argument is just a typedef and not an object, I wanted to clarify the meaning.
+
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyTable::nextOffset): Updated for rename.
+
+ * runtime/PropertyOffset.h:
+ (JSC::offsetForPropertyNumber): Renamed. Also changed some PropertyOffset variables
+ to plain ints, because they're not actually on the PropertyOffsets number line.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::flattenDictionaryStructure):
+ * runtime/Structure.h:
+ (JSC::Structure::lastValidOffset): Updated for rename.
+
+2013-01-10 Zan Dobersek <zandobersek@gmail.com>
+
+ Remove the ENABLE_ANIMATION_API feature define occurences
+ https://bugs.webkit.org/show_bug.cgi?id=106544
+
+ Reviewed by Simon Fraser.
+
+ The Animation API code was removed in r137243. The ENABLE_ANIMATION_API
+ feature define handling still lingers in various build systems and configurations
+ but is of no use, so it should be removed.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-01-09 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. Just move the JavaScriptCore exports file around in the vcproj to make things clearer.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+
+2013-01-09 Filip Pizlo <fpizlo@apple.com>
+
+ Dont use a node reference after appending to the graph.
+ https://bugs.webkit.org/show_bug.cgi?id=103305
+ <rdar://problem/12753096>
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+
+2013-01-09 Roger Fong <roger_fong@apple.com>
+
+ Rename export files to make them more easily findable.
+ https://bugs.webkit.org/show_bug.cgi?id=98695.
+
+ Reviewed by Timothy Horton.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed.
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def.
+
+2013-01-09 Carlos Garcia Campos <cgarcia@igalia.com>
+
+ Unreviewed. Fix make distcheck.
+
+ * GNUmakefile.list.am: Add mips.rb to offlineasm_nosources.
+
+2013-01-08 Oliver Hunt <oliver@apple.com>
+
+ Support op_typeof in the DFG
+ https://bugs.webkit.org/show_bug.cgi?id=98898
+
+ Reviewed by Filip Pizlo.
+
+ Adds a TypeOf node to the DFG to support op_typeof.
+
+ To avoid adding too much GC horror, this also makes the
+ common strings portion of the SmallString cache strongly
+ referenced.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ We try to determine the result early here, and substitute in a constant.
+ Otherwise we leave the node intact, and set the result type to SpecString.
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ Parse op_typeof
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ TypeOf nodes can be subjected to pure CSE
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canCompileOpcode):
+ We can handle typeof.
+ * dfg/DFGNodeType.h:
+ (DFG):
+ Define the node.
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ Add operationTypeOf to support the non-trivial cases.
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ Actual codegen
+ * runtime/Operations.cpp:
+ (JSC::jsTypeStringForValue):
+ (JSC):
+ * runtime/Operations.h:
+ (JSC):
+ Some refactoring to allow us to get the type string for an
+ object without needing a callframe.
+
+
+2013-01-08 Filip Pizlo <fpizlo@apple.com>
+
+ DFG shouldn't treat the 'this' argument as being captured if a code block uses arguments
+ https://bugs.webkit.org/show_bug.cgi?id=106398
+ <rdar://problem/12439776>
+
+ Reviewed by Mark Hahnenberg.
+
+ This is a possible optimization for inlined calls, and fixes crashes for inlined constructors, in the case
+ that the inlined code used arguments. The problem was that assuming that 'this' was captured implies the
+ assumption that it was initialized by the caller, which is wrong for constructors and this.
+
+ Also added a pretty essential DFG IR validation rule: we shouldn't have any live locals at the top of the
+ root block. This helps to catch this bug: our assumption that 'this' was captured in an inlined constructor
+ that used arguments led to liveness for the temporary that would have held 'this' in the caller being
+ propagated all the way up to the entrypoint of the function.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::isCaptured):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ (JSC::DFG::Validate::reportValidationContext):
+ (Validate):
+ (JSC::DFG::Validate::dumpGraphIfAppropriate):
+
+2013-01-08 Filip Pizlo <fpizlo@apple.com>
+
+ REGRESSION (r138921): Crash in JSC::Arguments::create
+ https://bugs.webkit.org/show_bug.cgi?id=106329
+ <rdar://problem/12974196>
+
+ Reviewed by Mark Hahnenberg.
+
+ Arguments::finishCreation() that takes an InlineCallFrame* needs to understand that the callee can
+ be unset, indicating that the callee needs to be loaded from the true call frame. This adds a
+ method to InlineCallFrame to do just that.
+
+ * bytecode/CodeOrigin.cpp:
+ (JSC::InlineCallFrame::calleeForCallFrame):
+ * bytecode/CodeOrigin.h:
+ (InlineCallFrame):
+ * runtime/Arguments.h:
+ (JSC::Arguments::finishCreation):
+
+2013-01-08 Filip Pizlo <fpizlo@apple.com>
+
+ DFG initrinsic handling should ensure that we backwards propagate the fact that all operands may escape
+ https://bugs.webkit.org/show_bug.cgi?id=106365
+
+ Reviewed by Mark Hahnenberg.
+
+ Use the fact that Phantom means that things escaped, and just insert Phantoms for all
+ of the operands.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleCall):
+
+2013-01-08 Filip Pizlo <fpizlo@apple.com>
+
+ If array allocation profiling causes a new_array to allocate double arrays, then the holes should end up being correctly initialized
+ https://bugs.webkit.org/show_bug.cgi?id=106363
+
+ Reviewed by Mark Hahnenberg.
+
+ * runtime/JSArray.h:
+ (JSC::JSArray::tryCreateUninitialized):
+
+2013-01-07 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should backwards-propagate NodeUsedAsValue for Phantom
+ https://bugs.webkit.org/show_bug.cgi?id=106299
+
+ Reviewed by Mark Hahnenberg.
+
+ This is currently benign because Phantom is only inserted by the bytecode parser for
+ things that already happen to be used in contexts that backwards propagate
+ NodeUsedAsValue. But that doesn't change the fact that the semantics of Phantom are
+ that the value can be arbitrarily used by the baseline JIT.
+
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+
+2013-01-07 Filip Pizlo <fpizlo@apple.com>
+
+ Rationalize closure call heuristics and profiling
+ https://bugs.webkit.org/show_bug.cgi?id=106270
+
+ Reviewed by Oliver Hunt.
+
+ Did a number of things:
+
+ - CallLinkInfo now remembers if it was ever a closure call, and CallLinkStatus uses
+ this. Reduces the likelihood that we will inline a closure call as if it was a
+ normal call.
+
+ - Made InlineCallFrame print inferred function names, and refactored
+ CodeBlock::inferredName() to better use FunctionExecutable's API.
+
+ - Made bytecode dumping print frequent exit sites that led to recompilation.
+
+ - Made bytecode dumping for op_call and op_construct print what the CallLinkStatus
+ saw.
+
+ * bytecode/CallLinkInfo.h:
+ (JSC::CallLinkInfo::CallLinkInfo):
+ (CallLinkInfo):
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::computeFor):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::inferredName):
+ (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
+ (JSC::CodeBlock::printCallOp):
+ * bytecode/CodeOrigin.cpp:
+ (JSC::CodeOrigin::dump):
+ (JSC::InlineCallFrame::inferredName):
+ (JSC):
+ (JSC::InlineCallFrame::dumpBriefFunctionInformation):
+ (JSC::InlineCallFrame::dump):
+ * bytecode/CodeOrigin.h:
+ (InlineCallFrame):
+ * bytecode/DFGExitProfile.cpp:
+ (JSC::DFG::ExitProfile::exitSitesFor):
+ (DFG):
+ * bytecode/DFGExitProfile.h:
+ (ExitProfile):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+
+2013-01-07 Ryosuke Niwa <rniwa@webkit.org>
+
+ Sorted the xcodeproj file.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2013-01-07 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, it should be possible to build JSC on ARM.
+
+ * API/JSBase.h:
+ * jit/JITStubs.cpp:
+ (JSC::performPlatformSpecificJITAssertions):
+ (JSC):
+ * jit/JITStubs.h:
+ (JSC):
+ * jit/JITThunks.cpp:
+ (JSC::JITThunks::JITThunks):
+ * jit/JITThunks.h:
+ (JITThunks):
+ * offlineasm/armv7.rb:
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+
+2013-01-07 Balazs Kilvady <kilvadyb@homejinni.com>
+
+ MIPS LLInt implementation.
+ https://bugs.webkit.org/show_bug.cgi?id=99706
+
+ Reviewed by Filip Pizlo.
+
+ LLInt implementation for MIPS.
+
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::jump):
+ * dfg/DFGOperations.cpp:
+ (JSC):
+ * jit/JITStubs.cpp:
+ (JSC):
+ * jit/JITStubs.h:
+ (JITStackFrame):
+ * llint/LLIntOfflineAsmConfig.h:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * offlineasm/backends.rb:
+ * offlineasm/instructions.rb:
+ * offlineasm/mips.rb: Added.
+
+2013-01-07 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ testapi is failing with a block-related error in the Objc API
+ https://bugs.webkit.org/show_bug.cgi?id=106055
+
+ Reviewed by Geoffrey Garen.
+
+ Casting a block to a bool will always return true, which isn't the behavior that is intended here.
+ Instead we need to call the block, but C semantics don't allow this, so we need to change
+ testapi.m to be Objective-C++ and therefore testapi.mm.
+
+ * API/tests/testapi.m: Removed.
+ * API/tests/testapi.mm: Copied from Source/JavaScriptCore/API/tests/testapi.m.
+ (blockSignatureContainsClass):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2013-01-06 Filip Pizlo <fpizlo@apple.com>
+
+ Simplify slow case profiling
+ https://bugs.webkit.org/show_bug.cgi?id=106208
+
+ Reviewed by Mark Rowe.
+
+ Removing the minimum execution ratio portion of slow case profiling, which allows
+ the removal of a field from CodeBlock. This appears to be performance neutral,
+ implying that the complexity incurred by the previous heuristic was purely
+ harmful: it made the code more complicated, and it made CodeBlock larger, without
+ resulting in any measurable benefits.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::likelyToTakeSlowCase):
+ (JSC::CodeBlock::couldTakeSlowCase):
+ (JSC::CodeBlock::likelyToTakeSpecialFastCase):
+ (JSC::CodeBlock::couldTakeSpecialFastCase):
+ (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
+ (JSC::CodeBlock::likelyToTakeAnySlowCase):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompile):
+ * runtime/Options.h:
+
+2013-01-05 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should inline closure calls
+ https://bugs.webkit.org/show_bug.cgi?id=106067
+
+ Reviewed by Gavin Barraclough.
+
+ This adds initial support for inlining closure calls to the DFG. A call is considered
+ to be a closure call when the JSFunction* varies, but always has the same executable.
+ We already have closure call inline caching in both JITs, which works by checking that
+ the callee has an expected structure (as a cheap way of detecting that it is in fact
+ a JSFunction) and an expected executable. Closure call inlining uses profiling data
+ aggregated by CallLinkStatus to decide when to specialize the call to the particular
+ structure/executable, and inline the call rather than emitting a call sequence. When
+ we choose to do a closure inline rather than an ordinary inline, a number of things
+ change about how inlining is performed:
+
+ - The inline is guarded by a CheckStructure/CheckExecutable rather than a
+ CheckFunction.
+
+ - Instead of propagating a constant value for the scope, we emit GetMyScope every time
+ that the scope is needed, which loads the scope from a local variable. We do similar
+ things for the callee.
+
+ - The prologue of the inlined code includes SetMyScope and SetCallee nodes to eagerly
+ plant the scope and callee into the "true call frame", i.e. the place on the stack
+ where the call frame would have been if the call had been actually performed. This
+ allows GetMyScope/GetCallee to work as they would if the code wasn't inlined. It
+ also allows for trivial handling of scope and callee for call frame reconstruction
+ upon stack introspection and during OSR.
+
+ - A new node called GetScope is introduced, which just gets the scope of a function.
+ This node has the expected CSE support. This allows for the
+ SetMyScope(GetScope(@function)) sequence to set up the scope in the true call frame.
+
+ - GetMyScope/GetCallee CSE can match against SetMyScope/SetCallee, which means that
+ the GetMyScope/GetCallee nodes emitted during parsing are often removed during CSE,
+ if we can prove that it is safe to do so.
+
+ - Inlining heuristics are adjusted to grok the cost of inlining a closure. We are
+ less likely to inline a closure call than we are to inline a normal call, since we
+ end up emitting more code for closures due to CheckStructure, CheckExecutable,
+ GetScope, SetMyScope, and SetCallee.
+
+ Additionally, I've fixed the VariableEventStream to ensure that we don't attempt to
+ plant Undefined into the true call frames. This was previously a harmless oversight,
+ but it becomes quite bad if OSR is relying on the scope/callee already having been
+ set and not subsequently clobbered by the OSR itself.
+
+ This is a ~60% speed-up on programs that frequently make calls to closures. It's
+ neutral on V8v7 and other major benchmark suites.
+
+ The lack of a definite speed-up is likely due the fact that closure inlining currently
+ does not do any cardinality [1] optimizations. We don't observe when a closure was
+ constructed within its caller, and so used the scope from its caller; and furthermore
+ we have no facility to detect when the scope is single. All scoped variable accesses
+ are assumed to be multiple instead. A subsequent step will be to ensure that closure
+ call inlining will be single and loving it.
+
+ [1] Single and loving it: Must-alias analysis for higher-order languages. Suresh
+ Jagannathan, Peter Thiemann, Stephen Weeks, and Andrew Wright. In POPL '98.
+
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::dump):
+ * bytecode/CallLinkStatus.h:
+ (JSC::CallLinkStatus::isClosureCall):
+ (CallLinkStatus):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::globalObjectFor):
+ (JSC):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ * bytecode/CodeOrigin.cpp:
+ (JSC::InlineCallFrame::dump):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::emitFunctionChecks):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::pureCSE):
+ (CSEPhase):
+ (JSC::DFG::CSEPhase::getCalleeLoadElimination):
+ (JSC::DFG::CSEPhase::checkExecutableElimination):
+ (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::mightInlineFunctionForClosureCall):
+ * dfg/DFGCapabilities.h:
+ (DFG):
+ (JSC::DFG::mightInlineFunctionForClosureCall):
+ (JSC::DFG::canInlineFunctionForClosureCall):
+ (JSC::DFG::canInlineFunctionFor):
+ * dfg/DFGNode.h:
+ (Node):
+ (JSC::DFG::Node::hasExecutable):
+ (JSC::DFG::Node::executable):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGVariableEventStream.cpp:
+ (JSC::DFG::VariableEventStream::reconstruct):
+ * runtime/Options.h:
+ (JSC):
+
+2013-01-05 Filip Pizlo <fpizlo@apple.com>
+
+ Data flow paths that carry non-numbers, non-undefined, non-null values should not cause subtractions and arithmetic additions (i.e. ++) to speculate double
+ https://bugs.webkit.org/show_bug.cgi?id=106190
+
+ Reviewed by Sam Weinig.
+
+ The problem is that the DFG logic for deciding when to speculate integer was
+ confusing the special case of ValueAdd (where non-numeric values should cause us
+ to not speculate integer, because we want to fall off into the generic case) with
+ the more normal case of ArithAdd and ArithSub (where we want to speculate integer
+ unless we have evidence that the operands are doubles, since the DFG doesn't have
+ generic handling of non-numeric arithmetic). Prior to this change doing a - b where
+ either a or b were possibly non-numeric would always force the subtraction to be
+ done using doubles.
+
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::addSpeculationMode):
+ (Graph):
+ (JSC::DFG::Graph::valueAddSpeculationMode):
+ (JSC::DFG::Graph::arithAddSpeculationMode):
+ (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
+
+2013-01-04 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should trust array profiling over value profiling
+ https://bugs.webkit.org/show_bug.cgi?id=106155
+
+ Reviewed by Gavin Barraclough.
+
+ The real problem is that prediction propagation is not flow-sensitive. We had code
+ like:
+
+ var a = (some load from memory); // returns either an array or false
+ if (a)
+ a[i] = v;
+
+ Because 'a' could be 'false', we were emitting a fully generic unoptimized PutByVal.
+ This patch changes ArrayMode to ignore the type of the base of an array access, if
+ array profiling tells us that the array access can be optimized.
+
+ In the future, we could probably make this work even better with some flow
+ sensitivity in the prediction propagator, but I also tend to think that this is a
+ more robust overall solution. If we ever did want to support array accesses on
+ array-or-false then we should change the array profiler to be able to tell us that
+ this is what is going on.
+
+ 3.7% speed-up on V8/earley.
+
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::refine):
+
+2013-01-04 Filip Pizlo <fpizlo@apple.com>
+
+ Rationalize exit site profiling for calls
+ https://bugs.webkit.org/show_bug.cgi?id=106150
+
+ Reviewed by Sam Weinig.
+
+ This adds two new exit kinds for calls: BadFunction and BadExecutable. The latter is not used
+ yet, but is already integrated with profiling. CheckFunction uses a BadFunction speculation
+ instead of BadCache, now. This allows CallLinkStatus to turn itself into a closure call status
+ if we had a BadFunction exit site but the CallLinkInfo told us to use a non-closure call. This
+ might happen if we had call unlinking that led to information loss along the way.
+
+ No performance impact. This is meant as another step towards inlining closure calls.
+
+ * bytecode/CallLinkStatus.cpp:
+ * bytecode/CallLinkStatus.h:
+ (JSC::CallLinkStatus::setIsProved):
+ (JSC::CallLinkStatus::setHasBadFunctionExitSite):
+ (CallLinkStatus):
+ (JSC::CallLinkStatus::setHasBadCacheExitSite):
+ (JSC::CallLinkStatus::setHasBadExecutableExitSite):
+ * bytecode/ExitKind.cpp:
+ (JSC::exitKindToString):
+ * bytecode/ExitKind.h:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleCall):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2013-01-03 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should not elide CheckStructure if it's needed to perform a cell check
+ https://bugs.webkit.org/show_bug.cgi?id=106074
+
+ Reviewed by Ryosuke Niwa.
+
+ The problem here was that the constant folding phase was misinterpreting the meaning of the sets
+ in DFG::AbstractValue. AbstractValue describes a constraint on the values that a variable (i.e.
+ a DFG Node, or a virtual register, i.e. local or argument) may have. It does so by containing
+ four sets: the set of JSValues (either empty, the singleton set containing one JSValue, or the
+ set of all JSValues); the set of "current known" structures, i.e. the set of structures that you
+ already know that this value may have right now (also either empty, the singleton set, or the set
+ of all structures); the set of "future possible" structures, i.e. the set of structures that this
+ value could have in the future if none of the structure transition watchpoints for those
+ structures had fired (also empty, singleton, or all); and the set of types, which is a
+ SpeculatedType bitmask. The correct way to interpret the sets is to think of the AbstractValue as
+ the intersection of these three sets of values:
+
+ - The set of JSValues that have a type that belongs to the m_type set.
+ - If m_value is not the empty value then: the set of all JSValues that are == m_value;
+ else: the set of all JSValues.
+ where '==' is as defined by JSValue::operator==.
+ - Union of { the set of all cells that have a structure that belongs to m_currentKnownStructure }
+ and { the set of all JSValues that are not cells }.
+
+ You can then further intersect this set with the following set, if you guard the code with
+ watchpoints on all structures in the m_futurePossibleStructure:
+
+ - Union of { the set of all cells that have a structure that belongs to m_futurePossibleStructure }
+ and { the set of all JSValues that are not cells }.
+
+ One way to think of this is that m_currentKnownStructure is filtered by m_futurePossibleStructure
+ (i.e. is set to the intersection of m_currentKnownStructure and m_futurePossibleStructure), if the
+ code for which you're doing this is always preceded by watchpoints on all structures in
+ m_futurePossibleStructure, and is always before any side-effects that could change the structures
+ of objects.
+
+ The incorrect optimization related to CheckStructure. CheckStructure checks that the value is a
+ cell, and that it has a particular structure. It was incorrectly assuming that you could eliminate
+ the CheckStructure, if m_currentKnownStructure contained the structure that CheckStructure was
+ checking. But this is not the case, since m_currentKnownStructure does not prove that the value is
+ a cell with a particular structure; it only proves that if the value was a cell then it would have
+ a particular structure. Hence, to eliminate CheckStructure, it is also necessary to check that
+ AbstractValue::m_type contains only cells (i.e. isCellSpeculation(m_type) == true).
+
+ It wasn't doing that, and this changes makes sure that it does do that.
+
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
+2013-01-04 Adam Klein <adamk@chromium.org>
+
+ Remove ENABLE_MUTATION_OBSERVERS #define
+ https://bugs.webkit.org/show_bug.cgi?id=105459
+
+ Reviewed by Ryosuke Niwa.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2013-01-03 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::ByteCodeCache serves little or no purpose ever since we decided to keep bytecode around permanently
+ https://bugs.webkit.org/show_bug.cgi?id=106058
+
+ Reviewed by Michael Saboff.
+
+ All baseline code blocks now always have bytecode, so the bytecode cache's ability to minimize the
+ number of times that the DFG produces bytecode sequences for code blocks is superfluous.
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGByteCodeCache.h: Removed.
+ * dfg/DFGByteCodeParser.cpp:
+ (ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ * runtime/Executable.cpp:
+ (JSC):
+ * runtime/Executable.h:
+ (FunctionExecutable):
+
+2013-01-03 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, fix build for DFG JIT disabled.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpValueProfiling):
+ (JSC::CodeBlock::dumpArrayProfiling):
+ * runtime/Executable.cpp:
+ (JSC):
+ (JSC::ExecutableBase::intrinsic):
+
+2013-01-03 Filip Pizlo <fpizlo@apple.com>
+
+ CallLinkStatus should be aware of closure calls, and the DFG bytecode parser should use that as its sole internal notion of how to optimize calls
+ https://bugs.webkit.org/show_bug.cgi?id=106027
+
+ Reviewed by Mark Hahnenberg.
+
+ Previously, the DFG bytecode parser had its own internal notion of exactly what CallLinkStatus was
+ meant to do, in the form of a CallType, expectedFunction, intrinsic, etc. This change makes CallLinkStatus
+ smart enough to do all of that, and also gives it the ability to understand closure calls.
+
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::CallLinkStatus):
+ (JSC):
+ (JSC::CallLinkStatus::function):
+ (JSC::CallLinkStatus::internalFunction):
+ (JSC::CallLinkStatus::intrinsicFor):
+ (JSC::CallLinkStatus::setIsProved):
+ (JSC::CallLinkStatus::computeFromLLInt):
+ (JSC::CallLinkStatus::computeFor):
+ (JSC::CallLinkStatus::dump):
+ * bytecode/CallLinkStatus.h:
+ (JSC):
+ (JSC::CallLinkStatus::CallLinkStatus):
+ (CallLinkStatus):
+ (JSC::CallLinkStatus::takesSlowPath):
+ (JSC::CallLinkStatus::isSet):
+ (JSC::CallLinkStatus::isClosureCall):
+ (JSC::CallLinkStatus::callTarget):
+ (JSC::CallLinkStatus::executable):
+ (JSC::CallLinkStatus::structure):
+ (JSC::CallLinkStatus::isProved):
+ (JSC::CallLinkStatus::canOptimize):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleCall):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::valueOfFunctionConstant):
+
+2013-01-02 Simon Hausmann <simon.hausmann@digia.com>
+
+ [MinGW-w64] Centralize workaround for pow() implementation
+ https://bugs.webkit.org/show_bug.cgi?id=105925
+
+ Reviewed by Sam Weinig.
+
+ As suggested by Sam, move the MinGW-w64 workaround into MathExtras.h
+ away from the JSC usage.
+
+ * runtime/MathObject.cpp:
+ (JSC::mathPow):
+
+2013-01-02 Gavin Barraclough <barraclough@apple.com>
+
+ Objective-C API for JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=105889
+
+ Reviewed by Geoff Garen.
+
+ Fixes for more issues raised by Darin.
+
+ * API/JSBlockAdaptor.mm:
+ (BlockArgument):
+ (BlockArgumentStruct::BlockArgumentStruct):
+ (BlockArgumentTypeDelegate::typeStruct):
+ (BlockResult):
+ (BlockResultStruct::BlockResultStruct):
+ (buildBlockSignature):
+ (-[JSBlockAdaptor initWithBlockSignatureFromProtocol:]):
+ (-[JSBlockAdaptor blockFromValue:inContext:withException:]):
+ - fix * position for Objective-C types
+ * API/JSContext.h:
+ - fix * position for Objective-C types
+ * API/JSContext.mm:
+ (-[JSContext initWithVirtualMachine:]):
+ (-[JSContext virtualMachine]):
+ (contextInternalContext):
+ - fix * position for Objective-C types
+ (-[JSContext dealloc]):
+ (-[JSContext protect:]):
+ (-[JSContext unprotect:]):
+ - HashMap<JSValueRef, size_t> -> HashCountedSet<JSValueRef>
+ * API/JSContextInternal.h:
+ (WeakContextRef):
+ - fix * position for Objective-C types
+ * API/JSValue.mm:
+ (valueToString):
+ - fix * position for Objective-C types
+ (isNSBoolean):
+ - Added helper to check for booleans.
+ (objectToValueWithoutCopy):
+ - Added contextRef
+ - fix * position for Objective-C types
+ - Remove @YES, @NO literal usage, use isNSBoolean instead
+ (objectToValue):
+ - Added contextRef
+ (+[JSValue valueWithValue:inContext:]):
+ (-[JSValue initWithValue:inContext:]):
+ - fix * position for Objective-C types
+ (createStructHandlerMap):
+ (handerForStructTag):
+ - getStructTagHandler -> handerForStructTag
+ - Split out createStructHandlerMap
+ - strncmp -> memcmp
+ - String(type).impl() -> StringImpl::create(type)
+ (+[JSValue selectorForStructToValue:]):
+ (+[JSValue selectorForValueToStruct:]):
+ - getStructTagHandler -> handerForStructTag
+ (typeToValueInvocationFor):
+ (valueToTypeInvocationFor):
+ - fix * position for Objective-C types
+ * API/JSValueInternal.h:
+ - fix * position for Objective-C types
+ * API/JSVirtualMachineInternal.h:
+ - fix * position for Objective-C types
+ * API/JSWrapperMap.h:
+ - fix * position for Objective-C types
+ * API/JSWrapperMap.mm:
+ (selectorToPropertyName):
+ (createObjectWithCustomBrand):
+ (createRenameMap):
+ (putNonEnumerable):
+ (copyMethodsToObject):
+ (copyPrototypeProperties):
+ (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
+ (-[JSWrapperMap initWithContext:]):
+ (-[JSWrapperMap wrapperForObject:]):
+ (getJSExportProtocol):
+ - fix * position for Objective-C types
+ * API/ObjCCallbackFunction.h:
+ - fix * position for Objective-C types
+ * API/ObjCCallbackFunction.mm:
+ (CallbackArgument):
+ (CallbackArgumentStruct::CallbackArgumentStruct):
+ - fix * position for Objective-C types
+ (CallbackArgumentBlockCallback::createAdoptingJSBlockAdaptor):
+ - Added to make adopt explicit
+ (CallbackArgumentBlockCallback):
+ (CallbackArgumentBlockCallback::CallbackArgumentBlockCallback):
+ (ArgumentTypeDelegate::typeBlock):
+ - Call createAdoptingJSBlockAdaptor
+ (ArgumentTypeDelegate::typeStruct):
+ (CallbackResult):
+ (CallbackResultStruct::CallbackResultStruct):
+ (ResultTypeDelegate::typeStruct):
+ (ObjCCallbackFunction::ObjCCallbackFunction):
+ (ObjCCallbackFunction::context):
+ (objCCallbackFunctionForInvocation):
+ (objCCallbackFunctionForMethod):
+ (objCCallbackFunctionForBlock):
+ - fix * position for Objective-C types
+ * API/ObjcRuntimeExtras.h:
+ (protocolImplementsProtocol):
+ (forEachProtocolImplementingProtocol):
+ (forEachMethodInProtocol):
+ (forEachPropertyInProtocol):
+ - fix * position for Objective-C types
+ * API/tests/testapi.m:
+ (-[TestObject testArgumentTypesWithInt:double:boolean:string:number:array:dictionary:]):
+ (testObjectiveCAPI):
+ - fix * position for Objective-C types
+
+2013-01-02 Geoffrey Garen <ggaren@apple.com>
+
+ Some renaming in the CodeCache
+ https://bugs.webkit.org/show_bug.cgi?id=105966
+
+ Reviewed by Gavin Barraclough.
+
+ CodeBlockKey => SourceCodeKey because the key is not a CodeBlock.
+
+ m_recentlyUsedFunctionCode => m_recentlyUsedFunctions to match other names.
+
+ GlobalFunctionKey => FunctionKey because the key is not unique to globalness.
+
+ m_cachedGlobalFunctions => m_globalFunctions because "cached" is redundant
+ for data members in an object called "CodeCache".
+
+ kMaxRootCodeBlockEntries => kMaxRootEntries because there are no non-CodeBlock
+ entries in a CodeBlock cache.
+
+ kMaxFunctionCodeBlocks => kMaxChildFunctionEntries to clarify that this
+ number models a parent-child relationship.
+
+ Also removed the initial "k" from enum constants. That's an interesting
+ style for calling out constants, but it's not the WebKit style.
+
+ Finally, a behavior change: Use MaxRootEntries for the limit on global
+ functions, and not MaxChildFunctionEntries. Previously, there was an
+ unused constant that seemed to have been intended for this purpose.
+
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::makeSourceCodeKey):
+ (JSC::CodeCache::getCodeBlock):
+ (JSC::CodeCache::generateFunctionCodeBlock):
+ (JSC::CodeCache::makeFunctionKey):
+ (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
+ (JSC::CodeCache::usedFunctionCode):
+ * runtime/CodeCache.h:
+ (JSC::CodeCache::clear):
+
+2013-01-02 Filip Pizlo <fpizlo@apple.com>
+
+ DFG inlining machinery should be robust against the inline callee varying while the executable stays the same
+ https://bugs.webkit.org/show_bug.cgi?id=105953
+
+ Reviewed by Mark Hahnenberg.
+
+ This institutes the policy that if InlineCallFrame::callee is null, then the callee and scope have already
+ been stored into the true call frame (i.e. the place where the call frame of the inlined call would have
+ been) and so any attempt to access the callee or scope should do a load instead of assuming that the value
+ is constant. This wires the changes through the bytecode parser, the stack scanning logic, and the compiler
+ optimization phases and backends.
+
+ * bytecode/CodeOrigin.cpp:
+ (JSC::InlineCallFrame::dump):
+ * bytecode/CodeOrigin.h:
+ (CodeOrigin):
+ (InlineCallFrame):
+ (JSC::InlineCallFrame::isClosureCall):
+ (JSC::CodeOrigin::stackOffset):
+ (JSC):
+ * dfg/DFGAssemblyHelpers.h:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::get):
+ (InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::getScope):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGCSEPhase.cpp:
+ (CSEPhase):
+ (JSC::DFG::CSEPhase::genericPureCSE):
+ (JSC::DFG::CSEPhase::pureCSE):
+ (JSC::DFG::CSEPhase::pureCSERequiringSameInlineCallFrame):
+ (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * interpreter/CallFrame.cpp:
+ (JSC::CallFrame::trueCallFrame):
+
+2013-01-02 Gavin Barraclough <barraclough@apple.com>
+
+ Objective-C API for JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=105889
+
+ Reviewed by Geoff Garen.
+
+ Fixes for a number of issues raised by Darin.
+
+ * API/APIJSValue.h:
+ - Fix typos in comment
+ - Add newline before NS_CLASS_AVAILABLE(10_9, NA)
+ - cls -> expectedClass
+ - key type for -setObject:forKeyedSubscript: is now NSObject <NSCopying> *
+ * API/JSBase.h:
+ - JS_OBJC_API_ENABLED no longer implies __OBJC__
+ * API/JSBlockAdaptor.mm:
+ (BlockArgumentStruct::BlockArgumentStruct):
+ (BlockArgumentStruct):
+ - mark virtual functions as virtual, override, and private
+ - refactor out buffer allocation for struct types
+ (BlockArgumentTypeDelegate::typeVoid):
+ (BlockArgumentTypeDelegate::typeBlock):
+ (BlockArgumentTypeDelegate::typeStruct):
+ - return nil -> return 0
+ (BlockResultStruct::BlockResultStruct):
+ (BlockResultStruct):
+ - mark virtual functions as virtual, override, and private
+ - refactor out buffer allocation for struct types
+ (buildBlockSignature):
+ - %lu is not an appropriate format specifier for NSInteger
+ (-[JSBlockAdaptor initWithBlockSignatureFromProtocol:]):
+ - nil check [super init]
+ (-[JSBlockAdaptor blockMatchesSignature:]):
+ (-[JSBlockAdaptor blockFromValue:inContext:withException:]):
+ - ctx -> contextRef
+ * API/JSContext.h:
+ - Fix typos in comment
+ - Add newline before NS_CLASS_AVAILABLE(10_9, NA)
+ - key type for -setObject:forKeyedSubscript: is now NSObject <NSCopying> *
+ * API/JSContext.mm:
+ (-[JSContext initWithVirtualMachine:]):
+ - nil check [super init]
+ (+[JSContext currentArguments]):
+ - args -> argumentArray
+ (-[JSContext setObject:forKeyedSubscript:]):
+ - key type for -setObject:forKeyedSubscript: is now NSObject <NSCopying> *
+ (-[JSContext dealloc]):
+ (-[JSContext protect:]):
+ (-[JSContext unprotect:]):
+ - m_protected -> m_protectCounts
+ * API/JSValue.mm:
+ (-[JSValue toObjectOfClass:]):
+ - cls -> expectedClass
+ (-[JSValue toBool]):
+ (-[JSValue deleteProperty:]):
+ (-[JSValue hasProperty:]):
+ (-[JSValue isUndefined]):
+ (-[JSValue isNull]):
+ (-[JSValue isBoolean]):
+ (-[JSValue isNumber]):
+ (-[JSValue isString]):
+ (-[JSValue isObject]):
+ (-[JSValue isEqualToObject:]):
+ (-[JSValue isEqualWithTypeCoercionToObject:]):
+ (-[JSValue isInstanceOf:]):
+ - removed ? YES : NO
+ (-[JSValue callWithArguments:]):
+ (-[JSValue constructWithArguments:]):
+ (-[JSValue invokeMethod:withArguments:]):
+ - args -> argumentArray
+ (+[JSValue valueWithPoint:inContext:]):
+ (+[JSValue valueWithRange:inContext:]):
+ (+[JSValue valueWithRect:inContext:]):
+ (+[JSValue valueWithSize:inContext:]):
+ - [NSNumber numberWithFloat:] -> @()
+ (-[JSValue objectForKeyedSubscript:]):
+ (-[JSValue setObject:forKeyedSubscript:]):
+ - key type for -setObject:forKeyedSubscript: is now NSObject <NSCopying> *
+ (JSContainerConvertor):
+ (JSContainerConvertor::isWorkListEmpty):
+ (JSContainerConvertor::convert):
+ (ObjcContainerConvertor):
+ (ObjcContainerConvertor::isWorkListEmpty):
+ - remove WTF::
+ - isWorkListEmpty is const
+ (objectToValue):
+ - use fast enumeration
+ (-[JSValue initWithValue:inContext:]):
+ - nil check [super init]
+ (getStructTagHandler):
+ - m_structHandlers -> structHandlers
+ * API/JSVirtualMachine.h:
+ - Add newline before NS_CLASS_AVAILABLE(10_9, NA)
+ * API/JSVirtualMachine.mm:
+ (-[JSVirtualMachine init]):
+ - nil check [super init]
+ * API/JSWrapperMap.mm:
+ (selectorToPropertyName):
+ (copyPrototypeProperties):
+ - remove WTF::
+ - use static_cast
+ (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
+ (-[JSWrapperMap initWithContext:]):
+ - nil check [super init]
+ (-[JSWrapperMap wrapperForObject:]):
+ (tryUnwrapObjcObject):
+ - enable ASSERT
+ (getJSExportProtocol):
+ (getNSBlockClass):
+ - remove if check on initializing static
+ * API/JavaScriptCore.h:
+ - JS_OBJC_API_ENABLED no longer implies __OBJC__
+ * API/ObjCCallbackFunction.mm:
+ (CallbackArgumentOfClass):
+ (CallbackArgumentOfClass::~CallbackArgumentOfClass):
+ (CallbackArgumentStruct::CallbackArgumentStruct):
+ (CallbackArgumentStruct):
+ (CallbackArgumentBlockCallback):
+ - mark virtual functions as virtual, override, and private
+ - refactor out buffer allocation for struct types
+ (ArgumentTypeDelegate::typeVoid):
+ (ArgumentTypeDelegate::typeOfClass):
+ (ArgumentTypeDelegate::typeStruct):
+ - return nil -> return 0
+ (CallbackResultStruct::CallbackResultStruct):
+ (CallbackResultStruct):
+ - mark virtual functions as virtual, override, and private
+ - refactor out buffer allocation for struct types
+ (ResultTypeDelegate::typeStruct):
+ - return nil -> return 0
+ (ObjCCallbackFunction):
+ - remove WTF::
+ (objCCallbackFunctionFinalize):
+ - use static_cast
+ (objCCallbackFunctionCallAsFunction):
+ - Fix typos in comment
+ (createObjCCallbackFunctionClass):
+ (objCCallbackFunctionClass):
+ - Split out createObjCCallbackFunctionClass from objCCallbackFunctionClass
+ (ObjCCallbackFunction::call):
+ - ctx -> contextRef
+ (blockSignatureContainsClass):
+ - Remove tri-state enum.
+ (skipNumber):
+ - isdigit -> isASCIIDigit
+ (objCCallbackFunctionForInvocation):
+ - clean up & comment blockSignatureContainsClass() usage
+ (tryUnwrapBlock):
+ - use static_cast
+ * API/ObjcRuntimeExtras.h:
+ (forEachProtocolImplementingProtocol):
+ (forEachMethodInClass):
+ (forEachMethodInProtocol):
+ (forEachPropertyInProtocol):
+ - Remove WTF::
+ - Remove if (count) checks
+ (skipPair):
+ - NSUInteger -> size_t
+ (StringRange):
+ (StringRange::operator const char*):
+ (StringRange::get):
+ (StructBuffer):
+ (StructBuffer::StructBuffer):
+ (StructBuffer::~StructBuffer):
+ (StructBuffer::operator void*):
+ - Added helper for creating an aligned buffer, used by struct conversion invocations.
+ (parseObjCType):
+ - *(position++) -> *position++
+ * API/tests/testapi.c:
+ - PLATFORM(MAC) -> JS_OBJC_API_ENABLED
+ * API/tests/testapi.m:
+ (blockSignatureContainsClass):
+ - Remove tri-state enum.
+ (testObjectiveCAPI):
+ - Added more result type checks.
+
+2013-01-02 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should not use the InlineCallFrame's callee when it could have used the executable istead
+ https://bugs.webkit.org/show_bug.cgi?id=105947
+
+ Reviewed by Mark Hahnenberg.
+
+ We shouldn't use the callee to get the executable when we have the executable already. Not only
+ does this make the logic more clear, but it also allows for a world where the executable is known
+ but the callee isn't.
+
+ * dfg/DFGAssemblyHelpers.h:
+ (JSC::DFG::AssemblyHelpers::strictModeFor):
+
+2013-01-02 Filip Pizlo <fpizlo@apple.com>
+
+ DFG inliner should not use the callee's bytecode variable for resolving references to the callee in inlined code
+ https://bugs.webkit.org/show_bug.cgi?id=105938
+
+ Reviewed by Mark Hahnenberg.
+
+ This simplifies a bunch of code for referring to the callee. It also ought to simplify how we do
+ closure call inlining: for inlined closure call frames we will simply require that the callee is
+ already stashed on the stack in the Callee slot in the inline call frame header.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::getDirect):
+ (JSC::DFG::ByteCodeParser::get):
+ (InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::parse):
+
+2013-01-02 Ryosuke Niwa <rniwa@webkit.org>
+
+ Another Windows port build fix attempt. Try not exporting this symbol from JSC
+ since it's also compiled in WebCore.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2013-01-02 Csaba Osztrogonác <ossy@webkit.org>
+
+ One more unreviewed buildfix after r138609.
+
+ * jit/JITCall.cpp: Add a missing include.
+
+2013-01-02 Csaba Osztrogonác <ossy@webkit.org>
+
+ Unreviewed buildfix after r138609.
+
+ * jit/JITCall32_64.cpp: Add a missing include.
+
+2013-01-01 Filip Pizlo <fpizlo@apple.com>
+
+ Baseline JIT should have closure call caching
+ https://bugs.webkit.org/show_bug.cgi?id=105900
+
+ Reviewed by Gavin Barraclough.
+
+ This is not a speed-up by itself, but is meant to allow the DFG inliner to
+ accurately discern between closure calls and non-closure calls, so that it can
+ do closure call inlining in the future.
+
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::computeFromLLInt):
+ (JSC::CallLinkStatus::computeFor):
+ * bytecode/CallLinkStatus.h:
+ (JSC::CallLinkStatus::CallLinkStatus):
+ (JSC::CallLinkStatus::isClosureCall):
+ (CallLinkStatus):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleCall):
+ * jit/JIT.cpp:
+ (JSC::JIT::linkFor):
+ (JSC::JIT::linkSlowCall):
+ * jit/JIT.h:
+ (JSC::JIT::compileClosureCall):
+ * jit/JITCall.cpp:
+ (JSC::JIT::privateCompileClosureCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::privateCompileClosureCall):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ * jit/JITStubs.h:
+ * jit/ThunkGenerators.cpp:
+ (JSC::linkClosureCallGenerator):
+ * jit/ThunkGenerators.h:
+
+2013-01-01 Dan Bernstein <mitz@apple.com>
+
+ <rdar://problem/12942239> Update copyright strings
+
+ Reviewed by Sam Weinig.
+
+ * Info.plist:
+
+2012-12-31 Gavin Barraclough <barraclough@apple.com>
+
+ Objective-C API for JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=105889
+
+ Reviewed by Filip Pizlo.
+
+ For a detailed description of the API implemented here, see:
+ JSContext.h
+ APIJSValue.h
+ JSVirtualMachine.h
+ JSExport.h
+ Still to do -
+ (1) Shoud rename APIJSValue.h -> JSValue.h (but we'll have to rename JSValue.h first).
+ (2) Numerous FIXMEs, all with separate bugs filed.
+
+ * API/APIJSValue.h: Added.
+ - this Objective-C class is used to reference a JavaScript object.
+ * API/JSBase.h:
+ - added JS_OBJC_API_ENABLED macro to control ObjC API support.
+ * API/JSBlockAdaptor.h: Added.
+ - this Objective-C class is used in creating a special NSBlock proxying a JavaScript function.
+ * API/JSBlockAdaptor.mm: Added.
+ (BlockArgument):
+ (BlockArgument::~BlockArgument):
+ (BlockArgumentBoolean):
+ (BlockArgumentBoolean::get):
+ (BlockArgumentNumeric):
+ (BlockArgumentNumeric::get):
+ (BlockArgumentId):
+ (BlockArgumentId::get):
+ (BlockArgumentStruct):
+ (BlockArgumentStruct::BlockArgumentStruct):
+ (BlockArgumentStruct::~BlockArgumentStruct):
+ (BlockArgumentStruct::get):
+ - decoded arguent type information of a JSBlockAdaptor.
+ (BlockArgumentTypeDelegate):
+ (BlockArgumentTypeDelegate::typeInteger):
+ (BlockArgumentTypeDelegate::typeDouble):
+ (BlockArgumentTypeDelegate::typeBool):
+ (BlockArgumentTypeDelegate::typeVoid):
+ (BlockArgumentTypeDelegate::typeId):
+ (BlockArgumentTypeDelegate::typeOfClass):
+ (BlockArgumentTypeDelegate::typeBlock):
+ (BlockArgumentTypeDelegate::typeStruct):
+ - delegate for use in conjunction with parseObjCType.
+ (BlockResult):
+ (BlockResult::~BlockResult):
+ (BlockResultVoid):
+ (BlockResultVoid::set):
+ (BlockResultInteger):
+ (BlockResultInteger::set):
+ (BlockResultDouble):
+ (BlockResultDouble::set):
+ (BlockResultBoolean):
+ (BlockResultBoolean::set):
+ (BlockResultStruct):
+ (BlockResultStruct::BlockResultStruct):
+ (BlockResultStruct::~BlockResultStruct):
+ (BlockResultStruct::set):
+ - decoded result type information of a JSBlockAdaptor.
+ (buildBlockSignature):
+ - partial step in constructing a signature with stack offset information from one without.
+ (-[JSBlockAdaptor initWithBlockSignatureFromProtocol:]):
+ - constructor.
+ (-[JSBlockAdaptor blockMatchesSignature:]):
+ - check whether signature strings match, where only one contains stack frame offsets.
+ (-[JSBlockAdaptor blockFromValue:inContext:withException:]):
+ - use the adaptor to create a special forwarding block.
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::::inherits):
+ - add missing braces to multiline for statement.
+ * API/JSContext.h: Added.
+ - this Objective-C class is used to reference a JavaScript context.
+ * API/JSContext.mm: Added.
+ (-[JSContext init]):
+ - constructor.
+ (-[JSContext initWithVirtualMachine:]):
+ - construct in a given VM (JSGlobalData).
+ (-[JSContext evaluateScript:]):
+ (-[JSContext globalObject]):
+ - evaluate a script, global object accessor.
+ (+[JSContext currentContext]):
+ (+[JSContext currentThis]):
+ (+[JSContext currentArguments]):
+ - These methods obtain context, this, arguments from within a callback.
+ (-[JSContext virtualMachine]):
+ - implementation for .virtualMachine property.
+ (-[JSContext objectForKeyedSubscript:]):
+ (-[JSContext setObject:forKeyedSubscript:]):
+ - support for subscript property access.
+ (contextInternalContext):
+ - internal accessor to m_context.
+ (-[JSContext dealloc]):
+ - desctructor.
+ (-[JSContext notifyException:]):
+ (-[JSContext valueFromNotifyException:]):
+ (-[JSContext boolFromNotifyException:]):
+ - internal method to record an exception was thrown.
+ (-[JSContext beginCallbackWithData:thisValue:argumentCount:arguments:]):
+ (-[JSContext endCallbackWithData:]):
+ - internal methods to push/pop a callback record.
+ (-[JSContext protect:]):
+ (-[JSContext unprotect:]):
+ - internal methods to add a value to a protect set (used to protect the internal property of JSValue).
+ (-[JSContext wrapperForObject:]):
+ - internal method to create a wrapper object.
+ (WeakContextRef::WeakContextRef):
+ (WeakContextRef::~WeakContextRef):
+ (WeakContextRef::get):
+ (WeakContextRef::set):
+ - Helper class to implement a weak reference to a JSContext.
+ * API/JSContextInternal.h: Added.
+ (CallbackData):
+ (WeakContextRef):
+ - see API/JSContext.mm for description of internal methods.
+ * API/JSExport.h: Added.
+ - Provides JSExport protocol & JSExportAs macro.
+ * API/JSValue.mm: Added.
+ (+[JSValue valueWithObject:inContext:]):
+ (+[JSValue valueWithBool:inContext:]):
+ (+[JSValue valueWithDouble:inContext:]):
+ (+[JSValue valueWithInt32:inContext:]):
+ (+[JSValue valueWithUInt32:inContext:]):
+ (+[JSValue valueWithNewObjectInContext:]):
+ (+[JSValue valueWithNewArrayInContext:]):
+ (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
+ (+[JSValue valueWithNewErrorFromMessage:inContext:]):
+ (+[JSValue valueWithNullInContext:]):
+ (+[JSValue valueWithUndefinedInContext:]):
+ - Constructors.
+ (-[JSValue toObject]):
+ (-[JSValue toObjectOfClass:]):
+ (-[JSValue toBool]):
+ (-[JSValue toDouble]):
+ (-[JSValue toInt32]):
+ (-[JSValue toUInt32]):
+ (-[JSValue toNumber]):
+ (-[JSValue toString]):
+ (-[JSValue toDate]):
+ (-[JSValue toArray]):
+ (-[JSValue toDictionary]):
+ - Conversion to Objective-C types.
+ (-[JSValue valueForProperty:]):
+ (-[JSValue setValue:forProperty:]):
+ (-[JSValue deleteProperty:]):
+ (-[JSValue hasProperty:]):
+ (-[JSValue defineProperty:descriptor:]):
+ - Property access by property name.
+ (-[JSValue valueAtIndex:]):
+ (-[JSValue setValue:atIndex:]):
+ - Property access by index.
+ (-[JSValue isUndefined]):
+ (-[JSValue isNull]):
+ (-[JSValue isBoolean]):
+ (-[JSValue isNumber]):
+ (-[JSValue isString]):
+ (-[JSValue isObject]):
+ - Test JavaScript type.
+ (-[JSValue isEqualToObject:]):
+ (-[JSValue isEqualWithTypeCoercionToObject:]):
+ (-[JSValue isInstanceOf:]):
+ - ===, ==, instanceof operators.
+ (-[JSValue callWithArguments:]):
+ (-[JSValue constructWithArguments:]):
+ (-[JSValue invokeMethod:withArguments:]):
+ - Call & construct.
+ (-[JSValue context]):
+ - implementation for .context property.
+ (-[JSValue toPoint]):
+ (-[JSValue toRange]):
+ (-[JSValue toRect]):
+ (-[JSValue toSize]):
+ (+[JSValue valueWithPoint:inContext:]):
+ (+[JSValue valueWithRange:inContext:]):
+ (+[JSValue valueWithRect:inContext:]):
+ (+[JSValue valueWithSize:inContext:]):
+ - Support for NS struct types.
+ (-[JSValue objectForKeyedSubscript:]):
+ (-[JSValue objectAtIndexedSubscript:]):
+ (-[JSValue setObject:forKeyedSubscript:]):
+ (-[JSValue setObject:atIndexedSubscript:]):
+ - support for subscript property access.
+ (isDate):
+ (isArray):
+ - internal helper functions to check for instances of JS Date, Array types.
+ (JSContainerConvertor):
+ (Task):
+ (JSContainerConvertor::JSContainerConvertor):
+ (JSContainerConvertor::isWorkListEmpty):
+ (JSContainerConvertor::convert):
+ (JSContainerConvertor::add):
+ (JSContainerConvertor::take):
+ - helper class for tracking state while converting to Array/Dictionary objects.
+ (valueToObjectWithoutCopy):
+ (containerValueToObject):
+ (valueToObject):
+ (valueToNumber):
+ (valueToString):
+ (valueToDate):
+ (valueToArray):
+ (valueToDictionary):
+ - function for converting JavaScript values to Objective-C objects.
+ (ObjcContainerConvertor):
+ (ObjcContainerConvertor::ObjcContainerConvertor):
+ (ObjcContainerConvertor::isWorkListEmpty):
+ (ObjcContainerConvertor::convert):
+ (ObjcContainerConvertor::add):
+ (ObjcContainerConvertor::take):
+ - helper class for tracking state while converting to Array/Dictionary values.
+ (objectToValueWithoutCopy):
+ (objectToValue):
+ (valueInternalValue):
+ - function for converting Objective-C objects to JavaScript values.
+ (+[JSValue valueWithValue:inContext:]):
+ (-[JSValue initWithValue:inContext:]):
+ - internal constructors.
+ (StructTagHandler):
+ (getStructTagHandler):
+ (+[JSValue selectorForStructToValue:]):
+ (+[JSValue selectorForValueToStruct:]):
+ - methods to tracking struct types that support conversion to/from JSValue.
+ (-[JSValue dealloc]):
+ - destructor.
+ (-[JSValue description]):
+ - Objective-C to-NSString conversion.
+ (typeToValueInvocationFor):
+ (valueToTypeInvocationFor):
+ - create invocation objects for conversion to/from JSValue.
+ * API/JSValueInternal.h: Added.
+ - see API/JSValue.mm for description of internal methods.
+ * API/JSVirtualMachine.h: Added.
+ - this Objective-C class is used to reference a JavaScript virtual machine (JSGlobalData).
+ * API/JSVirtualMachine.mm: Added.
+ (-[JSVirtualMachine init]):
+ (-[JSVirtualMachine dealloc]):
+ - constructor & destructor.
+ (getGroupFromVirtualMachine):
+ - internal accessor for m_group property.
+ * API/JSVirtualMachineInternal.h: Added.
+ - see API/JSVirtualMachine.mm for description of internal methods.
+ * API/JSWrapperMap.h: Added.
+ * API/JSWrapperMap.mm: Added.
+ (wrapperClass):
+ - singleton root for detction (& unwrapping) of wrapper objects.
+ (selectorToPropertyName):
+ - default selector to property name conversion.
+ (createObjectWithCustomBrand):
+ - creates a JSObject with a custom NativeBrand (class name).
+ (createRenameMap):
+ - parse @optional properties of a JSExport protocol.
+ (putNonEnumerable):
+ - property put with enumerable=false.
+ (copyMethodsToObject):
+ - iterate methods in a protocol; add functions to a JSObject.
+ (parsePropertyAttributes):
+ - examine protocol property metadata.
+ (makeSetterName):
+ - "foo" -> "setFoo"
+ (copyPrototypeProperties):
+ - create properties on a Protocol object reflecting the instance methods & properties of a protocol.
+ (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
+ (-[JSObjCClassInfo dealloc]):
+ (-[JSObjCClassInfo wrapperForObject:]):
+ (-[JSObjCClassInfo constructor]):
+ - cache the Protocol/Constructor objects for an Objective-C type.
+ (-[JSWrapperMap initWithContext:]):
+ (-[JSWrapperMap dealloc]):
+ - constructor & desctructor.
+ (-[JSWrapperMap classInfoForClass:]):
+ - maps Class -> JSObjCClassInfo.
+ (-[JSWrapperMap wrapperForObject:]):
+ - cretae or retrieve a cached wrapper value for an object.
+ (tryUnwrapObjcObject):
+ - check whether a value is a wrapper object; unwrap if so.
+ * API/JavaScriptCore.h:
+ - Added includes for new API headers.
+ * API/ObjCCallbackFunction.h: Added.
+ - this class is used to wrap Objective-C instance methods, class methods & blocks as JSFunction objects.
+ * API/ObjCCallbackFunction.mm: Added.
+ (CallbackArgument):
+ (CallbackArgument::~CallbackArgument):
+ (CallbackArgumentBoolean):
+ (CallbackArgumentBoolean::set):
+ (CallbackArgumentInteger):
+ (CallbackArgumentInteger::set):
+ (CallbackArgumentDouble):
+ (CallbackArgumentDouble::set):
+ (CallbackArgumentJSValue):
+ (CallbackArgumentJSValue::set):
+ (CallbackArgumentId):
+ (CallbackArgumentId::set):
+ (CallbackArgumentOfClass):
+ (CallbackArgumentOfClass::CallbackArgumentOfClass):
+ (CallbackArgumentOfClass::~CallbackArgumentOfClass):
+ (CallbackArgumentOfClass::set):
+ (CallbackArgumentNSNumber):
+ (CallbackArgumentNSNumber::set):
+ (CallbackArgumentNSString):
+ (CallbackArgumentNSString::set):
+ (CallbackArgumentNSDate):
+ (CallbackArgumentNSDate::set):
+ (CallbackArgumentNSArray):
+ (CallbackArgumentNSArray::set):
+ (CallbackArgumentNSDictionary):
+ (CallbackArgumentNSDictionary::set):
+ (CallbackArgumentStruct):
+ (CallbackArgumentStruct::CallbackArgumentStruct):
+ (CallbackArgumentStruct::~CallbackArgumentStruct):
+ (CallbackArgumentStruct::set):
+ (CallbackArgumentBlockCallback):
+ (CallbackArgumentBlockCallback::CallbackArgumentBlockCallback):
+ (CallbackArgumentBlockCallback::~CallbackArgumentBlockCallback):
+ (CallbackArgumentBlockCallback::set):
+ - decoded arguent type information of a ObjCCallbackFunction.
+ (ArgumentTypeDelegate):
+ (ArgumentTypeDelegate::typeInteger):
+ (ArgumentTypeDelegate::typeDouble):
+ (ArgumentTypeDelegate::typeBool):
+ (ArgumentTypeDelegate::typeVoid):
+ (ArgumentTypeDelegate::typeId):
+ (ArgumentTypeDelegate::typeOfClass):
+ (ArgumentTypeDelegate::typeBlock):
+ (ArgumentTypeDelegate::typeStruct):
+ - delegate for use in conjunction with parseObjCType.
+ (CallbackResult):
+ (CallbackResult::~CallbackResult):
+ (CallbackResultVoid):
+ (CallbackResultVoid::get):
+ (CallbackResultId):
+ (CallbackResultId::get):
+ (CallbackResultNumeric):
+ (CallbackResultNumeric::get):
+ (CallbackResultBoolean):
+ (CallbackResultBoolean::get):
+ (CallbackResultStruct):
+ (CallbackResultStruct::CallbackResultStruct):
+ (CallbackResultStruct::~CallbackResultStruct):
+ (CallbackResultStruct::get):
+ - decoded result type information of a ObjCCallbackFunction.
+ (ResultTypeDelegate):
+ (ResultTypeDelegate::typeInteger):
+ (ResultTypeDelegate::typeDouble):
+ (ResultTypeDelegate::typeBool):
+ (ResultTypeDelegate::typeVoid):
+ (ResultTypeDelegate::typeId):
+ (ResultTypeDelegate::typeOfClass):
+ (ResultTypeDelegate::typeBlock):
+ (ResultTypeDelegate::typeStruct):
+ - delegate for use in conjunction with parseObjCType.
+ (ObjCCallbackFunction):
+ (ObjCCallbackFunction::ObjCCallbackFunction):
+ (ObjCCallbackFunction::~ObjCCallbackFunction):
+ - constructor & destructor.
+ (ObjCCallbackFunction::context):
+ - accessor.
+ (ObjCCallbackFunction::wrappedBlock):
+ - attemmpt to unwrap a block object.
+ (objCCallbackFunctionFinalize):
+ (objCCallbackFunctionCallAsFunction):
+ (objCCallbackFunctionClass):
+ - JSClassRef used to represent ObjCCallbackFunction objects.
+ (ObjCCallbackFunction::call):
+ (blockSignatureContainsClass):
+ - helper function to determine if we're running on a recent Clang.
+ (skipNumber):
+ - helper used in parsing signature strings.
+ (objCCallbackFunctionForInvocation):
+ (objCCallbackFunctionForMethod):
+ (objCCallbackFunctionForBlock):
+ - functions to try to create ObjCCallbackFunction instances for methods/blocks.
+ (tryUnwrapBlock):
+ - attemmpt to unwrap a block object.
+ * API/ObjcRuntimeExtras.h: Added.
+ (protocolImplementsProtocol):
+ (forEachProtocolImplementingProtocol):
+ (forEachMethodInClass):
+ (forEachMethodInProtocol):
+ (forEachPropertyInProtocol):
+ - functions used in reflecting on Objective-C types.
+ (skipPair):
+ - parsing helper used by parseObjCType, scans for matching parentheses.
+ (StringRange):
+ (StringRange::StringRange):
+ (StringRange::~StringRange):
+ (StringRange::operator const char*):
+ (StringRange::get):
+ - Helper class - create a c string copy of a range of an existing string.
+ (parseObjCType):
+ - function to parse Objective-C type strings, makes callbacks to a deleagte.
+ * API/tests/testapi.c:
+ (main):
+ - added call to testObjectiveCAPI (in testapi.m).
+ * API/tests/testapi.m: Added.
+ (+[ParentObject parentTest]):
+ (+[TestObject testObject]):
+ (+[TestObject classTest]):
+ (-[TestObject getString]):
+ (-[TestObject testArgumentTypesWithInt:double:boolean:string:number:array:dictionary:]):
+ (-[TestObject callback:]):
+ (-[TextXYZ test:]):
+ - test object, used in various test vases.
+ (checkResult):
+ - helper function.
+ (blockSignatureContainsClass):
+ - helper function to determine if we're running on a recent Clang.
+ (testObjectiveCAPI):
+ - new test cases.
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ - added new files.
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ - added m_apiData - provide convenient storage for use by the API.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::JSGlobalObject):
+ * runtime/JSGlobalObject.h:
+ (JSGlobalObject):
+ - added m_apiData - provide convenient storage for use by the API.
+
+2012-12-27 Csaba Osztrogonác <ossy@webkit.org>
+
+ One more unreviwed holiday MIPS and SH4 buildfixes after r138516.
+
+ * jit/ThunkGenerators.cpp:
+
+2012-12-27 Csaba Osztrogonác <ossy@webkit.org>
+
+ Unreviwed holiday ARM and SH4 buildfixes after r138516.
+
+ * jit/ThunkGenerators.cpp:
+ (JSC::nativeForGenerator):
+
+2012-12-26 Filip Pizlo <fpizlo@apple.com>
+
+ All JIT stubs should go through the getCTIStub API
+ https://bugs.webkit.org/show_bug.cgi?id=105750
+
+ Reviewed by Sam Weinig.
+
+ Previously JITThunks had two sets of thunks: one static set stored in a struct,
+ which was filled by JIT::privateCompileCTITrampolines, and another set stored in
+ a HashMap. Moreover, the code to generate the code for the CTI trampoline struct
+ had loads of copy-paste between JSVALUE32_64 and JSVALUE64, and was total
+ unmodular with respect to calls versus constructors, among other things.
+
+ This changeset removes this struct and rationalizes the code that generates those
+ thunks. All of thunks are now generated through the getCTIStub HashMap API. All
+ thunks for the baseline JIT now use the JSInterfaceJIT and have their codegen
+ located in ThunkGenerators.cpp. All thunks now share as much code as possible -
+ it turns out that they are almost 100% identical between 32_64 and 64, so that
+ works out great. A bunch of call vs. construct duplication was eliminated. And,
+ most of the call link versus virtual call duplication was also eliminated.
+
+ This does not change behavior but it does make it easier to add more thunks in
+ the future.
+
+ * bytecode/CallLinkInfo.cpp:
+ (JSC::CallLinkInfo::unlink):
+ * jit/JIT.cpp:
+ (JSC::JIT::linkFor):
+ * jit/JIT.h:
+ (JIT):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileCallEvalSlowCase):
+ (JSC::JIT::compileOpCallSlowCase):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileCallEvalSlowCase):
+ (JSC::JIT::compileOpCallSlowCase):
+ * jit/JITInlines.h:
+ (JSC):
+ * jit/JITOpcodes.cpp:
+ (JSC):
+ (JSC::JIT::privateCompileCTINativeCall):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC):
+ * jit/JITStubs.cpp:
+ (JSC::tryCacheGetByID):
+ * jit/JITThunks.cpp:
+ (JSC::JITThunks::JITThunks):
+ (JSC::JITThunks::ctiNativeCall):
+ (JSC::JITThunks::ctiNativeConstruct):
+ (JSC):
+ (JSC::JITThunks::hostFunctionStub):
+ * jit/JITThunks.h:
+ (JSC):
+ (JITThunks):
+ * jit/JSInterfaceJIT.h:
+ (JSInterfaceJIT):
+ (JSC::JSInterfaceJIT::emitJumpIfNotJSCell):
+ (JSC):
+ (JSC::JSInterfaceJIT::emitFastArithIntToImmNoCheck):
+ (JSC::JSInterfaceJIT::emitJumpIfNotType):
+ (JSC::JSInterfaceJIT::emitGetFromCallFrameHeaderPtr):
+ (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
+ (JSC::JSInterfaceJIT::emitPutImmediateToCallFrameHeader):
+ (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
+ (JSC::JSInterfaceJIT::preserveReturnAddressAfterCall):
+ (JSC::JSInterfaceJIT::restoreReturnAddressBeforeReturn):
+ (JSC::JSInterfaceJIT::restoreArgumentReference):
+ * jit/ThunkGenerators.cpp:
+ (JSC::generateSlowCaseFor):
+ (JSC):
+ (JSC::linkForGenerator):
+ (JSC::linkCallGenerator):
+ (JSC::linkConstructGenerator):
+ (JSC::virtualForGenerator):
+ (JSC::virtualCallGenerator):
+ (JSC::virtualConstructGenerator):
+ (JSC::stringLengthTrampolineGenerator):
+ (JSC::nativeForGenerator):
+ (JSC::nativeCallGenerator):
+ (JSC::nativeConstructGenerator):
+ (JSC::charCodeAtThunkGenerator):
+ (JSC::charAtThunkGenerator):
+ (JSC::fromCharCodeThunkGenerator):
+ (JSC::sqrtThunkGenerator):
+ (JSC::floorThunkGenerator):
+ (JSC::ceilThunkGenerator):
+ (JSC::roundThunkGenerator):
+ (JSC::expThunkGenerator):
+ (JSC::logThunkGenerator):
+ (JSC::absThunkGenerator):
+ (JSC::powThunkGenerator):
+ * jit/ThunkGenerators.h:
+ (JSC):
+ * runtime/Executable.h:
+ (NativeExecutable):
+ (JSC::NativeExecutable::nativeFunctionFor):
+ (JSC::NativeExecutable::offsetOfNativeFunctionFor):
+
+2012-12-25 Gyuyoung Kim <gyuyoung.kim@samsung.com>
+
+ [CMAKE] Remove header files in JavaScriptCore/CMakeLists.txt
+ https://bugs.webkit.org/show_bug.cgi?id=105753
+
+ Reviewed by Laszlo Gombos.
+
+ * CMakeLists.txt: Remove header files in source list.
+
+2012-12-25 Filip Pizlo <fpizlo@apple.com>
+
+ JITThunks should be in its own file
+ https://bugs.webkit.org/show_bug.cgi?id=105744
+
+ Rubber stamped by Sam Weinig.
+
+ Moved JITThunks into its own file and removed some static methods from it
+ that were not related to what JITThunks currently does. Performed various
+ pagan rituals to get it to build - apparently there is a circular dependency
+ between JSCell, Weak, and JITThunks, which magically resolves itself if you
+ make sure to first include Register.h. Making it so that fewer pagan rituals
+ need to be performed if this code changes in the future is covered by
+ https://bugs.webkit.org/show_bug.cgi?id=105696.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * jit/JITStubs.cpp:
+ (JSC::tryCachePutByID):
+ (JSC::tryCacheGetByID):
+ * jit/JITStubs.h:
+ (JSC::JITStackFrame::returnAddressSlot):
+ (JSC::returnAddressIsInCtiTrampoline):
+ * jit/JITThunks.cpp: Added.
+ (JSC::JITThunks::JITThunks):
+ (JSC::JITThunks::~JITThunks):
+ (JSC::JITThunks::ctiStub):
+ (JSC::JITThunks::hostFunctionStub):
+ (JSC::JITThunks::clearHostFunctionStubs):
+ * jit/JITThunks.h: Added.
+ (JSC::JITThunks::ctiStringLengthTrampoline):
+ (JSC::JITThunks::ctiVirtualCallLink):
+ (JSC::JITThunks::ctiVirtualConstructLink):
+ (JSC::JITThunks::ctiVirtualCall):
+ (JSC::JITThunks::ctiVirtualConstruct):
+ (JSC::JITThunks::ctiNativeCall):
+ (JSC::JITThunks::ctiNativeConstruct):
+ * jit/ThunkGenerator.h: Added.
+ * jit/ThunkGenerators.cpp:
+ * jit/ThunkGenerators.h:
+ * runtime/JSGlobalData.h:
+
+2012-12-25 Ilya Tikhonovsky <loislo@chromium.org>
+
+ Unreviewed follow-up for r138455.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2012-12-24 Ilya Tikhonovsky <loislo@chromium.org>
+
+ Unreviewed compilation fix for r138452.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2012-12-24 Laszlo Gombos <l.gombos@samsung.com>
+
+ Remove wtf/Platform.h includes from {c|cpp} files
+ https://bugs.webkit.org/show_bug.cgi?id=105678
+
+ Reviewed by Kentaro Hara.
+
+ Remove wtf/Platform.h from the include list as it is already
+ included in config.h.
+
+ * disassembler/udis86/udis86.c:
+ * disassembler/udis86/udis86_decode.c:
+ * disassembler/udis86/udis86_input.c:
+ * disassembler/udis86/udis86_itab_holder.c:
+ * disassembler/udis86/udis86_syn-att.c:
+ * disassembler/udis86/udis86_syn-intel.c:
+ * disassembler/udis86/udis86_syn.c:
+ * heap/VTableSpectrum.cpp:
+
+2012-12-21 Filip Pizlo <fpizlo@apple.com>
+
+ DFG Arrayify slow path should be out-of-line
+ https://bugs.webkit.org/show_bug.cgi?id=105400
+
+ Reviewed by Gavin Barraclough.
+
+ The interesting bit of this change is allowing out-of-line slow path generators
+ to emit speculation checks. This is accomplished by having a version of
+ speculationCheck() that returns a jump placeholder instead of taking a jump (or
+ jump list) as an argument. You can then fill in that jump placeholder at a
+ later time, so long as you do it before OSR exit linking. Slow path generators
+ run before linking, so that just naturally ends up working.
+
+ This isn't really a big win, but we know that out-of-lining slow paths is
+ generally a good thing to do, so it's fair to assume that this is a move in the
+ right direction.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * dfg/DFGArrayifySlowPathGenerator.h: Added.
+ (DFG):
+ (ArrayifySlowPathGenerator):
+ (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
+ (JSC::DFG::ArrayifySlowPathGenerator::generateInternal):
+ * dfg/DFGOSRExitJumpPlaceholder.cpp: Added.
+ (DFG):
+ (JSC::DFG::OSRExitJumpPlaceholder::fill):
+ * dfg/DFGOSRExitJumpPlaceholder.h: Added.
+ (DFG):
+ (OSRExitJumpPlaceholder):
+ (JSC::DFG::OSRExitJumpPlaceholder::OSRExitJumpPlaceholder):
+ (JSC::DFG::OSRExitJumpPlaceholder::operator!):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculationCheck):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::arrayify):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+
+2012-12-20 Oliver Hunt <oliver@apple.com>
+
+ Finally found the problem. Using the wrong JSContextGroup.
+
+ * API/tests/testapi.c:
+ (main):
+
+2012-12-20 Oliver Hunt <oliver@apple.com>
+
+ Try to convince bots to be happy with testapi.
+
+ * API/JSScriptRefPrivate.h:
+
+2012-12-20 Michael Saboff <msaboff@apple.com>
+
+ JIT: Change uninitialized pointer value -1 to constant
+ https://bugs.webkit.org/show_bug.cgi?id=105576
+
+ Rubber stamped by Gavin Barraclough.
+
+ Changed the use of -1 as a pointer value in the JITs to be the constant unusedPointer defined in the
+ new file jit/UnusedPointer.h. Made it's value 0xd1e7beef, which is a bad pointer on most architectures
+ because it is odd, and to distinguish it from other common values.
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::dfgResetGetByID):
+ (JSC::DFG::dfgResetPutByID):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::cachedGetById):
+ (JSC::DFG::SpeculativeJIT::cachedPutById):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::cachedGetById):
+ (JSC::DFG::SpeculativeJIT::cachedPutById):
+ * jit/JIT.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::resetPatchGetById):
+ (JSC::JIT::resetPatchPutById):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::resetPatchGetById):
+ (JSC::JIT::resetPatchPutById):
+ * jit/JITWriteBarrier.h:
+ (JSC::JITWriteBarrierBase::clearToUnusedPointer):
+ (JSC::JITWriteBarrierBase::get):
+ * jit/UnusedPointer.h: Added.
+
+2012-12-20 Filip Pizlo <fpizlo@apple.com>
+
+ DFG shouldn't emit CheckStructure on array accesses if exit profiling tells it not to
+ https://bugs.webkit.org/show_bug.cgi?id=105577
+
+ Reviewed by Mark Hahnenberg.
+
+ I don't know why this wasn't there from the beginning.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
+
+2012-12-19 Filip Pizlo <fpizlo@apple.com>
+
+ DFG speculation checks that take JumpList should consolidate OSRExits
+ https://bugs.webkit.org/show_bug.cgi?id=105401
+
+ Reviewed by Oliver Hunt.
+
+ Change OSRExitCompilationInfo to always contain a JumpList, and change JumpList
+ to be more compact. This way, a speculationCheck that takes a JumpList only has
+ to emit one OSRExit structure, and one OSRExit landing pad.
+
+ The downside is that we get less precise information about *where* we exited
+ from. So, this also includes changes to the profiler to be more relaxed about
+ what an ExitSite is.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JumpList):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::linkOSRExits):
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGJITCompiler.h:
+ (DFG):
+ (JSC::DFG::JITCompiler::appendExitInfo):
+ (JITCompiler):
+ * dfg/DFGOSRExitCompilationInfo.h:
+ (OSRExitCompilationInfo):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculationCheck):
+ (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
+ (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
+ * profiler/ProfilerCompilation.cpp:
+ (JSC::Profiler::Compilation::addOSRExitSite):
+ * profiler/ProfilerCompilation.h:
+ (Compilation):
+ * profiler/ProfilerOSRExitSite.cpp:
+ (JSC::Profiler::OSRExitSite::toJS):
+ * profiler/ProfilerOSRExitSite.h:
+ (JSC::Profiler::OSRExitSite::OSRExitSite):
+ (JSC::Profiler::OSRExitSite::codeAddress):
+ (OSRExitSite):
+
+2012-12-19 Oliver Hunt <oliver@apple.com>
+
+ Fix some incorrect tests in testapi.c
+
+ Reviewed by Simon Fraser.
+
+ * API/tests/testapi.c:
+ (main):
+
+2012-12-19 Filip Pizlo <fpizlo@apple.com>
+
+ JSObject::ensure<IndexingType> should gracefully handle InterceptsGetOwn..., and should never be called when the 'this' is not an object
+ https://bugs.webkit.org/show_bug.cgi?id=105468
+
+ Reviewed by Mark Hahnenberg, Oliver Hunt, and Gavin Barraclough.
+
+ Changed JSObject::ensure<IndexingType> methods to gracefully handle
+ InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero. Most of them handle it by returning
+ null as a result of indexingShouldBeSparse() returning true, while ensureArrayStorage handles it
+ by entering dictionary indexing mode, which forces the object to behave correctly even if there
+ is proxying or weird prototype stuff going on.
+
+ Changed DFGOperations entrypoints to reject non-objects, so that JSObject doesn't have to deal
+ with pretending to be JSString. In particular, this would go wrong in the ArrayStorage case
+ since we'd try to resize a butterfly on a JSString, but JSString has something other than
+ m_butterfly at that offset.
+
+ Finally, removed all InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero from JIT code
+ since those are now redundant.
+
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::arrayify):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::enterDictionaryIndexingMode):
+ (JSC::JSObject::ensureInt32Slow):
+ (JSC::JSObject::ensureDoubleSlow):
+ (JSC::JSObject::ensureContiguousSlow):
+ (JSC::JSObject::ensureArrayStorageSlow):
+ (JSC):
+ (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
+ * runtime/JSObject.h:
+ (JSObject):
+
+2012-12-19 Oliver Hunt <oliver@apple.com>
+
+ Tidy up JSScriptRef API
+ https://bugs.webkit.org/show_bug.cgi?id=105470
+
+ Reviewed by Anders Carlsson.
+
+ People found the API's use of a context confusing, so we'll switch to a JSContextGroup based
+ API, and drop a number of the unnecessary uses of contexts.
+
+ * API/JSScriptRef.cpp:
+ (OpaqueJSScript::globalData):
+ (parseScript):
+ * API/JSScriptRefPrivate.h:
+ * API/tests/testapi.c:
+ (main):
+
+2012-12-19 Alexis Menard <alexis@webkit.org>
+
+ Implement CSS parsing for CSS transitions unprefixed.
+ https://bugs.webkit.org/show_bug.cgi?id=104804
+
+ Reviewed by Dean Jackson.
+
+ Add a new flag ENABLE_CSS_TRANSFORMS_ANIMATIONS_TRANSITIONS_UNPREFIXED
+ to cover the work of unprefixing Transforms, Animations and
+ Transitions. It will let the possibility of each ports to turn it off
+ in their release branches until we're confident that these CSS
+ properties are ready to be unprefixed.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-12-18 Filip Pizlo <fpizlo@apple.com>
+
+ Proxies should set InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero
+ https://bugs.webkit.org/show_bug.cgi?id=105379
+
+ Reviewed by Gavin Barraclough.
+
+ Forgetting to set this flag led to the DFG trying to ensure array storage on a proxy. I've
+ now hardened the code with a release assertion as well as fixing the bug. A release assertion
+ is appropriate here since this is slow-path code.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::enterDictionaryIndexingMode):
+ (JSC::JSObject::ensureInt32Slow):
+ (JSC::JSObject::ensureDoubleSlow):
+ (JSC::JSObject::ensureContiguousSlow):
+ (JSC::JSObject::ensureArrayStorageSlowNoCheck):
+ (JSC::JSObject::ensureArrayStorageSlow):
+ (JSC):
+ (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
+ * runtime/JSObject.h:
+ (JSObject):
+ * runtime/JSProxy.h:
+ (JSProxy):
+
+2012-12-18 Oliver Hunt <oliver@apple.com>
+
+ Add a JSScriptRef API to JSC so that we can allow API users to avoid the full cost of reparsing everytime the execute a script.
+ https://bugs.webkit.org/show_bug.cgi?id=105340
+
+ Reviewed by Gavin Barraclough.
+
+ This patch adds a (currently private) API to allow users of the JSC API to create a JSScript object
+ that references a reusable version of the script that they wish to evaluate. This can help us avoid
+ numeorus copies that are otherwise induced by our existing API and gives us an opaque object that we
+ can hang various caches off. Currently this is simply a simple SourceProvider, but in future we may
+ be able to add more caching without requiring new/replacement APIs.
+
+ * API/JSScriptRef.cpp: Added.
+ * API/JSScriptRefPrivate.h: Added.
+ * API/tests/testapi.c:
+ Add tests for new APIs.
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2012-12-18 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode incorrectly checks for non-array array storage when it should be checking for array array storage
+ https://bugs.webkit.org/show_bug.cgi?id=105365
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
+
+2012-12-18 Filip Pizlo <fpizlo@apple.com>
+
+ SunSpider/date-format-tofte shouldn't compile each of the tiny worthless eval's only to OSR exit in the prologue every time
+ https://bugs.webkit.org/show_bug.cgi?id=105335
+
+ Reviewed by Geoffrey Garen.
+
+ The first thing I did was restructure the logic of canInlineResolveOperations(),
+ because I didn't understand it. This was relevant because the OSR exits are
+ caused by a resolve that the DFG cannot handle.
+
+ I was then going to make it so that we didn't compile the resolve at all, but
+ realized that this would not be the best fix: it didn't seem sensible to me to
+ be optimizing these evals after only 60 invocations. Evals should have a higher
+ threshold, since they often contain code for which the baseline JIT does a
+ pretty good job already (if all you've got is a single heap access or a single
+ hard-to-inline call, then the baseline JIT has got you covered), and typically
+ if we see one eval code block we expect to see more (from the same eval site):
+ so our typical low threshold could lead to a *lot* of compilation. As such, the
+ main effect of this patch is to introduce an evalThresholdMultiplier, which is
+ now set to 10.
+
+ This is a ~5% speed-up on data-format-tofte. No regressions anywhere as far as
+ I can see.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::codeTypeThresholdMultiplier):
+ (JSC):
+ (JSC::CodeBlock::optimizationThresholdScalingFactor):
+ (JSC::CodeBlock::exitCountThresholdForReoptimization):
+ (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canInlineResolveOperations):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * runtime/Options.h:
+ (JSC):
+
+2012-12-18 Filip Pizlo <fpizlo@apple.com>
+
+ Convert indexingTypeToString to IndexingTypeDump
+ https://bugs.webkit.org/show_bug.cgi?id=105351
+
+ Reviewed by Mark Hahnenberg.
+
+ This gets rid of another case of static char buffer[thingy].
+
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * runtime/IndexingType.cpp:
+ (JSC::dumpIndexingType):
+ * runtime/IndexingType.h:
+ (JSC):
+ * runtime/JSValue.cpp:
+ (JSC::JSValue::dump):
+
+2012-12-18 Beth Dakin <bdakin@apple.com>
+
+ https://bugs.webkit.org/show_bug.cgi?id=102579
+ [mac] Enable scaled cursors
+
+ Reviewed by Dean Jackson.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-12-18 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Restrictions on oversize CopiedBlock allocations should be relaxed
+ https://bugs.webkit.org/show_bug.cgi?id=105339
+
+ Reviewed by Filip Pizlo.
+
+ Currently the DFG has a single branch in the inline allocation path for property/array storage where
+ it checks to see if the number of bytes requested will fit in the current block. This does not match
+ what the C++ allocation path does; it checks if the requested number of bytes is oversize, and then
+ if it's not, it tries to fit it in the current block. The garbage collector assumes that ALL allocations
+ that are greater than 16KB are in oversize blocks. Therefore, this mismatch can lead to crashes when
+ the collector tries to perform some operation on a CopiedBlock.
+
+ To avoid adding an extra branch to the inline allocation path in the JIT, we should make it so that
+ oversize blocks are allocated on the same alignment boundaries so that there is a single mask to find
+ the block header of any CopiedBlock (rather than two, one for normal and one for oversize blocks), and
+ we should figure out if a block is oversize by some other method than just whatever the JSObject says
+ it is. One way we could record this info Region of the block, since we allocate a one-off Region for
+ oversize blocks.
+
+ * heap/BlockAllocator.h:
+ (JSC::Region::isCustomSize):
+ (Region):
+ (JSC::Region::createCustomSize):
+ (JSC::Region::Region):
+ (JSC::BlockAllocator::deallocateCustomSize):
+ * heap/CopiedBlock.h:
+ (CopiedBlock):
+ (JSC::CopiedBlock::isOversize):
+ (JSC):
+ * heap/CopiedSpace.cpp:
+ (JSC::CopiedSpace::tryAllocateOversize):
+ (JSC::CopiedSpace::tryReallocate):
+ (JSC::CopiedSpace::tryReallocateOversize):
+ * heap/CopiedSpace.h:
+ (CopiedSpace):
+ * heap/CopiedSpaceInlines.h:
+ (JSC::CopiedSpace::contains):
+ (JSC::CopiedSpace::tryAllocate):
+ (JSC):
+ * heap/CopyVisitor.h:
+ (CopyVisitor):
+ * heap/CopyVisitorInlines.h:
+ (JSC::CopyVisitor::checkIfShouldCopy):
+ (JSC::CopyVisitor::didCopy):
+ * heap/SlotVisitorInlines.h:
+ (JSC::SlotVisitor::copyLater):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::copyButterfly):
+
+2012-12-18 Joseph Pecoraro <pecoraro@apple.com>
+
+ [Mac] Add Build Phase to Check Headers for Inappropriate Macros (Platform.h macros)
+ https://bugs.webkit.org/show_bug.cgi?id=104279
+
+ Reviewed by David Kilzer.
+
+ Add a build phase to check the public JavaScriptCore headers for
+ inappropriate macros.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2012-12-18 Michael Saboff <msaboff@apple.com>
+
+ [Qt] Fix the ARMv7 build after r137976
+ https://bugs.webkit.org/show_bug.cgi?id=105270
+
+ Reviewed by Csaba Osztrogonác.
+
+ Add default value for Jump parameter to fix build.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::Jump::Jump):
+
+2012-12-17 Geoffrey Garen <ggaren@apple.com>
+
+ Constant fold !{number} in the parser
+ https://bugs.webkit.org/show_bug.cgi?id=105232
+
+ Reviewed by Filip Pizlo.
+
+ Typically, we wait for hot execution and constant fold in the DFG.
+ However, !0 and !1 are common enough in minifiers that it can be good
+ to get them out of the way early, for faster/smaller parsing and startup.
+
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::createLogicalNot): !{literal} is super simple, especially
+ since there's no literal form of NaN or Inf.
+
+2012-12-17 Filip Pizlo <fpizlo@apple.com>
+
+ DFG is too aggressive eliding overflow checks for additions involving large constants
+ https://bugs.webkit.org/show_bug.cgi?id=105239
+
+ Reviewed by Gavin Barraclough.
+
+ If we elide overflow checks on an addition (or subtraction) involving a larger-than-2^32 immediate,
+ then make sure that the non-constant child of the addition knows that he's got to do an overflow
+ check, by flowing the UsedAsNumber property at him.
+
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::addSpeculationMode):
+ (Graph):
+ (JSC::DFG::Graph::addShouldSpeculateInteger):
+ (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+
+2012-12-17 Michael Saboff <msaboff@apple.com>
+
+ DFG: Refactor DFGCorrectableJumpPoint to reduce size of OSRExit data
+ https://bugs.webkit.org/show_bug.cgi?id=105237
+
+ Reviewed by Filip Pizlo.
+
+ Replaced DFGCorrectableJumpPoint with OSRExitCompilationInfo which is used and kept alive only while we are
+ compiling in the DFG. Moved the patchable branch offset directly into OSRExit.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * assembler/AbstractMacroAssembler.h:
+ * dfg/DFGCorrectableJumpPoint.cpp: Removed.
+ * dfg/DFGCorrectableJumpPoint.h: Removed.
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::linkOSRExits):
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::appendExitJump):
+ (JITCompiler):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::OSRExit):
+ (JSC::DFG::OSRExit::setPatchableCodeOffset):
+ (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump):
+ (JSC::DFG::OSRExit::codeLocationForRepatch):
+ (JSC::DFG::OSRExit::correctJump):
+ * dfg/DFGOSRExit.h:
+ (OSRExit):
+ * dfg/DFGOSRExitCompilationInfo.h: Added.
+ (OSRExitCompilationInfo):
+ (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
+ (JSC::DFG::OSRExitCompilationInfo::failureJump):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculationCheck):
+ (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
+
+2012-12-17 Filip Pizlo <fpizlo@apple.com>
+
+ DFG is too aggressive with eliding overflow checks in loops
+ https://bugs.webkit.org/show_bug.cgi?id=105226
+
+ Reviewed by Mark Hahnenberg and Oliver Hunt.
+
+ If we see a variable's live range cross basic block boundaries, conservatively assume that it may
+ be part of a data-flow back-edge, and as a result, we may have entirely integer operations that
+ could lead to the creation of an integer that is out of range of 2^52 (the significand of a double
+ float). This does not seem to regress any of the benchmarks we care about, and it fixes the bug.
+
+ In future we may want to actually look at whether or not there was a data-flow back-edge instead
+ of being super conservative about it. But we have no evidence, yet, that this would help us on
+ real code.
+
+ * dfg/DFGNodeFlags.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+
+2012-12-17 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Butterfly::growArrayRight shouldn't be called on null Butterfly objects
+ https://bugs.webkit.org/show_bug.cgi?id=105221
+
+ Reviewed by Filip Pizlo.
+
+ Currently we depend upon the fact that Butterfly::growArrayRight works with null Butterfly
+ objects purely by coincidence. We should add a new static function that null checks the old
+ Butterfly object and creates a new one if it's null, or calls growArrayRight if it isn't for
+ use in the couple of places in JSObject that expect such behavior to work.
+
+ * runtime/Butterfly.h:
+ (Butterfly):
+ * runtime/ButterflyInlines.h:
+ (JSC::Butterfly::createOrGrowArrayRight):
+ (JSC):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::createInitialIndexedStorage):
+ (JSC::JSObject::createArrayStorage):
+
+2012-12-17 Filip Pizlo <fpizlo@apple.com>
+
+ javascript integer overflow
+ https://bugs.webkit.org/show_bug.cgi?id=104967
+
+ Reviewed by Mark Hahnenberg.
+
+ Fix PutScopedVar backward flow.
+
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+
+2012-12-16 Filip Pizlo <fpizlo@apple.com>
+
+ Rationalize array profiling for out-of-bounds and hole cases
+ https://bugs.webkit.org/show_bug.cgi?id=105139
+
+ Reviewed by Geoffrey Garen.
+
+ This makes ArrayProfile track whether or not we had out-of-bounds, which allows
+ for more precise decision-making in the DFG.
+
+ Also cleaned up ExitKinds for out-of-bounds and hole cases to make it easier to
+ look at them in the profiler.
+
+ Slight speed-up (5-8%) on SunSpider/crypto-md5.
+
+ * bytecode/ArrayProfile.cpp:
+ (JSC::ArrayProfile::computeUpdatedPrediction):
+ (JSC::ArrayProfile::briefDescription):
+ * bytecode/ArrayProfile.h:
+ (JSC::ArrayProfile::ArrayProfile):
+ (JSC::ArrayProfile::addressOfOutOfBounds):
+ (JSC::ArrayProfile::expectedStructure):
+ (JSC::ArrayProfile::structureIsPolymorphic):
+ (JSC::ArrayProfile::outOfBounds):
+ (JSC::ArrayProfile::polymorphicStructure):
+ * bytecode/CodeBlock.cpp:
+ (JSC::dumpChain):
+ * bytecode/ExitKind.cpp:
+ (JSC::exitKindToString):
+ (JSC::exitKindIsCountable):
+ * bytecode/ExitKind.h:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JIT.h:
+ * jit/JITInlines.h:
+ (JSC::JIT::emitArrayProfileOutOfBoundsSpecialCase):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitSlow_op_get_by_val):
+ (JSC::JIT::emitSlow_op_put_by_val):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitSlow_op_get_by_val):
+ (JSC::JIT::emitSlow_op_put_by_val):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2012-12-17 Balazs Kilvady <kilvadyb@homejinni.com>
+
+ Implement add64 for MIPS assembler after r136601
+ https://bugs.webkit.org/show_bug.cgi?id=104106
+
+ Reviewed by Zoltan Herczeg.
+
+ Added add64 function to MacroAssebler of MIPS.
+
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::add32):
+ (JSC::MacroAssemblerMIPS::add64):
+ (MacroAssemblerMIPS):
+
+2012-12-17 Jonathan Liu <net147@gmail.com>
+
+ Fix Math.pow implementation with MinGW-w64
+ https://bugs.webkit.org/show_bug.cgi?id=105087
+
+ Reviewed by Simon Hausmann.
+
+ The MinGW-w64 runtime has different behaviour for pow()
+ compared to other C runtimes. This results in the following
+ test262 tests failing with the latest MinGW-w64 runtime:
+ - S15.8.2.13_A14
+ - S15.8.2.13_A16
+ - S15.8.2.13_A20
+ - S15.8.2.13_A22
+
+ Handle the special cases that are different with MinGW-w64.
+
+ * runtime/MathObject.cpp:
+ (JSC::mathPow):
+
+2012-12-16 Filip Pizlo <fpizlo@apple.com>
+
+ Bytecode dumping should show rare case profiles
+ https://bugs.webkit.org/show_bug.cgi?id=105133
+
+ Reviewed by Geoffrey Garen.
+
+ Refactored the dumper to call dumpBytecodeCommandAndNewLine in just one place,
+ rather than in all of the places. Changed the rare case profile getters to use
+ tryBinarySearch rather than binarySearch, so that they can be used speculatively
+ even if you don't know that the bytecode has rare case profiles. This actually
+ increases our assertion level, since it means that in release builds we will get
+ null and crash rather than getting some random adjacent profile. And then this
+ adds some printing of the rare case profiles.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printUnaryOp):
+ (JSC::CodeBlock::printBinaryOp):
+ (JSC::CodeBlock::printConditionalJump):
+ (JSC::CodeBlock::printCallOp):
+ (JSC::CodeBlock::printPutByIdOp):
+ (JSC::CodeBlock::beginDumpProfiling):
+ (JSC):
+ (JSC::CodeBlock::dumpValueProfiling):
+ (JSC::CodeBlock::dumpArrayProfiling):
+ (JSC::CodeBlock::dumpRareCaseProfile):
+ (JSC::CodeBlock::dumpBytecode):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
+ (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset):
+
+2012-12-13 Filip Pizlo <fpizlo@apple.com>
+
+ Attempt to rationalize and simplify WTF::binarySearch
+ https://bugs.webkit.org/show_bug.cgi?id=104890
+
+ Reviewed by Maciej Stachowiak.
+
+ Switch to using the new binarySearch() API. No change in behavior.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::bytecodeOffset):
+ (JSC::CodeBlock::codeOriginForReturn):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::getStubInfo):
+ (JSC::CodeBlock::getByValInfo):
+ (JSC::CodeBlock::getCallLinkInfo):
+ (JSC::CodeBlock::dfgOSREntryDataForBytecodeIndex):
+ (JSC::CodeBlock::valueProfileForBytecodeOffset):
+ (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
+ (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::blockIndexForBytecodeOffset):
+ * dfg/DFGMinifiedGraph.h:
+ (JSC::DFG::MinifiedGraph::at):
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * profiler/ProfilerBytecodeSequence.cpp:
+ (JSC::Profiler::BytecodeSequence::indexForBytecodeIndex):
+
+2012-12-13 Filip Pizlo <fpizlo@apple.com>
+
+ Don't assert that flags <= 0x3ff in JSTypeInfo
+ https://bugs.webkit.org/show_bug.cgi?id=104988
+
+ Reviewed by Sam Weinig.
+
+ This assertion doesn't accomplish anything other than crashes.
+
+ * runtime/JSTypeInfo.h:
+ (JSC::TypeInfo::TypeInfo):
+
+2012-12-13 Filip Pizlo <fpizlo@apple.com>
+
+ Named lookups on HTML documents produce inconsistent results in JavaScriptCore bindings
+ https://bugs.webkit.org/show_bug.cgi?id=104623
+
+ Reviewed by Geoffrey Garen.
+
+ Add the notion of objects that HasImpureGetOwnPropertySlot, and use that to inhibit prototype chain caching
+ in some cases. This appears to be perf-neutral on benchmarks that we track.
+
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::tryCacheGetByID):
+ (JSC::DFG::tryBuildGetByIDProtoList):
+ * jit/JITStubs.cpp:
+ (JSC::JITThunks::tryCacheGetByID):
+ (JSC::DEFINE_STUB_FUNCTION):
+ * runtime/JSTypeInfo.h:
+ (JSC):
+ (JSC::TypeInfo::hasImpureGetOwnPropertySlot):
+ * runtime/Operations.h:
+ (JSC::normalizePrototypeChainForChainAccess):
+
+2012-12-13 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, roll out http://trac.webkit.org/changeset/137683.
+ It broke gmail.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::putStructureStoreElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canCompileOpcode):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * runtime/Operations.cpp:
+ (JSC::jsTypeStringForValue):
+ (JSC):
+ * runtime/Operations.h:
+ (JSC):
+
+2012-13-11 Oliver Hunt <oliver@apple.com>
+
+ Support op_typeof in the DFG
+ https://bugs.webkit.org/show_bug.cgi?id=98898
+
+ Reviewed by Filip Pizlo.
+
+ Adds a TypeOf node to the DFG to support op_typeof.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ We try to determine the result early here, and substitute in a constant.
+ Otherwise we leave the node intact, and set the result type to SpecString.
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ Parse op_typeof
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ TypeOf nodes can be subjected to pure CSE
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canCompileOpcode):
+ We can handle typeof.
+ * dfg/DFGNodeType.h:
+ (DFG):
+ Define the node.
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ Add operationTypeOf to support the non-trivial cases.
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ Actual codegen
+ * runtime/Operations.cpp:
+ (JSC::jsTypeStringForValue):
+ (JSC):
+ * runtime/Operations.h:
+ (JSC):
+ Some refactoring to allow us to get the type string for an
+ object without needing a callframe.
+
+2012-12-12 Filip Pizlo <fpizlo@apple.com>
+
+ OSR exit compiler should emit code for resetting the execution counter that matches the logic of ExecutionCounter.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=104791
+
+ Reviewed by Oliver Hunt.
+
+ The OSR exit compiler wants to make it so that every OSR exit does the equivalent
+ of:
+
+ codeBlock->m_jitExecuteCounter.setNewThreshold(
+ codeBlock->counterValueForOptimizeAfterLongWarmUp());
+
+ This logically involves:
+
+ - Resetting the counter to zero.
+ - Setting m_activeThreshold to counterValueForOptimizeAfterLongWarmUp().
+ - Figuring out the scaled threshold, subtracting the count so far (which is zero,
+ so this part is a no-op), and clipping (ExecuteCounter::clippedThreshold()).
+ - Setting m_counter to the negated clipped threshold.
+ - Setting m_totalCount to the previous count so far (which is zero) plus the
+ clipped threshold.
+
+ Because of the reset, which sets the count-so-far to zero, this amounts to:
+
+ - Setting m_activeThreshold to counterValueForOptimizeAfterLongWarmUp().
+ - Figuring out the clipped scaled threshold.
+ - Setting m_counter to the negated clipped scaled threshold.
+ - Setting m_totalCount to the (positive) clipped scaled threshold.
+
+ The code was previously not doing this, but now is. This is performance neutral.
+ The only change in behavior over what the code was previously doing (setting the
+ m_counter to the negated scaled threshold, without clipping, and then setting
+ the m_totalCount to the clipped scaled threshold) is that this will respond more
+ gracefully under memory pressure and will ensure that we get more value profile
+ LUBing before triggering recompilation. More LUBing is almost always a good
+ thing.
+
+ * dfg/DFGOSRExitCompiler.cpp:
+ (JSC::DFG::OSRExitCompiler::handleExitCounts):
+
+2012-12-12 Ilya Tikhonovsky <loislo@chromium.org>
+
+ Web Inspector: Native Memory Instrumentation: remove fake root MemoryObjectInfo.
+ https://bugs.webkit.org/show_bug.cgi?id=104796
+
+ Reviewed by Yury Semikhatsky.
+
+ It was not a good idea to introduce a fake root MemoryObjectInfo.
+ It makes a problem when we visit an object without its own MemoryObjectType.
+
+ Example: RenderBox has a global pointer to a hash map.
+ HashMap doesn't have its own object type because it is a generic container.
+ It will inherit object type from the fake root memory object info.
+ The same could happen for another container in another class with other MemoryObjectType.
+
+ This fact forces me to create custom process method for root objects
+ because they need to have their own MemoryObjectInfo with customisable memory object type.
+
+ Drive by fix: InstrumentedPointer* was replaced with Wrapper* because actually it is using
+ for instrumented and not instrumented object classes.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2012-12-11 Gabor Ballabas <gaborb@inf.u-szeged.hu>
+
+ Implement add64 for ARM traditional assembler after r136601
+ https://bugs.webkit.org/show_bug.cgi?id=104103
+
+ Reviewed by Zoltan Herczeg.
+
+ Implement add64 function for ARM traditional macroassembler.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::add64):
+ (MacroAssemblerARM):
+
+2012-12-11 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed. Fix build with DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE).
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::tallyFrequentExitSites):
+
+2012-12-11 Filip Pizlo <fpizlo@apple.com>
+
+ Profiler should show bytecode dumps as they would have been visible to the JITs, including the profiling data that the JITs would see
+ https://bugs.webkit.org/show_bug.cgi?id=104647
+
+ Reviewed by Oliver Hunt.
+
+ Adds more profiling data to bytecode dumps, and adds the ability to do a secondary
+ bytecode dump for each JIT compilation of a code block. This is relevant because both
+ the bytecodes, and the profiling data, may change after some number of executions.
+
+ Also fixes some random dumping code to use PrintStream& rather than
+ static const char[thingy].
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/ArrayProfile.cpp:
+ (JSC::dumpArrayModes):
+ (JSC::ArrayProfile::briefDescription):
+ * bytecode/ArrayProfile.h:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printGetByIdOp):
+ (JSC::CodeBlock::printGetByIdCacheStatus):
+ (JSC::CodeBlock::printCallOp):
+ (JSC::CodeBlock::dumpValueProfiling):
+ (JSC::CodeBlock::dumpArrayProfiling):
+ (JSC::CodeBlock::dumpBytecode):
+ * bytecode/CodeBlock.h:
+ * bytecode/ValueProfile.h:
+ (JSC::ValueProfileBase::briefDescription):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::dump):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompile):
+ * profiler/ProfilerBytecodeSequence.cpp: Added.
+ (JSC::Profiler::BytecodeSequence::BytecodeSequence):
+ (JSC::Profiler::BytecodeSequence::~BytecodeSequence):
+ (JSC::Profiler::BytecodeSequence::indexForBytecodeIndex):
+ (JSC::Profiler::BytecodeSequence::forBytecodeIndex):
+ (JSC::Profiler::BytecodeSequence::addSequenceProperties):
+ * profiler/ProfilerBytecodeSequence.h: Added.
+ (JSC::Profiler::BytecodeSequence::size):
+ (JSC::Profiler::BytecodeSequence::at):
+ * profiler/ProfilerBytecodes.cpp:
+ (JSC::Profiler::Bytecodes::Bytecodes):
+ (JSC::Profiler::Bytecodes::toJS):
+ * profiler/ProfilerBytecodes.h:
+ (JSC::Profiler::Bytecodes::instructionCount):
+ * profiler/ProfilerCompilation.cpp:
+ (JSC::Profiler::Compilation::addProfiledBytecodes):
+ (JSC::Profiler::Compilation::toJS):
+ * profiler/ProfilerCompilation.h:
+ (JSC::Profiler::Compilation::profiledBytecodesSize):
+ (JSC::Profiler::Compilation::profiledBytecodesAt):
+ * profiler/ProfilerDatabase.cpp:
+ (JSC::Profiler::Database::ensureBytecodesFor):
+ * profiler/ProfilerDatabase.h:
+ * profiler/ProfilerProfiledBytecodes.cpp: Added.
+ (JSC::Profiler::ProfiledBytecodes::ProfiledBytecodes):
+ (JSC::Profiler::ProfiledBytecodes::~ProfiledBytecodes):
+ (JSC::Profiler::ProfiledBytecodes::toJS):
+ * profiler/ProfilerProfiledBytecodes.h: Added.
+ (JSC::Profiler::ProfiledBytecodes::bytecodes):
+ * runtime/CommonIdentifiers.h:
+
+2012-12-11 Oswald Buddenhagen <oswald.buddenhagen@digia.com>
+
+ [Qt] delete dead include paths
+
+ Reviewed by Simon Hausmann.
+
+ followup to https://bugs.webkit.org/show_bug.cgi?id=93446
+
+ * JavaScriptCore.pri:
+
+2012-12-11 Julien BRIANCEAU <jbrianceau@nds.com>
+
+ Implement add64 for SH4 assembler to fix build after r136601
+ https://bugs.webkit.org/show_bug.cgi?id=104377
+
+ Reviewed by Zoltan Herczeg.
+
+ * assembler/MacroAssemblerSH4.h:
+ (JSC::MacroAssemblerSH4::add64):
+ (MacroAssemblerSH4):
+
+2012-12-10 Yury Semikhatsky <yurys@chromium.org>
+
+ Memory instrumentation: make sure each edge is reported only once
+ https://bugs.webkit.org/show_bug.cgi?id=104630
+
+ Reviewed by Pavel Feldman.
+
+ Changed exported symbols for MemoryInstrumentation.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2012-12-10 Filip Pizlo <fpizlo@apple.com>
+
+ Don't OSR exit just because a string is a rope
+ https://bugs.webkit.org/show_bug.cgi?id=104621
+
+ Reviewed by Michael Saboff.
+
+ Slight SunSpider speed-up at around the 0.7% level. This patch does the obvious
+ thing of calling a slow path to resolve ropes rather than OSR exiting if the
+ string is a rope.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::getIndexedPropertyStorageMayTriggerGC):
+ (ArrayMode):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::putStructureStoreElimination):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+
+2012-12-10 Gustavo Noronha Silva <gns@gnome.org>
+
+ Unreviewed distcheck fix.
+
+ * GNUmakefile.list.am:
+
+2012-12-10 Filip Pizlo <fpizlo@apple.com>
+
+ JSC profiling and debug dump code should use inferred names when possible
+ https://bugs.webkit.org/show_bug.cgi?id=104519
+
+ Reviewed by Oliver Hunt.
+
+ This does as advertised: the profiler now knows the inferred name of all code blocks,
+ and all uses of CodeBlock::dump() dump it along with the hash.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::inferredName):
+ (JSC::CodeBlock::dumpAssumingJITType):
+ * bytecode/CodeBlock.h:
+ * profiler/ProfilerBytecodes.cpp:
+ (JSC::Profiler::Bytecodes::Bytecodes):
+ (JSC::Profiler::Bytecodes::toJS):
+ * profiler/ProfilerBytecodes.h:
+ (JSC::Profiler::Bytecodes::inferredName):
+ * profiler/ProfilerDatabase.cpp:
+ (JSC::Profiler::Database::addBytecodes):
+ (JSC::Profiler::Database::ensureBytecodesFor):
+ * profiler/ProfilerDatabase.h:
+ * runtime/CommonIdentifiers.h:
+
+2012-12-09 Filip Pizlo <fpizlo@apple.com>
+
+ Profiler should say things about OSR exits
+ https://bugs.webkit.org/show_bug.cgi?id=104497
+
+ Reviewed by Oliver Hunt.
+
+ This adds support for profiling OSR exits. For each exit that is taken, the profiler
+ records the machine code address that the exit occurred on, the exit kind, the origin
+ stack, and the number of times that it happened.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * assembler/AbstractMacroAssembler.h:
+ (Jump):
+ (JSC::AbstractMacroAssembler::Jump::label):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::saveCompilation):
+ (CodeBlock):
+ (JSC::CodeBlock::compilation):
+ (DFGData):
+ * bytecode/DFGExitProfile.h:
+ (DFG):
+ * bytecode/ExitKind.cpp: Added.
+ (JSC):
+ (JSC::exitKindToString):
+ (JSC::exitKindIsCountable):
+ (WTF):
+ (WTF::printInternal):
+ * bytecode/ExitKind.h: Added.
+ (JSC):
+ (WTF):
+ * dfg/DFGGraph.h:
+ (Graph):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::linkOSRExits):
+ (JSC::DFG::JITCompiler::link):
+ (JSC::DFG::JITCompiler::compile):
+ (JSC::DFG::JITCompiler::compileFunction):
+ * dfg/DFGJITCompiler.h:
+ (JITCompiler):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * jit/JIT.cpp:
+ (JSC::JIT::JIT):
+ (JSC::JIT::privateCompile):
+ * jit/JIT.h:
+ (JIT):
+ * jit/JumpReplacementWatchpoint.h:
+ (JSC::JumpReplacementWatchpoint::sourceLabel):
+ (JumpReplacementWatchpoint):
+ * profiler/ProfilerCompilation.cpp:
+ (JSC::Profiler::Compilation::addOSRExitSite):
+ (Profiler):
+ (JSC::Profiler::Compilation::addOSRExit):
+ (JSC::Profiler::Compilation::toJS):
+ * profiler/ProfilerCompilation.h:
+ (Compilation):
+ * profiler/ProfilerDatabase.cpp:
+ (JSC::Profiler::Database::newCompilation):
+ * profiler/ProfilerDatabase.h:
+ (Database):
+ * profiler/ProfilerOSRExit.cpp: Added.
+ (Profiler):
+ (JSC::Profiler::OSRExit::OSRExit):
+ (JSC::Profiler::OSRExit::~OSRExit):
+ (JSC::Profiler::OSRExit::toJS):
+ * profiler/ProfilerOSRExit.h: Added.
+ (Profiler):
+ (OSRExit):
+ (JSC::Profiler::OSRExit::id):
+ (JSC::Profiler::OSRExit::origin):
+ (JSC::Profiler::OSRExit::exitKind):
+ (JSC::Profiler::OSRExit::isWatchpoint):
+ (JSC::Profiler::OSRExit::counterAddress):
+ (JSC::Profiler::OSRExit::count):
+ * profiler/ProfilerOSRExitSite.cpp: Added.
+ (Profiler):
+ (JSC::Profiler::OSRExitSite::toJS):
+ * profiler/ProfilerOSRExitSite.h: Added.
+ (Profiler):
+ (OSRExitSite):
+ (JSC::Profiler::OSRExitSite::OSRExitSite):
+ (JSC::Profiler::OSRExitSite::codeAddress):
+ * runtime/CommonIdentifiers.h:
+
+2012-12-10 Alexis Menard <alexis@webkit.org>
+
+ [CSS3 Backgrounds and Borders] Remove CSS3_BACKGROUND feature flag.
+ https://bugs.webkit.org/show_bug.cgi?id=104539
+
+ Reviewed by Antonio Gomes.
+
+ As discussed on webkit-dev it is not needed to keep this feature flag
+ as support for <position> type is a small feature that is already
+ implemented by three other UAs. It was useful while landing this
+ feature as partial bits were landed one after one.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-12-09 Filip Pizlo <fpizlo@apple.com>
+
+ DFG ArrayPush/Pop should not pass their second child as the index for blessArrayOperation()
+ https://bugs.webkit.org/show_bug.cgi?id=104500
+
+ Reviewed by Oliver Hunt.
+
+ Slight across-the-board speed-up.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+
+2012-12-08 Filip Pizlo <fpizlo@apple.com>
+
+ JSC should scale the optimization threshold for a code block according to the cost of compiling it
+ https://bugs.webkit.org/show_bug.cgi?id=104406
+
+ Reviewed by Oliver Hunt.
+
+ We've long known that we want to scale the execution count threshold needed for the DFG
+ to kick in to scale according to some estimate of the cost of compiling that code block.
+ This institutes a relationship like this:
+
+ threshold = thresholdSetting * (a * sqrt(instructionCount + b) + abs(c * instructionCount) + d
+
+ Where a, b, c, d are coefficients derived from fitting the above expression to various
+ data points, which I chose based on looking at one benchmark (3d-cube) and from my
+ own intuitions.
+
+ Making this work well also required changing the thresholdForOptimizeAfterLongWarmUp
+ from 5000 to 1000.
+
+ This is a >1% speed-up on SunSpider, a >3% speed-up on V8Spider, ~1% speed-up on V8v7,
+ neutral on Octane, and neutral on Kraken.
+
+ I also out-of-lined a bunch of methods related to these heuristics, because I couldn't
+ stand having them defined in the header anymore. I also made improvements to debugging
+ code because I needed it for tuning this change.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::sourceCodeForTools):
+ (JSC::CodeBlock::sourceCodeOnOneLine):
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::reoptimizationRetryCounter):
+ (JSC::CodeBlock::countReoptimization):
+ (JSC::CodeBlock::optimizationThresholdScalingFactor):
+ (JSC::clipThreshold):
+ (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
+ (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
+ (JSC::CodeBlock::counterValueForOptimizeSoon):
+ (JSC::CodeBlock::checkIfOptimizationThresholdReached):
+ (JSC::CodeBlock::optimizeNextInvocation):
+ (JSC::CodeBlock::dontOptimizeAnytimeSoon):
+ (JSC::CodeBlock::optimizeAfterWarmUp):
+ (JSC::CodeBlock::optimizeAfterLongWarmUp):
+ (JSC::CodeBlock::optimizeSoon):
+ (JSC::CodeBlock::adjustedExitCountThreshold):
+ (JSC::CodeBlock::exitCountThresholdForReoptimization):
+ (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
+ (JSC::CodeBlock::shouldReoptimizeNow):
+ (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
+ * bytecode/CodeBlock.h:
+ * bytecode/ExecutionCounter.cpp:
+ (JSC::ExecutionCounter::hasCrossedThreshold):
+ * bytecode/ReduceWhitespace.cpp: Added.
+ (JSC::reduceWhitespace):
+ * bytecode/ReduceWhitespace.h: Added.
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::mightCompileEval):
+ (JSC::DFG::mightCompileProgram):
+ (JSC::DFG::mightCompileFunctionForCall):
+ (JSC::DFG::mightCompileFunctionForConstruct):
+ (JSC::DFG::mightInlineFunctionForCall):
+ (JSC::DFG::mightInlineFunctionForConstruct):
+ * dfg/DFGCapabilities.h:
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::dumpHeader):
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareOSREntry):
+ * jit/JITDisassembler.cpp:
+ (JSC::JITDisassembler::dumpHeader):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::entryOSR):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * profiler/ProfilerDatabase.cpp:
+ (JSC::Profiler::Database::ensureBytecodesFor):
+ * runtime/Options.h:
+
+2012-12-07 Jonathan Liu <net147@gmail.com>
+
+ Add missing forward declaration for JSC::ArrayAllocationProfile
+ https://bugs.webkit.org/show_bug.cgi?id=104425
+
+ Reviewed by Kentaro Hara.
+
+ The header for the JSC::ArrayConstructor class is missing a forward
+ declaration for the JSC::ArrayAllocationProfile class which causes
+ compilation to fail when compiling with MinGW-w64.
+
+ * runtime/ArrayConstructor.h:
+ (JSC):
+
+2012-12-07 Jonathan Liu <net147@gmail.com>
+
+ Add missing const qualifier to JSC::CodeBlock::getJITType()
+ https://bugs.webkit.org/show_bug.cgi?id=104424
+
+ Reviewed by Laszlo Gombos.
+
+ JSC::CodeBlock::getJITType() has the const qualifier when JIT is
+ enabled but is missing the const qualifier when JIT is disabled.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::getJITType):
+
+2012-12-07 Oliver Hunt <oliver@apple.com>
+
+ Make function code cache proportional to main codeblock cache
+ https://bugs.webkit.org/show_bug.cgi?id=104420
+
+ Reviewed by Geoffrey Garen.
+
+ Makes the constants determining the recently used function cache proportional
+ to the number of root codeblocks in the cache. Also renames the constants to
+ make them more clear.
+
+ * runtime/CodeCache.h:
+
+2012-12-06 Filip Pizlo <fpizlo@apple.com>
+
+ Strange results calculating a square root in a loop
+ https://bugs.webkit.org/show_bug.cgi?id=104247
+ <rdar://problem/12826880>
+
+ Reviewed by Oliver Hunt.
+
+ Fixed the CFG simplification phase to ignore dead GetLocals in the first of the blocks
+ under the merge. This fixes the assertion, and is also cleaner: our general rule is
+ to not "revive" things that we've already proved to be dead.
+
+ Also fixed some rotted debug code.
+
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+
+2012-12-07 Geoffrey Garen <ggaren@apple.com>
+
+ Crash in JSC::Bindings::RootObject::globalObject() sync'ing notes in Evernote
+ https://bugs.webkit.org/show_bug.cgi?id=104321
+ <rdar://problem/12770497>
+
+ Reviewed by Sam Weinig.
+
+ Work around a JSValueUnprotect(NULL) in Evernote.
+
+ * API/JSValueRef.cpp:
+ (evernoteHackNeeded):
+ (JSValueUnprotect):
+
+2012-12-06 Filip Pizlo <fpizlo@apple.com>
+
+ Incorrect inequality for checking whether a statement is within bounds of a handler
+ https://bugs.webkit.org/show_bug.cgi?id=104313
+ <rdar://problem/12808934>
+
+ Reviewed by Geoffrey Garen.
+
+ The most relevant change is in handlerForBytecodeOffset(), which fixes the inequality
+ used for checking whether a handler is pertinent to the current instruction. '<' is
+ correct, but '<=' isn't, since the 'end' is not inclusive.
+
+ Also found, and addressed, a benign goof in how the finally inliner works: sometimes
+ we will have end > start. This falls out naturally from how the inliner works and how
+ we pop scopes in the bytecompiler, but it's sufficiently surprising that, to avoid any
+ future confusion, I added a comment and some code to prune those handlers out. Because
+ of how the handler resolution works, these handlers would have been skipped anyway.
+
+ Also made various fixes to debugging code, which was necessary for tracking this down.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::handlerForBytecodeOffset):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::generate):
+ * bytecompiler/Label.h:
+ (JSC::Label::bind):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::throwException):
+ * llint/LLIntExceptions.cpp:
+ (JSC::LLInt::interpreterThrowInCaller):
+ (JSC::LLInt::returnToThrow):
+ (JSC::LLInt::callToThrow):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::handleHostCall):
+
+2012-12-06 Rick Byers <rbyers@chromium.org>
+
+ CSS cursor property should support webkit-image-set
+ https://bugs.webkit.org/show_bug.cgi?id=99493
+
+ Reviewed by Beth Dakin.
+
+ Add ENABLE_MOUSE_CURSOR_SCALE (disabled by default)
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-12-06 Laszlo Gombos <l.gombos@samsung.com>
+
+ [CMake] Consolidate list of files to build for JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=104287
+
+ Reviewed by Gyuyoung Kim.
+
+ Add MemoryStatistics.cpp and ExecutableAllocator.cpp to the common
+ list of files and remove them from the port specific lists.
+
+ * CMakeLists.txt:
+ * PlatformBlackBerry.cmake:
+ * PlatformEfl.cmake:
+ * PlatformWinCE.cmake:
+
+2012-12-06 Oliver Hunt <oliver@apple.com>
+
+ Tell heap that we've released all the compiled code.
+
+ Reviewed by Geoff Garen.
+
+ When we discard compiled code, inform the heap that we've
+ released an entire object graph. This informs the heap that
+ it might want to perform a GC soon.
+
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::discardAllCode):
+
+2012-12-06 Laszlo Gombos <l.gombos@samsung.com>
+
+ [EFL] Remove ENABLE_GLIB_SUPPORT CMake variable
+ https://bugs.webkit.org/show_bug.cgi?id=104278
+
+ Reviewed by Brent Fulgham.
+
+ The conditional is not required as it is always set for EFL.
+
+ * PlatformEfl.cmake:
+
+2012-12-06 Oliver Hunt <oliver@apple.com>
+
+ Build fix, last patch rolled out logic that is now needed on ToT.
+
+ * parser/ASTBuilder.h:
+ (ASTBuilder):
+ (JSC::ASTBuilder::setFunctionStart):
+ * parser/Nodes.h:
+ (JSC::FunctionBodyNode::setFunctionStart):
+ (JSC::FunctionBodyNode::functionStart):
+ (FunctionBodyNode):
+ * parser/Parser.cpp:
+ (JSC::::parseFunctionInfo):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::setFunctionStart):
+
+2012-12-05 Oliver Hunt <oliver@apple.com>
+
+ Remove harmful string->function cache
+ https://bugs.webkit.org/show_bug.cgi?id=104193
+
+ Reviewed by Alexey Proskuryakov.
+
+ Remove the string->function code cache that turned out to actually
+ be quite harmful.
+
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::getFunctionCodeBlock):
+ * runtime/CodeCache.h:
+ (JSC::CodeCache::clear):
+
+2012-12-05 Halton Huo <halton.huo@intel.com>
+
+ [CMake] Unify coding style for CMake files
+ https://bugs.webkit.org/show_bug.cgi?id=103605
+
+ Reviewed by Laszlo Gombos.
+
+ Update cmake files(.cmake, CMakeLists.txt) with following style rules:
+ 1. Indentation
+ 1.1 Use spaces, not tabs.
+ 1.2 Four spaces as indent.
+ 2. Spacing
+ 2.1 Place one space between control statements and their parentheses.
+ For eg, if (), else (), elseif (), endif (), foreach (),
+ endforeach (), while (), endwhile (), break ().
+ 2.2 Do not place spaces between function and macro statements and
+ their parentheses. For eg, macro(), endmacro(), function(),
+ endfunction().
+ 2.3 Do not place spaces between a command or function or macro and its
+ parentheses, or between a parenthesis and its content. For eg,
+ message("testing") not message( "testing") or message ("testing" )
+ 2.4 No space at line ending.
+ 3. Lowercase when call commands macros and functions. For eg,
+ add_executable() not ADD_EXECUTABLE(), set() not SET().
+
+ * CMakeLists.txt:
+ * PlatformBlackBerry.cmake:
+ * PlatformEfl.cmake:
+ * PlatformWinCE.cmake:
+ * shell/CMakeLists.txt:
+ * shell/PlatformBlackBerry.cmake:
+ * shell/PlatformEfl.cmake:
+ * shell/PlatformWinCE.cmake:
+
+2012-12-05 Oliver Hunt <oliver@apple.com>
+
+ Empty parse cache when receiving a low memory warning
+ https://bugs.webkit.org/show_bug.cgi?id=104161
+
+ Reviewed by Filip Pizlo.
+
+ This adds a function to the globaldata to empty all code related data
+ structures (code in the heap and the code cache).
+ It also adds a function to allow the CodeCache to actually be cleared
+ at all.
+
+ * runtime/CodeCache.h:
+ (CacheMap):
+ (JSC::CacheMap::clear):
+ (JSC::CodeCache::clear):
+ (CodeCache):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::discardAllCode):
+ (JSC):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+
+2012-12-05 Filip Pizlo <fpizlo@apple.com>
+
+ JSC profiler should not count executions of op_call_put_result because doing so changes DFG codegen
+ https://bugs.webkit.org/show_bug.cgi?id=104102
+
+ Reviewed by Oliver Hunt.
+
+ This removes op_call_put_result from profiling, since profiling it has an effect on
+ codegen. This fix enables all of SunSpider, V8, and Kraken to be profiled with the
+ new profiler.
+
+ To make this all fit together, the profiler now also reports in its output the exact
+ bytecode opcode name for each instruction (in addition to the stringified dump of that
+ bytecode), so that tools that grok the output can take note of op_call_put_result and
+ work around the fact that it has no counts.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * profiler/ProfilerBytecode.cpp:
+ (JSC::Profiler::Bytecode::toJS):
+ * profiler/ProfilerBytecode.h:
+ (JSC::Profiler::Bytecode::Bytecode):
+ (JSC::Profiler::Bytecode::opcodeID):
+ (Bytecode):
+ * profiler/ProfilerDatabase.cpp:
+ (JSC::Profiler::Database::ensureBytecodesFor):
+ * runtime/CommonIdentifiers.h:
+
+2012-12-04 Filip Pizlo <fpizlo@apple.com>
+
+ display-profiler-output should be able to show source code
+ https://bugs.webkit.org/show_bug.cgi?id=104073
+
+ Reviewed by Oliver Hunt.
+
+ Modify the profiler database to store source code. For functions, we store the
+ function including the function signature.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::unlinkedCodeBlock):
+ (CodeBlock):
+ * profiler/ProfilerBytecodes.cpp:
+ (JSC::Profiler::Bytecodes::Bytecodes):
+ (JSC::Profiler::Bytecodes::toJS):
+ * profiler/ProfilerBytecodes.h:
+ (Bytecodes):
+ (JSC::Profiler::Bytecodes::sourceCode):
+ * profiler/ProfilerDatabase.cpp:
+ (JSC::Profiler::Database::addBytecodes):
+ (JSC::Profiler::Database::ensureBytecodesFor):
+ * profiler/ProfilerDatabase.h:
+ (Database):
+ * runtime/CommonIdentifiers.h:
+ * runtime/Executable.h:
+ (FunctionExecutable):
+ (JSC::FunctionExecutable::unlinkedExecutable):
+
+2012-12-02 Filip Pizlo <fpizlo@apple.com>
+
+ JSC should be able to report profiling data associated with the IR dumps and disassembly
+ https://bugs.webkit.org/show_bug.cgi?id=102999
+
+ Reviewed by Gavin Barraclough.
+
+ Added a new profiler to JSC. It's simply called "Profiler" in anticipation of it
+ ultimately replacing the previous profiling infrastructure. This profiler counts the
+ number of times that a bytecode executes in various engines, and will record both the
+ counts and all disassembly and bytecode dumps, into a database that can be at any
+ time turned into either a JS object using any global object or global data of your
+ choice, or can be turned into a JSON string, or saved to a file.
+
+ Currently the only use of this is the new '-p <file>' flag to the jsc command-line.
+
+ The profiler is always compiled in and normally incurs no execution time cost, but is
+ only activated when you create a Profiler::Database and install it in
+ JSGlobalData::m_perBytecodeProfiler. From that point on, all code blocks will be
+ compiled along with disassembly and bytecode dumps stored into the Profiler::Database,
+ and all code blocks will have execution counts, which are also stored in the database.
+ The database will continue to keep information about code blocks alive even after they
+ are otherwise GC'd.
+
+ This currently still has some glitches, like the fact that it only counts executions
+ in the JITs. Doing execution counting in the LLInt might require a bit of a rethink
+ about how the counting is expressed - currently it is implicit in bytecode, so there
+ is no easy way to "turn it on" in the LLInt. Also, right now there is no information
+ recorded about OSR exits or out-of-line stubs. But, even so, it's quite cool, and
+ gives you a peek into what JSC is doing that would otherwise not be possible.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::~CodeBlock):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ (JSC::CodeBlock::baselineVersion):
+ * bytecode/CodeOrigin.cpp:
+ (JSC::InlineCallFrame::baselineCodeBlock):
+ (JSC):
+ * bytecode/CodeOrigin.h:
+ (InlineCallFrame):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::dump):
+ (DFG):
+ (JSC::DFG::Disassembler::reportToProfiler):
+ (JSC::DFG::Disassembler::dumpHeader):
+ (JSC::DFG::Disassembler::append):
+ (JSC::DFG::Disassembler::createDumpList):
+ * dfg/DFGDisassembler.h:
+ (Disassembler):
+ (JSC::DFG::Disassembler::DumpedOp::DumpedOp):
+ (DumpedOp):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::Graph::dumpCodeOrigin):
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGGraph.h:
+ (Graph):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::JITCompiler):
+ (JSC::DFG::JITCompiler::compile):
+ (JSC::DFG::JITCompiler::compileFunction):
+ * dfg/DFGNode.h:
+ (Node):
+ (JSC::DFG::Node::hasExecutionCounter):
+ (JSC::DFG::Node::executionCounter):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JIT.cpp:
+ (JSC::JIT::JIT):
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompile):
+ * jit/JIT.h:
+ (JIT):
+ * jit/JITDisassembler.cpp:
+ (JSC::JITDisassembler::dump):
+ (JSC::JITDisassembler::reportToProfiler):
+ (JSC):
+ (JSC::JITDisassembler::dumpHeader):
+ (JSC::JITDisassembler::firstSlowLabel):
+ (JSC::JITDisassembler::dumpVectorForInstructions):
+ (JSC::JITDisassembler::dumpForInstructions):
+ (JSC::JITDisassembler::reportInstructions):
+ * jit/JITDisassembler.h:
+ (JITDisassembler):
+ (DumpedOp):
+ * jsc.cpp:
+ (CommandLine::CommandLine):
+ (CommandLine):
+ (printUsageStatement):
+ (CommandLine::parseArguments):
+ (jscmain):
+ * profiler/ProfilerBytecode.cpp: Added.
+ (Profiler):
+ (JSC::Profiler::Bytecode::toJS):
+ * profiler/ProfilerBytecode.h: Added.
+ (Profiler):
+ (Bytecode):
+ (JSC::Profiler::Bytecode::Bytecode):
+ (JSC::Profiler::Bytecode::bytecodeIndex):
+ (JSC::Profiler::Bytecode::description):
+ (JSC::Profiler::getBytecodeIndexForBytecode):
+ * profiler/ProfilerBytecodes.cpp: Added.
+ (Profiler):
+ (JSC::Profiler::Bytecodes::Bytecodes):
+ (JSC::Profiler::Bytecodes::~Bytecodes):
+ (JSC::Profiler::Bytecodes::indexForBytecodeIndex):
+ (JSC::Profiler::Bytecodes::forBytecodeIndex):
+ (JSC::Profiler::Bytecodes::dump):
+ (JSC::Profiler::Bytecodes::toJS):
+ * profiler/ProfilerBytecodes.h: Added.
+ (Profiler):
+ (Bytecodes):
+ (JSC::Profiler::Bytecodes::append):
+ (JSC::Profiler::Bytecodes::id):
+ (JSC::Profiler::Bytecodes::hash):
+ (JSC::Profiler::Bytecodes::size):
+ (JSC::Profiler::Bytecodes::at):
+ * profiler/ProfilerCompilation.cpp: Added.
+ (Profiler):
+ (JSC::Profiler::Compilation::Compilation):
+ (JSC::Profiler::Compilation::~Compilation):
+ (JSC::Profiler::Compilation::addDescription):
+ (JSC::Profiler::Compilation::executionCounterFor):
+ (JSC::Profiler::Compilation::toJS):
+ * profiler/ProfilerCompilation.h: Added.
+ (Profiler):
+ (Compilation):
+ (JSC::Profiler::Compilation::bytecodes):
+ (JSC::Profiler::Compilation::kind):
+ * profiler/ProfilerCompilationKind.cpp: Added.
+ (WTF):
+ (WTF::printInternal):
+ * profiler/ProfilerCompilationKind.h: Added.
+ (Profiler):
+ (WTF):
+ * profiler/ProfilerCompiledBytecode.cpp: Added.
+ (Profiler):
+ (JSC::Profiler::CompiledBytecode::CompiledBytecode):
+ (JSC::Profiler::CompiledBytecode::~CompiledBytecode):
+ (JSC::Profiler::CompiledBytecode::toJS):
+ * profiler/ProfilerCompiledBytecode.h: Added.
+ (Profiler):
+ (CompiledBytecode):
+ (JSC::Profiler::CompiledBytecode::originStack):
+ (JSC::Profiler::CompiledBytecode::description):
+ * profiler/ProfilerDatabase.cpp: Added.
+ (Profiler):
+ (JSC::Profiler::Database::Database):
+ (JSC::Profiler::Database::~Database):
+ (JSC::Profiler::Database::addBytecodes):
+ (JSC::Profiler::Database::ensureBytecodesFor):
+ (JSC::Profiler::Database::notifyDestruction):
+ (JSC::Profiler::Database::newCompilation):
+ (JSC::Profiler::Database::toJS):
+ (JSC::Profiler::Database::toJSON):
+ (JSC::Profiler::Database::save):
+ * profiler/ProfilerDatabase.h: Added.
+ (Profiler):
+ (Database):
+ * profiler/ProfilerExecutionCounter.h: Added.
+ (Profiler):
+ (ExecutionCounter):
+ (JSC::Profiler::ExecutionCounter::ExecutionCounter):
+ (JSC::Profiler::ExecutionCounter::address):
+ (JSC::Profiler::ExecutionCounter::count):
+ * profiler/ProfilerOrigin.cpp: Added.
+ (Profiler):
+ (JSC::Profiler::Origin::Origin):
+ (JSC::Profiler::Origin::dump):
+ (JSC::Profiler::Origin::toJS):
+ * profiler/ProfilerOrigin.h: Added.
+ (JSC):
+ (Profiler):
+ (Origin):
+ (JSC::Profiler::Origin::Origin):
+ (JSC::Profiler::Origin::operator!):
+ (JSC::Profiler::Origin::bytecodes):
+ (JSC::Profiler::Origin::bytecodeIndex):
+ (JSC::Profiler::Origin::operator!=):
+ (JSC::Profiler::Origin::operator==):
+ (JSC::Profiler::Origin::hash):
+ (JSC::Profiler::Origin::isHashTableDeletedValue):
+ (JSC::Profiler::OriginHash::hash):
+ (JSC::Profiler::OriginHash::equal):
+ (OriginHash):
+ (WTF):
+ * profiler/ProfilerOriginStack.cpp: Added.
+ (Profiler):
+ (JSC::Profiler::OriginStack::OriginStack):
+ (JSC::Profiler::OriginStack::~OriginStack):
+ (JSC::Profiler::OriginStack::append):
+ (JSC::Profiler::OriginStack::operator==):
+ (JSC::Profiler::OriginStack::hash):
+ (JSC::Profiler::OriginStack::dump):
+ (JSC::Profiler::OriginStack::toJS):
+ * profiler/ProfilerOriginStack.h: Added.
+ (JSC):
+ (Profiler):
+ (OriginStack):
+ (JSC::Profiler::OriginStack::OriginStack):
+ (JSC::Profiler::OriginStack::operator!):
+ (JSC::Profiler::OriginStack::size):
+ (JSC::Profiler::OriginStack::fromBottom):
+ (JSC::Profiler::OriginStack::fromTop):
+ (JSC::Profiler::OriginStack::isHashTableDeletedValue):
+ (JSC::Profiler::OriginStackHash::hash):
+ (JSC::Profiler::OriginStackHash::equal):
+ (OriginStackHash):
+ (WTF):
+ * runtime/CommonIdentifiers.h:
+ * runtime/ExecutionHarness.h:
+ (JSC::prepareForExecution):
+ (JSC::prepareFunctionForExecution):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ (JSC::JSGlobalData::~JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ * runtime/Options.h:
+ (JSC):
+
+2012-12-04 Filip Pizlo <fpizlo@apple.com>
+
+ Rename Profiler to LegacyProfiler
+ https://bugs.webkit.org/show_bug.cgi?id=104031
+
+ Rubber stamped by Mark Hahnenberg
+
+ Make room in the namespace for https://bugs.webkit.org/show_bug.cgi?id=102999.
+
+ * API/JSProfilerPrivate.cpp:
+ (JSStartProfiling):
+ (JSEndProfiling):
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::throwException):
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ * jit/JIT.h:
+ * jit/JITCode.h:
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ * jit/JITStubs.h:
+ (JSC):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * profiler/LegacyProfiler.cpp: Added.
+ (JSC):
+ (JSC::LegacyProfiler::profiler):
+ (JSC::LegacyProfiler::startProfiling):
+ (JSC::LegacyProfiler::stopProfiling):
+ (JSC::dispatchFunctionToProfiles):
+ (JSC::LegacyProfiler::willExecute):
+ (JSC::LegacyProfiler::didExecute):
+ (JSC::LegacyProfiler::exceptionUnwind):
+ (JSC::LegacyProfiler::createCallIdentifier):
+ (JSC::createCallIdentifierFromFunctionImp):
+ * profiler/LegacyProfiler.h: Added.
+ (JSC):
+ (LegacyProfiler):
+ (JSC::LegacyProfiler::currentProfiles):
+ * profiler/ProfileGenerator.cpp:
+ (JSC::ProfileGenerator::addParentForConsoleStart):
+ * profiler/ProfileNode.cpp:
+ * profiler/Profiler.cpp: Removed.
+ * profiler/Profiler.h: Removed.
+ * runtime/JSGlobalData.h:
+ (JSC):
+ (JSC::JSGlobalData::enabledProfiler):
+ (JSGlobalData):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::~JSGlobalObject):
+
+2012-12-03 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should inline code blocks that use scoped variable access
+ https://bugs.webkit.org/show_bug.cgi?id=103974
+
+ Reviewed by Oliver Hunt.
+
+ This mostly just turns on something we could have done all along, but also adds a few key
+ necessities to make this right:
+
+ 1) Constant folding of SkipScope, since if we inline with a known JSFunction* then the
+ scope is constant.
+
+ 2) Interference analysis for GetLocal<->PutScopedVar and SetLocal<->GetScopedVar.
+
+ This is not meant to be a speed-up on major benchmarks since we don't yet inline most
+ closure calls for entirely unrelated reasons. But on toy programs it can be >2x faster.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::getScope):
+ (JSC::DFG::ByteCodeParser::parseResolveOperations):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::scopedVarLoadElimination):
+ (JSC::DFG::CSEPhase::scopedVarStoreElimination):
+ (JSC::DFG::CSEPhase::getLocalLoadElimination):
+ (JSC::DFG::CSEPhase::setLocalStoreElimination):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canInlineResolveOperations):
+
+2012-12-03 Filip Pizlo <fpizlo@apple.com>
+
+ Replace JSValue::description() with JSValue::dump(PrintStream&)
+ https://bugs.webkit.org/show_bug.cgi?id=103866
+
+ Reviewed by Darin Adler.
+
+ JSValue now has a dump() method. Anywhere that you would have wanted to use
+ description(), you can either do toCString(value).data(), or if the callee
+ is a print()/dataLog() method then you just pass the value directly.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+ * bytecode/CodeBlock.cpp:
+ (JSC::valueToSourceString):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ * bytecode/ValueProfile.h:
+ (JSC::ValueProfileBase::dump):
+ * bytecode/ValueRecovery.h:
+ (JSC::ValueRecovery::dump):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::dump):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::dumpRegisters):
+ * jsc.cpp:
+ (functionDescribe):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::llint_trace_value):
+ * runtime/JSValue.cpp:
+ (JSC::JSValue::dump):
+ * runtime/JSValue.h:
+
+2012-12-04 Filip Pizlo <fpizlo@apple.com>
+
+ jsc command line tool's support for typed arrays should be robust against array buffer allocation errors
+ https://bugs.webkit.org/show_bug.cgi?id=104020
+ <rdar://problem/12802478>
+
+ Reviewed by Mark Hahnenberg.
+
+ Check for null buffers, since that's what typed array allocators are supposed to do. WebCore does it,
+ and that is indeed the contract of ArrayBuffer and TypedArrayBase.
+
+ * JSCTypedArrayStubs.h:
+ (JSC):
+
+2012-12-03 Peter Rybin <prybin@chromium.org>
+
+ Web Inspector: make ASSERTION FAILED: foundPropertiesCount == object->size() more useful
+ https://bugs.webkit.org/show_bug.cgi?id=103254
+
+ Reviewed by Pavel Feldman.
+
+ Missing symbol WTFReportFatalError is added to the linker list.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2012-12-03 Alexis Menard <alexis@webkit.org>
+
+ [Mac] Enable CSS3 background-position offset by default.
+ https://bugs.webkit.org/show_bug.cgi?id=103905
+
+ Reviewed by Simon Fraser.
+
+ Turn the flag on by default.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-12-02 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should trigger rage conversion from double to contiguous if it sees a GetByVal on Double being used in an integer context
+ https://bugs.webkit.org/show_bug.cgi?id=103858
+
+ Reviewed by Gavin Barraclough.
+
+ A rage conversion from double to contiguous is one where you try to convert each
+ double to an int32.
+
+ This is probably not the last we'll hear of rage conversion from double to contiguous.
+ It may be better to do this right during parsing, which will result in fewer cases of
+ Arrayification. But even so, this looks like a straight win already - 1% speed-up on
+ Kraken, no major regression anywhere else.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::refine):
+ (JSC::DFG::arrayConversionToString):
+ (JSC::DFG::ArrayMode::dump):
+ (WTF):
+ (WTF::printInternal):
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::withConversion):
+ (ArrayMode):
+ (JSC::DFG::ArrayMode::doesConversion):
+ (WTF):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupBlock):
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::checkArray):
+ (FixupPhase):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGNodeFlags.h:
+ (DFG):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::arrayify):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ * runtime/JSObject.cpp:
+ (JSC):
+ (JSC::JSObject::genericConvertDoubleToContiguous):
+ (JSC::JSObject::convertDoubleToContiguous):
+ (JSC::JSObject::rageConvertDoubleToContiguous):
+ (JSC::JSObject::ensureContiguousSlow):
+ (JSC::JSObject::rageEnsureContiguousSlow):
+ * runtime/JSObject.h:
+ (JSObject):
+ (JSC::JSObject::rageEnsureContiguous):
+
+2012-12-02 Filip Pizlo <fpizlo@apple.com>
+
+ DFG CSE should not keep alive things that aren't relevant to OSR
+ https://bugs.webkit.org/show_bug.cgi?id=103849
+
+ Reviewed by Oliver Hunt.
+
+ Most Phantom nodes are inserted by CSE, and by default have the same children as the
+ node that CSE had eliminated. This change makes CSE inspect all Phantom nodes (both
+ those it creates and those that were created by other phases) to see if they have
+ children that are redundant - i.e. children that are not interesting to OSR, which
+ is the only reason why Phantoms exist in the first place. Being relevant to OSR is
+ defined as one of: (1) you're a Phi, (2) you're a SetLocal, (3) somewhere between
+ your definition and the Phantom there was a SetLocal that referred to you.
+
+ This is a slight speed-up in a few places.
+
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::CSEPhase):
+ (JSC::DFG::CSEPhase::run):
+ (JSC::DFG::CSEPhase::performSubstitution):
+ (CSEPhase):
+ (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
+ (JSC::DFG::CSEPhase::setReplacement):
+ (JSC::DFG::CSEPhase::eliminate):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ (JSC::DFG::CSEPhase::performBlockCSE):
+
+2012-12-02 Filip Pizlo <fpizlo@apple.com>
+
+ It should be possible to build and run with DFG_ENABLE(PROPAGATION_VERBOSE)
+ https://bugs.webkit.org/show_bug.cgi?id=103848
+
+ Reviewed by Sam Weinig.
+
+ Fix random dataLog() and print() statements.
+
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dumpBlockHeader):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+
+2012-12-01 Filip Pizlo <fpizlo@apple.com>
+
+ CodeBlock should be able to dump bytecode to something other than WTF::dataFile()
+ https://bugs.webkit.org/show_bug.cgi?id=103832
+
+ Reviewed by Oliver Hunt.
+
+ Add a PrintStream& argument to all of the CodeBlock bytecode dumping methods.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
+ (JSC::CodeBlock::printUnaryOp):
+ (JSC::CodeBlock::printBinaryOp):
+ (JSC::CodeBlock::printConditionalJump):
+ (JSC::CodeBlock::printGetByIdOp):
+ (JSC::dumpStructure):
+ (JSC::dumpChain):
+ (JSC::CodeBlock::printGetByIdCacheStatus):
+ (JSC::CodeBlock::printCallOp):
+ (JSC::CodeBlock::printPutByIdOp):
+ (JSC::CodeBlock::printStructure):
+ (JSC::CodeBlock::printStructures):
+ (JSC::CodeBlock::dumpBytecode):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ * jit/JITDisassembler.cpp:
+ (JSC::JITDisassembler::dumpForInstructions):
+
+2012-11-30 Pierre Rossi <pierre.rossi@gmail.com>
+
+ [Qt] Unreviewed speculative Mac build fix after r136232
+
+ Update the include path so that LLIntAssembly.h is picked up.
+ The bot didn't break until later when a clean build was triggered.
+
+ * JavaScriptCore.pri:
+
+2012-11-30 Oliver Hunt <oliver@apple.com>
+
+ Optimise more cases of op_typeof
+ https://bugs.webkit.org/show_bug.cgi?id=103783
+
+ Reviewed by Mark Hahnenberg.
+
+ Increase our coverage of typeof based typechecks by
+ making sure that the codegenerators always uses
+ consistent operand ordering when feeding typeof operations
+ into equality operations.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::BinaryOpNode::emitBytecode):
+ (JSC::EqualNode::emitBytecode):
+ (JSC::StrictEqualNode::emitBytecode):
+
+2012-11-30 Filip Pizlo <fpizlo@apple.com>
+
+ Rationalize and clean up DFG handling of scoped accesses
+ https://bugs.webkit.org/show_bug.cgi?id=103715
+
+ Reviewed by Oliver Hunt.
+
+ Previously, we had a GetScope node that specified the depth to which you wanted
+ to travel to get a JSScope, and the backend implementation of the node would
+ perform all of the necessary footwork, including potentially skipping the top
+ scope if necessary, and doing however many loads were needed. But there were
+ strange things. First, if you had accesses at different scope depths, then the
+ loads to get to the common depth could not be CSE'd - CSE would match only
+ GetScope's that had identical depth. Second, GetScope would be emitted even if
+ we already had the scope, for example in put_to_base. And finally, even though
+ the ResolveOperations could tell us whether or not we had to skip the top scope,
+ the backend would recompute this information itself, often pessimistically.
+
+ This eliminates GetScope and replaces it with the following:
+
+ GetMyScope: just get the JSScope from the call frame header. This will forever
+ mean getting the JSScope associated with the machine call frame; it will not
+ mean getting the scope of an inlined function. Or at least that's the intent.
+
+ SkipTopScope: check if there is an activation, and if so, skip a scope. This
+ takes a scope as a child and returns a scope.
+
+ SkipScope: skip one scope level.
+
+ The bytecode parser now emits the right combination of the above, and
+ potentially emits multiple SkipScope's, based on the ResolveOperations.
+
+ This change also includes some fixups to debug logging. We now always print
+ the ExecutableBase* in addition to the CodeBlock* in the CodeBlock's dump,
+ and we are now more verbose when dumping CodeOrigins and InlineCallFrames.
+
+ This is performance-neutral. It's just meant to be a clean-up.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpAssumingJITType):
+ * bytecode/CodeOrigin.cpp:
+ (JSC::CodeOrigin::inlineStack):
+ (JSC::CodeOrigin::dump):
+ (JSC):
+ (JSC::InlineCallFrame::dump):
+ * bytecode/CodeOrigin.h:
+ (CodeOrigin):
+ (InlineCallFrame):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::getScope):
+ (DFG):
+ (JSC::DFG::ByteCodeParser::parseResolveOperations):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::scopedVarLoadElimination):
+ (JSC::DFG::CSEPhase::scopedVarStoreElimination):
+ (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
+ (JSC::DFG::CSEPhase::setLocalStoreElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::dump):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dumpCodeOrigin):
+ (JSC::DFG::Graph::dumpBlockHeader):
+ * dfg/DFGNode.h:
+ (Node):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JITDisassembler.cpp:
+ (JSC::JITDisassembler::dump):
+
+2012-11-30 Oliver Hunt <oliver@apple.com>
+
+ Add direct string->function code cache
+ https://bugs.webkit.org/show_bug.cgi?id=103764
+
+ Reviewed by Michael Saboff.
+
+ A fairly logically simple patch. We now track the start of the
+ unique portion of a functions body, and use that as our key for
+ unlinked function code. This allows us to cache identical code
+ in different contexts, leading to a small but consistent improvement
+ on the benchmarks we track.
+
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedFunctionExecutable::functionStartOffset):
+ (UnlinkedFunctionExecutable):
+ * parser/ASTBuilder.h:
+ (ASTBuilder):
+ (JSC::ASTBuilder::setFunctionStart):
+ * parser/Nodes.cpp:
+ * parser/Nodes.h:
+ (JSC::FunctionBodyNode::setFunctionStart):
+ (JSC::FunctionBodyNode::functionStart):
+ (FunctionBodyNode):
+ * parser/Parser.cpp:
+ (JSC::::parseFunctionInfo):
+ * parser/Parser.h:
+ (JSC::Parser::findCachedFunctionInfo):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::setFunctionStart):
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::generateFunctionCodeBlock):
+ (JSC::CodeCache::getFunctionCodeBlock):
+ (JSC::CodeCache::usedFunctionCode):
+ * runtime/CodeCache.h:
+
+2012-11-30 Allan Sandfeld Jensen <allan.jensen@digia.com>
+
+ Crash in conversion of empty OpaqueJSString to Identifier
+ https://bugs.webkit.org/show_bug.cgi?id=101867
+
+ Reviewed by Michael Saboff.
+
+ The constructor call used for both null and empty OpaqueJSStrings results
+ in an assertion voilation and crash. This patch instead uses the Identifier
+ constructors which are specifically for null and empty Identifier.
+
+ * API/OpaqueJSString.cpp:
+ (OpaqueJSString::identifier):
+
+2012-11-30 Tor Arne Vestbø <tor.arne.vestbo@digia.com>
+
+ [Qt] Place the LLIntOffsetsExtractor binaries in debug/release subdirs on Mac
+
+ Otherwise we'll end up using the same LLIntAssembly.h for both build
+ configs of JavaScriptCore -- one of them which will be for the wrong
+ config.
+
+ Reviewed by Simon Hausmann.
+
+ * LLIntOffsetsExtractor.pro:
+
+2012-11-30 Julien BRIANCEAU <jbrianceau@nds.com>
+
+ [sh4] Fix compilation warnings in JavaScriptCore JIT for sh4 arch
+ https://bugs.webkit.org/show_bug.cgi?id=103378
+
+ Reviewed by Filip Pizlo.
+
+ * assembler/MacroAssemblerSH4.h:
+ (JSC::MacroAssemblerSH4::branchTest32):
+ (JSC::MacroAssemblerSH4::branchAdd32):
+ (JSC::MacroAssemblerSH4::branchMul32):
+ (JSC::MacroAssemblerSH4::branchSub32):
+ (JSC::MacroAssemblerSH4::branchOr32):
+
+2012-11-29 Rafael Weinstein <rafaelw@chromium.org>
+
+ [HTMLTemplateElement] Add feature flag
+ https://bugs.webkit.org/show_bug.cgi?id=103694
+
+ Reviewed by Adam Barth.
+
+ This flag will guard the implementation of the HTMLTemplateElement.
+ http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/templates/index.html
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-11-29 Filip Pizlo <fpizlo@apple.com>
+
+ It should be easy to find code blocks in debug dumps
+ https://bugs.webkit.org/show_bug.cgi?id=103623
+
+ Reviewed by Goeffrey Garen.
+
+ This gives CodeBlock a relatively strong, but also relatively compact, hash. We compute
+ it lazily so that it only impacts run-time when debug support is enabled. We stringify
+ it smartly so that it's short and easy to type. We base it on the source code so that
+ the optimization level is irrelevant. And, we use SHA1 since it's already in our code
+ base. Now, when a piece of code wants to print some debugging to say that it's operating
+ on some code block, it can use this CodeBlockHash instead of memory addresses.
+
+ This also takes CodeBlock debugging into the new world of print() and dataLog(). In
+ particular, CodeBlock::dump() corresponds to the thing you want printed if you do:
+
+ dataLog("I heart ", *myCodeBlock);
+
+ Probably, you want to just print some identifying information at this point rather than
+ the full bytecode dump. So, the existing CodeBlock::dump() has been renamed to
+ CodeBlock::dumpBytecode(), and CodeBlock::dump() now prints the CodeBlockHash plus just
+ a few little tidbits.
+
+ Here's an example of CodeBlock::dump() output:
+
+ EkILzr:[0x103883a00, BaselineFunctionCall]
+
+ EkILzr is the CodeBlockHash. 0x103883a00 is the CodeBlock's address in memory. The other
+ part is self-explanatory.
+
+ Finally, this new notion of CodeBlockHash is available for other purposes like bisecting
+ breakage. As such CodeBlockHash has all of the comparison operator overloads. When
+ bisecting in DFGDriver.cpp, you can now say things like:
+
+ if (codeBlock->hash() < CodeBlockHash("CAAAAA"))
+ return false;
+
+ And yes, CAAAAA is near the median hash, and the largest one is smaller than E99999. Such
+ is life when you use base 62 to encode a 32-bit number.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/CallLinkInfo.h:
+ (CallLinkInfo):
+ (JSC::CallLinkInfo::specializationKind):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::hash):
+ (JSC):
+ (JSC::CodeBlock::dumpAssumingJITType):
+ (JSC::CodeBlock::dump):
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::resetStubInternal):
+ (JSC::CodeBlock::reoptimize):
+ (JSC::ProgramCodeBlock::jettison):
+ (JSC::EvalCodeBlock::jettison):
+ (JSC::FunctionCodeBlock::jettison):
+ (JSC::CodeBlock::shouldOptimizeNow):
+ (JSC::CodeBlock::tallyFrequentExitSites):
+ (JSC::CodeBlock::dumpValueProfiles):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::specializationKind):
+ (CodeBlock):
+ (JSC::CodeBlock::getJITType):
+ * bytecode/CodeBlockHash.cpp: Added.
+ (JSC):
+ (JSC::CodeBlockHash::CodeBlockHash):
+ (JSC::CodeBlockHash::dump):
+ * bytecode/CodeBlockHash.h: Added.
+ (JSC):
+ (CodeBlockHash):
+ (JSC::CodeBlockHash::CodeBlockHash):
+ (JSC::CodeBlockHash::hash):
+ (JSC::CodeBlockHash::operator==):
+ (JSC::CodeBlockHash::operator!=):
+ (JSC::CodeBlockHash::operator<):
+ (JSC::CodeBlockHash::operator>):
+ (JSC::CodeBlockHash::operator<=):
+ (JSC::CodeBlockHash::operator>=):
+ * bytecode/CodeBlockWithJITType.h: Added.
+ (JSC):
+ (CodeBlockWithJITType):
+ (JSC::CodeBlockWithJITType::CodeBlockWithJITType):
+ (JSC::CodeBlockWithJITType::dump):
+ * bytecode/CodeOrigin.cpp: Added.
+ (JSC):
+ (JSC::CodeOrigin::inlineDepthForCallFrame):
+ (JSC::CodeOrigin::inlineDepth):
+ (JSC::CodeOrigin::inlineStack):
+ (JSC::InlineCallFrame::hash):
+ * bytecode/CodeOrigin.h:
+ (InlineCallFrame):
+ (JSC::InlineCallFrame::specializationKind):
+ (JSC):
+ * bytecode/CodeType.cpp: Added.
+ (WTF):
+ (WTF::printInternal):
+ * bytecode/CodeType.h:
+ (WTF):
+ * bytecode/ExecutionCounter.cpp:
+ (JSC::ExecutionCounter::dump):
+ * bytecode/ExecutionCounter.h:
+ (ExecutionCounter):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::dump):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dumpCodeOrigin):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::generateProtoChainAccessStub):
+ (JSC::DFG::tryCacheGetByID):
+ (JSC::DFG::tryBuildGetByIDList):
+ (JSC::DFG::emitPutReplaceStub):
+ (JSC::DFG::emitPutTransitionStub):
+ (JSC::DFG::dfgLinkClosureCall):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::dumpCallFrame):
+ * jit/JITCode.cpp: Added.
+ (WTF):
+ (WTF::printInternal):
+ * jit/JITCode.h:
+ (JSC::JITCode::jitType):
+ (WTF):
+ * jit/JITDisassembler.cpp:
+ (JSC::JITDisassembler::dump):
+ (JSC::JITDisassembler::dumpForInstructions):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::privateCompilePutByIdTransition):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ (JSC::JIT::privateCompileGetByIdProto):
+ (JSC::JIT::privateCompileGetByIdSelfList):
+ (JSC::JIT::privateCompileGetByIdProtoList):
+ (JSC::JIT::privateCompileGetByIdChainList):
+ (JSC::JIT::privateCompileGetByIdChain):
+ (JSC::JIT::privateCompileGetByVal):
+ (JSC::JIT::privateCompilePutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::privateCompilePutByIdTransition):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ (JSC::JIT::privateCompileGetByIdProto):
+ (JSC::JIT::privateCompileGetByIdSelfList):
+ (JSC::JIT::privateCompileGetByIdProtoList):
+ (JSC::JIT::privateCompileGetByIdChainList):
+ (JSC::JIT::privateCompileGetByIdChain):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ * runtime/CodeSpecializationKind.cpp: Added.
+ (WTF):
+ (WTF::printInternal):
+ * runtime/CodeSpecializationKind.h:
+ (JSC::specializationFromIsCall):
+ (JSC):
+ (JSC::specializationFromIsConstruct):
+ (WTF):
+ * runtime/Executable.cpp:
+ (JSC::ExecutableBase::hashFor):
+ (JSC):
+ (JSC::NativeExecutable::hashFor):
+ (JSC::ScriptExecutable::hashFor):
+ * runtime/Executable.h:
+ (ExecutableBase):
+ (NativeExecutable):
+ (ScriptExecutable):
+ (JSC::ScriptExecutable::source):
+
+2012-11-29 Michael Saboff <msaboff@apple.com>
+
+ Speculative Windows build fix after r136086.
+
+ Unreviewed build fix.
+
+ Suspect that ?setDumpsGeneratedCode@BytecodeGenerator@JSC@@SAX_N@Z needs to be removed from Windows
+ export list since the symbol was removed in r136086.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2012-11-28 Filip Pizlo <fpizlo@apple.com>
+
+ SpeculatedType dumping should not use the static char buffer[thingy] idiom
+ https://bugs.webkit.org/show_bug.cgi?id=103584
+
+ Reviewed by Michael Saboff.
+
+ Changed SpeculatedType to be "dumpable" by saying things like:
+
+ dataLog("thingy = ", SpeculationDump(thingy))
+
+ Removed the old stringification functions, and changed all code that referred to them
+ to use the new dataLog()/print() style.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/SpeculatedType.cpp:
+ (JSC::dumpSpeculation):
+ (JSC::speculationToAbbreviatedString):
+ (JSC::dumpSpeculationAbbreviated):
+ * bytecode/SpeculatedType.h:
+ * bytecode/ValueProfile.h:
+ (JSC::ValueProfileBase::dump):
+ * bytecode/VirtualRegister.h:
+ (WTF::printInternal):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::dump):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
+ (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::predictArgumentTypes):
+ * dfg/DFGGraph.h:
+ (Graph):
+ * dfg/DFGStructureAbstractValue.h:
+ * dfg/DFGVariableAccessDataDump.cpp: Added.
+ (JSC::DFG::VariableAccessDataDump::VariableAccessDataDump):
+ (JSC::DFG::VariableAccessDataDump::dump):
+ * dfg/DFGVariableAccessDataDump.h: Added.
+ (VariableAccessDataDump):
+
+2012-11-28 Michael Saboff <msaboff@apple.com>
+
+ Change Bytecompiler s_dumpsGeneratedCode to an Options value
+ https://bugs.webkit.org/show_bug.cgi?id=103588
+
+ Reviewed by Filip Pizlo.
+
+ Moved the control of dumping bytecodes to Options::dumpGeneratedBytecodes.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ * bytecompiler/BytecodeGenerator.cpp:
+ * bytecompiler/BytecodeGenerator.h:
+ * jsc.cpp:
+ (runWithScripts):
+ * runtime/Options.h:
+
+2012-11-28 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Copying phase should use work lists
+ https://bugs.webkit.org/show_bug.cgi?id=101390
+
+ Reviewed by Filip Pizlo.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/BlockAllocator.cpp:
+ (JSC::BlockAllocator::BlockAllocator):
+ * heap/BlockAllocator.h: New RegionSet for CopyWorkListSegments.
+ (BlockAllocator):
+ (JSC::CopyWorkListSegment):
+ * heap/CopiedBlock.h: Added a per-block CopyWorkList to keep track of the JSCells that need to be revisited during the copying
+ phase to copy their backing stores.
+ (CopiedBlock):
+ (JSC::CopiedBlock::CopiedBlock):
+ (JSC::CopiedBlock::didSurviveGC):
+ (JSC::CopiedBlock::didEvacuateBytes): There is now a one-to-one relationship between GCThreads and the CopiedBlocks they're
+ responsible for evacuating, we no longer need any of that fancy compare and swap stuff.
+ (JSC::CopiedBlock::pin):
+ (JSC::CopiedBlock::hasWorkList):
+ (JSC::CopiedBlock::workList):
+ * heap/CopiedBlockInlines.h: Added.
+ (JSC::CopiedBlock::reportLiveBytes): Since we now have to grab a SpinLock to perform operations on the CopyWorkList during marking,
+ we don't need to do any of that fancy compare and swap stuff we were doing for tracking live bytes.
+ * heap/CopiedSpace.h:
+ (CopiedSpace):
+ * heap/CopiedSpaceInlines.h:
+ (JSC::CopiedSpace::pin):
+ * heap/CopyVisitor.cpp:
+ (JSC::CopyVisitor::copyFromShared): We now iterate over a range of CopiedBlocks rather than MarkedBlocks and revisit the cells in those
+ blocks' CopyWorkLists.
+ * heap/CopyVisitor.h:
+ (CopyVisitor):
+ * heap/CopyVisitorInlines.h:
+ (JSC::CopyVisitor::visitCell): The function responsible for calling the correct copyBackingStore() function for each JSCell from
+ a CopiedBlock's CopyWorkList.
+ (JSC::CopyVisitor::didCopy): We no longer need to check if the block is empty here because we know exactly when we're done
+ evacuating a CopiedBlock, which is when we've gone through all of the CopiedBlock's CopyWorkList.
+ * heap/CopyWorkList.h: Added.
+ (CopyWorkListSegment): Individual chunk of a CopyWorkList that is allocated from the BlockAllocator.
+ (JSC::CopyWorkListSegment::create):
+ (JSC::CopyWorkListSegment::size):
+ (JSC::CopyWorkListSegment::isFull):
+ (JSC::CopyWorkListSegment::get):
+ (JSC::CopyWorkListSegment::append):
+ (JSC::CopyWorkListSegment::CopyWorkListSegment):
+ (JSC::CopyWorkListSegment::data):
+ (JSC::CopyWorkListSegment::endOfBlock):
+ (CopyWorkListIterator): Responsible for giving CopyVisitors a contiguous notion of access across the separate CopyWorkListSegments
+ that make up each CopyWorkList.
+ (JSC::CopyWorkListIterator::get):
+ (JSC::CopyWorkListIterator::operator*):
+ (JSC::CopyWorkListIterator::operator->):
+ (JSC::CopyWorkListIterator::operator++):
+ (JSC::CopyWorkListIterator::operator==):
+ (JSC::CopyWorkListIterator::operator!=):
+ (JSC::CopyWorkListIterator::CopyWorkListIterator):
+ (CopyWorkList): Data structure that keeps track of the JSCells that need copying in a particular CopiedBlock.
+ (JSC::CopyWorkList::CopyWorkList):
+ (JSC::CopyWorkList::~CopyWorkList):
+ (JSC::CopyWorkList::append):
+ (JSC::CopyWorkList::begin):
+ (JSC::CopyWorkList::end):
+ * heap/GCThreadSharedData.cpp:
+ (JSC::GCThreadSharedData::GCThreadSharedData): We no longer use the m_blockSnapshot from the Heap during the copying phase.
+ (JSC::GCThreadSharedData::didStartCopying): We now copy the set of all blocks in the CopiedSpace to a separate vector for
+ iterating over during the copying phase since the set stored in the CopiedSpace will change as blocks are evacuated and
+ recycled throughout the copying phase.
+ * heap/GCThreadSharedData.h:
+ (GCThreadSharedData):
+ * heap/Heap.h:
+ (Heap):
+ * heap/SlotVisitor.h: We now need to know the object who is being marked that has a backing store so that we can store it
+ in a CopyWorkList to revisit later during the copying phase.
+ * heap/SlotVisitorInlines.h:
+ (JSC::SlotVisitor::copyLater):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::visitButterfly):
+
+2012-11-28 Filip Pizlo <fpizlo@apple.com>
+
+ Disassembly methods should be able to disassemble to any PrintStream& rather than always using WTF::dataFile()
+ https://bugs.webkit.org/show_bug.cgi?id=103492
+
+ Reviewed by Mark Hahnenberg.
+
+ Switched disassembly code to use PrintStream&, and to use print() rather than printf().
+
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::dump):
+ (DFG):
+ (JSC::DFG::Disassembler::dumpDisassembly):
+ * dfg/DFGDisassembler.h:
+ (Disassembler):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::printWhiteSpace):
+ (JSC::DFG::Graph::dumpCodeOrigin):
+ (JSC::DFG::Graph::printNodeWhiteSpace):
+ (JSC::DFG::Graph::dump):
+ (DFG):
+ (JSC::DFG::Graph::dumpBlockHeader):
+ * dfg/DFGGraph.h:
+ (Graph):
+ * jit/JITDisassembler.cpp:
+ (JSC::JITDisassembler::dump):
+ (JSC::JITDisassembler::dumpForInstructions):
+ (JSC::JITDisassembler::dumpDisassembly):
+ * jit/JITDisassembler.h:
+ (JITDisassembler):
+
+2012-11-28 Filip Pizlo <fpizlo@apple.com>
+
+ It should be possible to say dataLog("count = ", count, "\n") instead of dataLogF("count = %d\n", count)
+ https://bugs.webkit.org/show_bug.cgi?id=103009
+
+ Reviewed by Michael Saboff.
+
+ Instead of converting all of JSC to use the new dataLog()/print() methods, I just changed
+ one place: dumping of abstract values. This is mainly just to ensure that the code I
+ added to WTF is actually doing things.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dump):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::dump):
+ (WTF):
+ (WTF::printInternal):
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::dump):
+ (WTF):
+ (WTF::printInternal):
+
+2012-11-28 Oliver Hunt <oliver@apple.com>
+
+ Make source cache include more information about the function extent.
+ https://bugs.webkit.org/show_bug.cgi?id=103552
+
+ Reviewed by Gavin Barraclough.
+
+ Add a bit more information to the source cache.
+
+ * parser/Parser.cpp:
+ (JSC::::parseFunctionInfo):
+ Store the function start offset
+ * parser/SourceProviderCacheItem.h:
+ (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
+ (SourceProviderCacheItem):
+ Add additional field for the start of the real function string, and re-arrange
+ fields to avoid growing the struct.
+
+2012-11-27 Filip Pizlo <fpizlo@apple.com>
+
+ Convert some remaining uses of FILE* to PrintStream&.
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * bytecode/ValueProfile.h:
+ (JSC::ValueProfileBase::dump):
+ * bytecode/ValueRecovery.h:
+ (JSC::ValueRecovery::dump):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::dumpChildren):
+
+2012-11-27 Filip Pizlo <fpizlo@apple.com>
+
+ Fix indentation in JSValue.h
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * runtime/JSValue.h:
+
+2012-11-26 Filip Pizlo <fpizlo@apple.com>
+
+ DFG SetLocal should use forwardSpeculationCheck instead of its own half-baked version of same
+ https://bugs.webkit.org/show_bug.cgi?id=103353
+
+ Reviewed by Oliver Hunt and Gavin Barraclough.
+
+ Made it possible to use forward speculations for most of the operand classes. Changed the conditional
+ direction parameter from being 'bool isForward' to an enum (SpeculationDirection). Changed SetLocal
+ to use forward speculations and got rid of its half-baked version of same.
+
+ Also added the ability to force the DFG's disassembler to dump all nodes, even ones that are dead.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::dump):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculationCheck):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
+ (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
+ (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
+ (JSC::DFG::SpeculativeJIT::fillStorage):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
+ (JSC::DFG::SpeculateIntegerOperand::gpr):
+ (SpeculateIntegerOperand):
+ (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
+ (JSC::DFG::SpeculateDoubleOperand::fpr):
+ (SpeculateDoubleOperand):
+ (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
+ (JSC::DFG::SpeculateCellOperand::gpr):
+ (SpeculateCellOperand):
+ (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
+ (JSC::DFG::SpeculateBooleanOperand::gpr):
+ (SpeculateBooleanOperand):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * runtime/Options.h:
+ (JSC):
+
+2012-11-26 Daniel Bates <dbates@webkit.org>
+
+ Substitute "allSeparators8Bit" for "allSeperators8Bit" in JSC::jsSpliceSubstringsWithSeparators()
+ <https://bugs.webkit.org/show_bug.cgi?id=103303>
+
+ Reviewed by Simon Fraser.
+
+ Fix misspelled word, "Seperators" [sic], in a local variable name in JSC::jsSpliceSubstringsWithSeparators().
+
+ * runtime/StringPrototype.cpp:
+ (JSC::jsSpliceSubstringsWithSeparators):
+
+2012-11-26 Daniel Bates <dbates@webkit.org>
+
+ JavaScript fails to handle String.replace() with large replacement string
+ https://bugs.webkit.org/show_bug.cgi?id=102956
+ <rdar://problem/12738012>
+
+ Reviewed by Oliver Hunt.
+
+ Fix an issue where we didn't check for overflow when computing the length
+ of the result of String.replace() with a large replacement string.
+
+ * runtime/StringPrototype.cpp:
+ (JSC::jsSpliceSubstringsWithSeparators):
+
+2012-11-26 Zeno Albisser <zeno@webkit.org>
+
+ [Qt] Fix the LLInt build on Mac
+ https://bugs.webkit.org/show_bug.cgi?id=97587
+
+ Reviewed by Simon Hausmann.
+
+ * DerivedSources.pri:
+ * JavaScriptCore.pro:
+
+2012-11-26 Oliver Hunt <oliver@apple.com>
+
+ 32-bit build fix. Move the method decalration outside of the X86_64 only section.
+
+ * assembler/MacroAssembler.h:
+ (MacroAssembler):
+ (JSC::MacroAssembler::shouldConsiderBlinding):
+
+2012-11-26 Oliver Hunt <oliver@apple.com>
+
+ Don't blind all the things.
+ https://bugs.webkit.org/show_bug.cgi?id=102572
+
+ Reviewed by Gavin Barraclough.
+
+ No longer blind all the constants in the instruction stream. We use a
+ simple non-deterministic filter to avoid blinding everything. Also modified
+ the basic integer blinding logic to avoid blinding small negative values.
+
+ * assembler/MacroAssembler.h:
+ (MacroAssembler):
+ (JSC::MacroAssembler::shouldConsiderBlinding):
+ (JSC::MacroAssembler::shouldBlind):
+
+2012-11-26 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ JSObject::copyButterfly doesn't handle undecided indexing types correctly
+ https://bugs.webkit.org/show_bug.cgi?id=102573
+
+ Reviewed by Filip Pizlo.
+
+ We don't do any copying into the newly allocated vector and we don't zero-initialize CopiedBlocks
+ during the copying phase, so we end up with uninitialized memory in arrays which have undecided indexing
+ types. We should just do the actual memcpy from the old block to the new one.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::copyButterfly): Just do the same thing that we do for other contiguous indexing types.
+
+2012-11-26 Julien BRIANCEAU <jbrianceau@nds.com>
+
+ [sh4] JavaScriptCore JIT build is broken since r135330
+ Add missing implementation for sh4 arch.
+ https://bugs.webkit.org/show_bug.cgi?id=103145
+
+ Reviewed by Oliver Hunt.
+
+ * assembler/MacroAssemblerSH4.h:
+ (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranchPtrWithPatch):
+ (MacroAssemblerSH4):
+ (JSC::MacroAssemblerSH4::startOfBranchPtrWithPatchOnRegister):
+ (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch):
+ (JSC::MacroAssemblerSH4::startOfPatchableBranchPtrWithPatchOnAddress):
+ (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranchPtrWithPatch):
+ * assembler/SH4Assembler.h:
+ (JSC::SH4Assembler::revertJump):
+ (SH4Assembler):
+ (JSC::SH4Assembler::printInstr):
+
+2012-11-26 Yuqiang Xian <yuqiang.xian@intel.com>
+
+ Use load64 instead of loadPtr to load a JSValue on JSVALUE64 platforms
+ https://bugs.webkit.org/show_bug.cgi?id=100909
+
+ Reviewed by Brent Fulgham.
+
+ This is a (trivial) fix after r132701.
+
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+
+2012-11-26 Gabor Ballabas <gaborb@inf.u-szeged.hu>
+
+ [Qt][ARM] REGRESSION(r130826): It made 33 JSC test and 466 layout tests crash
+ https://bugs.webkit.org/show_bug.cgi?id=98857
+
+ Reviewed by Zoltan Herczeg.
+
+ Implement a new version of patchableBranch32 to fix crashing JSC
+ tests.
+
+ * assembler/MacroAssembler.h:
+ (MacroAssembler):
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::patchableBranch32):
+ (MacroAssemblerARM):
+
+2012-11-21 Filip Pizlo <fpizlo@apple.com>
+
+ Any function that can log things should be able to easily log them to a memory buffer as well
+ https://bugs.webkit.org/show_bug.cgi?id=103000
+
+ Reviewed by Sam Weinig.
+
+ Change all users of WTF::dataFile() to expect a PrintStream& rather than a FILE*.
+
+ * bytecode/Operands.h:
+ (JSC::OperandValueTraits::dump):
+ (JSC::dumpOperands):
+ (JSC):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::dump):
+ * dfg/DFGAbstractState.h:
+ (AbstractState):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::dump):
+ * dfg/DFGCommon.h:
+ (JSC::DFG::NodeIndexTraits::dump):
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::dump):
+ * dfg/DFGVariableEvent.cpp:
+ (JSC::DFG::VariableEvent::dump):
+ (JSC::DFG::VariableEvent::dumpFillInfo):
+ (JSC::DFG::VariableEvent::dumpSpillInfo):
+ * dfg/DFGVariableEvent.h:
+ (VariableEvent):
+ * disassembler/Disassembler.h:
+ (JSC):
+ (JSC::tryToDisassemble):
+ * disassembler/UDis86Disassembler.cpp:
+ (JSC::tryToDisassemble):
+
+2012-11-23 Alexis Menard <alexis@webkit.org>
+
+ [CSS3 Backgrounds and Borders] Implement new CSS3 background-position parsing.
+ https://bugs.webkit.org/show_bug.cgi?id=102104
+
+ Reviewed by Julien Chaffraix.
+
+ Protect the new feature behind a feature flag.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-11-23 Gabor Ballabas <gaborb@inf.u-szeged.hu>
+
+ Fix the ARM traditional build after r135330
+ https://bugs.webkit.org/show_bug.cgi?id=102871
+
+ Reviewed by Zoltan Herczeg.
+
+ Added missing functionality to traditional ARM architecture.
+
+ * assembler/ARMAssembler.h:
+ (JSC::ARMAssembler::revertJump):
+ (ARMAssembler):
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
+ (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
+ (MacroAssemblerARM):
+ (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):
+
+2012-11-16 Yury Semikhatsky <yurys@chromium.org>
+
+ Memory instrumentation: extract MemoryObjectInfo declaration into a separate file
+ https://bugs.webkit.org/show_bug.cgi?id=102510
+
+ Reviewed by Pavel Feldman.
+
+ Added new symbols for the methods that have moved into .../wtf/MemoryInstrumentation.cpp
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2012-11-23 Julien BRIANCEAU <jbrianceau@nds.com>
+
+ [sh4] JavaScriptCore JIT build is broken since r130839
+ Add missing implementation for sh4 arch.
+ https://bugs.webkit.org/show_bug.cgi?id=101479
+
+ Reviewed by Filip Pizlo.
+
+ * assembler/MacroAssemblerSH4.h:
+ (JSC::MacroAssemblerSH4::load8Signed):
+ (MacroAssemblerSH4):
+ (JSC::MacroAssemblerSH4::load16Signed):
+ (JSC::MacroAssemblerSH4::store8):
+ (JSC::MacroAssemblerSH4::store16):
+ (JSC::MacroAssemblerSH4::moveDoubleToInts):
+ (JSC::MacroAssemblerSH4::moveIntsToDouble):
+ (JSC::MacroAssemblerSH4::loadFloat):
+ (JSC::MacroAssemblerSH4::loadDouble):
+ (JSC::MacroAssemblerSH4::storeFloat):
+ (JSC::MacroAssemblerSH4::storeDouble):
+ (JSC::MacroAssemblerSH4::addDouble):
+ (JSC::MacroAssemblerSH4::convertFloatToDouble):
+ (JSC::MacroAssemblerSH4::convertDoubleToFloat):
+ (JSC::MacroAssemblerSH4::urshift32):
+ * assembler/SH4Assembler.h:
+ (JSC::SH4Assembler::sublRegReg):
+ (JSC::SH4Assembler::subvlRegReg):
+ (JSC::SH4Assembler::floatfpulfrn):
+ (JSC::SH4Assembler::fldsfpul):
+ (JSC::SH4Assembler::fstsfpul):
+ (JSC::SH4Assembler::dcnvsd):
+ (SH4Assembler):
+ (JSC::SH4Assembler::movbRegMem):
+ (JSC::SH4Assembler::sizeOfConstantPool):
+ (JSC::SH4Assembler::linkJump):
+ (JSC::SH4Assembler::printInstr):
+ (JSC::SH4Assembler::printBlockInstr):
+
+2012-11-22 Balazs Kilvady <kilvadyb@homejinni.com>
+
+ Fix the MIPS build after r135330
+ https://bugs.webkit.org/show_bug.cgi?id=102872
+
+ Reviewed by Gavin Barraclough.
+
+ Revert/replace functions added to MIPS port.
+
+ * assembler/MIPSAssembler.h:
+ (JSC::MIPSAssembler::revertJumpToMove):
+ (MIPSAssembler):
+ (JSC::MIPSAssembler::replaceWithJump):
+ * assembler/MacroAssemblerMIPS.h:
+ (MacroAssemblerMIPS):
+ (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
+ (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
+ (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):
+
+2012-11-21 Filip Pizlo <fpizlo@apple.com>
+
+ Rename dataLog() and dataLogV() to dataLogF() and dataLogFV()
+ https://bugs.webkit.org/show_bug.cgi?id=103001
+
+ Rubber stamped by Dan Bernstein.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+ * assembler/LinkBuffer.cpp:
+ (JSC::LinkBuffer::finalizeCodeWithDisassembly):
+ (JSC::LinkBuffer::dumpLinkStatistics):
+ (JSC::LinkBuffer::dumpCode):
+ * assembler/LinkBuffer.h:
+ (JSC):
+ * assembler/SH4Assembler.h:
+ (JSC::SH4Assembler::vprintfStdoutInstr):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
+ (JSC::CodeBlock::printUnaryOp):
+ (JSC::CodeBlock::printBinaryOp):
+ (JSC::CodeBlock::printConditionalJump):
+ (JSC::CodeBlock::printGetByIdOp):
+ (JSC::dumpStructure):
+ (JSC::dumpChain):
+ (JSC::CodeBlock::printGetByIdCacheStatus):
+ (JSC::CodeBlock::printCallOp):
+ (JSC::CodeBlock::printPutByIdOp):
+ (JSC::CodeBlock::printStructure):
+ (JSC::CodeBlock::printStructures):
+ (JSC::CodeBlock::dump):
+ (JSC::CodeBlock::dumpStatistics):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::resetStubInternal):
+ (JSC::CodeBlock::reoptimize):
+ (JSC::ProgramCodeBlock::jettison):
+ (JSC::EvalCodeBlock::jettison):
+ (JSC::FunctionCodeBlock::jettison):
+ (JSC::CodeBlock::shouldOptimizeNow):
+ (JSC::CodeBlock::tallyFrequentExitSites):
+ (JSC::CodeBlock::dumpValueProfiles):
+ * bytecode/Opcode.cpp:
+ (JSC::OpcodeStats::~OpcodeStats):
+ * bytecode/SamplingTool.cpp:
+ (JSC::SamplingFlags::stop):
+ (JSC::SamplingRegion::dumpInternal):
+ (JSC::SamplingTool::dump):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::initialize):
+ (JSC::DFG::AbstractState::endBasicBlock):
+ (JSC::DFG::AbstractState::mergeStateAtTail):
+ (JSC::DFG::AbstractState::mergeToSuccessors):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::dump):
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
+ (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
+ (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
+ (JSC::DFG::ByteCodeParser::makeSafe):
+ (JSC::DFG::ByteCodeParser::makeDivSafe):
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::processPhiStack):
+ (JSC::DFG::ByteCodeParser::linkBlock):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ (JSC::DFG::ByteCodeParser::parse):
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::performBlockCFA):
+ (JSC::DFG::CFAPhase::performForwardCFA):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
+ (JSC::DFG::CFGSimplificationPhase::fixPhis):
+ (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
+ (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
+ (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::endIndexForPureCSE):
+ (JSC::DFG::CSEPhase::setReplacement):
+ (JSC::DFG::CSEPhase::eliminate):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::debugFail):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::dump):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixDoubleEdge):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::printWhiteSpace):
+ (JSC::DFG::Graph::dumpCodeOrigin):
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::dumpBlockHeader):
+ (JSC::DFG::Graph::predictArgumentTypes):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareOSREntry):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGPhase.cpp:
+ (JSC::DFG::Phase::beginPhase):
+ * dfg/DFGPhase.h:
+ (JSC::DFG::runAndLog):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ (JSC::DFG::PredictionPropagationPhase::propagateForward):
+ (JSC::DFG::PredictionPropagationPhase::propagateBackward):
+ (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
+ * dfg/DFGRegisterBank.h:
+ (JSC::DFG::RegisterBank::dump):
+ * dfg/DFGScoreBoard.h:
+ (JSC::DFG::ScoreBoard::use):
+ (JSC::DFG::ScoreBoard::dump):
+ * dfg/DFGSlowPathGenerator.h:
+ (JSC::DFG::SlowPathGenerator::generate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
+ (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecutionWithConditionalDirection):
+ (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
+ (JSC::DFG::SpeculativeJIT::dump):
+ (JSC::DFG::SpeculativeJIT::checkConsistency):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ * dfg/DFGValidate.cpp:
+ (Validate):
+ (JSC::DFG::Validate::reportValidationContext):
+ (JSC::DFG::Validate::dumpData):
+ (JSC::DFG::Validate::dumpGraphIfAppropriate):
+ * dfg/DFGVariableEventStream.cpp:
+ (JSC::DFG::VariableEventStream::logEvent):
+ (JSC::DFG::VariableEventStream::reconstruct):
+ * dfg/DFGVirtualRegisterAllocationPhase.cpp:
+ (JSC::DFG::VirtualRegisterAllocationPhase::run):
+ * heap/Heap.cpp:
+ * heap/HeapStatistics.cpp:
+ (JSC::HeapStatistics::logStatistics):
+ (JSC::HeapStatistics::showObjectStatistics):
+ * heap/MarkStack.h:
+ * heap/MarkedBlock.h:
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::validate):
+ * interpreter/CallFrame.cpp:
+ (JSC::CallFrame::dumpCaller):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::dumpRegisters):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ (JSC::JIT::privateCompile):
+ * jit/JITDisassembler.cpp:
+ (JSC::JITDisassembler::dump):
+ (JSC::JITDisassembler::dumpForInstructions):
+ * jit/JITStubRoutine.h:
+ (JSC):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ * jit/JumpReplacementWatchpoint.cpp:
+ (JSC::JumpReplacementWatchpoint::fireInternal):
+ * llint/LLIntExceptions.cpp:
+ (JSC::LLInt::interpreterThrowInCaller):
+ (JSC::LLInt::returnToThrow):
+ (JSC::LLInt::callToThrow):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::llint_trace_operand):
+ (JSC::LLInt::llint_trace_value):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::traceFunctionPrologue):
+ (JSC::LLInt::jitCompileAndSetHeuristics):
+ (JSC::LLInt::entryOSR):
+ (JSC::LLInt::handleHostCall):
+ (JSC::LLInt::setUpCall):
+ * profiler/Profile.cpp:
+ (JSC::Profile::debugPrintData):
+ (JSC::Profile::debugPrintDataSampleStyle):
+ * profiler/ProfileNode.cpp:
+ (JSC::ProfileNode::debugPrintData):
+ (JSC::ProfileNode::debugPrintDataSampleStyle):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::dumpRegExpTrace):
+ * runtime/RegExp.cpp:
+ (JSC::RegExp::matchCompareWithInterpreter):
+ * runtime/SamplingCounter.cpp:
+ (JSC::AbstractSamplingCounter::dump):
+ * runtime/Structure.cpp:
+ (JSC::Structure::dumpStatistics):
+ (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
+ * tools/CodeProfile.cpp:
+ (JSC::CodeProfile::report):
+ * tools/ProfileTreeNode.h:
+ (JSC::ProfileTreeNode::dumpInternal):
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::ByteCompiler::dumpDisjunction):
+
+2012-11-21 Filip Pizlo <fpizlo@apple.com>
+
+ It should be possible to say disassemble(stuff) instead of having to say if (!tryToDisassemble(stuff)) dataLog("I failed")
+ https://bugs.webkit.org/show_bug.cgi?id=103010
+
+ Reviewed by Anders Carlsson.
+
+ You can still say tryToDisassemble(), which will tell you if it failed; you can then
+ decide what to do instead. But it's better to say disassemble(), which will just print
+ the instruction ranges if tryToDisassemble() failed. This is particularly appropriate
+ since that's what all previous users of tryToDisassemble() would have done in some
+ form or another.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * assembler/LinkBuffer.cpp:
+ (JSC::LinkBuffer::finalizeCodeWithDisassembly):
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::dumpDisassembly):
+ * disassembler/Disassembler.cpp: Added.
+ (JSC):
+ (JSC::disassemble):
+ * disassembler/Disassembler.h:
+ (JSC):
+ * jit/JITDisassembler.cpp:
+ (JSC::JITDisassembler::dumpDisassembly):
+
+2012-11-21 Filip Pizlo <fpizlo@apple.com>
+
+ dumpOperands() claims that it needs a non-const Operands& when that is completely false
+ https://bugs.webkit.org/show_bug.cgi?id=103005
+
+ Reviewed by Eric Carlson.
+
+ * bytecode/Operands.h:
+ (JSC::dumpOperands):
+ (JSC):
+
+2012-11-20 Filip Pizlo <fpizlo@apple.com>
+
+ Baseline JIT's disassembly should be just as pretty as the DFG's
+ https://bugs.webkit.org/show_bug.cgi?id=102873
+
+ Reviewed by Sam Weinig.
+
+ Integrated the CodeBlock's bytecode dumper with the JIT's disassembler. Also fixed
+ some type goof-ups (instructions are not in a Vector<Instruction> so using a Vector
+ iterator makes no sense) and stream-lined some things (you don't actually need a
+ full-fledged ExecState* to dump bytecode).
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printUnaryOp):
+ (JSC::CodeBlock::printBinaryOp):
+ (JSC::CodeBlock::printConditionalJump):
+ (JSC::CodeBlock::printGetByIdOp):
+ (JSC::CodeBlock::printCallOp):
+ (JSC::CodeBlock::printPutByIdOp):
+ (JSC::CodeBlock::dump):
+ (JSC):
+ (JSC::CodeBlock::CodeBlock):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::dumpCallFrame):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ (JSC::JIT::privateCompile):
+ * jit/JIT.h:
+ (JIT):
+ * jit/JITDisassembler.cpp: Added.
+ (JSC):
+ (JSC::JITDisassembler::JITDisassembler):
+ (JSC::JITDisassembler::~JITDisassembler):
+ (JSC::JITDisassembler::dump):
+ (JSC::JITDisassembler::dumpForInstructions):
+ (JSC::JITDisassembler::dumpDisassembly):
+ * jit/JITDisassembler.h: Added.
+ (JSC):
+ (JITDisassembler):
+ (JSC::JITDisassembler::setStartOfCode):
+ (JSC::JITDisassembler::setForBytecodeMainPath):
+ (JSC::JITDisassembler::setForBytecodeSlowPath):
+ (JSC::JITDisassembler::setEndOfSlowPath):
+ (JSC::JITDisassembler::setEndOfCode):
+
+2012-11-21 Daniel Bates <dbates@webkit.org>
+
+ JavaScript fails to concatenate large strings
+ <https://bugs.webkit.org/show_bug.cgi?id=102963>
+
+ Reviewed by Michael Saboff.
+
+ Fixes an issue where we inadvertently didn't check the length of
+ a JavaScript string for overflow.
+
+ * runtime/Operations.h:
+ (JSC::jsString):
+ (JSC::jsStringFromArguments):
+
+2012-11-20 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should be able to cache closure calls (part 2/2)
+ https://bugs.webkit.org/show_bug.cgi?id=102662
+
+ Reviewed by Gavin Barraclough.
+
+ Added caching of calls where the JSFunction* varies, but the Structure* and ExecutableBase*
+ stay the same. This is accomplished by replacing the branch that compares against a constant
+ JSFunction* with a jump to a closure call stub. The closure call stub contains a fast path,
+ and jumps slow directly to the virtual call thunk.
+
+ Looks like a 1% win on V8v7.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/CallLinkInfo.cpp:
+ (JSC::CallLinkInfo::unlink):
+ * bytecode/CallLinkInfo.h:
+ (CallLinkInfo):
+ (JSC::CallLinkInfo::isLinked):
+ (JSC::getCallLinkInfoBytecodeIndex):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC):
+ (JSC::CodeBlock::findClosureCallForReturnPC):
+ (JSC::CodeBlock::bytecodeOffset):
+ (JSC::CodeBlock::codeOriginForReturn):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::getCallLinkInfo):
+ (CodeBlock):
+ (JSC::CodeBlock::isIncomingCallAlreadyLinked):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::addJSCall):
+ (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
+ (JSCallRecord):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::linkSlowFor):
+ (DFG):
+ (JSC::DFG::dfgLinkFor):
+ (JSC::DFG::dfgLinkSlowFor):
+ (JSC::DFG::dfgLinkClosureCall):
+ * dfg/DFGRepatch.h:
+ (DFG):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * dfg/DFGThunks.cpp:
+ (DFG):
+ (JSC::DFG::linkClosureCallThunkGenerator):
+ * dfg/DFGThunks.h:
+ (DFG):
+ * heap/Heap.h:
+ (Heap):
+ (JSC::Heap::jitStubRoutines):
+ * heap/JITStubRoutineSet.h:
+ (JSC::JITStubRoutineSet::size):
+ (JSC::JITStubRoutineSet::at):
+ (JITStubRoutineSet):
+ * jit/ClosureCallStubRoutine.cpp: Added.
+ (JSC):
+ (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
+ (JSC::ClosureCallStubRoutine::~ClosureCallStubRoutine):
+ (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
+ * jit/ClosureCallStubRoutine.h: Added.
+ (JSC):
+ (ClosureCallStubRoutine):
+ (JSC::ClosureCallStubRoutine::structure):
+ (JSC::ClosureCallStubRoutine::executable):
+ (JSC::ClosureCallStubRoutine::codeOrigin):
+ * jit/GCAwareJITStubRoutine.cpp:
+ (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
+ * jit/GCAwareJITStubRoutine.h:
+ (GCAwareJITStubRoutine):
+ (JSC::GCAwareJITStubRoutine::isClosureCall):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompile):
+
+2012-11-20 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should be able to cache closure calls (part 1/2)
+ https://bugs.webkit.org/show_bug.cgi?id=102662
+
+ Reviewed by Gavin Barraclough.
+
+ Add ability to revert a jump replacement back to
+ branchPtrWithPatch(Condition, RegisterID, TrustedImmPtr). This is meant to be
+ a mandatory piece of functionality for all assemblers. I also renamed some of
+ the functions for reverting jump replacements back to
+ patchableBranchPtrWithPatch(Condition, Address, TrustedImmPtr), so as to avoid
+ confusion.
+
+ * assembler/ARMv7Assembler.h:
+ (JSC::ARMv7Assembler::BadReg):
+ (ARMv7Assembler):
+ (JSC::ARMv7Assembler::revertJumpTo_movT3):
+ * assembler/LinkBuffer.h:
+ (JSC):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
+ (MacroAssemblerARMv7):
+ (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
+ (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
+ * assembler/MacroAssemblerX86.h:
+ (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
+ (MacroAssemblerX86):
+ (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
+ (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
+ * assembler/MacroAssemblerX86_64.h:
+ (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
+ (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
+ (MacroAssemblerX86_64):
+ (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
+ * assembler/RepatchBuffer.h:
+ (JSC::RepatchBuffer::startOfBranchPtrWithPatchOnRegister):
+ (RepatchBuffer):
+ (JSC::RepatchBuffer::startOfPatchableBranchPtrWithPatchOnAddress):
+ (JSC::RepatchBuffer::revertJumpReplacementToBranchPtrWithPatch):
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::revertJumpTo_cmpl_ir_force32):
+ (X86Assembler):
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::replaceWithJump):
+ (JSC::DFG::dfgResetGetByID):
+ (JSC::DFG::dfgResetPutByID):
+
+2012-11-20 Yong Li <yoli@rim.com>
+
+ [ARMv7] Neither linkCall() nor linkPointer() should flush code.
+ https://bugs.webkit.org/show_bug.cgi?id=99213
+
+ Reviewed by George Staikos.
+
+ LinkBuffer doesn't need to flush code during linking. It will
+ eventually flush the whole executable. Fixing this gives >%5
+ sunspider boost (on QNX).
+
+ Also make replaceWithLoad() and replaceWithAddressComputation() flush
+ only when necessary.
+
+ * assembler/ARMv7Assembler.h:
+ (JSC::ARMv7Assembler::linkCall):
+ (JSC::ARMv7Assembler::linkPointer):
+ (JSC::ARMv7Assembler::relinkCall):
+ (JSC::ARMv7Assembler::repatchInt32):
+ (JSC::ARMv7Assembler::repatchPointer):
+ (JSC::ARMv7Assembler::replaceWithLoad): Flush only after it did write.
+ (JSC::ARMv7Assembler::replaceWithAddressComputation): Flush only after it did write.
+ (JSC::ARMv7Assembler::setInt32):
+ (JSC::ARMv7Assembler::setPointer):
+
+2012-11-19 Filip Pizlo <fpizlo@apple.com>
+
+ Remove support for ARMv7 errata from the jump code
+ https://bugs.webkit.org/show_bug.cgi?id=102759
+
+ Reviewed by Oliver Hunt.
+
+ The jump replacement code was wrong to begin with since it wasn't doing
+ a cache flush on the inserted padding. And, to my knowledge, we don't need
+ this anymore, so this patch removes all errata code from the ARMv7 port.
+
+ * assembler/ARMv7Assembler.h:
+ (JSC::ARMv7Assembler::computeJumpType):
+ (JSC::ARMv7Assembler::replaceWithJump):
+ (JSC::ARMv7Assembler::maxJumpReplacementSize):
+ (JSC::ARMv7Assembler::canBeJumpT3):
+ (JSC::ARMv7Assembler::canBeJumpT4):
+
+2012-11-19 Patrick Gansterer <paroga@webkit.org>
+
+ [CMake] Create JavaScriptCore ForwardingHeaders
+ https://bugs.webkit.org/show_bug.cgi?id=92665
+
+ Reviewed by Brent Fulgham.
+
+ When using CMake to build the Windows port, we need
+ to generate the forwarding headers with it too.
+
+ * CMakeLists.txt:
+
+2012-11-19 Kihong Kwon <kihong.kwon@samsung.com>
+
+ Add PROXIMITY_EVENTS feature
+ https://bugs.webkit.org/show_bug.cgi?id=102658
+
+ Reviewed by Kentaro Hara.
+
+ Add PROXIMITY_EVENTS feature to xcode project for JavaScriptCore.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-11-18 Dan Bernstein <mitz@apple.com>
+
+ Try to fix the DFG build after r135099.
+
+ * dfg/DFGCommon.h:
+ (JSC::DFG::shouldShowDisassembly):
+
+2012-11-18 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, build fix for !ENABLE(DFG_JIT).
+
+ * dfg/DFGCommon.h:
+ (JSC::DFG::shouldShowDisassembly):
+ (DFG):
+
+2012-11-18 Filip Pizlo <fpizlo@apple.com>
+
+ JSC should have more logging in structure-related code
+ https://bugs.webkit.org/show_bug.cgi?id=102630
+
+ Reviewed by Simon Fraser.
+
+ - JSValue::description() now tells you if something is a structure, and if so,
+ what kind of structure it is.
+
+ - Jettisoning logic now tells you why things are being jettisoned.
+
+ - It's now possible to turn off GC-triggered jettisoning entirely.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::reoptimize):
+ (JSC::ProgramCodeBlock::jettison):
+ (JSC::EvalCodeBlock::jettison):
+ (JSC::FunctionCodeBlock::jettison):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
+ * runtime/JSValue.cpp:
+ (JSC::JSValue::description):
+ * runtime/Options.h:
+ (JSC):
+
+2012-11-18 Filip Pizlo <fpizlo@apple.com>
+
+ DFG constant folding phase should say 'changed = true' whenever it changes the graph
+ https://bugs.webkit.org/show_bug.cgi?id=102550
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
+2012-11-17 Elliott Sprehn <esprehn@chromium.org>
+
+ Expose JSObject removeDirect and PrivateName to WebCore
+ https://bugs.webkit.org/show_bug.cgi?id=102546
+
+ Reviewed by Geoffrey Garen.
+
+ Export removeDirect for use in WebCore so JSDependentRetained works.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2012-11-16 Filip Pizlo <fpizlo@apple.com>
+
+ Given a PutById or GetById with a proven structure, the DFG should be able to emit a PutByOffset or GetByOffset instead
+ https://bugs.webkit.org/show_bug.cgi?id=102327
+
+ Reviewed by Mark Hahnenberg.
+
+ If the profiler tells us that a GetById or PutById may be polymorphic but our
+ control flow analysis proves that it isn't, we should trust the control flow
+ analysis over the profiler. This arises in cases where GetById or PutById were
+ inlined: the inlined function may have been called from other places that led
+ to polymorphism, but in the current inlined context, there is no polymorphism.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dump):
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeFor):
+ (JSC):
+ * bytecode/GetByIdStatus.h:
+ (JSC::GetByIdStatus::GetByIdStatus):
+ (GetByIdStatus):
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeFor):
+ (JSC):
+ * bytecode/PutByIdStatus.h:
+ (JSC):
+ (JSC::PutByIdStatus::PutByIdStatus):
+ (PutByIdStatus):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::bestProvenStructure):
+ (AbstractValue):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
+ (ConstantFoldingPhase):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToGetByOffset):
+ (Node):
+ (JSC::DFG::Node::convertToPutByOffset):
+ (JSC::DFG::Node::hasStorageResult):
+ * runtime/JSGlobalObject.h:
+ (JSC::Structure::prototypeChain):
+ (JSC):
+ (JSC::Structure::isValid):
+ * runtime/Operations.h:
+ (JSC::isPrototypeChainNormalized):
+ (JSC):
+ * runtime/Structure.h:
+ (Structure):
+ (JSC::Structure::transitionDidInvolveSpecificValue):
+
+2012-11-16 Tony Chang <tony@chromium.org>
+
+ Remove ENABLE_CSS_HIERARCHIES since it's no longer in use
+ https://bugs.webkit.org/show_bug.cgi?id=102554
+
+ Reviewed by Andreas Kling.
+
+ As mentioned in https://bugs.webkit.org/show_bug.cgi?id=79939#c41 ,
+ we're going to revist this feature once additional vendor support is
+ achieved.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-11-16 Patrick Gansterer <paroga@webkit.org>
+
+ Build fix for WinCE after r133688.
+
+ Use numeric_limits<uint32_t>::max() instead of UINT32_MAX.
+
+ * runtime/CodeCache.h:
+ (JSC::CacheMap::CacheMap):
+
+2012-11-15 Filip Pizlo <fpizlo@apple.com>
+
+ ClassInfo.h should have correct indentation.
+
+ Rubber stamped by Mark Hahnenberg.
+
+ ClassInfo.h had some true creativity in its use of whitespace. Some things within
+ the namespace were indented four spaces and others where not. One #define had its
+ contents indented four spaces, while another didn't. I applied the following rule:
+
+ - Non-macro things in the namespace should not be indented (that's our current
+ accepted practice).
+
+ - Macros should never be indented but if they are multi-line then their subsequent
+ bodies should be indented four spaces. I believe that is consistent with what we
+ do elsewhere.
+
+ * runtime/ClassInfo.h:
+ (JSC):
+ (MethodTable):
+ (ClassInfo):
+ (JSC::ClassInfo::propHashTable):
+ (JSC::ClassInfo::isSubClassOf):
+ (JSC::ClassInfo::hasStaticProperties):
+
+2012-11-15 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should copy propagate trivially no-op ConvertThis
+ https://bugs.webkit.org/show_bug.cgi?id=102445
+
+ Reviewed by Oliver Hunt.
+
+ Copy propagation is always a good thing, since it reveals must-alias relationships
+ to the CFA and CSE. This accomplishes copy propagation for ConvertThis by first
+ converting it to an Identity node (which is done by the constant folder since it
+ has access to CFA results) and then performing substitution of references to
+ Identity with references to Identity's child in the CSE.
+
+ I'm not aiming for a big speed-up here; I just think that this will be useful for
+ the work on https://bugs.webkit.org/show_bug.cgi?id=102327.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2012-11-15 Filip Pizlo <fpizlo@apple.com>
+
+ CallData.h should have correct indentation.
+
+ Rubber stamped by Mark Hahneberg.
+
+ * runtime/CallData.h:
+ (JSC):
+
+2012-11-15 Filip Pizlo <fpizlo@apple.com>
+
+ Remove methodCallDummy since it is not used anymore.
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::reset):
+ (JSC):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSGlobalObject):
+
+2012-11-14 Filip Pizlo <fpizlo@apple.com>
+
+ Structure should be able to easily tell if the prototype chain might intercept a store
+ https://bugs.webkit.org/show_bug.cgi?id=102326
+
+ Reviewed by Geoffrey Garen.
+
+ This improves our ability to reason about the correctness of the more optimized
+ prototype chain walk in JSObject::put(), while also making it straight forward to
+ check if the prototype chain will do strange things to a property store by just
+ looking at the structure.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::put):
+ * runtime/Structure.cpp:
+ (JSC::Structure::prototypeChainMayInterceptStoreTo):
+ (JSC):
+ * runtime/Structure.h:
+ (Structure):
+
+2012-11-15 Thiago Marcos P. Santos <thiago.santos@intel.com>
+
+ [CMake] Do not regenerate LLIntAssembly.h on every incremental build
+ https://bugs.webkit.org/show_bug.cgi?id=102248
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ Update LLIntAssembly.h's mtime after running asm.rb to make the build
+ system dependency tracking consistent.
+
+ * CMakeLists.txt:
+
+2012-11-15 Thiago Marcos P. Santos <thiago.santos@intel.com>
+
+ Fix compiler warnings about signed/unsigned comparison on i386
+ https://bugs.webkit.org/show_bug.cgi?id=102249
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ Add casting to unsigned to shut up gcc warnings. Build was broken on
+ JSVALUE32_64 ports compiling with -Werror.
+
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions):
+
+2012-11-14 Brent Fulgham <bfulgham@webkit.org>
+
+ [Windows, WinCairo] Unreviewed build fix.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+ Missed one of the exports that was part of the WebKit2.def.
+
+2012-11-14 Brent Fulgham <bfulgham@webkit.org>
+
+ [Windows, WinCairo] Correct build failure.
+ https://bugs.webkit.org/show_bug.cgi?id=102302
+
+ WebCore symbols were mistakenly added to the JavaScriptCore
+ library definition file.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Remove
+ WebCore symbols that were incorrectly added to the export file.
+
+2012-11-14 Mark Lam <mark.lam@apple.com>
+
+ Change JSEventListener::m_jsFunction to be a weak ref.
+ https://bugs.webkit.org/show_bug.cgi?id=101989.
+
+ Reviewed by Geoffrey Garen.
+
+ Added infrastructure for scanning weak ref slots.
+
+ * heap/SlotVisitor.cpp: Added #include "SlotVisitorInlines.h".
+ * heap/SlotVisitor.h:
+ (SlotVisitor): Added SlotVisitor::appendUnbarrieredWeak().
+ * heap/SlotVisitorInlines.h: Added #include "Weak.h".
+ (JSC::SlotVisitor::appendUnbarrieredWeak): Added.
+ * heap/Weak.h:
+ (JSC::operator==): Added operator==() for Weak.
+ * runtime/JSCell.h: Removed #include "SlotVisitorInlines.h".
+ * runtime/JSObject.h: Added #include "SlotVisitorInlines.h".
+
+2012-11-14 Filip Pizlo <fpizlo@apple.com>
+
+ Read-only properties created with putDirect() should tell the structure that there are read-only properties
+ https://bugs.webkit.org/show_bug.cgi?id=102292
+
+ Reviewed by Gavin Barraclough.
+
+ This mostly affects things like function.length.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::putDirectInternal):
+
+2012-11-13 Filip Pizlo <fpizlo@apple.com>
+
+ Don't access Node& after adding nodes to the graph.
+ https://bugs.webkit.org/show_bug.cgi?id=102005
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+
+2012-11-14 Valery Ignatyev <valery.ignatyev@ispras.ru>
+
+ Replace (typeof(x) != <"object", "undefined", ...>) with
+ !(typeof(x) == <"object",..>). Later is_object, is_<...> bytecode operation
+ will be used.
+
+ https://bugs.webkit.org/show_bug.cgi?id=98893
+
+ Reviewed by Filip Pizlo.
+
+ This eliminates expensive typeof implementation and
+ allows to use DFG optimizations, which doesn't support 'typeof'.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::BinaryOpNode::emitBytecode):
+
+2012-11-14 Peter Gal <galpeter@inf.u-szeged.hu>
+
+ [Qt][ARM]REGRESSION(r133985): It broke the build
+ https://bugs.webkit.org/show_bug.cgi?id=101740
+
+ Reviewed by Csaba Osztrogonác.
+
+ Changed the emitGenericContiguousPutByVal to accept the additional IndexingType argument.
+ This information was passed as a template parameter.
+
+ * jit/JIT.h:
+ (JSC::JIT::emitInt32PutByVal):
+ (JSC::JIT::emitDoublePutByVal):
+ (JSC::JIT::emitContiguousPutByVal):
+ (JIT):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitGenericContiguousPutByVal):
+
+2012-11-14 Peter Gal <galpeter@inf.u-szeged.hu>
+
+ Fix the MIPS build after r134332
+ https://bugs.webkit.org/show_bug.cgi?id=102227
+
+ Reviewed by Csaba Osztrogonác.
+
+ Added missing methods for the MacroAssemblerMIPS, based on the MacroAssemblerARMv7.
+
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranchPtrWithPatch):
+ (MacroAssemblerMIPS):
+ (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatch):
+ (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):
+
+2012-11-14 Peter Gal <galpeter@inf.u-szeged.hu>
+
+ Fix the [-Wreturn-type] warning in JavaScriptCore/assembler/MacroAssemblerARM.h
+ https://bugs.webkit.org/show_bug.cgi?id=102206
+
+ Reviewed by Csaba Osztrogonác.
+
+ Add a return value for the function to suppress the warning.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch):
+
+2012-11-14 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r134599.
+ http://trac.webkit.org/changeset/134599
+ https://bugs.webkit.org/show_bug.cgi?id=102225
+
+ It broke the 32 bit EFL build (Requested by Ossy on #webkit).
+
+ * jit/JITPropertyAccess.cpp:
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+
+2012-11-14 Balazs Kilvady <kilvadyb@homejinni.com>
+
+ [Qt][ARM]REGRESSION(r133985): It broke the build
+ https://bugs.webkit.org/show_bug.cgi?id=101740
+
+ Reviewed by Csaba Osztrogonác.
+
+ Template function body moved to fix VALUE_PROFILER disabled case.
+
+ * jit/JITPropertyAccess.cpp:
+ (JSC):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+
+2012-11-13 Filip Pizlo <fpizlo@apple.com>
+
+ DFG CreateThis should be able to statically account for the structure of the object it creates, if profiling indicates that this structure is always the same
+ https://bugs.webkit.org/show_bug.cgi?id=102017
+
+ Reviewed by Geoffrey Garen.
+
+ This adds a watchpoint in JSFunction on the cached inheritor ID. It also changes
+ NewObject to take a structure as an operand (previously it implicitly used the owning
+ global object's empty object structure). Any GetCallee where the callee is predictable
+ is turned into a CheckFunction + WeakJSConstant, and any CreateThis on a WeakJSConstant
+ where the inheritor ID watchpoint is still valid is turned into an InheritorIDWatchpoint
+ followed by a NewObject. NewObject already accounts for the structure it uses for object
+ creation in the CFA.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::checkFunctionElimination):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasFunction):
+ (JSC::DFG::Node::function):
+ (JSC::DFG::Node::hasStructure):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * runtime/Executable.h:
+ (JSC::JSFunction::JSFunction):
+ * runtime/JSBoundFunction.cpp:
+ (JSC):
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::JSFunction):
+ (JSC::JSFunction::put):
+ (JSC::JSFunction::defineOwnProperty):
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::tryGetKnownInheritorID):
+ (JSFunction):
+ (JSC::JSFunction::addInheritorIDWatchpoint):
+
+2012-11-13 Filip Pizlo <fpizlo@apple.com>
+
+ JSFunction and its descendants should be destructible
+ https://bugs.webkit.org/show_bug.cgi?id=102062
+
+ Reviewed by Mark Hahnenberg.
+
+ This will make it easy to place an InlineWatchpointSet inside JSFunction. In the
+ future, we could make JSFunction non-destructible again by making a version of
+ WatchpointSet that is entirely GC'd, but this seems like overkill for now.
+
+ This is performance-neutral.
+
+ * runtime/JSBoundFunction.cpp:
+ (JSC::JSBoundFunction::destroy):
+ (JSC):
+ * runtime/JSBoundFunction.h:
+ (JSBoundFunction):
+ * runtime/JSFunction.cpp:
+ (JSC):
+ (JSC::JSFunction::destroy):
+ * runtime/JSFunction.h:
+ (JSFunction):
+
+2012-11-13 Cosmin Truta <ctruta@rim.com>
+
+ Uninitialized fields in class JSLock
+ https://bugs.webkit.org/show_bug.cgi?id=101695
+
+ Reviewed by Mark Hahnenberg.
+
+ Initialize JSLock::m_ownerThread and JSLock::m_lockDropDepth.
+
+ * runtime/JSLock.cpp:
+ (JSC::JSLock::JSLock):
+
+2012-11-13 Peter Gal <galpeter@inf.u-szeged.hu>
+
+ Fix the ARM traditional build after r134332
+ https://bugs.webkit.org/show_bug.cgi?id=102044
+
+ Reviewed by Zoltan Herczeg.
+
+ Added missing methods for the MacroAssemblerARM, based on the MacroAssemblerARMv7.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::canJumpReplacePatchableBranchPtrWithPatch):
+ (MacroAssemblerARM):
+ (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch):
+ (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):
+
+2012-11-12 Filip Pizlo <fpizlo@apple.com>
+
+ op_get_callee should have value profiling
+ https://bugs.webkit.org/show_bug.cgi?id=102047
+
+ Reviewed by Sam Weinig.
+
+ This will allow us to detect if the callee is always the same, which is probably
+ the common case for a lot of constructors.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ * bytecode/Opcode.h:
+ (JSC):
+ (JSC::padOpcodeName):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_get_callee):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_get_callee):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2012-11-12 Filip Pizlo <fpizlo@apple.com>
+
+ The act of getting the callee during 'this' construction should be explicit in bytecode
+ https://bugs.webkit.org/show_bug.cgi?id=102016
+
+ Reviewed by Michael Saboff.
+
+ This is mostly a rollout of http://trac.webkit.org/changeset/116673, but also includes
+ changes to have create_this use the result of get_callee.
+
+ No performance or behavioral impact. This is just meant to allow us to profile
+ get_callee in the future.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dump):
+ * bytecode/Opcode.h:
+ (JSC):
+ (JSC::padOpcodeName):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canCompileOpcode):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * jit/JIT.h:
+ (JIT):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_get_callee):
+ (JSC):
+ (JSC::JIT::emit_op_create_this):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_get_callee):
+ (JSC):
+ (JSC::JIT::emit_op_create_this):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2012-11-12 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, fix ARMv7 build.
+
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatch):
+ (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
+
+2012-11-12 Filip Pizlo <fpizlo@apple.com>
+
+ Patching of jumps to stubs should use jump replacement rather than branch destination overwrite
+ https://bugs.webkit.org/show_bug.cgi?id=101909
+
+ Reviewed by Geoffrey Garen.
+
+ This saves a few instructions in inline cases, on those architectures where it is
+ easy to figure out where to put the jump replacement. Sub-1% speed-up across the
+ board.
+
+ * assembler/MacroAssemblerARMv7.h:
+ (MacroAssemblerARMv7):
+ (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranchPtrWithPatch):
+ (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatch):
+ (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
+ * assembler/MacroAssemblerX86.h:
+ (JSC::MacroAssemblerX86::canJumpReplacePatchableBranchPtrWithPatch):
+ (MacroAssemblerX86):
+ (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatch):
+ (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
+ * assembler/MacroAssemblerX86_64.h:
+ (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranchPtrWithPatch):
+ (MacroAssemblerX86_64):
+ (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatch):
+ (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
+ * assembler/RepatchBuffer.h:
+ (JSC::RepatchBuffer::startOfPatchableBranchPtrWithPatch):
+ (RepatchBuffer):
+ (JSC::RepatchBuffer::replaceWithJump):
+ (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranchPtrWithPatch):
+ * assembler/X86Assembler.h:
+ (X86Assembler):
+ (JSC::X86Assembler::revertJumpTo_movq_i64r):
+ (JSC::X86Assembler::revertJumpTo_cmpl_im_force32):
+ (X86InstructionFormatter):
+ * bytecode/StructureStubInfo.h:
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::replaceWithJump):
+ (DFG):
+ (JSC::DFG::tryCacheGetByID):
+ (JSC::DFG::tryBuildGetByIDList):
+ (JSC::DFG::tryBuildGetByIDProtoList):
+ (JSC::DFG::tryCachePutByID):
+ (JSC::DFG::dfgResetGetByID):
+ (JSC::DFG::dfgResetPutByID):
+
+2012-11-11 Filip Pizlo <fpizlo@apple.com>
+
+ DFG ArithMul overflow check elimination is too aggressive
+ https://bugs.webkit.org/show_bug.cgi?id=101871
+
+ Reviewed by Oliver Hunt.
+
+ The code was ignoring the fact that ((a * b) | 0) == (((a | 0) * (b | 0)) | 0)
+ only holds if a * b < 2^53. So, I changed it to only enable the optimization
+ when a < 2^22 and b is an int32 (and vice versa), using a super trivial peephole
+ analysis to prove the inequality. I considered writing an epic forward flow
+ formulation that tracks the ranges of integer values but then I thought better
+ of it.
+
+ This also rewires the ArithMul integer speculation logic. Previously, we would
+ assume that an ArithMul was only UsedAsNumber if it escaped, and separately we
+ would decide whether to speculate integer based on a proof of the <2^22
+ inequality. Now, we treat the double rounding behavior of ArithMul as if the
+ result was UsedAsNumber even if it did not escape. Then we try to prove that
+ double rounding cannot happen by attemping to prove that a < 2^22. This then
+ feeds back into the decision of whether or not to speculate integer (if we fail
+ to prove a < 2^22 then we're UsedAsNumber, and if we're also MayOverflow then
+ that forces double speculation).
+
+ No performance impact. It just fixes a bug.
+
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::mulShouldSpeculateInteger):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (PredictionPropagationPhase):
+ (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
+ (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
+ (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+
+2012-11-11 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should not emit function checks if we've already proved that the operand is that exact function
+ https://bugs.webkit.org/show_bug.cgi?id=101885
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::filterByValue):
+ (AbstractValue):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
+2012-11-12 Kentaro Hara <haraken@chromium.org>
+
+ [V8][JSC] ScriptProfileNode::callUID needs not to be [Custom]
+ https://bugs.webkit.org/show_bug.cgi?id=101892
+
+ Reviewed by Adam Barth.
+
+ Added callUID(), which enables us to kill custom bindings for ScriptProfileNode::callUID.
+
+ * profiler/ProfileNode.h:
+ (JSC::ProfileNode::callUID):
+
+2012-11-12 Carlos Garcia Campos <cgarcia@igalia.com>
+
+ Unreviewed. Fix make distcheck.
+
+ * GNUmakefile.list.am: Add missing header.
+
+2012-11-11 Michael Pruett <michael@68k.org>
+
+ Fix assertion failure in JSObject::tryGetIndexQuickly()
+ https://bugs.webkit.org/show_bug.cgi?id=101869
+
+ Reviewed by Filip Pizlo.
+
+ Currently JSObject::tryGetIndexQuickly() triggers an assertion
+ failure when the object has an undecided indexing type. This
+ case should be treated the same as a blank indexing type.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::tryGetIndexQuickly):
+
+2012-11-11 Filip Pizlo <fpizlo@apple.com>
+
+ DFG register allocation should be greedy rather than round-robin
+ https://bugs.webkit.org/show_bug.cgi?id=101870
+
+ Reviewed by Geoffrey Garen.
+
+ This simplifies the code, reduces some code duplication, and shows some slight
+ performance improvements in a few places, likely due to the fact that lower-numered
+ registers also typically have smaller encodings.
+
+ * dfg/DFGRegisterBank.h:
+ (JSC::DFG::RegisterBank::RegisterBank):
+ (JSC::DFG::RegisterBank::tryAllocate):
+ (JSC::DFG::RegisterBank::allocate):
+ (JSC::DFG::RegisterBank::allocateInternal):
+ (RegisterBank):
+
+2012-11-11 Kenichi Ishibashi <bashi@chromium.org>
+
+ WTFString::utf8() should have a mode of conversion to use replacement character
+ https://bugs.webkit.org/show_bug.cgi?id=101678
+
+ Reviewed by Alexey Proskuryakov.
+
+ Follow the change on String::utf8()
+
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::encode): Pass String::StrictConversion instead of true to String::utf8().
+
+2012-11-10 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should optimize out the NaN check on loads from double arrays if the array prototype chain is having a great time
+ https://bugs.webkit.org/show_bug.cgi?id=101718
+
+ Reviewed by Geoffrey Garen.
+
+ If we're reading from a JSArray in double mode, where the array's structure is
+ primordial (all aspects of the structure are unchanged except for indexing type),
+ and the result of the load is used in arithmetic that is known to not distinguish
+ between NaN and undefined, then we should not emit a NaN check. Looks like a 5%
+ win on navier-stokes.
+
+ Also fixed an OpInfo initialization goof for String ops that was revealed by this
+ change.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::arraySpeculationToString):
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::isSaneChain):
+ (ArrayMode):
+ (JSC::DFG::ArrayMode::isInBounds):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNodeFlags.cpp:
+ (JSC::DFG::nodeFlagsAsString):
+ * dfg/DFGNodeFlags.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
+ (JSC):
+ * runtime/JSGlobalObject.h:
+ (JSGlobalObject):
+
+2012-11-10 Filip Pizlo <fpizlo@apple.com>
+
+ DFG constant folding and CFG simplification should be smart enough to know that if a logical op's operand is proven to have a non-masquerading structure then it always evaluates to true
+ https://bugs.webkit.org/show_bug.cgi?id=101511
+
+ Reviewed by Geoffrey Garen.
+
+ This is the second attempt at this patch, which fixes the !"" case.
+
+ To make life easier, this moves BranchDirection into BasicBlock so that after
+ running the CFA, we always know, for each block, what direction the CFA
+ proved. CFG simplification now both uses and preserves cfaBranchDirection in
+ its transformations.
+
+ Also made both LogicalNot and Branch check whether the operand is a known cell
+ with a known structure, and if so, made them do the appropriate folding.
+
+ 5% speed-up on V8/raytrace because it makes raytrace's own null checks
+ evaporate (i.e. idioms like 'if (!x) throw "unhappiness"') thanks to the fact
+ that we were already doing structure check hoisting.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::endBasicBlock):
+ (JSC::DFG::AbstractState::execute):
+ (JSC::DFG::AbstractState::mergeToSuccessors):
+ * dfg/DFGAbstractState.h:
+ (AbstractState):
+ * dfg/DFGBasicBlock.h:
+ (JSC::DFG::BasicBlock::BasicBlock):
+ (BasicBlock):
+ * dfg/DFGBranchDirection.h: Added.
+ (DFG):
+ (JSC::DFG::branchDirectionToString):
+ (JSC::DFG::isKnownDirection):
+ (JSC::DFG::branchCondition):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
+
+2012-11-10 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r133971.
+ http://trac.webkit.org/changeset/133971
+ https://bugs.webkit.org/show_bug.cgi?id=101839
+
+ Causes WebProcess to hang at 100% on www.apple.com (Requested
+ by kling on #webkit).
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::endBasicBlock):
+ (JSC::DFG::AbstractState::execute):
+ (JSC::DFG::AbstractState::mergeToSuccessors):
+ * dfg/DFGAbstractState.h:
+ (JSC::DFG::AbstractState::branchDirectionToString):
+ (AbstractState):
+ * dfg/DFGBasicBlock.h:
+ (JSC::DFG::BasicBlock::BasicBlock):
+ (BasicBlock):
+ * dfg/DFGBranchDirection.h: Removed.
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
+
+2012-11-09 Filip Pizlo <fpizlo@apple.com>
+
+ If the DFG ArrayMode says that an access is on an OriginalArray, then the checks should always enforce this
+ https://bugs.webkit.org/show_bug.cgi?id=101720
+
+ Reviewed by Mark Hahnenberg.
+
+ Previously, "original" arrays was just a hint that we could find the structure
+ of the array if we needed to even if the array profile didn't have it due to
+ polymorphism. Now, "original" arrays are a property that is actually checked:
+ if an array access has ArrayMode::arrayClass() == Array::OriginalArray, then we
+ can be sure that the code performing the access is dealing with not just a
+ JSArray, but a JSArray that has no named properties, no indexed accessors, and
+ the ArrayPrototype as its prototype. This will be useful for optimizations that
+ are being done as part of https://bugs.webkit.org/show_bug.cgi?id=101720.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::originalArrayStructure):
+ (DFG):
+ (JSC::DFG::ArrayMode::alreadyChecked):
+ * dfg/DFGArrayMode.h:
+ (JSC):
+ (DFG):
+ (JSC::DFG::ArrayMode::withProfile):
+ (ArrayMode):
+ (JSC::DFG::ArrayMode::benefitsFromOriginalArray):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::checkArray):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
+ (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
+
+2012-11-09 Filip Pizlo <fpizlo@apple.com>
+
+ Fix indentation of BooleanPrototype.h
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * runtime/BooleanPrototype.h:
+
+2012-11-09 Filip Pizlo <fpizlo@apple.com>
+
+ Fix indentation of BooleanObject.h
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * runtime/BooleanObject.h:
+
+2012-11-09 Filip Pizlo <fpizlo@apple.com>
+
+ Fix indentation of BooleanConstructor.h
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * runtime/BooleanConstructor.h:
+
+2012-11-09 Filip Pizlo <fpizlo@apple.com>
+
+ Fix indentation of BatchedTransitionOptimizer.h
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * runtime/BatchedTransitionOptimizer.h:
+
+2012-11-09 Oliver Hunt <oliver@apple.com>
+
+ So Thingy probably isn't the best name for a class, so
+ renamed to CacheMap.
+
+ RS=Geoff
+
+ * runtime/CodeCache.h:
+ (JSC::CacheMap::CacheMap):
+
+2012-11-09 Filip Pizlo <fpizlo@apple.com>
+
+ ArrayPrototype should start out with a blank indexing type
+ https://bugs.webkit.org/show_bug.cgi?id=101719
+
+ Reviewed by Mark Hahnenberg.
+
+ This allows us to track if the array prototype ever ends up with indexed
+ properties.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::create):
+ (JSC::ArrayPrototype::ArrayPrototype):
+ * runtime/ArrayPrototype.h:
+ (ArrayPrototype):
+ (JSC::ArrayPrototype::createStructure):
+
+2012-11-08 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ MarkStackArray should use the BlockAllocator instead of the MarkStackSegmentAllocator
+ https://bugs.webkit.org/show_bug.cgi?id=101642
+
+ Reviewed by Filip Pizlo.
+
+ MarkStackSegmentAllocator is like a miniature version of the BlockAllocator. Now that the BlockAllocator has support
+ for a variety of block sizes, we should get rid of the MarkStackSegmentAllocator in favor of the BlockAllocator.
+
+ * heap/BlockAllocator.h: Add new specializations of regionSetFor for the new MarkStackSegments.
+ (JSC):
+ (JSC::MarkStackSegment):
+ * heap/GCThreadSharedData.cpp:
+ (JSC::GCThreadSharedData::GCThreadSharedData):
+ (JSC::GCThreadSharedData::reset):
+ * heap/GCThreadSharedData.h:
+ (GCThreadSharedData):
+ * heap/MarkStack.cpp:
+ (JSC::MarkStackArray::MarkStackArray): We now have a doubly linked list of MarkStackSegments, so we need to refactor
+ all the places that used the old custom tail/previous logic.
+ (JSC::MarkStackArray::~MarkStackArray):
+ (JSC::MarkStackArray::expand):
+ (JSC::MarkStackArray::refill):
+ (JSC::MarkStackArray::donateSomeCellsTo): Refactor to use the new linked list.
+ (JSC::MarkStackArray::stealSomeCellsFrom): Ditto.
+ * heap/MarkStack.h:
+ (JSC):
+ (MarkStackSegment):
+ (JSC::MarkStackSegment::MarkStackSegment):
+ (JSC::MarkStackSegment::sizeFromCapacity):
+ (MarkStackArray):
+ * heap/MarkStackInlines.h:
+ (JSC::MarkStackSegment::create):
+ (JSC):
+ (JSC::MarkStackArray::postIncTop):
+ (JSC::MarkStackArray::preDecTop):
+ (JSC::MarkStackArray::setTopForFullSegment):
+ (JSC::MarkStackArray::setTopForEmptySegment):
+ (JSC::MarkStackArray::top):
+ (JSC::MarkStackArray::validatePrevious):
+ (JSC::MarkStackArray::append):
+ (JSC::MarkStackArray::removeLast):
+ (JSC::MarkStackArray::isEmpty):
+ (JSC::MarkStackArray::size):
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::SlotVisitor):
+
+2012-11-09 Gabor Ballabas <gaborb@inf.u-szeged.hu>
+
+ [Qt] r133953 broke the ARM_TRADITIONAL build
+ https://bugs.webkit.org/show_bug.cgi?id=101706
+
+ Reviewed by Csaba Osztrogonác.
+
+ Fix for both hardfp and softfp.
+
+ * dfg/DFGCCallHelpers.h:
+ (CCallHelpers):
+ (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
+
+2012-11-09 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r134051.
+ http://trac.webkit.org/changeset/134051
+ https://bugs.webkit.org/show_bug.cgi?id=101757
+
+ It didn't fix the build (Requested by Ossy on #webkit).
+
+ * dfg/DFGCCallHelpers.h:
+ (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
+
+2012-11-09 Gabor Ballabas <gaborb@inf.u-szeged.hu>
+
+ [Qt] r133953 broke the ARM_TRADITIONAL build
+ https://bugs.webkit.org/show_bug.cgi?id=101706
+
+ Reviewed by Csaba Osztrogonác.
+
+ Fix the ARM_TRADITIONAL build after r133953
+
+ * dfg/DFGCCallHelpers.h:
+ (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
+ (CCallHelpers):
+
+2012-11-09 Csaba Osztrogonác <ossy@webkit.org>
+
+ [Qt] Fix the LLINT build from ARMv7 platform
+ https://bugs.webkit.org/show_bug.cgi?id=101712
+
+ Reviewed by Simon Hausmann.
+
+ Enable generating of LLIntAssembly.h on ARM platforms.
+
+ * DerivedSources.pri:
+ * JavaScriptCore.pro:
+
+2012-11-08 Filip Pizlo <fpizlo@apple.com>
+
+ ArrayPrototype.h should have correct indentation
+
+ Rubber stamped by Sam Weinig.
+
+ * runtime/ArrayPrototype.h:
+
+2012-11-08 Mark Lam <mark.lam@apple.com>
+
+ Renamed ...InlineMethods.h files to ...Inlines.h.
+ https://bugs.webkit.org/show_bug.cgi?id=101145.
+
+ Reviewed by Geoffrey Garen.
+
+ This is only a refactoring effort to rename the files. There are no
+ functionality changes.
+
+ * API/JSObjectRef.cpp:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ * dfg/DFGOperations.cpp:
+ * heap/ConservativeRoots.cpp:
+ * heap/CopiedBlock.h:
+ * heap/CopiedSpace.cpp:
+ * heap/CopiedSpaceInlineMethods.h: Removed.
+ * heap/CopiedSpaceInlines.h: Copied from Source/JavaScriptCore/heap/CopiedSpaceInlineMethods.h.
+ * heap/CopyVisitor.cpp:
+ * heap/CopyVisitorInlineMethods.h: Removed.
+ * heap/CopyVisitorInlines.h: Copied from Source/JavaScriptCore/heap/CopyVisitorInlineMethods.h.
+ * heap/GCThread.cpp:
+ * heap/GCThreadSharedData.cpp:
+ * heap/HandleStack.cpp:
+ * heap/Heap.cpp:
+ * heap/HeapRootVisitor.h:
+ * heap/MarkStack.cpp:
+ * heap/MarkStackInlineMethods.h: Removed.
+ * heap/MarkStackInlines.h: Copied from Source/JavaScriptCore/heap/MarkStackInlineMethods.h.
+ * heap/SlotVisitor.cpp:
+ * heap/SlotVisitor.h:
+ * heap/SlotVisitorInlineMethods.h: Removed.
+ * heap/SlotVisitorInlines.h: Copied from Source/JavaScriptCore/heap/SlotVisitorInlineMethods.h.
+ * jit/HostCallReturnValue.cpp:
+ * jit/JIT.cpp:
+ * jit/JITArithmetic.cpp:
+ * jit/JITArithmetic32_64.cpp:
+ * jit/JITCall.cpp:
+ * jit/JITCall32_64.cpp:
+ * jit/JITInlineMethods.h: Removed.
+ * jit/JITInlines.h: Copied from Source/JavaScriptCore/jit/JITInlineMethods.h.
+ * jit/JITOpcodes.cpp:
+ * jit/JITOpcodes32_64.cpp:
+ * jit/JITPropertyAccess.cpp:
+ * jit/JITPropertyAccess32_64.cpp:
+ * jsc.cpp:
+ * runtime/ArrayConstructor.cpp:
+ * runtime/ArrayPrototype.cpp:
+ * runtime/ButterflyInlineMethods.h: Removed.
+ * runtime/ButterflyInlines.h: Copied from Source/JavaScriptCore/runtime/ButterflyInlineMethods.h.
+ * runtime/IndexingHeaderInlineMethods.h: Removed.
+ * runtime/IndexingHeaderInlines.h: Copied from Source/JavaScriptCore/runtime/IndexingHeaderInlineMethods.h.
+ * runtime/JSActivation.h:
+ * runtime/JSArray.cpp:
+ * runtime/JSArray.h:
+ * runtime/JSCell.h:
+ * runtime/JSObject.cpp:
+ * runtime/JSValueInlineMethods.h: Removed.
+ * runtime/JSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlineMethods.h.
+ * runtime/LiteralParser.cpp:
+ * runtime/ObjectConstructor.cpp:
+ * runtime/Operations.h:
+ * runtime/RegExpMatchesArray.cpp:
+ * runtime/RegExpObject.cpp:
+ * runtime/StringPrototype.cpp:
+
+2012-11-08 Filip Pizlo <fpizlo@apple.com>
+
+ ArrayConstructor.h should have correct indentation
+
+ Rubber stamped by Sam Weinig.
+
+ * runtime/ArrayConstructor.h:
+
+2012-11-08 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should know that int == null is always false
+ https://bugs.webkit.org/show_bug.cgi?id=101665
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+
+2012-11-08 Filip Pizlo <fpizlo@apple.com>
+
+ Arguments.h should have correct indentation
+
+ Rubber stamped by Sam Weinig.
+
+ * runtime/Arguments.h:
+
+2012-11-08 Filip Pizlo <fpizlo@apple.com>
+
+ It should be possible to JIT compile get_by_vals and put_by_vals even if the DFG is disabled.
+
+ Reviewed by Oliver Hunt.
+
+ * jit/JITInlineMethods.h:
+ (JSC::JIT::chooseArrayMode):
+
+2012-11-08 Filip Pizlo <fpizlo@apple.com>
+
+ op_call should have LLInt call link info even if the DFG is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=101672
+
+ Reviewed by Oliver Hunt.
+
+ Get rid of the evil uses of fall-through.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+
+2012-11-08 Oliver Hunt <oliver@apple.com>
+
+ Improve effectiveness of function-level caching
+ https://bugs.webkit.org/show_bug.cgi?id=101667
+
+ Reviewed by Filip Pizlo.
+
+ Added a random-eviction based cache for unlinked functions, and switch
+ UnlinkedFunctionExecutable's code references to Weak<>, thereby letting
+ us remove the explicit UnlinkedFunctionExecutable::clearCode() calls that
+ were being triggered by GC.
+
+ Refactored the random eviction part of the CodeCache into a separate data
+ structure so that I didn't have to duplicate the code again, and then used
+ that for the new function cache.
+
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedFunctionExecutable::visitChildren):
+ (JSC::UnlinkedFunctionExecutable::codeBlockFor):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedFunctionExecutable::clearCodeForRecompilation):
+ (UnlinkedFunctionExecutable):
+ * debugger/Debugger.cpp:
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::getCodeBlock):
+ (JSC::CodeCache::generateFunctionCodeBlock):
+ (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
+ (JSC::CodeCache::usedFunctionCode):
+ (JSC):
+ * runtime/Executable.cpp:
+ (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilationIfNotCompiling):
+ (JSC::FunctionExecutable::clearCode):
+ * runtime/Executable.h:
+ (FunctionExecutable):
+
+2012-11-07 Filip Pizlo <fpizlo@apple.com>
+
+ DFG constant folding and CFG simplification should be smart enough to know that if a logical op's operand is proven to have a non-masquerading structure then it always evaluates to true
+ https://bugs.webkit.org/show_bug.cgi?id=101511
+
+ Reviewed by Oliver Hunt.
+
+ To make life easier, this moves BranchDirection into BasicBlock so that after
+ running the CFA, we always know, for each block, what direction the CFA
+ proved. CFG simplification now both uses and preserves cfaBranchDirection in
+ its transformations.
+
+ Also made both LogicalNot and Branch check whether the operand is a known cell
+ with a known structure, and if so, made them do the appropriate folding.
+
+ 5% speed-up on V8/raytrace because it makes raytrace's own null checks
+ evaporate (i.e. idioms like 'if (!x) throw "unhappiness"') thanks to the fact
+ that we were already doing structure check hoisting.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::endBasicBlock):
+ (JSC::DFG::AbstractState::execute):
+ (JSC::DFG::AbstractState::mergeToSuccessors):
+ * dfg/DFGAbstractState.h:
+ (AbstractState):
+ * dfg/DFGBasicBlock.h:
+ (JSC::DFG::BasicBlock::BasicBlock):
+ (BasicBlock):
+ * dfg/DFGBranchDirection.h: Added.
+ (DFG):
+ (JSC::DFG::branchDirectionToString):
+ (JSC::DFG::isKnownDirection):
+ (JSC::DFG::branchCondition):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
+
+2012-11-08 Christophe Dumez <christophe.dumez@intel.com>
+
+ [JSC] HTML extensions to String.prototype should escape " as &quot; in argument values
+ https://bugs.webkit.org/show_bug.cgi?id=90667
+
+ Reviewed by Benjamin Poulain.
+
+ Escape quotation mark as &quot; in argument values to:
+ - String.prototype.anchor(name)
+ - String.prototype.fontcolor(color)
+ - String.prototype.fontsize(size)
+ - String.prototype.link(href)
+
+ This behavior matches Chromium/V8 and Firefox/Spidermonkey
+ implementations and is requited by:
+ http://mathias.html5.org/specs/javascript/#escapeattributevalue
+
+ This also fixes a potential security risk (XSS vector).
+
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncFontcolor):
+ (JSC::stringProtoFuncFontsize):
+ (JSC::stringProtoFuncAnchor):
+ (JSC::stringProtoFuncLink):
+
+2012-11-08 Anders Carlsson <andersca@apple.com>
+
+ HeapStatistics::s_pauseTimeStarts and s_pauseTimeEnds should be Vectors
+ https://bugs.webkit.org/show_bug.cgi?id=101651
+
+ Reviewed by Andreas Kling.
+
+ HeapStatistics uses Deques when Vectors would work just as good.
+
+ * heap/HeapStatistics.cpp:
+ * heap/HeapStatistics.h:
+ (HeapStatistics):
+
+2012-11-07 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should not assume that something is a double just because it might be undefined
+ https://bugs.webkit.org/show_bug.cgi?id=101438
+
+ Reviewed by Oliver Hunt.
+
+ This changes all non-bitop arithmetic to (a) statically expect that variables are
+ defined prior to use in arithmetic and (b) not fall off into double paths just
+ because a value may not be a number. This is accomplished with two new notions of
+ speculation:
+
+ shouldSpeculateIntegerExpectingDefined: Should we speculate that the value is an
+ integer if we ignore undefined (i.e. SpecOther) predictions?
+
+ shouldSpeculateIntegerForArithmetic: Should we speculate that the value is an
+ integer if we ignore non-numeric predictions?
+
+ This is a ~2x speed-up on programs that seem to our prediction propagator to have
+ paths in which otherwise numeric variables are undefined.
+
+ * bytecode/SpeculatedType.h:
+ (JSC::isInt32SpeculationForArithmetic):
+ (JSC):
+ (JSC::isInt32SpeculationExpectingDefined):
+ (JSC::isDoubleSpeculationForArithmetic):
+ (JSC::isNumberSpeculationExpectingDefined):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::addShouldSpeculateInteger):
+ (JSC::DFG::Graph::mulShouldSpeculateInteger):
+ (JSC::DFG::Graph::negateShouldSpeculateInteger):
+ (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
+ (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
+ (Node):
+ (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
+ (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
+ (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileAdd):
+ (JSC::DFG::SpeculativeJIT::compileArithMod):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emit_op_div):
+
+2012-11-06 Filip Pizlo <fpizlo@apple.com>
+
+ JSC should infer when indexed storage contains only integers or doubles
+ https://bugs.webkit.org/show_bug.cgi?id=98606
+
+ Reviewed by Oliver Hunt.
+
+ This adds two new indexing types: int32 and double. It also adds array allocation profiling,
+ which allows array allocations to converge to allocating arrays using those types to which
+ those arrays would have been converted.
+
+ 20% speed-up on navier-stokes. 40% speed-up on various Kraken DSP tests. Some slow-downs too,
+ but a performance win overall on all benchmarks we track.
+
+ * API/JSObjectRef.cpp:
+ (JSObjectMakeArray):
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * assembler/AbstractMacroAssembler.h:
+ (JumpList):
+ (JSC::AbstractMacroAssembler::JumpList::JumpList):
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::branchDouble):
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::jnp):
+ (X86Assembler):
+ (JSC::X86Assembler::X86InstructionFormatter::emitRex):
+ * bytecode/ArrayAllocationProfile.cpp: Added.
+ (JSC):
+ (JSC::ArrayAllocationProfile::updateIndexingType):
+ * bytecode/ArrayAllocationProfile.h: Added.
+ (JSC):
+ (ArrayAllocationProfile):
+ (JSC::ArrayAllocationProfile::ArrayAllocationProfile):
+ (JSC::ArrayAllocationProfile::selectIndexingType):
+ (JSC::ArrayAllocationProfile::updateLastAllocation):
+ (JSC::ArrayAllocationProfile::selectIndexingTypeFor):
+ (JSC::ArrayAllocationProfile::updateLastAllocationFor):
+ * bytecode/ArrayProfile.cpp:
+ (JSC::ArrayProfile::updatedObservedArrayModes):
+ (JSC):
+ * bytecode/ArrayProfile.h:
+ (JSC):
+ (JSC::arrayModesInclude):
+ (JSC::shouldUseSlowPutArrayStorage):
+ (JSC::shouldUseFastArrayStorage):
+ (JSC::shouldUseContiguous):
+ (JSC::shouldUseDouble):
+ (JSC::shouldUseInt32):
+ (ArrayProfile):
+ * bytecode/ByValInfo.h:
+ (JSC::isOptimizableIndexingType):
+ (JSC::jitArrayModeForIndexingType):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dump):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
+ (JSC):
+ (JSC::CodeBlock::updateAllValueProfilePredictions):
+ (JSC::CodeBlock::updateAllArrayPredictions):
+ (JSC::CodeBlock::updateAllPredictions):
+ (JSC::CodeBlock::shouldOptimizeNow):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ (JSC::CodeBlock::numberOfArrayAllocationProfiles):
+ (JSC::CodeBlock::addArrayAllocationProfile):
+ (JSC::CodeBlock::updateAllValueProfilePredictions):
+ (JSC::CodeBlock::updateAllArrayPredictions):
+ * bytecode/DFGExitProfile.h:
+ (JSC::DFG::exitKindToString):
+ * bytecode/Instruction.h:
+ (JSC):
+ (JSC::Instruction::Instruction):
+ * bytecode/Opcode.h:
+ (JSC):
+ (JSC::padOpcodeName):
+ * bytecode/SpeculatedType.h:
+ (JSC):
+ (JSC::isRealNumberSpeculation):
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC):
+ (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
+ (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles):
+ (UnlinkedCodeBlock):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::newArrayAllocationProfile):
+ (JSC):
+ (JSC::BytecodeGenerator::emitNewArray):
+ (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
+ * bytecompiler/BytecodeGenerator.h:
+ (BytecodeGenerator):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::fromObserved):
+ (JSC::DFG::ArrayMode::refine):
+ (DFG):
+ (JSC::DFG::ArrayMode::alreadyChecked):
+ (JSC::DFG::arrayTypeToString):
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::withType):
+ (ArrayMode):
+ (JSC::DFG::ArrayMode::withTypeAndConversion):
+ (JSC::DFG::ArrayMode::usesButterfly):
+ (JSC::DFG::ArrayMode::isSpecific):
+ (JSC::DFG::ArrayMode::supportsLength):
+ (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::getArrayMode):
+ (ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCCallHelpers.h:
+ (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
+ (CCallHelpers):
+ * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
+ (JSC::DFG::CallArrayAllocatorSlowPathGenerator::generateInternal):
+ (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::generateInternal):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::checkArray):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::byValIsPure):
+ * dfg/DFGNode.h:
+ (NewArrayBufferData):
+ (JSC::DFG::Node::hasIndexingType):
+ (Node):
+ (JSC::DFG::Node::indexingType):
+ (JSC::DFG::Node::setIndexingType):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
+ (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::arrayify):
+ (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
+ (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ (SpeculativeJIT):
+ (SpeculateIntegerOperand):
+ (JSC::DFG::SpeculateIntegerOperand::use):
+ (SpeculateDoubleOperand):
+ (JSC::DFG::SpeculateDoubleOperand::use):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JIT.h:
+ (JSC::JIT::emitInt32GetByVal):
+ (JIT):
+ (JSC::JIT::emitInt32PutByVal):
+ (JSC::JIT::emitDoublePutByVal):
+ (JSC::JIT::emitContiguousPutByVal):
+ * jit/JITExceptions.cpp:
+ (JSC::genericThrow):
+ * jit/JITInlineMethods.h:
+ (JSC::arrayProfileSaw):
+ (JSC::JIT::chooseArrayMode):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_new_array):
+ (JSC::JIT::emit_op_new_array_with_size):
+ (JSC::JIT::emit_op_new_array_buffer):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emitDoubleGetByVal):
+ (JSC):
+ (JSC::JIT::emitContiguousGetByVal):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitSlow_op_put_by_val):
+ (JSC::JIT::privateCompileGetByVal):
+ (JSC::JIT::privateCompilePutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emitContiguousGetByVal):
+ (JSC::JIT::emitDoubleGetByVal):
+ (JSC):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitSlow_op_put_by_val):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ * jit/JITStubs.h:
+ (JSC):
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::jitCompileAndSetHeuristics):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * offlineasm/x86.rb:
+ * runtime/ArrayConstructor.cpp:
+ (JSC::constructArrayWithSizeQuirk):
+ * runtime/ArrayConstructor.h:
+ (JSC):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncConcat):
+ (JSC::arrayProtoFuncSlice):
+ (JSC::arrayProtoFuncSplice):
+ (JSC::arrayProtoFuncFilter):
+ (JSC::arrayProtoFuncMap):
+ * runtime/Butterfly.h:
+ (JSC::Butterfly::contiguousInt32):
+ (JSC::Butterfly::contiguousDouble):
+ (JSC::Butterfly::fromContiguous):
+ * runtime/ButterflyInlineMethods.h:
+ (JSC::Butterfly::createUninitializedDuringCollection):
+ * runtime/FunctionPrototype.cpp:
+ (JSC::functionProtoFuncBind):
+ * runtime/IndexingHeaderInlineMethods.h:
+ (JSC::IndexingHeader::indexingPayloadSizeInBytes):
+ * runtime/IndexingType.cpp:
+ (JSC::leastUpperBoundOfIndexingTypes):
+ (JSC):
+ (JSC::leastUpperBoundOfIndexingTypeAndType):
+ (JSC::leastUpperBoundOfIndexingTypeAndValue):
+ (JSC::indexingTypeToString):
+ * runtime/IndexingType.h:
+ (JSC):
+ (JSC::hasUndecided):
+ (JSC::hasInt32):
+ (JSC::hasDouble):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::setLength):
+ (JSC::JSArray::pop):
+ (JSC::JSArray::push):
+ (JSC::JSArray::shiftCountWithAnyIndexingType):
+ (JSC::JSArray::unshiftCountWithAnyIndexingType):
+ (JSC::compareNumbersForQSortWithInt32):
+ (JSC):
+ (JSC::compareNumbersForQSortWithDouble):
+ (JSC::JSArray::sortNumericVector):
+ (JSC::JSArray::sortNumeric):
+ (JSC::JSArray::sortCompactedVector):
+ (JSC::JSArray::sort):
+ (JSC::JSArray::sortVector):
+ (JSC::JSArray::fillArgList):
+ (JSC::JSArray::copyToArguments):
+ (JSC::JSArray::compactForSorting):
+ * runtime/JSArray.h:
+ (JSArray):
+ (JSC::createContiguousArrayButterfly):
+ (JSC::JSArray::create):
+ (JSC::JSArray::tryCreateUninitialized):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::reset):
+ (JSC):
+ (JSC::JSGlobalObject::haveABadTime):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSGlobalObject):
+ (JSC::JSGlobalObject::originalArrayStructureForIndexingType):
+ (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
+ (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
+ (JSC::JSGlobalObject::isOriginalArrayStructure):
+ (JSC::constructEmptyArray):
+ (JSC::constructArray):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::copyButterfly):
+ (JSC::JSObject::getOwnPropertySlotByIndex):
+ (JSC::JSObject::putByIndex):
+ (JSC::JSObject::enterDictionaryIndexingMode):
+ (JSC::JSObject::createInitialIndexedStorage):
+ (JSC):
+ (JSC::JSObject::createInitialUndecided):
+ (JSC::JSObject::createInitialInt32):
+ (JSC::JSObject::createInitialDouble):
+ (JSC::JSObject::createInitialContiguous):
+ (JSC::JSObject::convertUndecidedToInt32):
+ (JSC::JSObject::convertUndecidedToDouble):
+ (JSC::JSObject::convertUndecidedToContiguous):
+ (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
+ (JSC::JSObject::convertUndecidedToArrayStorage):
+ (JSC::JSObject::convertInt32ToDouble):
+ (JSC::JSObject::convertInt32ToContiguous):
+ (JSC::JSObject::convertInt32ToArrayStorage):
+ (JSC::JSObject::convertDoubleToContiguous):
+ (JSC::JSObject::convertDoubleToArrayStorage):
+ (JSC::JSObject::convertContiguousToArrayStorage):
+ (JSC::JSObject::convertUndecidedForValue):
+ (JSC::JSObject::convertInt32ForValue):
+ (JSC::JSObject::setIndexQuicklyToUndecided):
+ (JSC::JSObject::convertInt32ToDoubleOrContiguousWhilePerformingSetIndex):
+ (JSC::JSObject::convertDoubleToContiguousWhilePerformingSetIndex):
+ (JSC::JSObject::ensureInt32Slow):
+ (JSC::JSObject::ensureDoubleSlow):
+ (JSC::JSObject::ensureContiguousSlow):
+ (JSC::JSObject::ensureArrayStorageSlow):
+ (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
+ (JSC::JSObject::switchToSlowPutArrayStorage):
+ (JSC::JSObject::deletePropertyByIndex):
+ (JSC::JSObject::getOwnPropertyNames):
+ (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
+ (JSC::JSObject::putByIndexBeyondVectorLength):
+ (JSC::JSObject::putDirectIndexBeyondVectorLength):
+ (JSC::JSObject::getNewVectorLength):
+ (JSC::JSObject::countElements):
+ (JSC::JSObject::ensureLengthSlow):
+ (JSC::JSObject::getOwnPropertyDescriptor):
+ * runtime/JSObject.h:
+ (JSC::JSObject::getArrayLength):
+ (JSC::JSObject::getVectorLength):
+ (JSC::JSObject::canGetIndexQuickly):
+ (JSC::JSObject::getIndexQuickly):
+ (JSC::JSObject::tryGetIndexQuickly):
+ (JSC::JSObject::canSetIndexQuickly):
+ (JSC::JSObject::canSetIndexQuicklyForPutDirect):
+ (JSC::JSObject::setIndexQuickly):
+ (JSC::JSObject::initializeIndex):
+ (JSC::JSObject::hasSparseMap):
+ (JSC::JSObject::inSparseIndexingMode):
+ (JSObject):
+ (JSC::JSObject::ensureInt32):
+ (JSC::JSObject::ensureDouble):
+ (JSC::JSObject::ensureLength):
+ (JSC::JSObject::indexingData):
+ (JSC::JSObject::currentIndexingData):
+ (JSC::JSObject::getHolyIndexQuickly):
+ (JSC::JSObject::relevantLength):
+ (JSC::JSObject::currentRelevantLength):
+ * runtime/JSValue.cpp:
+ (JSC::JSValue::description):
+ * runtime/LiteralParser.cpp:
+ (JSC::::parse):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorGetOwnPropertyNames):
+ (JSC::objectConstructorKeys):
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncMatch):
+ (JSC::stringProtoFuncSplit):
+ * runtime/Structure.cpp:
+ (JSC::Structure::nonPropertyTransition):
+ * runtime/StructureTransitionTable.h:
+ (JSC::newIndexingType):
+
+2012-11-08 Balazs Kilvady <kilvadyb@homejinni.com>
+
+ ASSERT problem on MIPS
+ https://bugs.webkit.org/show_bug.cgi?id=100589
+
+ Reviewed by Oliver Hunt.
+
+ ASSERT fix for MIPS arch.
+
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_resolve_operations):
+
+2012-11-08 Michael Saboff <msaboff@apple.com>
+
+ OpaqueJSClassContextData() should use StringImpl::isolatedCopy() to make string copies
+ https://bugs.webkit.org/show_bug.cgi?id=101507
+
+ Reviewed by Andreas Kling.
+
+ Changed to use isolatedCopy() for key Strings.
+
+ * API/JSClassRef.cpp:
+ (OpaqueJSClassContextData::OpaqueJSClassContextData):
+
+2012-11-07 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ WeakBlocks should be HeapBlocks
+ https://bugs.webkit.org/show_bug.cgi?id=101411
+
+ Reviewed by Oliver Hunt.
+
+ Currently WeakBlocks use fastMalloc memory. They are very similar to the other HeapBlocks, however,
+ so we should change them to being allocated with the BlockAllocator.
+
+ * heap/BlockAllocator.cpp:
+ (JSC::BlockAllocator::BlockAllocator):
+ * heap/BlockAllocator.h: Added a new RegionSet for WeakBlocks.
+ (JSC):
+ (BlockAllocator):
+ (JSC::WeakBlock):
+ * heap/Heap.h: Friended WeakSet to allow access to the BlockAllocator.
+ (Heap):
+ * heap/WeakBlock.cpp:
+ (JSC::WeakBlock::create): Refactored to use HeapBlocks rather than fastMalloc.
+ (JSC::WeakBlock::WeakBlock):
+ * heap/WeakBlock.h: Changed the WeakBlock size to 4 KB so that it divides evenly into the Region size.
+ (JSC):
+ (WeakBlock):
+ * heap/WeakSet.cpp:
+ (JSC::WeakSet::~WeakSet):
+ (JSC::WeakSet::addAllocator):
+
+2012-11-07 Filip Pizlo <fpizlo@apple.com>
+
+ Indentation of ArgList.h is wrong
+ https://bugs.webkit.org/show_bug.cgi?id=101441
+
+ Reviewed by Andreas Kling.
+
+ Just unindented by 4 spaces.
+
+ * runtime/ArgList.h:
+
+2012-11-07 Gabor Ballabas <gaborb@inf.u-szeged.hu>
+
+ [Qt][ARM] REGRESSION(r133688): It made all JSC and layout tests crash on ARM traditional platform
+ https://bugs.webkit.org/show_bug.cgi?id=101465
+
+ Reviewed by Oliver Hunt.
+
+ Fix failing javascriptcore tests on ARM after r133688
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+
+2012-11-06 Oliver Hunt <oliver@apple.com>
+
+ Reduce parser overhead in JSC
+ https://bugs.webkit.org/show_bug.cgi?id=101127
+
+ Reviewed by Filip Pizlo.
+
+ An exciting journey into the world of architecture in which our hero
+ adds yet another layer to JSC codegeneration.
+
+ This patch adds a marginally more compact form of bytecode that is
+ free from any data specific to a given execution context, and that
+ does store any data structures necessary for execution. To actually
+ execute this UnlinkedBytecode we still need to instantiate a real
+ CodeBlock, but this is a much faster linear time operation than any
+ of the earlier parsing or code generation passes.
+
+ As the unlinked code is context free we can then simply use a cache
+ from source to unlinked code mapping to completely avoid all of the
+ old parser overhead. The cache is currently very simple and memory
+ heavy, using the complete source text as a key (rather than SourceCode
+ or equivalent), and a random eviction policy.
+
+ This seems to produce a substantial win when loading identical content
+ in different contexts.
+
+ * API/tests/testapi.c:
+ (main):
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ * bytecode/CodeBlock.h:
+ Moved a number of fields, and a bunch of logic to UnlinkedCodeBlock.h/cpp
+ * bytecode/Opcode.h:
+ Added a global const init no op instruction needed to get correct
+ behaviour without any associated semantics.
+ * bytecode/UnlinkedCodeBlock.cpp: Added.
+ * bytecode/UnlinkedCodeBlock.h: Added.
+ A fairly shallow, GC allocated version of the old CodeBlock
+ classes with a 32bit instruction size, and just metadata
+ size tracking.
+ * bytecompiler/BytecodeGenerator.cpp:
+ * bytecompiler/BytecodeGenerator.h:
+ Replace direct access to m_symbolTable with access through
+ symbolTable(). ProgramCode no longer has a symbol table at
+ all so some previously unconditional (and pointless) uses
+ of symbolTable get null checks.
+ A few other changes to deal with type changes due to us generating
+ unlinked code (eg. pointer free, so profile indices rather than
+ pointers).
+ * dfg/DFGByteCodeParser.cpp:
+ * dfg/DFGCapabilities.h:
+ Support global_init_nop
+ * interpreter/Interpreter.cpp:
+ Now get the ProgramExecutable to initialise new global properties
+ before starting execution.
+ * jit/JIT.cpp:
+ * jit/JITDriver.h:
+ * jit/JITStubs.cpp:
+ * llint/LLIntData.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ Adding init_global_const_nop everywhere else
+ * parser/Parser.h:
+ * parser/ParserModes.h: Added.
+ * parser/ParserTokens.h:
+ Parser no longer needs a global object or callframe to function
+ * runtime/CodeCache.cpp: Added.
+ * runtime/CodeCache.h: Added.
+ A simple, random eviction, Source->UnlinkedCode cache
+ * runtime/Executable.cpp:
+ * runtime/Executable.h:
+ Executables now reference their unlinked counterparts, and
+ request code specifically for the target global object.
+ * runtime/JSGlobalData.cpp:
+ * runtime/JSGlobalData.h:
+ GlobalData now owns a CodeCache and a set of new structures
+ for the unlinked code types.
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSGlobalObject.h:
+ Utility functions used by executables to perform compilation
+
+ * runtime/JSType.h:
+ Add new JSTypes for unlinked code
+
+2012-11-06 Michael Saboff <msaboff@apple.com>
+
+ JSStringCreateWithCFString() Should create an 8 bit String if possible
+ https://bugs.webkit.org/show_bug.cgi?id=101104
+
+ Reviewed by Darin Adler.
+
+ Try converting the CFString to an 8 bit string using CFStringGetBytes(...,
+ kCFStringEncodingISOLatin1, ...) and return the 8 bit string if successful.
+ If not proceed with 16 bit conversion.
+
+ * API/JSStringRefCF.cpp:
+ (JSStringCreateWithCFString):
+
+2012-11-06 Oliver Hunt <oliver@apple.com>
+
+ Reduce direct m_symbolTable usage in CodeBlock
+ https://bugs.webkit.org/show_bug.cgi?id=101391
+
+ Reviewed by Sam Weinig.
+
+ Simple refactoring.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dump):
+ (JSC::CodeBlock::dumpStatistics):
+ (JSC::CodeBlock::nameForRegister):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::isCaptured):
+
+2012-11-06 Michael Saboff <msaboff@apple.com>
+
+ Lexer::scanRegExp, create 8 bit pattern and flag Identifiers from 16 bit source when possible
+ https://bugs.webkit.org/show_bug.cgi?id=101013
+
+ Reviewed by Darin Adler.
+
+ Changed scanRegExp so that it will create 8 bit identifiers from 8 bit sources and from 16 bit sources
+ whan all the characters are 8 bit. Using two templated helpers, the "is all 8 bit" check is only performed
+ on 16 bit sources. The first helper is orCharacter() that will accumulate the or value of all characters
+ only for 16 bit sources. Replaced the helper Lexer::makeIdentifierSameType() with Lexer::makeRightSizedIdentifier().
+
+ * parser/Lexer.cpp:
+ (JSC::orCharacter<LChar>): Explicit template that serves as a placeholder.
+ (JSC::orCharacter<UChar>): Explicit template that actually or accumulates characters.
+ (JSC::Lexer::scanRegExp):
+ * parser/Lexer.h:
+ (Lexer):
+ (JSC::Lexer::makeRightSizedIdentifier<LChar>): New template that always creates an 8 bit Identifier.
+ (JSC::Lexer::makeRightSizedIdentifier<UChar>): New template that creates an 8 bit Identifier for 8 bit
+ data in a 16 bit source.
+
+2012-11-06 Filip Pizlo <fpizlo@apple.com>
+
+ Indentation of JSCell.h is wrong
+ https://bugs.webkit.org/show_bug.cgi?id=101379
+
+ Rubber stamped by Alexey Proskuryakov.
+
+ Just removed four spaces on a bunch of lines.
+
+ * runtime/JSCell.h:
+
+2012-11-05 Filip Pizlo <fpizlo@apple.com>
+
+ Indentation of JSObject.h is wrong
+ https://bugs.webkit.org/show_bug.cgi?id=101313
+
+ Rubber stamped by Alexey Proskuryakov.
+
+ Just unindented code, since namespace bodies shouldn't be indented.
+
+ * runtime/JSObject.h:
+
+2012-11-05 Filip Pizlo <fpizlo@apple.com>
+
+ Indentation of JSArray.h is wrong
+ https://bugs.webkit.org/show_bug.cgi?id=101314
+
+ Rubber stamped by Alexey Proskuryakov.
+
+ Just removing the indentation inside the namespace body.
+
+ * runtime/JSArray.h:
+
+2012-11-05 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should not fall down to patchable GetById just because a prototype had things added to it
+ https://bugs.webkit.org/show_bug.cgi?id=101299
+
+ Reviewed by Geoffrey Garen.
+
+ This looks like a slight win on V8v7 and SunSpider.
+
+ * bytecode/DFGExitProfile.h:
+ (JSC::DFG::exitKindToString):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2012-11-05 Filip Pizlo <fpizlo@apple.com>
+
+ Get rid of method_check
+ https://bugs.webkit.org/show_bug.cgi?id=101147
+
+ Reviewed by Geoffrey Garen.
+
+ op_method_check no longer buys us anything, since get_by_id proto caching
+ gives just as much profiling information and the DFG inlines monomorphic
+ proto accesses anyway.
+
+ This also has the potential for a speed-up since it makes parsing of
+ profiling data easier. No longer do we have to deal with the confusion of
+ the get_by_id portion of a method_check appearing monomorphic even though
+ we're really dealing with a bimorphic access (method_check specializes for
+ one case and get_by_id for another).
+
+ This looks like a 1% speed-up on both SunSpider and V8v7.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printGetByIdCacheStatus):
+ (JSC::CodeBlock::dump):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::shrinkToFit):
+ (JSC::CodeBlock::unlinkCalls):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::getCallLinkInfo):
+ (JSC::CodeBlock::callLinkInfo):
+ (CodeBlock):
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeFromLLInt):
+ * bytecode/MethodCallLinkInfo.cpp: Removed.
+ * bytecode/MethodCallLinkInfo.h: Removed.
+ * bytecode/MethodCallLinkStatus.cpp: Removed.
+ * bytecode/MethodCallLinkStatus.h: Removed.
+ * bytecode/Opcode.h:
+ (JSC):
+ (JSC::padOpcodeName):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC):
+ * bytecompiler/BytecodeGenerator.h:
+ (BytecodeGenerator):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::FunctionCallDotNode::emitBytecode):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canCompileOpcode):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ (JSC::PropertyStubCompilationInfo::copyToStubInfo):
+ (JSC::JIT::privateCompile):
+ * jit/JIT.h:
+ (JSC::PropertyStubCompilationInfo::slowCaseInfo):
+ (PropertyStubCompilationInfo):
+ (JSC):
+ (JIT):
+ * jit/JITPropertyAccess.cpp:
+ (JSC):
+ (JSC::JIT::emitSlow_op_get_by_id):
+ (JSC::JIT::compileGetByIdSlowCase):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC):
+ (JSC::JIT::compileGetByIdSlowCase):
+ * jit/JITStubs.cpp:
+ (JSC):
+ * jit/JITStubs.h:
+ * llint/LowLevelInterpreter.asm:
+
+2012-11-05 Yuqiang Xian <yuqiang.xian@intel.com>
+
+ Refactor LLInt64 to distinguish the pointer operations from the 64-bit integer operations
+ https://bugs.webkit.org/show_bug.cgi?id=100321
+
+ Reviewed by Filip Pizlo.
+
+ We have refactored the MacroAssembler and JIT compilers to distinguish
+ the pointer operations from the 64-bit integer operations (see bug #99154).
+ Now we want to do the similar work for LLInt, and the goal is same as
+ the one mentioned in 99154.
+
+ This is the second part of the modification: in the low level interpreter,
+ changing the operations on 64-bit integers to use the "<foo>q" instructions.
+ This also removes some unused/meaningless "<foo>p" instructions.
+
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter.cpp:
+ (JSC::CLoop::execute):
+ * llint/LowLevelInterpreter64.asm:
+ * offlineasm/armv7.rb:
+ * offlineasm/cloop.rb:
+ * offlineasm/instructions.rb:
+ * offlineasm/x86.rb:
+
+2012-11-05 Filip Pizlo <fpizlo@apple.com>
+
+ Prototype chain caching should check that the path from the base object to the slot base involves prototype hops only
+ https://bugs.webkit.org/show_bug.cgi?id=101276
+
+ Reviewed by Gavin Barraclough.
+
+ Changed normalizePrototypeChain() to report an invalid prototype chain if any object is a proxy.
+ This catches cases where our prototype chain checks would have been insufficient to guard against
+ newly introduced properties, despecialized properties, or deleted properties in the chain of
+ objects involved in the access.
+
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::tryCacheGetByID):
+ (JSC::DFG::tryBuildGetByIDProtoList):
+ (JSC::DFG::tryCachePutByID):
+ (JSC::DFG::tryBuildPutByIdList):
+ * jit/JITStubs.cpp:
+ (JSC::JITThunks::tryCachePutByID):
+ (JSC::JITThunks::tryCacheGetByID):
+ (JSC::DEFINE_STUB_FUNCTION):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/Operations.h:
+ (JSC):
+ (JSC::normalizePrototypeChain):
+
+2012-11-05 Dima Gorbik <dgorbik@apple.com>
+
+ Back out controversial changes from Bug 98665.
+ https://bugs.webkit.org/show_bug.cgi?id=101244
+
+ Reviewed by David Kilzer.
+
+ Backing out changes from Bug 98665 until further discussions take place on rules for including Platform.h in Assertions.h.
+
+ * API/tests/minidom.c:
+ * API/tests/testapi.c:
+
+2012-11-04 Filip Pizlo <fpizlo@apple.com>
+
+ Reduce the verbosity of referring to QNaN in JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=101174
+
+ Reviewed by Geoffrey Garen.
+
+ Introduces a #define QNaN in JSValue.h, and replaces all previous uses of
+ std::numeric_limits<double>::quiet_NaN() with QNaN.
+
+ * API/JSValueRef.cpp:
+ (JSValueMakeNumber):
+ (JSValueToNumber):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ * runtime/CachedTranscendentalFunction.h:
+ (JSC::CachedTranscendentalFunction::initialize):
+ * runtime/DateConstructor.cpp:
+ (JSC::constructDate):
+ * runtime/DateInstanceCache.h:
+ (JSC::DateInstanceData::DateInstanceData):
+ (JSC::DateInstanceCache::reset):
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::InterruptedExecutionError::defaultValue):
+ (JSC::TerminatedExecutionError::defaultValue):
+ * runtime/JSCell.h:
+ (JSC::JSValue::getPrimitiveNumber):
+ * runtime/JSDateMath.cpp:
+ (JSC::parseDateFromNullTerminatedCharacters):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ (JSC::JSGlobalData::resetDateCache):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::parseInt):
+ (JSC::jsStrDecimalLiteral):
+ (JSC::toDouble):
+ (JSC::jsToNumber):
+ (JSC::parseFloat):
+ * runtime/JSValue.cpp:
+ (JSC::JSValue::toNumberSlowCase):
+ * runtime/JSValue.h:
+ (JSC):
+ * runtime/JSValueInlineMethods.h:
+ (JSC::jsNaN):
+ * runtime/MathObject.cpp:
+ (JSC::mathProtoFuncMax):
+ (JSC::mathProtoFuncMin):
+
+2012-11-03 Filip Pizlo <fpizlo@apple.com>
+
+ Baseline JIT should use structure watchpoints whenever possible
+ https://bugs.webkit.org/show_bug.cgi?id=101146
+
+ Reviewed by Sam Weinig.
+
+ No speed-up yet except on toy programs. I think that it will start to show
+ speed-ups with https://bugs.webkit.org/show_bug.cgi?id=101147, which this is
+ a step towards.
+
+ * jit/JIT.h:
+ (JIT):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::privateCompilePutByIdTransition):
+ (JSC::JIT::privateCompileGetByIdProto):
+ (JSC::JIT::privateCompileGetByIdProtoList):
+ (JSC::JIT::privateCompileGetByIdChainList):
+ (JSC::JIT::privateCompileGetByIdChain):
+ (JSC::JIT::addStructureTransitionCheck):
+ (JSC):
+ (JSC::JIT::testPrototype):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::privateCompilePutByIdTransition):
+ (JSC::JIT::privateCompileGetByIdProto):
+ (JSC::JIT::privateCompileGetByIdProtoList):
+ (JSC::JIT::privateCompileGetByIdChainList):
+ (JSC::JIT::privateCompileGetByIdChain):
+
+2012-11-04 Csaba Osztrogonác <ossy@webkit.org>
+
+ [Qt] udis86_itab.c is always regenerated
+ https://bugs.webkit.org/show_bug.cgi?id=100756
+
+ Reviewed by Simon Hausmann.
+
+ * DerivedSources.pri: Generate sources to the generated directory.
+ * disassembler/udis86/differences.txt:
+ * disassembler/udis86/itab.py: Add --outputDir option.
+ (UdItabGenerator.__init__):
+ (genItabH):
+ (genItabC):
+ (main):
+
+2012-11-02 Filip Pizlo <fpizlo@apple.com>
+
+ LLInt 32-bit put_by_val ArrayStorage case should use the right register (t3, not t2) for the index in the publicLength updating path
+ https://bugs.webkit.org/show_bug.cgi?id=101118
+
+ Reviewed by Gavin Barraclough.
+
+ * llint/LowLevelInterpreter32_64.asm:
+
+2012-11-02 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::Node::converToStructureTransitionWatchpoint should take kindly to ArrayifyToStructure
+ https://bugs.webkit.org/show_bug.cgi?id=101117
+
+ Reviewed by Gavin Barraclough.
+
+ We have logic to convert ArrayifyToStructure to StructureTransitionWatchpoint, which is awesome, except
+ that previously convertToStructureTransitionWatchpoint was (a) asserting that it never saw an
+ ArrayifyToStructure and (b) would incorrectly create a ForwardStructureTransitionWatchpoint if it did.
+
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
+
+2012-11-02 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::SpeculativeJIT::typedArrayDescriptor should use the Float64Array descriptor for Float64Arrays
+ https://bugs.webkit.org/show_bug.cgi?id=101114
+
+ Reviewed by Gavin Barraclough.
+
+ As in https://bugs.webkit.org/show_bug.cgi?id=101112, this was only wrong when Float64Array descriptors
+ hadn't been initialized yet. That happens rarely, but when it does happen, we would crash.
+
+ This would also become much more wrong if we ever put type size info (num bytes, etc) in the descriptor
+ and used that directly. So it's good to fix it.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
+
+2012-11-02 Filip Pizlo <fpizlo@apple.com>
+
+ JIT::privateCompileGetByVal should use the uint8ClampedArrayDescriptor for compiling accesses to Uint8ClampedArrays
+ https://bugs.webkit.org/show_bug.cgi?id=101112
+
+ Reviewed by Gavin Barraclough.
+
+ The only reason why the code was wrong to use uint8ArrayDescriptor instead is that if we're just using
+ Uint8ClampedArrays then the descriptor for Uint8Array may not have been initialized.
+
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::privateCompileGetByVal):
+
+2012-11-02 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ MarkedBlocks should use something other than the mark bits to indicate liveness for newly allocated objects
+ https://bugs.webkit.org/show_bug.cgi?id=100877
+
+ Reviewed by Filip Pizlo.
+
+ Currently when we canonicalize cell liveness data in MarkedBlocks, we set the mark bit for every cell in the
+ block except for those in the free list. This allows us to consider objects that were allocated since the
+ previous collection to be considered live until they have a chance to be properly marked by the collector.
+
+ If we want to use the mark bits to signify other types of information, e.g. using sticky mark bits for generational
+ collection, we will have to keep track of newly allocated objects in a different fashion when we canonicalize cell liveness.
+
+ One method would be to allocate a separate set of bits while canonicalizing liveness data. These bits would
+ track the newly allocated objects in the block separately from those objects who had already been marked. We would
+ then check these bits, along with the mark bits, when determining liveness.
+
+ * heap/Heap.h:
+ (Heap):
+ (JSC::Heap::isLive): We now check for the presence of the newlyAllocated Bitmap.
+ (JSC):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::specializedSweep): We clear the newlyAllocated Bitmap if we're creating a free list. This
+ will happen if we canonicalize liveness data for some other reason than collection (e.g. forEachCell) and
+ then start allocating again.
+ (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
+ (SetNewlyAllocatedFunctor):
+ (JSC::SetNewlyAllocatedFunctor::operator()): We set the newlyAllocated bits for all the objects
+ that aren't already marked. We undo the bits for the objects in the free list later in canonicalizeCellLivenessData.
+ (JSC::MarkedBlock::canonicalizeCellLivenessData): We should never have a FreeListed block with a newlyAllocated Bitmap.
+ We allocate the new Bitmap, set the bits for all the objects that aren't already marked, and then unset all of the
+ bits for the items currently in the FreeList.
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::clearMarks): We clear the newlyAllocated bitmap if it exists because at this point we don't need it
+ any more.
+ (JSC::MarkedBlock::isEmpty): If we have some objects that are newlyAllocated, we are not empty.
+ (JSC::MarkedBlock::isNewlyAllocated):
+ (JSC):
+ (JSC::MarkedBlock::setNewlyAllocated):
+ (JSC::MarkedBlock::clearNewlyAllocated):
+ (JSC::MarkedBlock::isLive): We now check the newlyAllocated Bitmap, if it exists, when determining liveness of a cell in
+ a block that is Marked.
+ * heap/WeakBlock.cpp:
+ (JSC::WeakBlock::visit): We need to make sure we don't finalize objects that are in the newlyAllocated Bitmap.
+ (JSC::WeakBlock::reap): Ditto.
+
+2012-11-02 Filip Pizlo <fpizlo@apple.com>
+
+ JIT::privateCompileGetByVal should use MacroAssemblerCodePtr::createFromExecutableAddress like JIT::privateCompilePutByVal
+ https://bugs.webkit.org/show_bug.cgi?id=101109
+
+ Reviewed by Gavin Barraclough.
+
+ This fixes crashes on ARMv7 resulting from the return address already being tagged with the THUMB2 bit.
+
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::privateCompileGetByVal):
+
+2012-11-02 Simon Fraser <simon.fraser@apple.com>
+
+ Enable SUBPIXEL_LAYOUT on Mac
+ https://bugs.webkit.org/show_bug.cgi?id=101076
+
+ Reviewed by Dave Hyatt.
+
+ Define ENABLE_SUBPIXEL_LAYOUT and include it in FEATURE_DEFINES.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-11-02 Michael Saboff <msaboff@apple.com>
+
+ RegExp.prototype.toString Should Produce an 8 bit JSString if possible.
+ https://bugs.webkit.org/show_bug.cgi?id=101003
+
+ Reviewed by Geoffrey Garen.
+
+ Took the logic of regExpObjectSource() and created two templated helpers that uses the
+ source character type when appending to the StringBuilder.
+
+ * runtime/RegExpObject.cpp:
+ (JSC::appendLineTerminatorEscape): Checks line terminate type to come up with escaped version.
+ (JSC::regExpObjectSourceInternal): Templated version of original.
+ (JSC::regExpObjectSource): Wrapper function.
+
+2012-11-02 Adam Barth <abarth@webkit.org>
+
+ ENABLE(UNDO_MANAGER) is disabled everywhere and is not under active development
+ https://bugs.webkit.org/show_bug.cgi?id=100711
+
+ Reviewed by Eric Seidel.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-11-02 Simon Hausmann <simon.hausmann@digia.com>
+
+ [Qt] Fix build on Windows when Qt is configured with -release
+ https://bugs.webkit.org/show_bug.cgi?id=101041
+
+ Reviewed by Jocelyn Turcotte.
+
+ When Qt is configured with -debug or -release, the release/debug build of for example
+ QtCore is not available by default. For LLIntExtractor we always need to build debug
+ _and_ release versions, but we do not actually need any Qt libraries nor qtmain(d).lib.
+ Therefore we can disable all these features but need to keep $$QT.core.includes in the
+ INCLUDEPATH for some defines from qglobal.h.
+
+ * LLIntOffsetsExtractor.pro:
+
+2012-11-01 Mark Lam <mark.lam@apple.com>
+
+ A llint workaround for a toolchain issue.
+ https://bugs.webkit.org/show_bug.cgi?id=101012.
+
+ Reviewed by Michael Saboff.
+
+ * llint/LowLevelInterpreter.asm:
+ - use a local label to workaround the toolchain issue with undeclared
+ global labels.
+
+2012-11-01 Oliver Hunt <oliver@apple.com>
+
+ Remove GlobalObject constant register that is typically unused
+ https://bugs.webkit.org/show_bug.cgi?id=101005
+
+ Reviewed by Geoffrey Garen.
+
+ The GlobalObject constant register is frequently allocated even when it
+ is not used, it is also getting in the way of some other optimisations.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseResolveOperations):
+
+2012-10-31 Filip Pizlo <fpizlo@apple.com>
+
+ DFG optimized string access code should be enabled
+ https://bugs.webkit.org/show_bug.cgi?id=100825
+
+ Reviewed by Oliver Hunt.
+
+ - Removes prediction checks from the parser.
+
+ - Fixes the handling of array mode refinement for strings. I.e. we don't do
+ any refinement - we already know it's going to be a string. We could
+ revisit this in the future, but for now the DFG lacks the ability to
+ handle any array modes other than Array::String for string intrinsics, so
+ this is as good as it gets.
+
+ - Removes uses of isBlahSpeculation for checking if a mode is already
+ checked. isBlahSpeculation implicitly checks if the SpeculatedType is not
+ BOTTOM ("empty"), which breaks for checking if a mode is already checked
+ since a mode may already be "checked" in the sense that we've proven that
+ the code is unreachable.
+
+ ~1% speed-up on V8v7, mostly from a speed-up on crypto, which uses string
+ intrinsics in one of the hot functions.
+
+ * bytecode/SpeculatedType.h:
+ (JSC::speculationChecked):
+ (JSC):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::alreadyChecked):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
+
+2012-10-31 Filip Pizlo <fpizlo@apple.com>
+
+ Sparse array size threshold should be increased to 100000
+ https://bugs.webkit.org/show_bug.cgi?id=100827
+
+ Reviewed by Oliver Hunt.
+
+ This enables the use of contiguous arrays in programs that previously
+ couldn't use them. And I so far can't see any examples of this being
+ a downside. To the extent that there is a downside, it ought to be
+ addressed by GC: https://bugs.webkit.org/show_bug.cgi?id=100828
+
+ * runtime/ArrayConventions.h:
+ (JSC):
+
+2012-10-31 Mark Lam <mark.lam@apple.com>
+
+ C++ llint 64-bit backend needs to zero extend results of int32 operations.
+ https://bugs.webkit.org/show_bug.cgi?id=100899.
+
+ Reviewed by Filip Pizlo.
+
+ llint asm instructions ending in "i" for a 64-bit machine expects the
+ high 32-bit of registers to be zero'ed out when a 32-bit instruction
+ writes into a register. Fixed the C++ llint to honor this.
+
+ Fixed the index register used in BaseIndex addressing to be of size
+ intptr_t as expected.
+
+ Updated CLoopRegister to handle different endiannesss configurations.
+
+ * llint/LowLevelInterpreter.cpp:
+ (JSC::CLoopRegister::clearHighWord):
+ - new method to clear the high 32-bit of a 64-bit register.
+ It's a no-op for the 32-bit build.
+ (CLoopRegister):
+ - CLoopRegister now takes care of packing and byte endianness order.
+ (JSC::CLoop::execute): - Added an assert.
+ * offlineasm/cloop.rb:
+ - Add calls to clearHighWord() wherever needed.
+
+2012-10-31 Mark Lam <mark.lam@apple.com>
+
+ A JSC printf (support for %J+s and %b).
+ https://bugs.webkit.org/show_bug.cgi?id=100566.
+
+ Reviewed by Michael Saboff.
+
+ Added VMInspector::printf(), fprintf(), sprintf(), and snprintf().
+ - %b prints ints as boolean TRUE (non-zero) or FALSE (zero).
+ - %Js prints a WTF::String* like a %s prints a char*.
+ Also works for 16bit WTF::Strings (prints wchar_t* using %S).
+ - '+' is a modifier meaning 'use verbose mode', and %J+s is an example
+ of its use.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * interpreter/VMInspector.cpp:
+ (FormatPrinter):
+ (JSC::FormatPrinter::~FormatPrinter):
+ (JSC::FormatPrinter::print):
+ (JSC::FormatPrinter::printArg):
+ (JSC::FormatPrinter::printWTFString):
+ (JSC::FileFormatPrinter::FileFormatPrinter):
+ (JSC::FileFormatPrinter::printArg):
+ (JSC::StringFormatPrinter::StringFormatPrinter):
+ (JSC::StringFormatPrinter::printArg):
+ (JSC::StringNFormatPrinter::StringNFormatPrinter):
+ (JSC::StringNFormatPrinter::printArg):
+ (JSC::VMInspector::fprintf):
+ (JSC::VMInspector::printf):
+ (JSC::VMInspector::sprintf):
+ (JSC::VMInspector::snprintf):
+ * interpreter/VMInspector.h:
+ (VMInspector):
+
+2012-10-31 Mark Lam <mark.lam@apple.com>
+
+ 64-bit llint PC offset can be negative: using an unsigned shift is a bug.
+ https://bugs.webkit.org/show_bug.cgi?id=100896.
+
+ Reviewed by Filip Pizlo.
+
+ Fixed the PC offset divisions in the 64-bit llint asm to use rshift instead of urshift.
+
+ * llint/LowLevelInterpreter64.asm:
+
+2012-10-30 Yuqiang Xian <yuqiang.xian@intel.com>
+
+ glsl-function-atan.html WebGL conformance test fails after https://bugs.webkit.org/show_bug.cgi?id=99154
+ https://bugs.webkit.org/show_bug.cgi?id=100789
+
+ Reviewed by Filip Pizlo.
+
+ We accidently missed a bitwise double to int64 conversion.
+
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::silentFill):
+
+2012-10-30 Joseph Pecoraro <pecoraro@apple.com>
+
+ [Mac] Sync up FeatureDefine Configuration Files
+ https://bugs.webkit.org/show_bug.cgi?id=100171
+
+ Reviewed by David Kilzer.
+
+ Follow up to better coordinate with iOS feature defines. Make:
+
+ - ENABLE_FILTERS always on
+ - ENABLE_INPUT_* iphonesimulator values point to the iphoneos values
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-10-30 Joseph Pecoraro <pecoraro@apple.com>
+
+ [Mac] Sync up FeatureDefine Configuration Files
+ https://bugs.webkit.org/show_bug.cgi?id=100171
+
+ Reviewed by David Kilzer.
+
+ Ensure an identical FeatureDefine files across all projects. Changes:
+
+ - ENABLE_CSS_BOX_DECORATION_BREAK should be in all
+ - ENABLE_PDFKIT_PLUGIN should be in all
+ - ENABLE_RESOLUTION_MEDIA_QUERY should be in all
+ - ENABLE_ENCRYPTED_MEDIA should be in all
+ - ENABLE_HIDDEN_PAGE_DOM_TIMER_THROTTLING with corrected value
+ - Some alphabetical ordering cleanup
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-10-30 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Arrays can change IndexingType in the middle of sorting
+ https://bugs.webkit.org/show_bug.cgi?id=100773
+
+ Reviewed by Filip Pizlo.
+
+ Instead of giving up, we just fetch the appropriate vector based on the current
+ IndexingType of the array.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::sortVector):
+ * runtime/JSObject.h:
+ (JSObject):
+ (JSC::JSObject::currentIndexingData):
+ (JSC::JSObject::currentRelevantLength):
+
+2012-10-29 Anders Carlsson <andersca@apple.com>
+
+ Build WebKit as C++11 on Mac
+ https://bugs.webkit.org/show_bug.cgi?id=100720
+
+ Reviewed by Daniel Bates.
+
+ * Configurations/Base.xcconfig:
+ Add CLANG_CXX_LANGUAGE_STANDARD=gnu++0x.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::generate):
+ (JSC::BytecodeGenerator::pushFinallyContext):
+ (JSC::BytecodeGenerator::beginSwitch):
+ * llint/LLIntOffsetsExtractor.cpp:
+ * runtime/Identifier.cpp:
+ (JSC::Identifier::add8):
+ * runtime/Identifier.h:
+ (JSC::Identifier::add):
+ * runtime/JSONObject.cpp:
+ (JSC::appendStringToStringBuilder):
+ * runtime/StringPrototype.cpp:
+ (JSC::replaceUsingStringSearch):
+ Add static_casts to prevent implicit type conversions in non-constant initializer lists.
+
+2012-10-28 Mark Rowe <mrowe@apple.com>
+
+ Simplify Xcode configuration settings that used to vary between OS versions.
+
+ Reviewed by Dan Bernstein.
+
+ * Configurations/Base.xcconfig:
+ * Configurations/DebugRelease.xcconfig:
+ * Configurations/JavaScriptCore.xcconfig:
+
+2012-10-28 Mark Rowe <mrowe@apple.com>
+
+ Remove references to unsupported OS and Xcode versions.
+
+ Reviewed by Anders Carlsson.
+
+ * Configurations/Base.xcconfig:
+ * Configurations/CompilerVersion.xcconfig: Removed.
+ * Configurations/DebugRelease.xcconfig:
+ * Configurations/Version.xcconfig:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2012-10-29 Michael Saboff <msaboff@apple.com>
+
+ Non-special escape character sequences cause JSC::Lexer::parseString to create 16 bit strings
+ https://bugs.webkit.org/show_bug.cgi?id=100576
+
+ Reviewed by Darin Adler.
+
+ Changed singleEscape() processing to be based on a lookup of a static table. The table
+ covers ASCII characters SPACE through DEL. If a character can be a single character escape,
+ then the table provides the non-zero result of that escape. Updated the result of
+ singleEscape to be an LChar to make the table as small as possible.
+ Added a new test fast/js/normal-character-escapes-in-string-literals.html to validated
+ the behavior.
+
+ * parser/Lexer.cpp:
+ (JSC::singleEscape):
+ (JSC::Lexer::parseString):
+ (JSC::Lexer::parseStringSlowCase):
+
+2012-10-29 Enrica Casucci <enrica@apple.com>
+
+ Add ENABLE_USERSELECT_ALL feature flag.
+ https://bugs.webkit.org/show_bug.cgi?id=100559
+
+ Reviewed by Eric Seidel.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-10-28 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should be able to emit effectful structure checks
+ https://bugs.webkit.org/show_bug.cgi?id=99260
+
+ Reviewed by Oliver Hunt.
+
+ This change allows us to find out if an array access that has gone polymorphic
+ is operating over known structures - i.e. the primordial array structures of the
+ global object that the code block containing the array access belongs to. We
+ term this state "OriginalArray" for short. The fact that the access has gone
+ polymorphic means that the array profile will not be able to report the set of
+ structures it had seen - but if it can tell us that all of the structures were
+ primordial then it just so happens that we can deduce what the structure set
+ would have been by just querying the code block's global object. This allows us
+ to emit an ArrayifyToStructure instead of an Arrayify if we find that we need to
+ do conversions. The fast path of an ArrayifyToStructure is exactly like the fast
+ path of a CheckStructure and is mostly subject to the same optimizations. It
+ also burns one fewer registers.
+
+ Essentially the notion of OriginalArray is a super cheap way of getting the
+ array profile to tell us a structure set instead of a singleton structure.
+ Currently, the array profile can only tell us the structure seen at an array
+ access if there was exactly one structure. If there were multiple structures, it
+ won't tell us anything other than the array modes and other auxiliary profiling
+ data (whether there were stores to holes, for example). With OriginalArray, we
+ cheaply get a structure set if all of the structures were primordial for the
+ code block's global object, since in that case the array mode set (ArrayModes)
+ can directly tell us the structure set. In the future, we might consider adding
+ complete structure sets to the array profiles, but I suspect that we would hit
+ diminishing returns if we did so - it would only help if we have array accesses
+ that are both polymorphic and are cross-global-object accesses (rare) or if the
+ arrays had named properties or other structure transitions that are unrelated to
+ indexing type (also rare).
+
+ This also does away with Arrayify (and the new ArrayifyToStructure) returning
+ the butterfly pointer. This turns out to be faster and easier to CSE.
+
+ And, this also changes constant folding to be able to eliminate CheckStructure,
+ ForwardCheckStructure, and ArrayifyToStructure in addition to being able to
+ transform them into structure transition watchpoints. This is great for
+ ArrayifyToStructure because then CSE and CFA know that there is no side effect.
+ Converting CheckStructure and ForwardCheckStructure to also behave this way is
+ just a matter of elegance.
+
+ This has no performance impact right now. It's intended to alleviate some of the
+ regressions seen in the early implementation of
+ https://bugs.webkit.org/show_bug.cgi?id=98606.
+
+ * bytecode/ArrayProfile.cpp:
+ (JSC::ArrayProfile::computeUpdatedPrediction):
+ * bytecode/ArrayProfile.h:
+ (JSC):
+ (JSC::ArrayProfile::ArrayProfile):
+ (ArrayProfile):
+ (JSC::ArrayProfile::usesOriginalArrayStructures):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::fromObserved):
+ (JSC::DFG::ArrayMode::alreadyChecked):
+ (JSC::DFG::arrayClassToString):
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::withProfile):
+ (JSC::DFG::ArrayMode::isJSArray):
+ (ArrayMode):
+ (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure):
+ (JSC::DFG::ArrayMode::supportsLength):
+ (JSC::DFG::ArrayMode::arrayModesWithIndexingShape):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::getArrayMode):
+ (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
+ (JSC::DFG::ByteCodeParser::handleGetByOffset):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::checkStructureElimination):
+ (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
+ (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
+ (JSC::DFG::CSEPhase::checkArrayElimination):
+ (JSC::DFG::CSEPhase::getScopeRegistersLoadElimination):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::checkArray):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasStructure):
+ (JSC::DFG::Node::hasArrayMode):
+ (JSC::DFG::Node::arrayMode):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
+ (JSC::DFG::SpeculativeJIT::arrayify):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::isOriginalArrayStructure):
+ * runtime/Structure.cpp:
+ (JSC::Structure::nonPropertyTransition):
+
+2012-10-28 Filip Pizlo <fpizlo@apple.com>
+
+ There should not be blind spots in array length array profiling
+ https://bugs.webkit.org/show_bug.cgi?id=100620
+
+ Reviewed by Oliver Hunt.
+
+ I don't think this has any performance impact. But it's good to not have random
+ programs occasionally emit a GetById for array length accesses.
+
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::compileGetByIdHotPath):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::compileGetByIdHotPath):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+
+2012-10-28 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, make always-true enum-to-int comparisons use casts.
+
+ * dfg/DFGFPRInfo.h:
+ (JSC::DFG::FPRInfo::debugName):
+ * dfg/DFGGPRInfo.h:
+ (JSC::DFG::JSValueSource::tagGPR):
+ (JSC::DFG::GPRInfo::toIndex):
+ (JSC::DFG::GPRInfo::debugName):
+ * runtime/JSTypeInfo.h:
+ (JSC::TypeInfo::TypeInfo):
+
+2012-10-27 Filip Pizlo <fpizlo@apple.com>
+
+ OSR exit compilation should defend against argument recoveries from code blocks that are no longer on the inline stack
+ https://bugs.webkit.org/show_bug.cgi?id=100601
+
+ Reviewed by Oliver Hunt.
+
+ This happened to me while I was fixing bugs for https://bugs.webkit.org/show_bug.cgi?id=100599.
+ I'm not sure how to reproduce this.
+
+ * dfg/DFGAssemblyHelpers.h:
+ (JSC::DFG::AssemblyHelpers::baselineCodeBlockFor):
+ (AssemblyHelpers):
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+
+2012-10-27 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::Array::Mode needs to be cleaned up
+ https://bugs.webkit.org/show_bug.cgi?id=100599
+
+ Reviewed by Oliver Hunt.
+
+ Turn the previous massive Array::Mode enum into a class that contains four
+ fields, the type, whether it's a JSArray, the level of speculation, and the
+ kind of conversion to perform.
+
+ No performance or behavioral change.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::fromObserved):
+ (JSC::DFG::ArrayMode::refine):
+ (JSC::DFG::ArrayMode::alreadyChecked):
+ (JSC::DFG::arrayTypeToString):
+ (JSC::DFG::arrayClassToString):
+ (DFG):
+ (JSC::DFG::arraySpeculationToString):
+ (JSC::DFG::arrayConversionToString):
+ (JSC::DFG::ArrayMode::toString):
+ * dfg/DFGArrayMode.h:
+ (DFG):
+ (ArrayMode):
+ (JSC::DFG::ArrayMode::ArrayMode):
+ (JSC::DFG::ArrayMode::type):
+ (JSC::DFG::ArrayMode::arrayClass):
+ (JSC::DFG::ArrayMode::speculation):
+ (JSC::DFG::ArrayMode::conversion):
+ (JSC::DFG::ArrayMode::asWord):
+ (JSC::DFG::ArrayMode::fromWord):
+ (JSC::DFG::ArrayMode::withSpeculation):
+ (JSC::DFG::ArrayMode::usesButterfly):
+ (JSC::DFG::ArrayMode::isJSArray):
+ (JSC::DFG::ArrayMode::isInBounds):
+ (JSC::DFG::ArrayMode::mayStoreToHole):
+ (JSC::DFG::ArrayMode::isOutOfBounds):
+ (JSC::DFG::ArrayMode::isSlowPut):
+ (JSC::DFG::ArrayMode::canCSEStorage):
+ (JSC::DFG::ArrayMode::lengthNeedsStorage):
+ (JSC::DFG::ArrayMode::modeForPut):
+ (JSC::DFG::ArrayMode::isSpecific):
+ (JSC::DFG::ArrayMode::supportsLength):
+ (JSC::DFG::ArrayMode::benefitsFromStructureCheck):
+ (JSC::DFG::ArrayMode::doesConversion):
+ (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
+ (JSC::DFG::ArrayMode::operator==):
+ (JSC::DFG::ArrayMode::operator!=):
+ (JSC::DFG::ArrayMode::arrayModesWithIndexingShape):
+ (JSC::DFG::canCSEStorage):
+ (JSC::DFG::lengthNeedsStorage):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::getArrayMode):
+ (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::getArrayLengthElimination):
+ (JSC::DFG::CSEPhase::checkArrayElimination):
+ (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::checkArray):
+ (JSC::DFG::FixupPhase::blessArrayOperation):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::byValIsPure):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::arrayMode):
+ (JSC::DFG::Node::setArrayMode):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
+ (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::arrayify):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
+ (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
+ (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
+ (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::putByValWillNeedExtraRegister):
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2012-10-27 Dan Bernstein <mitz@apple.com>
+
+ REAL_PLATFORM_NAME build setting is no longer needed
+ https://bugs.webkit.org/show_bug.cgi?id=100587
+
+ Reviewed by Mark Rowe.
+
+ Removed the definition of REAL_PLATFORM_NAME and replaced references to it with references
+ to PLATFORM_NAME.
+
+ * Configurations/Base.xcconfig:
+ * Configurations/CompilerVersion.xcconfig:
+ * Configurations/DebugRelease.xcconfig:
+ * Configurations/FeatureDefines.xcconfig:
+ * Configurations/JSC.xcconfig:
+ * Configurations/JavaScriptCore.xcconfig:
+ * Configurations/ToolExecutable.xcconfig:
+
+2012-10-25 Filip Pizlo <fpizlo@apple.com>
+
+ Forward OSR calculation is wrong in the presence of multiple SetLocals, or a mix of SetLocals and Phantoms
+ https://bugs.webkit.org/show_bug.cgi?id=100461
+
+ Reviewed by Oliver Hunt and Gavin Barraclough.
+
+ This does a couple of things. First, it removes the part of the change in r131822 that made the forward
+ OSR exit calculator capable of handling multiple SetLocals. That change was wrong, because it would
+ blindly assume that all SetLocals had the same ValueRecovery, and would ignore the possibility that if
+ there is no value recovery then a ForwardCheckStructure on the first SetLocal would not know how to
+ recover the state associated with the second SetLocal. Then, it introduces the invariant that any bytecode
+ op that decomposes into multiple SetLocals must first emit dead SetLocals as hints and then emit a second
+ set of SetLocals to actually do the setting of the locals. This means that if a ForwardCheckStructure (or
+ any other hoisted forward speculation) is inserted, it will always be inserted on the second set of
+ SetLocals (since hoisting only touches the live ones), at which point OSR will already know about the
+ mov hints implied by the first set of (dead) SetLocals. This gives us the behavior we wanted, namely, that
+ a ForwardCheckStructure applied to a variant set by a resolve_with_base-like operation can correctly do a
+ forward exit while also ensuring that prior to exiting we set the appropriate locals.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::OSRExit):
+ * dfg/DFGOSRExit.h:
+ (OSRExit):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
+
+2012-10-26 Simon Hausmann <simon.hausmann@digia.com>
+
+ [Qt] Fix the LLInt build on Windows
+ https://bugs.webkit.org/show_bug.cgi?id=97648
+
+ Reviewed by Tor Arne Vestbø.
+
+ The main change for the port on Windows is changing the way offsets are extracted
+ and the LLIntAssembly.h is generated to accomodate release and debug configurations.
+
+ Firstly the LLIntOffsetsExtractor binary is now built as-is (no DESTDIR set) and
+ placed into debug\LLIntOffsetsExtractor.exe and release\LLIntOffsetsExtractor.exe
+ on Windows debug_and_release builds. On other patforms it remainds in the regular
+ out directory.
+
+ Secondly the LLIntAssembly.h files must be different for different build types,
+ so the LLIntAssembly.h generator in DerivedSources.pri operates no on the extractor
+ binary files as input. Using a simple exists() check we verify the presence of either
+ a regular, a debug\LLIntOffsetsExtractor and a release\LLIntOffsetsExtractor binary
+ and process all of them. The resulting assembly files consequently end up in
+ generated\debug\LLIntAssembly.h and generated\release\LLIntAssembly.h.
+
+ In Target.pri we have to also make sure that those directories are in the include
+ path according to the release or debug configuration.
+
+ Lastly a small tweak - swapping WTF.pri and JSC.pri inclusions - in the
+ LLIntOffsetsExtractor build was needed to make sure that we include
+ JavaScriptCore/config.h instead of WTF/config.h, required to fix the
+ build issues originally pasted in bug #97648.
+
+ * DerivedSources.pri:
+ * JavaScriptCore.pro:
+ * LLIntOffsetsExtractor.pro:
+ * Target.pri:
+
+2012-10-26 Gabor Ballabas <gaborb@inf.u-szeged.hu>
+
+ [Qt] Enable JSC's disassembler on x86, x86_64 Linux
+ https://bugs.webkit.org/show_bug.cgi?id=100386
+
+ Reviewed by Simon Hausmann.
+
+ It works fine on Linux x86, x86_64 just needs to be enabled in the
+ QtWebKit build system.
+
+ * DerivedSources.pri:
+ * JavaScriptCore.pri:
+ * Target.pri:
+
+2012-10-26 Thiago Marcos P. Santos <thiago.santos@intel.com>
+
+ Add feature flags for CSS Device Adaptation
+ https://bugs.webkit.org/show_bug.cgi?id=95960
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-10-26 Simon Hausmann <simon.hausmann@digia.com>
+
+ [WIN] Make LLInt offsets extractor work on Windows
+ https://bugs.webkit.org/show_bug.cgi?id=100369
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ Open the input file explicitly in binary mode to prevent ruby/Windows from thinking that
+ it's a text mode file that needs even new line conversions. The binary mode parameter is
+ ignored on other platforms.
+
+ * offlineasm/offsets.rb:
+
+2012-10-25 Michael Saboff <msaboff@apple.com>
+
+ SymbolTableIndexHashTraits::needsDestruction should be set to true
+ https://bugs.webkit.org/show_bug.cgi?id=100437
+
+ Reviewed by Mark Hahnenberg.
+
+ For correctness, set SymbolTableIndexHashTraits::needsDestruction to true since SymbolTableEntry's do
+ need to have their destructor called due to the possibility of rare data.
+
+ * runtime/SymbolTable.h:
+ (SymbolTableIndexHashTraits):
+
+2012-10-25 Filip Pizlo <fpizlo@apple.com>
+
+ DFG Arrayify elimination should replace it with GetButterfly rather than Phantom
+ https://bugs.webkit.org/show_bug.cgi?id=100441
+
+ Reviewed by Oliver Hunt and Gavin Barraclough.
+
+ Made array profiler's to-string helper behave correctly.
+
+ Made Arrayify elimination do the right thing (convert to GetButterfly).
+
+ Made CFA's interference analysis track clobbered array modes correctly, mostly by
+ simplifying the machinery.
+
+ * bytecode/ArrayProfile.cpp:
+ (JSC::arrayModesToString):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::clobberArrayModes):
+ (AbstractValue):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
+2012-10-25 Filip Pizlo <fpizlo@apple.com>
+
+ REGRESSION (r131793-r131826): Crash going to wikifonia.org
+ https://bugs.webkit.org/show_bug.cgi?id=100281
+
+ Reviewed by Oliver Hunt.
+
+ Restore something that got lost in the resolve refactoring: the ability to give up on life if
+ we see a resolve of 'arguments'.
+
+ * runtime/JSScope.cpp:
+ (JSC::JSScope::resolveContainingScopeInternal):
+
+2012-10-25 Dominik Röttsches <dominik.rottsches@intel.com>
+
+ Conditionalize XHR timeout support
+ https://bugs.webkit.org/show_bug.cgi?id=100356
+
+ Reviewed by Adam Barth.
+
+ Adding XHR_TIMEOUT feature to conditionalize this on ports without network backend support.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-10-25 Michael Saboff <msaboff@apple.com>
+
+ REGRESSION (r131836): failures in list styles tests on EFL, GTK
+ https://bugs.webkit.org/show_bug.cgi?id=99824
+
+ Reviewed by Oliver Hunt.
+
+ Saved start of string since it is modified by call convertUTF8ToUTF16().
+
+ * API/JSStringRef.cpp:
+ (JSStringCreateWithUTF8CString):
+
+2012-10-24 Filip Pizlo <fpizlo@apple.com>
+
+ DFG NewArrayBuffer node should keep its data in a structure on the side to free up one of the opInfos
+ https://bugs.webkit.org/show_bug.cgi?id=100328
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGGraph.h:
+ (Graph):
+ * dfg/DFGNode.h:
+ (NewArrayBufferData):
+ (DFG):
+ (JSC::DFG::Node::newArrayBufferData):
+ (Node):
+ (JSC::DFG::Node::startConstant):
+ (JSC::DFG::Node::numConstants):
+
+2012-10-25 Mark Lam <mark.lam@apple.com>
+
+ Update the C++ llint to work with the latest op_resolve... changes.
+ https://bugs.webkit.org/show_bug.cgi?id=100345.
+
+ Reviewed by Oliver Hunt.
+
+ * llint/LowLevelInterpreter.cpp:
+ (JSC::CLoop::execute):
+ - emit opcode name as label when not using COMPUTED_GOTOs. The new op_resolve
+ opcodes have jumps to these labels.
+ - declare all opcode labels as UNUSED_LABEL()s to keep the compiler happy
+ for opcodes that are not referenced by anyone.
+ * offlineasm/asm.rb:
+ - strip llint_ prefix from opcode names used as labels.
+
+2012-10-24 Yuqiang Xian <yuqiang.xian@intel.com>
+
+ Refactor LLInt64 to distinguish the pointer operations from the 64-bit integer operations
+ https://bugs.webkit.org/show_bug.cgi?id=100321
+
+ Reviewed by Filip Pizlo.
+
+ We have refactored the MacroAssembler and JIT compilers to distinguish
+ the pointer operations from the 64-bit integer operations (see bug #99154).
+ Now we want to do the similar work for LLInt, and the goal is same as
+ the one mentioned in 99154.
+
+ This is the first part of the modification: in the offline assembler,
+ adding the support of the "<foo>q" instructions which will be used for
+ 64-bit integer operations.
+
+ * llint/LowLevelInterpreter.cpp:
+ (JSC::CLoop::execute):
+ * offlineasm/cloop.rb:
+ * offlineasm/instructions.rb:
+ * offlineasm/x86.rb:
+
+2012-10-24 Filip Pizlo <fpizlo@apple.com>
+
+ DFG compileBlahBlahByVal methods for Contiguous and ArrayStorage have only one caller and should be removed
+ https://bugs.webkit.org/show_bug.cgi?id=100311
+
+ Reviewed by Mark Hahnenberg.
+
+ Just trying to simplify things before I make them more complicated again.
+
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2012-10-23 Andreas Kling <kling@webkit.org>
+
+ CodeBlock: Give m_putToBaseOperations an inline capacity.
+ <http://webkit.org/b/100190>
+ <rdar://problem/12562466>
+
+ Reviewed by Oliver Hunt.
+
+ Since the CodeBlock constructor always inserts a single PutToBaseOperation, but there's no
+ guarantee that more will follow, give the m_putToBaseOperations vector an inline capacity of 1.
+ There are 4009 of these Vectors on Membuster3, and only 126 of them have more than a single entry.
+
+ This change yields a 1.90MB reduction in memory usage.
+
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+
+2012-10-23 Christophe Dumez <christophe.dumez@intel.com>
+
+ Regression(r132143): Assertion hit in JSC::Interpreter::StackPolicy::StackPolicy(JSC::Interpreter&, const WTF::StackBounds&)
+ https://bugs.webkit.org/show_bug.cgi?id=100109
+
+ Reviewed by Oliver Hunt.
+
+ Fix possible integer overflow in StackPolicy constructor by
+ using size_t type instead of int for stack sizes. The value
+ returned by StackBounds::size() is of type size_t but was
+ assigned to an int, which may overflow.
+
+ * interpreter/Interpreter.cpp:
+ (JSC):
+ (JSC::Interpreter::StackPolicy::StackPolicy):
+
+2012-10-23 Carlos Garcia Campos <cgarcia@igalia.com>
+
+ Unreviewed. Fix make distcheck.
+
+ * GNUmakefile.list.am: Add missing header file.
+
+2012-10-23 Mark Lam <mark.lam@apple.com>
+
+ Make topCallFrame reliable.
+ https://bugs.webkit.org/show_bug.cgi?id=98928.
+
+ Reviewed by Geoffrey Garen.
+
+ - VM entry points and the GC now uses topCallFrame.
+ - The callerFrame value in CallFrames are now always the previous
+ frame on the stack, except for the first frame which has a
+ callerFrame of 0 (not counting the HostCallFrameFlag).
+ Hence, we can now traverse every frame on the stack all the way
+ back to the first frame.
+ - GlobalExec's will no longer be used as the callerFrame values in
+ call frames.
+ - Added fences and traps for debugging the JSStack in debug builds.
+
+ * bytecode/SamplingTool.h:
+ (SamplingTool):
+ (JSC::SamplingTool::CallRecord::CallRecord):
+ * dfg/DFGOperations.cpp:
+ - Fixed 2 DFG helper functions to flush topCallFrame as expected.
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::callerFrameNoFlags):
+ (ExecState):
+ (JSC::ExecState::argIndexForRegister):
+ (JSC::ExecState::getArgumentUnsafe):
+ * interpreter/CallFrameClosure.h:
+ (CallFrameClosure):
+ * interpreter/Interpreter.cpp:
+ (JSC):
+ (JSC::eval):
+ (JSC::Interpreter::Interpreter):
+ (JSC::Interpreter::throwException):
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ (JSC::Interpreter::prepareForRepeatCall):
+ (JSC::Interpreter::endRepeatCall):
+ * interpreter/Interpreter.h:
+ (JSC):
+ (Interpreter):
+ * interpreter/JSStack.cpp:
+ (JSC::JSStack::JSStack):
+ (JSC::JSStack::gatherConservativeRoots):
+ (JSC::JSStack::disableErrorStackReserve):
+ * interpreter/JSStack.h:
+ (JSC):
+ (JSStack):
+ (JSC::JSStack::installFence):
+ (JSC::JSStack::validateFence):
+ (JSC::JSStack::installTrapsAfterFrame):
+ * interpreter/JSStackInlines.h: Added.
+ (JSC):
+ (JSC::JSStack::getTopOfFrame):
+ (JSC::JSStack::getTopOfStack):
+ (JSC::JSStack::getStartOfFrame):
+ (JSC::JSStack::pushFrame):
+ (JSC::JSStack::popFrame):
+ (JSC::JSStack::generateFenceValue):
+ (JSC::JSStack::installFence):
+ (JSC::JSStack::validateFence):
+ (JSC::JSStack::installTrapsAfterFrame):
+ * jit/JITStubs.cpp:
+ (JSC::jitCompileFor):
+ (JSC::lazyLinkFor):
+ - Set frame->codeBlock to 0 for both the above because they are called
+ with partially intitialized frames (cb uninitialized), but may
+ trigger a GC.
+ (JSC::DEFINE_STUB_FUNCTION):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+
+2012-10-22 Filip Pizlo <fpizlo@apple.com>
+
+ DFG::Array::Undecided should be called DFG::Array::SelectUsingPredictions
+ https://bugs.webkit.org/show_bug.cgi?id=100052
+
+ Reviewed by Oliver Hunt.
+
+ No functional change, just renaming. It's a clearer name that more accurately
+ reflects the meaning, and it eliminates the namespace confusion that will happen
+ with the Undecided indexing type in https://bugs.webkit.org/show_bug.cgi?id=98606
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::fromObserved):
+ (JSC::DFG::refineArrayMode):
+ (JSC::DFG::modeAlreadyChecked):
+ (JSC::DFG::modeToString):
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::canCSEStorage):
+ (JSC::DFG::modeIsSpecific):
+ (JSC::DFG::modeSupportsLength):
+ (JSC::DFG::benefitsFromStructureCheck):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::blessArrayOperation):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::arrayify):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2012-10-22 Mark Lam <mark.lam@apple.com>
+
+ Change stack recursion checks to be based on stack availability.
+ https://bugs.webkit.org/show_bug.cgi?id=99872.
+
+ Reviewed by Filip Pizlo and Geoffrey Garen.
+
+ - Remove m_reentryDepth, ThreadStackType which are now obsolete.
+ - Replaced the reentryDepth checks with a StackBounds check.
+ - Added the Interpreter::StackPolicy class to compute a reasonable
+ stack capacity requirement given the native stack that the
+ interpreter is executing on at that time.
+ - Reserved an amount of JSStack space for the use of error handling
+ and enable its use (using Interpreter::ErrorHandlingMode) when
+ we're about to throw or report an exception.
+ - Interpreter::StackPolicy also allows more native stack space
+ to be used when in ErrorHandlingMode. This is needed in the case
+ of native stack overflows.
+ - Fixed the parser so that it throws a StackOverflowError instead of
+ a SyntaxError when it encounters a stack overflow.
+
+ * API/JSContextRef.cpp:
+ (JSContextGroupCreate):
+ (JSGlobalContextCreateInGroup):
+ * JavaScriptCore.order:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::ErrorHandlingMode::ErrorHandlingMode):
+ (JSC):
+ (JSC::Interpreter::ErrorHandlingMode::~ErrorHandlingMode):
+ (JSC::Interpreter::StackPolicy::StackPolicy):
+ (JSC::Interpreter::Interpreter):
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ (JSC::Interpreter::prepareForRepeatCall):
+ * interpreter/Interpreter.h:
+ (JSC):
+ (Interpreter):
+ (ErrorHandlingMode):
+ (StackPolicy):
+ (JSC::Interpreter::StackPolicy::requiredCapacity):
+ * interpreter/JSStack.cpp:
+ (JSC):
+ (JSC::JSStack::JSStack):
+ (JSC::JSStack::growSlowCase):
+ (JSC::JSStack::enableErrorStackReserve):
+ (JSC::JSStack::disableErrorStackReserve):
+ * interpreter/JSStack.h:
+ (JSStack):
+ (JSC::JSStack::reservationEnd):
+ (JSC):
+ * jsc.cpp:
+ (jscmain):
+ * parser/Parser.cpp:
+ (JSC::::Parser):
+ * parser/Parser.h:
+ (Parser):
+ (JSC::::parse):
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::throwStackOverflowError):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ (JSC::JSGlobalData::createContextGroup):
+ (JSC::JSGlobalData::create):
+ (JSC::JSGlobalData::createLeaked):
+ (JSC::JSGlobalData::sharedInstance):
+ * runtime/JSGlobalData.h:
+ (JSC):
+ (JSGlobalData):
+ * runtime/StringRecursionChecker.h:
+ (JSC::StringRecursionChecker::performCheck):
+ * testRegExp.cpp:
+ (realMain):
+
+2012-10-20 Martin Robinson <mrobinson@igalia.com>
+
+ Fix 'make dist' for the GTK+ port
+
+ * GNUmakefile.list.am: Add missing files to the source list.
+
+2012-10-21 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>
+
+ [CMake][JSC] Depend on risc.rb to decide when to run the LLInt scripts.
+ https://bugs.webkit.org/show_bug.cgi?id=99917
+
+ Reviewed by Geoffrey Garen.
+
+ Depend on the newly-added risc.rb to make sure we always run the
+ LLInt scripts when one of them changes.
+
+ * CMakeLists.txt:
+
+2012-10-20 Filip Pizlo <fpizlo@apple.com>
+
+ LLInt backends of non-ARM RISC platforms should be able to share code with the existing ARMv7 backend
+ https://bugs.webkit.org/show_bug.cgi?id=99745
+
+ Reviewed by Geoffrey Garen.
+
+ This moves all of the things in armv7.rb that I thought are generally useful out
+ into risc.rb. It also separates some phases (branch ops is separated into one
+ phase that does sensible things, and another that does things that are painfully
+ ARM-specific), and removes ARM assumptions from others by using a callback to
+ drive exactly what lowering must happen. The goal here is to minimize the future
+ maintenance burden of LLInt by ensuring that the various platforms share as much
+ lowering code as possible.
+
+ * offlineasm/armv7.rb:
+ * offlineasm/risc.rb: Added.
+
+2012-10-19 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should have some facility for recognizing redundant CheckArrays and Arrayifies
+ https://bugs.webkit.org/show_bug.cgi?id=99287
+
+ Reviewed by Mark Hahnenberg.
+
+ Adds reasoning about indexing type sets (i.e. ArrayModes) to AbstractValue, which
+ then enables us to fold away CheckArray's and Arrayify's that are redundant.
+
+ * bytecode/ArrayProfile.cpp:
+ (JSC::arrayModesToString):
+ (JSC):
+ * bytecode/ArrayProfile.h:
+ (JSC):
+ (JSC::mergeArrayModes):
+ (JSC::arrayModesAlreadyChecked):
+ * bytecode/StructureSet.h:
+ (JSC::StructureSet::arrayModesFromStructures):
+ (StructureSet):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::AbstractValue):
+ (JSC::DFG::AbstractValue::clear):
+ (JSC::DFG::AbstractValue::isClear):
+ (JSC::DFG::AbstractValue::makeTop):
+ (JSC::DFG::AbstractValue::clobberStructures):
+ (AbstractValue):
+ (JSC::DFG::AbstractValue::setMostSpecific):
+ (JSC::DFG::AbstractValue::set):
+ (JSC::DFG::AbstractValue::operator==):
+ (JSC::DFG::AbstractValue::merge):
+ (JSC::DFG::AbstractValue::filter):
+ (JSC::DFG::AbstractValue::filterArrayModes):
+ (JSC::DFG::AbstractValue::validate):
+ (JSC::DFG::AbstractValue::checkConsistency):
+ (JSC::DFG::AbstractValue::dump):
+ (JSC::DFG::AbstractValue::clobberArrayModes):
+ (JSC::DFG::AbstractValue::clobberArrayModesSlow):
+ (JSC::DFG::AbstractValue::setFuturePossibleStructure):
+ (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::modeAlreadyChecked):
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::arrayModesFor):
+ (DFG):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::arrayify):
+
+2012-10-19 Filip Pizlo <fpizlo@apple.com>
+
+ Baseline JIT should not inline array allocations, to make them easier to instrument
+ https://bugs.webkit.org/show_bug.cgi?id=99905
+
+ Reviewed by Mark Hahnenberg.
+
+ This will make it easier to instrument array allocations for the purposes of profiling.
+ It also allows us to kill off a bunch of code. And, this doesn't appear to hurt
+ performance at all. That's expected because these days any hot allocation will end up
+ in the DFG JIT, which does inline these allocations.
+
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ (JIT):
+ * jit/JITInlineMethods.h:
+ (JSC):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_new_array):
+
+2012-10-19 Oliver Hunt <oliver@apple.com>
+
+ Fix some of the regression cause by the non-local variable reworking
+ https://bugs.webkit.org/show_bug.cgi?id=99896
+
+ Reviewed by Filip Pizlo.
+
+ The non0local variable reworking led to some of the optimisations performed by
+ the bytecode generator being dropped. This in turn put more pressure on the DFG
+ optimisations. This exposed a short coming in our double speculation propogation.
+ Now we try to distinguish between places where we should SpecDoubleReal vs generic
+ SpecDouble.
+
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (PredictionPropagationPhase):
+ (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
+ (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPredictions):
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+
+2012-10-19 Michael Saboff <msaboff@apple.com>
+
+ Lexer should create 8 bit Identifiers for RegularExpressions and ASCII identifiers
+ https://bugs.webkit.org/show_bug.cgi?id=99855
+
+ Reviewed by Filip Pizlo.
+
+ Added makeIdentifier helpers that will always make an 8 bit Identifier or make an
+ Identifier that is the same size as the template parameter. Used the first in the fast
+ path when looking for a JS identifier and the second when scanning regular expressions.
+
+ * parser/Lexer.cpp:
+ (JSC::::scanRegExp):
+ * parser/Lexer.h:
+ (Lexer):
+ (JSC::::makeIdentifierSameType):
+ (JSC::::makeLCharIdentifier):
+ (JSC::::lexExpectIdentifier):
+
+2012-10-19 Mark Lam <mark.lam@apple.com>
+
+ Added WTF::StackStats mechanism.
+ https://bugs.webkit.org/show_bug.cgi?id=99805.
+
+ Reviewed by Geoffrey Garen.
+
+ Added StackStats checkpoints and probes.
+
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::emitNode):
+ (JSC::BytecodeGenerator::emitNodeInConditionContext):
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::append):
+ (JSC::visitChildren):
+ (JSC::SlotVisitor::donateKnownParallel):
+ (JSC::SlotVisitor::drain):
+ (JSC::SlotVisitor::drainFromShared):
+ (JSC::SlotVisitor::mergeOpaqueRoots):
+ (JSC::SlotVisitor::internalAppend):
+ (JSC::SlotVisitor::harvestWeakReferences):
+ (JSC::SlotVisitor::finalizeUnconditionalFinalizers):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ (JSC::Interpreter::prepareForRepeatCall):
+ * parser/Parser.h:
+ (JSC::Parser::canRecurse):
+ * runtime/StringRecursionChecker.h:
+ (StringRecursionChecker):
+
+2012-10-19 Oliver Hunt <oliver@apple.com>
+
+ REGRESSION(r131822): It made 500+ tests crash on 32 bit platforms
+ https://bugs.webkit.org/show_bug.cgi?id=99814
+
+ Reviewed by Filip Pizlo.
+
+ Call the correct macro in 32bit.
+
+ * llint/LowLevelInterpreter.asm:
+
+2012-10-19 Dongwoo Joshua Im <dw.im@samsung.com>
+
+ Rename ENABLE_CSS3_TEXT_DECORATION to ENABLE_CSS3_TEXT
+ https://bugs.webkit.org/show_bug.cgi?id=99804
+
+ Reviewed by Julien Chaffraix.
+
+ CSS3 text related properties will be implemented under this flag,
+ including text decoration, text-align-last, and text-justify.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-10-18 Anders Carlsson <andersca@apple.com>
+
+ Clean up RegExpKey
+ https://bugs.webkit.org/show_bug.cgi?id=99798
+
+ Reviewed by Darin Adler.
+
+ RegExpHash doesn't need to be a class template specialization when the class template is specialized
+ for JSC::RegExpKey only. Make it a nested class of RegExp instead. Also, make operator== a friend function
+ so Hash::equal can see it.
+
+ * runtime/RegExpKey.h:
+ (JSC::RegExpKey::RegExpKey):
+ (JSC::RegExpKey::operator==):
+ (RegExpKey):
+ (JSC::RegExpKey::Hash::hash):
+ (JSC::RegExpKey::Hash::equal):
+ (Hash):
+
+2012-10-19 Mark Lam <mark.lam@apple.com>
+
+ Bot greening: Follow up to r131877 to fix the Windows build.
+ https://bugs.webkit.org/show_bug.cgi?id=99739.
+
+ Not reviewed.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2012-10-19 Mark Lam <mark.lam@apple.com>
+
+ Bot greening: Attempt to fix broken Window build after r131836.
+ https://bugs.webkit.org/show_bug.cgi?id=99739.
+
+ Not reviewed.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2012-10-19 Yuqiang Xian <yuqiang.xian@intel.com>
+
+ Unreviewed fix after r131868.
+
+ On JSVALUE64 platforms, JSValue constants can be Imm64 instead of ImmPtr for JIT compilers.
+
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+
+2012-10-18 Filip Pizlo <fpizlo@apple.com>
+
+ Baseline array profiling should be less accurate, and DFG OSR exit should update array profiles on CheckArray and CheckStructure failure
+ https://bugs.webkit.org/show_bug.cgi?id=99261
+
+ Reviewed by Oliver Hunt.
+
+ This makes array profiling stochastic, like value profiling. The point is to avoid
+ noticing one-off indexing types that we'll never see again, but instead to:
+
+ Notice the big ones: We want the DFG to compile based on the things that happen with
+ high probability. So, this change makes array profiling do like value profiling and
+ only notice a random subsampling of indexing types that flowed through an array
+ access. Prior to this patch array profiles noticed all indexing types and weighted
+ them identically.
+
+ Bias the recent: Often an array access will see awkward indexing types during the
+ first handful of executions because of artifacts of program startup. So, we want to
+ bias towards the indexing types that we saw most recently. With this change, array
+ profiling does like value profiling and usually tells use a random sampling that
+ is biased to what happened recently.
+
+ Have a backup plan: The above two things don't work by themselves because our
+ randomness is not that random (nor do we care enough to make it more random), and
+ because some procedures will have a <1/10 probability event that we must handle
+ without bailing because it dominates a hot loop. So, like value profiling, this
+ patch makes array profiling use OSR exits to tell us why we are bailing out, so
+ that we don't make the same mistake again in the future.
+
+ This change also makes the way that the 32-bit OSR exit compiler snatches scratch
+ registers more uniform. We don't need a scratch buffer when we can push and pop.
+
+ * bytecode/DFGExitProfile.h:
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::arrayify):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JITInlineMethods.h:
+ (JSC::JIT::emitArrayProfilingSite):
+ * llint/LowLevelInterpreter.asm:
+
+2012-10-18 Yuqiang Xian <yuqiang.xian@intel.com>
+
+ [Qt] REGRESSION(r131858): It broke the ARM build
+ https://bugs.webkit.org/show_bug.cgi?id=99809
+
+ Reviewed by Csaba Osztrogonác.
+
+ * dfg/DFGCCallHelpers.h:
+ (CCallHelpers):
+ (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
+
+2012-10-18 Yuqiang Xian <yuqiang.xian@intel.com>
+
+ Refactor MacroAssembler interfaces to differentiate the pointer operands from the 64-bit integer operands
+ https://bugs.webkit.org/show_bug.cgi?id=99154
+
+ Reviewed by Gavin Barraclough.
+
+ In current JavaScriptCore implementation for JSVALUE64 platform (i.e.,
+ the X64 platform), we assume that the JSValue size is same to the
+ pointer size, and thus EncodedJSValue is simply type defined as a
+ "void*". In the JIT compiler, we also take this assumption and invoke
+ the same macro assembler interfaces for both JSValue and pointer
+ operands. We need to differentiate the operations on pointers from the
+ operations on JSValues, and let them invoking different macro
+ assembler interfaces. For example, we now use the interface of
+ "loadPtr" to load either a pointer or a JSValue, and we need to switch
+ to using "loadPtr" to load a pointer and some new "load64" interface
+ to load a JSValue. This would help us supporting other JSVALUE64
+ platforms where pointer size is not necessarily 64-bits, for example
+ x32 (bug #99153).
+
+ The major modification I made is to introduce the "*64" interfaces in
+ the MacroAssembler for those operations on JSValues, keep the "*Ptr"
+ interfaces for those operations on real pointers, and go through all
+ the JIT compiler code to correct the usage.
+
+ This is the second part of the work, i.e, to correct the usage of the
+ new MacroAssembler interfaces in the JIT compilers, which also means
+ that now EncodedJSValue is defined as a 64-bit integer, and the "*64"
+ interfaces are used for it.
+
+ * assembler/MacroAssembler.h: JSValue immediates should be in Imm64 instead of ImmPtr.
+ (MacroAssembler):
+ (JSC::MacroAssembler::shouldBlind):
+ * dfg/DFGAssemblyHelpers.cpp: Correct the JIT compilers usage of the new interfaces.
+ (JSC::DFG::AssemblyHelpers::jitAssertIsInt32):
+ (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32):
+ (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber):
+ (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble):
+ (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
+ * dfg/DFGAssemblyHelpers.h:
+ (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader):
+ (JSC::DFG::AssemblyHelpers::branchIfNotCell):
+ (JSC::DFG::AssemblyHelpers::debugCall):
+ (JSC::DFG::AssemblyHelpers::boxDouble):
+ (JSC::DFG::AssemblyHelpers::unboxDouble):
+ (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
+ * dfg/DFGCCallHelpers.h:
+ (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
+ (CCallHelpers):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::generateProtoChainAccessStub):
+ (JSC::DFG::tryCacheGetByID):
+ (JSC::DFG::tryBuildGetByIDList):
+ (JSC::DFG::emitPutReplaceStub):
+ (JSC::DFG::emitPutTransitionStub):
+ * dfg/DFGScratchRegisterAllocator.h:
+ (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
+ (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
+ * dfg/DFGSilentRegisterSavePlan.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOf):
+ (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+ (JSC::DFG::SpeculativeJIT::silentSpill):
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::SpeculativeJIT::spill):
+ (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ (JSC::DFG::SpeculativeJIT::branch64):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillInteger):
+ (JSC::DFG::SpeculativeJIT::fillDouble):
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
+ (JSC::DFG::SpeculativeJIT::cachedGetById):
+ (JSC::DFG::SpeculativeJIT::cachedPutById):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::convertToDouble):
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
+ (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal):
+ (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal):
+ (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
+ (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::osrExitGenerationThunkGenerator):
+ (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
+ (JSC::DFG::slowPathFor):
+ (JSC::DFG::virtualForThunkGenerator):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::dumpRegisters):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompile):
+ * jit/JIT.h:
+ (JIT):
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emit_op_negate):
+ (JSC::JIT::emitSlow_op_negate):
+ (JSC::JIT::emit_op_rshift):
+ (JSC::JIT::emitSlow_op_urshift):
+ (JSC::JIT::emit_compareAndJumpSlow):
+ (JSC::JIT::emit_op_bitand):
+ (JSC::JIT::compileBinaryArithOpSlowCase):
+ (JSC::JIT::emit_op_div):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileLoadVarargs):
+ (JSC::JIT::compileCallEval):
+ (JSC::JIT::compileCallEvalSlowCase):
+ (JSC::JIT::compileOpCall):
+ * jit/JITInlineMethods.h: Have some clean-up work as well.
+ (JSC):
+ (JSC::JIT::emitPutCellToCallFrameHeader):
+ (JSC::JIT::emitPutIntToCallFrameHeader):
+ (JSC::JIT::emitPutToCallFrameHeader):
+ (JSC::JIT::emitGetFromCallFrameHeader32):
+ (JSC::JIT::emitGetFromCallFrameHeader64):
+ (JSC::JIT::emitAllocateJSArray):
+ (JSC::JIT::emitValueProfilingSite):
+ (JSC::JIT::emitGetJITStubArg):
+ (JSC::JIT::emitGetVirtualRegister):
+ (JSC::JIT::emitPutVirtualRegister):
+ (JSC::JIT::emitInitRegister):
+ (JSC::JIT::emitJumpIfJSCell):
+ (JSC::JIT::emitJumpIfBothJSCells):
+ (JSC::JIT::emitJumpIfNotJSCell):
+ (JSC::JIT::emitLoadInt32ToDouble):
+ (JSC::JIT::emitJumpIfImmediateInteger):
+ (JSC::JIT::emitJumpIfNotImmediateInteger):
+ (JSC::JIT::emitJumpIfNotImmediateIntegers):
+ (JSC::JIT::emitFastArithReTagImmediate):
+ (JSC::JIT::emitFastArithIntToImmNoCheck):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::privateCompileCTINativeCall):
+ (JSC::JIT::emit_op_mov):
+ (JSC::JIT::emit_op_instanceof):
+ (JSC::JIT::emit_op_is_undefined):
+ (JSC::JIT::emit_op_is_boolean):
+ (JSC::JIT::emit_op_is_number):
+ (JSC::JIT::emit_op_tear_off_activation):
+ (JSC::JIT::emit_op_not):
+ (JSC::JIT::emit_op_jfalse):
+ (JSC::JIT::emit_op_jeq_null):
+ (JSC::JIT::emit_op_jneq_null):
+ (JSC::JIT::emit_op_jtrue):
+ (JSC::JIT::emit_op_bitxor):
+ (JSC::JIT::emit_op_bitor):
+ (JSC::JIT::emit_op_get_pnames):
+ (JSC::JIT::emit_op_next_pname):
+ (JSC::JIT::compileOpStrictEq):
+ (JSC::JIT::emit_op_catch):
+ (JSC::JIT::emit_op_throw_static_error):
+ (JSC::JIT::emit_op_eq_null):
+ (JSC::JIT::emit_op_neq_null):
+ (JSC::JIT::emit_op_create_activation):
+ (JSC::JIT::emit_op_create_arguments):
+ (JSC::JIT::emit_op_init_lazy_reg):
+ (JSC::JIT::emitSlow_op_convert_this):
+ (JSC::JIT::emitSlow_op_not):
+ (JSC::JIT::emit_op_get_argument_by_val):
+ (JSC::JIT::emit_op_put_to_base):
+ (JSC::JIT::emit_resolve_operations):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emitContiguousGetByVal):
+ (JSC::JIT::emitArrayStorageGetByVal):
+ (JSC::JIT::emitSlow_op_get_by_val):
+ (JSC::JIT::compileGetDirectOffset):
+ (JSC::JIT::emit_op_get_by_pname):
+ (JSC::JIT::emitContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ (JSC::JIT::compileGetByIdHotPath):
+ (JSC::JIT::emit_op_put_by_id):
+ (JSC::JIT::compilePutDirectOffset):
+ (JSC::JIT::emit_op_init_global_const):
+ (JSC::JIT::emit_op_init_global_const_check):
+ (JSC::JIT::emitIntTypedArrayGetByVal):
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jit/JITStubCall.h:
+ (JITStubCall):
+ (JSC::JITStubCall::JITStubCall):
+ (JSC::JITStubCall::addArgument):
+ (JSC::JITStubCall::call):
+ (JSC::JITStubCall::callWithValueProfiling):
+ * jit/JSInterfaceJIT.h:
+ (JSC::JSInterfaceJIT::emitJumpIfImmediateNumber):
+ (JSC::JSInterfaceJIT::emitJumpIfNotImmediateNumber):
+ (JSC::JSInterfaceJIT::emitLoadJSCell):
+ (JSC::JSInterfaceJIT::emitLoadInt32):
+ (JSC::JSInterfaceJIT::emitLoadDouble):
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::returnDouble):
+ (JSC::SpecializedThunkJIT::tagReturnAsInt32):
+ * runtime/JSValue.cpp:
+ (JSC::JSValue::description):
+ * runtime/JSValue.h: Define JSVALUE64 EncodedJSValue as int64_t, which is also unified with JSVALUE32_64.
+ (JSC):
+ * runtime/JSValueInlineMethods.h: New implementation of some JSValue methods to make them more conformant
+ with the new rule that "JSValue is a 64-bit integer rather than a pointer" for JSVALUE64 platforms.
+ (JSC):
+ (JSC::JSValue::JSValue):
+ (JSC::JSValue::operator bool):
+ (JSC::JSValue::operator==):
+ (JSC::JSValue::operator!=):
+ (JSC::reinterpretDoubleToInt64):
+ (JSC::reinterpretInt64ToDouble):
+ (JSC::JSValue::asDouble):
+
+2012-10-18 Michael Saboff <msaboff@apple.com>
+
+ convertUTF8ToUTF16() Should Check for ASCII Input
+ ihttps://bugs.webkit.org/show_bug.cgi?id=99739
+
+ Reviewed by Geoffrey Garen.
+
+ Using the updated convertUTF8ToUTF16() , we can determine if is makes more sense to
+ create a string using the 8 bit source. Added a new OpaqueJSString::create(LChar*, unsigned).
+ Had to add a cast n JSStringCreateWithCFString to differentiate which create() to call.
+
+ * API/JSStringRef.cpp:
+ (JSStringCreateWithUTF8CString):
+ * API/JSStringRefCF.cpp:
+ (JSStringCreateWithCFString):
+ * API/OpaqueJSString.h:
+ (OpaqueJSString::create):
+ (OpaqueJSString):
+ (OpaqueJSString::OpaqueJSString):
+
+2012-10-18 Oliver Hunt <oliver@apple.com>
+
+ Unbreak jsc tests. Last minute "clever"-ness is clearly just not
+ a good plan.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+
+2012-10-18 Oliver Hunt <oliver@apple.com>
+
+ Bytecode should not have responsibility for determining how to perform non-local resolves
+ https://bugs.webkit.org/show_bug.cgi?id=99349
+
+ Reviewed by Gavin Barraclough.
+
+ This patch removes lexical analysis from the bytecode generation. This allows
+ us to delay lookup of a non-local variables until the lookup is actually necessary,
+ and simplifies a lot of the resolve logic in BytecodeGenerator.
+
+ Once a lookup is performed we cache the lookup information in a set of out-of-line
+ buffers in CodeBlock. This allows subsequent lookups to avoid unnecessary hashing,
+ etc, and allows the respective JITs to recreated optimal lookup code.
+
+ This is currently still a performance regression in LLInt, but most of the remaining
+ regression is caused by a lot of indirection that I'll remove in future work, as well
+ as some work necessary to allow LLInt to perform in line instruction repatching.
+ We will also want to improve the behaviour of the baseline JIT for some of the lookup
+ operations, however this patch was getting quite large already so I'm landing it now
+ that we've reached the bar of "performance-neutral".
+
+ Basic browsing seems to work.
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printStructures):
+ (JSC::CodeBlock::dump):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::visitStructures):
+ (JSC):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::shrinkToFit):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::addResolve):
+ (JSC::CodeBlock::addPutToBase):
+ (CodeBlock):
+ (JSC::CodeBlock::resolveOperations):
+ (JSC::CodeBlock::putToBaseOperation):
+ (JSC::CodeBlock::numberOfResolveOperations):
+ (JSC::CodeBlock::numberOfPutToBaseOperations):
+ (JSC::CodeBlock::addPropertyAccessInstruction):
+ (JSC::CodeBlock::globalObjectConstant):
+ (JSC::CodeBlock::setGlobalObjectConstant):
+ * bytecode/Opcode.h:
+ (JSC):
+ (JSC::padOpcodeName):
+ * bytecode/ResolveGlobalStatus.cpp:
+ (JSC::computeForStructure):
+ (JSC::ResolveGlobalStatus::computeFor):
+ * bytecode/ResolveGlobalStatus.h:
+ (JSC):
+ (ResolveGlobalStatus):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::ResolveResult::checkValidity):
+ (JSC):
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::resolve):
+ (JSC::BytecodeGenerator::resolveConstDecl):
+ (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
+ (JSC::BytecodeGenerator::emitResolve):
+ (JSC::BytecodeGenerator::emitResolveBase):
+ (JSC::BytecodeGenerator::emitResolveBaseForPut):
+ (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
+ (JSC::BytecodeGenerator::emitResolveWithThis):
+ (JSC::BytecodeGenerator::emitGetLocalVar):
+ (JSC::BytecodeGenerator::emitInitGlobalConst):
+ (JSC::BytecodeGenerator::emitPutToBase):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::ResolveResult::registerResolve):
+ (JSC::ResolveResult::dynamicResolve):
+ (ResolveResult):
+ (JSC::ResolveResult::ResolveResult):
+ (JSC):
+ (NonlocalResolveInfo):
+ (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
+ (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
+ (JSC::NonlocalResolveInfo::resolved):
+ (JSC::NonlocalResolveInfo::put):
+ (BytecodeGenerator):
+ (JSC::BytecodeGenerator::getResolveOperations):
+ (JSC::BytecodeGenerator::getResolveWithThisOperations):
+ (JSC::BytecodeGenerator::getResolveBaseOperations):
+ (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
+ (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
+ (JSC::BytecodeGenerator::getPutToBaseOperation):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ResolveNode::isPure):
+ (JSC::FunctionCallResolveNode::emitBytecode):
+ (JSC::PostfixNode::emitResolve):
+ (JSC::PrefixNode::emitResolve):
+ (JSC::ReadModifyResolveNode::emitBytecode):
+ (JSC::AssignResolveNode::emitBytecode):
+ (JSC::ConstDeclNode::emitCodeSingle):
+ (JSC::ForInNode::emitBytecode):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (ByteCodeParser):
+ (InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::handleGetByOffset):
+ (DFG):
+ (JSC::DFG::ByteCodeParser::parseResolveOperations):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canInlineResolveOperations):
+ (DFG):
+ (JSC::DFG::canCompileOpcode):
+ (JSC::DFG::canInlineOpcode):
+ * dfg/DFGGraph.h:
+ (ResolveGlobalData):
+ (ResolveOperationData):
+ (DFG):
+ (PutToBaseOperationData):
+ (Graph):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasIdentifier):
+ (JSC::DFG::Node::resolveOperationsDataIndex):
+ (Node):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::OSRExit):
+ * dfg/DFGOSRExit.h:
+ (OSRExit):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::tryCacheGetByID):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::resolveOperations):
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::putToBaseOperation):
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ (JIT):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_put_to_base):
+ (JSC):
+ (JSC::JIT::emit_resolve_operations):
+ (JSC::JIT::emitSlow_link_resolve_operations):
+ (JSC::JIT::emit_op_resolve):
+ (JSC::JIT::emitSlow_op_resolve):
+ (JSC::JIT::emit_op_resolve_base):
+ (JSC::JIT::emitSlow_op_resolve_base):
+ (JSC::JIT::emit_op_resolve_with_base):
+ (JSC::JIT::emitSlow_op_resolve_with_base):
+ (JSC::JIT::emit_op_resolve_with_this):
+ (JSC::JIT::emitSlow_op_resolve_with_this):
+ (JSC::JIT::emitSlow_op_put_to_base):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_put_to_base):
+ (JSC):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_init_global_const):
+ (JSC::JIT::emit_op_init_global_const_check):
+ (JSC::JIT::emitSlow_op_init_global_const_check):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_init_global_const):
+ (JSC::JIT::emit_op_init_global_const_check):
+ (JSC::JIT::emitSlow_op_init_global_const_check):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ (JSC):
+ * jit/JITStubs.h:
+ * llint/LLIntSlowPaths.cpp:
+ (LLInt):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LLIntSlowPaths.h:
+ (LLInt):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/JSScope.cpp:
+ (JSC::LookupResult::base):
+ (JSC::LookupResult::value):
+ (JSC::LookupResult::setBase):
+ (JSC::LookupResult::setValue):
+ (LookupResult):
+ (JSC):
+ (JSC::setPutPropertyAccessOffset):
+ (JSC::executeResolveOperations):
+ (JSC::JSScope::resolveContainingScopeInternal):
+ (JSC::JSScope::resolveContainingScope):
+ (JSC::JSScope::resolve):
+ (JSC::JSScope::resolveBase):
+ (JSC::JSScope::resolveWithBase):
+ (JSC::JSScope::resolveWithThis):
+ (JSC::JSScope::resolvePut):
+ (JSC::JSScope::resolveGlobal):
+ * runtime/JSScope.h:
+ (JSScope):
+ * runtime/JSVariableObject.cpp:
+ (JSC):
+ * runtime/JSVariableObject.h:
+ (JSVariableObject):
+ * runtime/Structure.h:
+ (JSC::Structure::propertyAccessesAreCacheable):
+ (Structure):
+
+2012-10-18 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Live oversize copied blocks should count toward overall heap fragmentation
+ https://bugs.webkit.org/show_bug.cgi?id=99548
+
+ Reviewed by Filip Pizlo.
+
+ The CopiedSpace uses overall heap fragmentation to determine whether or not it should do any copying.
+ Currently it doesn't include live oversize CopiedBlocks in the calculation, but it should. We should
+ treat them as 100% utilized, since running a copying phase won't be able to free/compact any of their
+ memory. We can also free any dead oversize CopiedBlocks while we're iterating over them, rather than
+ iterating over them again at the end of the copying phase.
+
+ * heap/CopiedSpace.cpp:
+ (JSC::CopiedSpace::doneFillingBlock):
+ (JSC::CopiedSpace::startedCopying):
+ (JSC::CopiedSpace::doneCopying): Also removed a branch when iterating over from-space at the end of
+ copying. Since we eagerly recycle blocks as soon as they're fully evacuated, we should see no
+ unpinned blocks in from-space at the end of copying.
+ * heap/CopiedSpaceInlineMethods.h:
+ (JSC::CopiedSpace::recycleBorrowedBlock):
+ * heap/CopyVisitorInlineMethods.h:
+ (JSC::CopyVisitor::checkIfShouldCopy):
+
+2012-10-18 Roger Fong <roger_fong@apple.com>
+
+ Unreviewed. Build fix after r131701 and r131777.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2012-10-18 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Race condition between GCThread and main thread during copying phase
+ https://bugs.webkit.org/show_bug.cgi?id=99641
+
+ Reviewed by Filip Pizlo.
+
+ When a GCThread returns from copyFromShared(), it then calls doneCopying(), which returns
+ its borrowed CopiedBlock to the CopiedSpace. This final block allows the CopiedSpace to
+ continue and finish the cleanup of the copying phase. However, the GCThread can loop back
+ around, see that m_currentPhase is still "Copy", and try to go through the copying phase again.
+ This can cause all sorts of issues. To fix this, we should add a cyclic barrier to GCThread::waitForNextPhase().
+
+ * heap/GCThread.cpp:
+ (JSC::GCThread::waitForNextPhase): All GCThreads will wait when they finish one iteration until the main thread
+ notifies them to move down to the second while loop, where they wait for the next GCPhase to start. They also
+ decrement the m_numberOfActiveGCThreads counter as they begin to wait for the next phase and increment it as
+ they enter the next phase. This allows the main thread to wait in endCurrentPhase() until all the threads have
+ finished the current phase and are waiting on the next phase to begin. Without the counter, there would be
+ no way to ensure that every thread was available for each GCPhase.
+ (JSC::GCThread::gcThreadMain): We now use the m_phaseLock to synchronize with the main thread when we're being created.
+ * heap/GCThreadSharedData.cpp:
+ (JSC::GCThreadSharedData::GCThreadSharedData): As we create each GCThread, we increment the m_numberOfActiveGCThreads
+ counter. When we are done creating the threads, we wait until they're all waiting for the next GCPhase. This prevents
+ us from leaving some GCThreads behind during the first GCPhase, which could hurt us on our very short-running
+ benchmarks (e.g. SunSpider).
+ (JSC::GCThreadSharedData::~GCThreadSharedData):
+ (JSC::GCThreadSharedData::startNextPhase): We atomically swap the two flags, m_gcThreadsShouldWait and m_currentPhase,
+ so that if the threads finish very quickly, they will wait until the main thread is ready to end the current phase.
+ (JSC::GCThreadSharedData::endCurrentPhase): Here atomically we swap the two flags again to allow the threads to
+ advance to waiting on the next GCPhase. We wait until all of the GCThreads have settled into the second wait loop
+ before allowing the main thread to continue. This prevents us from leaving one of the GCThreads stuck in the first
+ wait loop if we were to call startNextPhase() before it had time to wake up and move on to the second wait loop.
+ (JSC):
+ (JSC::GCThreadSharedData::didStartMarking): We now use startNextPhase() to properly swap the flags.
+ (JSC::GCThreadSharedData::didFinishMarking): Ditto for endCurrentPhase().
+ (JSC::GCThreadSharedData::didStartCopying): Ditto.
+ (JSC::GCThreadSharedData::didFinishCopying): Ditto.
+ * heap/GCThreadSharedData.h:
+ (GCThreadSharedData):
+ * heap/Heap.cpp:
+ (JSC::Heap::copyBackingStores): No reason to use the extra reference.
+
+2012-10-18 Pablo Flouret <pablof@motorola.com>
+
+ Implement css3-conditional's @supports rule
+ https://bugs.webkit.org/show_bug.cgi?id=86146
+
+ Reviewed by Antti Koivisto.
+
+ * Configurations/FeatureDefines.xcconfig:
+ Add an ENABLE_CSS3_CONDITIONAL_RULES flag.
+
+2012-10-18 Michael Saboff <msaboff@apple.com>
+
+ Make conversion between JSStringRef and WKStringRef work without character size conversions
+ https://bugs.webkit.org/show_bug.cgi?id=99727
+
+ Reviewed by Anders Carlsson.
+
+ Export the string() method for use in WebKit.
+
+ * API/OpaqueJSString.h:
+ (OpaqueJSString::string):
+
+2012-10-18 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>
+
+ [CMake] Avoid unnecessarily running the LLInt generation commands.
+ https://bugs.webkit.org/show_bug.cgi?id=99708
+
+ Reviewed by Rob Buis.
+
+ As described in the comments in the change itself, in some cases
+ the Ruby generation scripts used when LLInt is on would each be
+ run twice in every build even if nothing had changed.
+
+ Fix that by not setting the OBJECT_DEPENDS property of some source
+ files to depend on the generated headers; instead, they are now
+ just part of the final binaries/libraries which use them.
+
+ * CMakeLists.txt:
+
+2012-10-17 Zoltan Horvath <zoltan@webkit.org>
+
+ Remove the JSHeap memory measurement of the PageLoad performacetests since it creates bogus JSGlobalDatas
+ https://bugs.webkit.org/show_bug.cgi?id=99609
+
+ Reviewed by Ryosuke Niwa.
+
+ Remove the implementation since it creates bogus JSGlobalDatas in the layout tests.
+
+ * heap/HeapStatistics.cpp:
+ (JSC):
+ * heap/HeapStatistics.h:
+ (HeapStatistics):
+
+2012-10-17 Sam Weinig <sam@webkit.org>
+
+ Attempt to fix the build.
+
+ * bytecode/GlobalResolveInfo.h: Copied from bytecode/GlobalResolveInfo.h.
+
+2012-10-17 Filip Pizlo <fpizlo@apple.com>
+
+ REGRESSION (r130826 or r130828): Twitter top bar is dysfunctional
+ https://bugs.webkit.org/show_bug.cgi?id=99577
+ <rdar://problem/12518883>
+
+ Reviewed by Mark Hahnenberg.
+
+ It turns out that it's a good idea to maintain the invariants of your object model, such as that
+ elements past publicLength should have the hole value.
+
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2012-10-17 Anders Carlsson <andersca@apple.com>
+
+ Clean up Vector.h
+ https://bugs.webkit.org/show_bug.cgi?id=99622
+
+ Reviewed by Benjamin Poulain.
+
+ Fix fallout from removing std::max and std::min using declarations.
+
+ * runtime/StringPrototype.cpp:
+ (JSC::jsSpliceSubstrings):
+ (JSC::jsSpliceSubstringsWithSeparators):
+ (JSC::stringProtoFuncIndexOf):
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
+
+2012-10-17 Oliver Hunt <oliver@apple.com>
+
+ Committing new files is so overrated.
+
+ * bytecode/ResolveOperation.h: Added.
+ (JSC):
+ (JSC::ResolveOperation::getAndReturnScopedVar):
+ (JSC::ResolveOperation::checkForDynamicEntriesBeforeGlobalScope):
+ (ResolveOperation):
+ (JSC::ResolveOperation::getAndReturnGlobalVar):
+ (JSC::ResolveOperation::getAndReturnGlobalProperty):
+ (JSC::ResolveOperation::resolveFail):
+ (JSC::ResolveOperation::skipTopScopeNode):
+ (JSC::ResolveOperation::skipScopes):
+ (JSC::ResolveOperation::returnGlobalObjectAsBase):
+ (JSC::ResolveOperation::setBaseToGlobal):
+ (JSC::ResolveOperation::setBaseToUndefined):
+ (JSC::ResolveOperation::setBaseToScope):
+ (JSC::ResolveOperation::returnScopeAsBase):
+ (JSC::PutToBaseOperation::PutToBaseOperation):
+
+2012-10-17 Michael Saboff <msaboff@apple.com>
+
+ StringPrototype::jsSpliceSubstringsWithSeparators() doesn't optimally handle 8 bit strings
+ https://bugs.webkit.org/show_bug.cgi?id=99230
+
+ Reviewed by Geoffrey Garen.
+
+ Added code to select characters8() or characters16() on the not all 8 bit path for both the
+ processing of the source and the separators.
+
+ * runtime/StringPrototype.cpp:
+ (JSC::jsSpliceSubstringsWithSeparators):
+
+2012-10-17 Filip Pizlo <fpizlo@apple.com>
+
+ Array and object allocations via 'new Object' or 'new Array' should be inlined in bytecode to allow allocation site profiling
+ https://bugs.webkit.org/show_bug.cgi?id=99557
+
+ Reviewed by Geoffrey Garen.
+
+ Removed an inaccurate and misleading comment as per Geoff's review. (I forgot
+ to make this change as part of http://trac.webkit.org/changeset/131644).
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::FunctionCallResolveNode::emitBytecode):
+
+2012-10-17 Oliver Hunt <oliver@apple.com>
+
+ Bytecode should not have responsibility for determining how to perform non-local resolves
+ https://bugs.webkit.org/show_bug.cgi?id=99349
+
+ Reviewed by Gavin Barraclough.
+
+ This patch removes lexical analysis from the bytecode generation. This allows
+ us to delay lookup of a non-local variables until the lookup is actually necessary,
+ and simplifies a lot of the resolve logic in BytecodeGenerator.
+
+ Once a lookup is performed we cache the lookup information in a set of out-of-line
+ buffers in CodeBlock. This allows subsequent lookups to avoid unnecessary hashing,
+ etc, and allows the respective JITs to recreated optimal lookup code.
+
+ This is currently still a performance regression in LLInt, but most of the remaining
+ regression is caused by a lot of indirection that I'll remove in future work, as well
+ as some work necessary to allow LLInt to perform in line instruction repatching.
+ We will also want to improve the behaviour of the baseline JIT for some of the lookup
+ operations, however this patch was getting quite large already so I'm landing it now
+ that we've reached the bar of "performance-neutral".
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printStructures):
+ (JSC::CodeBlock::dump):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::visitStructures):
+ (JSC):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::shrinkToFit):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::addResolve):
+ (JSC::CodeBlock::addPutToBase):
+ (CodeBlock):
+ (JSC::CodeBlock::resolveOperations):
+ (JSC::CodeBlock::putToBaseOperation):
+ (JSC::CodeBlock::numberOfResolveOperations):
+ (JSC::CodeBlock::numberOfPutToBaseOperations):
+ (JSC::CodeBlock::addPropertyAccessInstruction):
+ (JSC::CodeBlock::globalObjectConstant):
+ (JSC::CodeBlock::setGlobalObjectConstant):
+ * bytecode/GlobalResolveInfo.h: Removed.
+ * bytecode/Opcode.h:
+ (JSC):
+ (JSC::padOpcodeName):
+ * bytecode/ResolveGlobalStatus.cpp:
+ (JSC::computeForStructure):
+ (JSC::ResolveGlobalStatus::computeFor):
+ * bytecode/ResolveGlobalStatus.h:
+ (JSC):
+ (ResolveGlobalStatus):
+ * bytecode/ResolveOperation.h: Added.
+ The new types and logic we use to perform the cached lookups.
+ (JSC):
+ (ResolveOperation):
+ (JSC::ResolveOperation::getAndReturnScopedVar):
+ (JSC::ResolveOperation::checkForDynamicEntriesBeforeGlobalScope):
+ (JSC::ResolveOperation::getAndReturnGlobalVar):
+ (JSC::ResolveOperation::getAndReturnGlobalProperty):
+ (JSC::ResolveOperation::resolveFail):
+ (JSC::ResolveOperation::skipTopScopeNode):
+ (JSC::ResolveOperation::skipScopes):
+ (JSC::ResolveOperation::returnGlobalObjectAsBase):
+ (JSC::ResolveOperation::setBaseToGlobal):
+ (JSC::ResolveOperation::setBaseToUndefined):
+ (JSC::ResolveOperation::setBaseToScope):
+ (JSC::ResolveOperation::returnScopeAsBase):
+ (JSC::PutToBaseOperation::PutToBaseOperation):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::ResolveResult::checkValidity):
+ (JSC):
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::resolve):
+ (JSC::BytecodeGenerator::resolveConstDecl):
+ (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
+ (JSC::BytecodeGenerator::emitResolve):
+ (JSC::BytecodeGenerator::emitResolveBase):
+ (JSC::BytecodeGenerator::emitResolveBaseForPut):
+ (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
+ (JSC::BytecodeGenerator::emitResolveWithThis):
+ (JSC::BytecodeGenerator::emitGetLocalVar):
+ (JSC::BytecodeGenerator::emitInitGlobalConst):
+ (JSC::BytecodeGenerator::emitPutToBase):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::ResolveResult::registerResolve):
+ (JSC::ResolveResult::dynamicResolve):
+ (ResolveResult):
+ (JSC::ResolveResult::ResolveResult):
+ (JSC):
+ (NonlocalResolveInfo):
+ (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
+ (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
+ (JSC::NonlocalResolveInfo::resolved):
+ (JSC::NonlocalResolveInfo::put):
+ (BytecodeGenerator):
+ (JSC::BytecodeGenerator::getResolveOperations):
+ (JSC::BytecodeGenerator::getResolveWithThisOperations):
+ (JSC::BytecodeGenerator::getResolveBaseOperations):
+ (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
+ (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
+ (JSC::BytecodeGenerator::getPutToBaseOperation):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ResolveNode::isPure):
+ (JSC::FunctionCallResolveNode::emitBytecode):
+ (JSC::PostfixNode::emitResolve):
+ (JSC::PrefixNode::emitResolve):
+ (JSC::ReadModifyResolveNode::emitBytecode):
+ (JSC::AssignResolveNode::emitBytecode):
+ (JSC::ConstDeclNode::emitCodeSingle):
+ (JSC::ForInNode::emitBytecode):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (ByteCodeParser):
+ (InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::handleGetByOffset):
+ (DFG):
+ (JSC::DFG::ByteCodeParser::parseResolveOperations):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canCompileResolveOperations):
+ (DFG):
+ (JSC::DFG::canCompilePutToBaseOperation):
+ (JSC::DFG::canCompileOpcode):
+ (JSC::DFG::canInlineOpcode):
+ * dfg/DFGGraph.h:
+ (ResolveGlobalData):
+ (ResolveOperationData):
+ (DFG):
+ (PutToBaseOperationData):
+ (Graph):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasIdentifier):
+ (JSC::DFG::Node::resolveOperationsDataIndex):
+ (Node):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::OSRExit):
+ * dfg/DFGOSRExit.h:
+ (OSRExit):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::tryCacheGetByID):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::resolveOperations):
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::putToBaseOperation):
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ (JIT):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_put_to_base):
+ (JSC):
+ (JSC::JIT::emit_resolve_operations):
+ (JSC::JIT::emitSlow_link_resolve_operations):
+ (JSC::JIT::emit_op_resolve):
+ (JSC::JIT::emitSlow_op_resolve):
+ (JSC::JIT::emit_op_resolve_base):
+ (JSC::JIT::emitSlow_op_resolve_base):
+ (JSC::JIT::emit_op_resolve_with_base):
+ (JSC::JIT::emitSlow_op_resolve_with_base):
+ (JSC::JIT::emit_op_resolve_with_this):
+ (JSC::JIT::emitSlow_op_resolve_with_this):
+ (JSC::JIT::emitSlow_op_put_to_base):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_put_to_base):
+ (JSC):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_init_global_const):
+ (JSC::JIT::emit_op_init_global_const_check):
+ (JSC::JIT::emitSlow_op_init_global_const_check):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_init_global_const):
+ (JSC::JIT::emit_op_init_global_const_check):
+ (JSC::JIT::emitSlow_op_init_global_const_check):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ (JSC):
+ * jit/JITStubs.h:
+ * llint/LLIntSlowPaths.cpp:
+ (LLInt):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LLIntSlowPaths.h:
+ (LLInt):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/JSScope.cpp:
+ (JSC::LookupResult::base):
+ (JSC::LookupResult::value):
+ (JSC::LookupResult::setBase):
+ (JSC::LookupResult::setValue):
+ (LookupResult):
+ (JSC):
+ (JSC::setPutPropertyAccessOffset):
+ (JSC::executeResolveOperations):
+ (JSC::JSScope::resolveContainingScopeInternal):
+ (JSC::JSScope::resolveContainingScope):
+ (JSC::JSScope::resolve):
+ (JSC::JSScope::resolveBase):
+ (JSC::JSScope::resolveWithBase):
+ (JSC::JSScope::resolveWithThis):
+ (JSC::JSScope::resolvePut):
+ (JSC::JSScope::resolveGlobal):
+ * runtime/JSScope.h:
+ (JSScope):
+ * runtime/JSVariableObject.cpp:
+ (JSC):
+ * runtime/JSVariableObject.h:
+ (JSVariableObject):
+ * runtime/Structure.h:
+ (JSC::Structure::propertyAccessesAreCacheable):
+ (Structure):
+
+2012-10-17 Filip Pizlo <fpizlo@apple.com>
+
+ Array and object allocations via 'new Object' or 'new Array' should be inlined in bytecode to allow allocation site profiling
+ https://bugs.webkit.org/show_bug.cgi?id=99557
+
+ Reviewed by Geoffrey Garen.
+
+ This uses the old jneq_ptr trick to allow for the bytecode to "see" that the
+ operation in question is what we almost certainly know it to be.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dump):
+ * bytecode/Opcode.h:
+ (JSC):
+ (JSC::padOpcodeName):
+ * bytecode/SpecialPointer.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitCall):
+ (JSC::BytecodeGenerator::emitCallEval):
+ (JSC::BytecodeGenerator::expectedFunctionForIdentifier):
+ (JSC):
+ (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
+ (JSC::BytecodeGenerator::emitConstruct):
+ * bytecompiler/BytecodeGenerator.h:
+ (BytecodeGenerator):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::NewExprNode::emitBytecode):
+ (JSC::FunctionCallValueNode::emitBytecode):
+ (JSC::FunctionCallResolveNode::emitBytecode):
+ (JSC::FunctionCallBracketNode::emitBytecode):
+ (JSC::FunctionCallDotNode::emitBytecode):
+ (JSC::CallFunctionCallDotNode::emitBytecode):
+ (JSC::ApplyFunctionCallDotNode::emitBytecode):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canCompileOpcode):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * jit/JIT.h:
+ (JIT):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_new_array_with_size):
+ (JSC):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ (JSC):
+ * jit/JITStubs.h:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (LLInt):
+ * llint/LLIntSlowPaths.h:
+ (LLInt):
+ * llint/LowLevelInterpreter.asm:
+ * runtime/ArrayConstructor.cpp:
+ (JSC::constructArrayWithSizeQuirk):
+ (JSC):
+ * runtime/ArrayConstructor.h:
+ (JSC):
+ * runtime/CommonIdentifiers.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::reset):
+ (JSC):
+
+2012-10-17 Filip Pizlo <fpizlo@apple.com>
+
+ JIT op_get_by_pname should call cti_get_by_val_generic and not cti_get_by_val
+ https://bugs.webkit.org/show_bug.cgi?id=99631
+ <rdar://problem/12483221>
+
+ Reviewed by Mark Hahnenberg.
+
+ cti_get_by_val assumes that the return address has patching metadata associated with it, which won't
+ be true for op_get_by_pname. cti_get_by_val_generic makes no such assumptions.
+
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitSlow_op_get_by_pname):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitSlow_op_get_by_pname):
+
+2012-10-17 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Block freeing thread should sleep indefinitely when there's no work to do
+ https://bugs.webkit.org/show_bug.cgi?id=98084
+
+ Reviewed by Geoffrey Garen.
+
+ r130212 didn't fully fix the problem.
+
+ * heap/BlockAllocator.cpp:
+ (JSC::BlockAllocator::blockFreeingThreadMain): We would just continue to the next iteration if
+ we found that we had zero blocks to copy. We should move the indefinite wait up to where that
+ check is done so that we properly detect the "no more blocks to copy, wait for more" condition.
+
+2012-10-16 Csaba Osztrogonác <ossy@webkit.org>
+
+ Unreviewed, rolling out r131516 and r131550.
+ http://trac.webkit.org/changeset/131516
+ http://trac.webkit.org/changeset/131550
+ https://bugs.webkit.org/show_bug.cgi?id=99349
+
+ It caused zillion different problem on different platforms
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC):
+ (JSC::isGlobalResolve):
+ (JSC::instructionOffsetForNth):
+ (JSC::printGlobalResolveInfo):
+ (JSC::CodeBlock::printStructures):
+ (JSC::CodeBlock::dump):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::visitStructures):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::hasGlobalResolveInfoAtBytecodeOffset):
+ (JSC::CodeBlock::globalResolveInfoForBytecodeOffset):
+ (JSC::CodeBlock::shrinkToFit):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ (JSC::CodeBlock::addGlobalResolveInstruction):
+ (JSC::CodeBlock::addGlobalResolveInfo):
+ (JSC::CodeBlock::globalResolveInfo):
+ (JSC::CodeBlock::numberOfGlobalResolveInfos):
+ (JSC::CodeBlock::globalResolveInfoCount):
+ * bytecode/GlobalResolveInfo.h: Copied from Source/JavaScriptCore/bytecode/ResolveGlobalStatus.cpp.
+ (JSC):
+ (JSC::GlobalResolveInfo::GlobalResolveInfo):
+ (GlobalResolveInfo):
+ (JSC::getGlobalResolveInfoBytecodeOffset):
+ * bytecode/Opcode.h:
+ (JSC):
+ (JSC::padOpcodeName):
+ * bytecode/ResolveGlobalStatus.cpp:
+ (JSC):
+ (JSC::computeForStructure):
+ (JSC::computeForLLInt):
+ (JSC::ResolveGlobalStatus::computeFor):
+ * bytecode/ResolveGlobalStatus.h:
+ (JSC):
+ (ResolveGlobalStatus):
+ * bytecode/ResolveOperation.h: Removed.
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::ResolveResult::checkValidity):
+ (JSC::ResolveResult::registerPointer):
+ (JSC):
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::resolve):
+ (JSC::BytecodeGenerator::resolveConstDecl):
+ (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
+ (JSC::BytecodeGenerator::emitResolve):
+ (JSC::BytecodeGenerator::emitResolveBase):
+ (JSC::BytecodeGenerator::emitResolveBaseForPut):
+ (JSC::BytecodeGenerator::emitResolveWithBase):
+ (JSC::BytecodeGenerator::emitResolveWithThis):
+ (JSC::BytecodeGenerator::emitGetStaticVar):
+ (JSC::BytecodeGenerator::emitInitGlobalConst):
+ (JSC::BytecodeGenerator::emitPutStaticVar):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::ResolveResult::registerResolve):
+ (JSC::ResolveResult::dynamicResolve):
+ (JSC::ResolveResult::lexicalResolve):
+ (JSC::ResolveResult::indexedGlobalResolve):
+ (JSC::ResolveResult::dynamicIndexedGlobalResolve):
+ (JSC::ResolveResult::globalResolve):
+ (JSC::ResolveResult::dynamicGlobalResolve):
+ (JSC::ResolveResult::type):
+ (JSC::ResolveResult::index):
+ (JSC::ResolveResult::depth):
+ (JSC::ResolveResult::globalObject):
+ (ResolveResult):
+ (JSC::ResolveResult::isStatic):
+ (JSC::ResolveResult::isIndexed):
+ (JSC::ResolveResult::isScoped):
+ (JSC::ResolveResult::isGlobal):
+ (JSC::ResolveResult::ResolveResult):
+ (BytecodeGenerator):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ResolveNode::isPure):
+ (JSC::FunctionCallResolveNode::emitBytecode):
+ (JSC::PostfixNode::emitResolve):
+ (JSC::PrefixNode::emitResolve):
+ (JSC::ReadModifyResolveNode::emitBytecode):
+ (JSC::AssignResolveNode::emitBytecode):
+ (JSC::ConstDeclNode::emitCodeSingle):
+ (JSC::ForInNode::emitBytecode):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (ByteCodeParser):
+ (InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::handleGetByOffset):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canCompileOpcode):
+ (JSC::DFG::canInlineOpcode):
+ * dfg/DFGGraph.h:
+ (ResolveGlobalData):
+ (DFG):
+ (Graph):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasIdentifier):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::OSRExit):
+ * dfg/DFGOSRExit.h:
+ (OSRExit):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ (JSC):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::tryCacheGetByID):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ (JIT):
+ (JSC::JIT::emit_op_get_global_var_watchable):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_resolve):
+ (JSC):
+ (JSC::JIT::emit_op_resolve_base):
+ (JSC::JIT::emit_op_resolve_skip):
+ (JSC::JIT::emit_op_resolve_global):
+ (JSC::JIT::emitSlow_op_resolve_global):
+ (JSC::JIT::emit_op_resolve_with_base):
+ (JSC::JIT::emit_op_resolve_with_this):
+ (JSC::JIT::emit_op_resolve_global_dynamic):
+ (JSC::JIT::emitSlow_op_resolve_global_dynamic):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_resolve):
+ (JSC):
+ (JSC::JIT::emit_op_resolve_base):
+ (JSC::JIT::emit_op_resolve_skip):
+ (JSC::JIT::emit_op_resolve_global):
+ (JSC::JIT::emitSlow_op_resolve_global):
+ (JSC::JIT::emit_op_resolve_with_base):
+ (JSC::JIT::emit_op_resolve_with_this):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_scoped_var):
+ (JSC):
+ (JSC::JIT::emit_op_put_scoped_var):
+ (JSC::JIT::emit_op_get_global_var):
+ (JSC::JIT::emit_op_put_global_var):
+ (JSC::JIT::emit_op_put_global_var_check):
+ (JSC::JIT::emitSlow_op_put_global_var_check):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_scoped_var):
+ (JSC):
+ (JSC::JIT::emit_op_put_scoped_var):
+ (JSC::JIT::emit_op_get_global_var):
+ (JSC::JIT::emit_op_put_global_var):
+ (JSC::JIT::emit_op_put_global_var_check):
+ (JSC::JIT::emitSlow_op_put_global_var_check):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ (JSC):
+ * jit/JITStubs.h:
+ * llint/LLIntSlowPaths.cpp:
+ (LLInt):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LLIntSlowPaths.h:
+ (LLInt):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/JSScope.cpp:
+ (JSC::JSScope::resolve):
+ (JSC::JSScope::resolveSkip):
+ (JSC::JSScope::resolveGlobal):
+ (JSC::JSScope::resolveGlobalDynamic):
+ (JSC::JSScope::resolveBase):
+ (JSC::JSScope::resolveWithBase):
+ (JSC::JSScope::resolveWithThis):
+ * runtime/JSScope.h:
+ (JSScope):
+ * runtime/JSVariableObject.cpp:
+ * runtime/JSVariableObject.h:
+ * runtime/Structure.h:
+
+2012-10-16 Dongwoo Joshua Im <dw.im@samsung.com>
+
+ [GTK] Fix build break - ResolveOperations.h is not in WebKit.
+ https://bugs.webkit.org/show_bug.cgi?id=99538
+
+ Unreviewed build fix.
+
+ There are some files including ResolveOperations.h which is not exist at all.
+
+ * GNUmakefile.list.am: s/ResolveOperations.h/ResolveOperation.h/
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: s/ResolveOperations.h/ResolveOperation.h/
+
+2012-10-16 Jian Li <jianli@chromium.org>
+
+ Rename feature define ENABLE_WIDGET_REGION to ENABLE_DRAGGBALE_REGION
+ https://bugs.webkit.org/show_bug.cgi?id=98975
+
+ Reviewed by Adam Barth.
+
+ Renaming is needed to better match with the draggable region code.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-10-15 Oliver Hunt <oliver@apple.com>
+
+ Bytecode should not have responsibility for determining how to perform non-local resolves
+ https://bugs.webkit.org/show_bug.cgi?id=99349
+
+ Reviewed by Gavin Barraclough.
+
+ This patch removes lexical analysis from the bytecode generation. This allows
+ us to delay lookup of a non-local variables until the lookup is actually necessary,
+ and simplifies a lot of the resolve logic in BytecodeGenerator.
+
+ Once a lookup is performed we cache the lookup information in a set of out-of-line
+ buffers in CodeBlock. This allows subsequent lookups to avoid unnecessary hashing,
+ etc, and allows the respective JITs to recreated optimal lookup code.
+
+ This is currently still a performance regression in LLInt, but most of the remaining
+ regression is caused by a lot of indirection that I'll remove in future work, as well
+ as some work necessary to allow LLInt to perform in line instruction repatching.
+ We will also want to improve the behaviour of the baseline JIT for some of the lookup
+ operations, however this patch was getting quite large already so I'm landing it now
+ that we've reached the bar of "performance-neutral".
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printStructures):
+ (JSC::CodeBlock::dump):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::visitStructures):
+ (JSC):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::shrinkToFit):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::addResolve):
+ (JSC::CodeBlock::addPutToBase):
+ (CodeBlock):
+ (JSC::CodeBlock::resolveOperations):
+ (JSC::CodeBlock::putToBaseOperation):
+ (JSC::CodeBlock::numberOfResolveOperations):
+ (JSC::CodeBlock::numberOfPutToBaseOperations):
+ (JSC::CodeBlock::addPropertyAccessInstruction):
+ (JSC::CodeBlock::globalObjectConstant):
+ (JSC::CodeBlock::setGlobalObjectConstant):
+ * bytecode/GlobalResolveInfo.h: Removed.
+ * bytecode/Opcode.h:
+ (JSC):
+ (JSC::padOpcodeName):
+ * bytecode/ResolveGlobalStatus.cpp:
+ (JSC::computeForStructure):
+ (JSC::ResolveGlobalStatus::computeFor):
+ * bytecode/ResolveGlobalStatus.h:
+ (JSC):
+ (ResolveGlobalStatus):
+ * bytecode/ResolveOperation.h: Added.
+ The new types and logic we use to perform the cached lookups.
+ (JSC):
+ (ResolveOperation):
+ (JSC::ResolveOperation::getAndReturnScopedVar):
+ (JSC::ResolveOperation::checkForDynamicEntriesBeforeGlobalScope):
+ (JSC::ResolveOperation::getAndReturnGlobalVar):
+ (JSC::ResolveOperation::getAndReturnGlobalProperty):
+ (JSC::ResolveOperation::resolveFail):
+ (JSC::ResolveOperation::skipTopScopeNode):
+ (JSC::ResolveOperation::skipScopes):
+ (JSC::ResolveOperation::returnGlobalObjectAsBase):
+ (JSC::ResolveOperation::setBaseToGlobal):
+ (JSC::ResolveOperation::setBaseToUndefined):
+ (JSC::ResolveOperation::setBaseToScope):
+ (JSC::ResolveOperation::returnScopeAsBase):
+ (JSC::PutToBaseOperation::PutToBaseOperation):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::ResolveResult::checkValidity):
+ (JSC):
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::resolve):
+ (JSC::BytecodeGenerator::resolveConstDecl):
+ (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
+ (JSC::BytecodeGenerator::emitResolve):
+ (JSC::BytecodeGenerator::emitResolveBase):
+ (JSC::BytecodeGenerator::emitResolveBaseForPut):
+ (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
+ (JSC::BytecodeGenerator::emitResolveWithThis):
+ (JSC::BytecodeGenerator::emitGetLocalVar):
+ (JSC::BytecodeGenerator::emitInitGlobalConst):
+ (JSC::BytecodeGenerator::emitPutToBase):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::ResolveResult::registerResolve):
+ (JSC::ResolveResult::dynamicResolve):
+ (ResolveResult):
+ (JSC::ResolveResult::ResolveResult):
+ (JSC):
+ (NonlocalResolveInfo):
+ (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
+ (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
+ (JSC::NonlocalResolveInfo::resolved):
+ (JSC::NonlocalResolveInfo::put):
+ (BytecodeGenerator):
+ (JSC::BytecodeGenerator::getResolveOperations):
+ (JSC::BytecodeGenerator::getResolveWithThisOperations):
+ (JSC::BytecodeGenerator::getResolveBaseOperations):
+ (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
+ (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
+ (JSC::BytecodeGenerator::getPutToBaseOperation):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ResolveNode::isPure):
+ (JSC::FunctionCallResolveNode::emitBytecode):
+ (JSC::PostfixNode::emitResolve):
+ (JSC::PrefixNode::emitResolve):
+ (JSC::ReadModifyResolveNode::emitBytecode):
+ (JSC::AssignResolveNode::emitBytecode):
+ (JSC::ConstDeclNode::emitCodeSingle):
+ (JSC::ForInNode::emitBytecode):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (ByteCodeParser):
+ (InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::handleGetByOffset):
+ (DFG):
+ (JSC::DFG::ByteCodeParser::parseResolveOperations):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canCompileResolveOperations):
+ (DFG):
+ (JSC::DFG::canCompilePutToBaseOperation):
+ (JSC::DFG::canCompileOpcode):
+ (JSC::DFG::canInlineOpcode):
+ * dfg/DFGGraph.h:
+ (ResolveGlobalData):
+ (ResolveOperationData):
+ (DFG):
+ (PutToBaseOperationData):
+ (Graph):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasIdentifier):
+ (JSC::DFG::Node::resolveOperationsDataIndex):
+ (Node):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::OSRExit):
+ * dfg/DFGOSRExit.h:
+ (OSRExit):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::tryCacheGetByID):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::resolveOperations):
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::putToBaseOperation):
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ (JIT):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_put_to_base):
+ (JSC):
+ (JSC::JIT::emit_resolve_operations):
+ (JSC::JIT::emitSlow_link_resolve_operations):
+ (JSC::JIT::emit_op_resolve):
+ (JSC::JIT::emitSlow_op_resolve):
+ (JSC::JIT::emit_op_resolve_base):
+ (JSC::JIT::emitSlow_op_resolve_base):
+ (JSC::JIT::emit_op_resolve_with_base):
+ (JSC::JIT::emitSlow_op_resolve_with_base):
+ (JSC::JIT::emit_op_resolve_with_this):
+ (JSC::JIT::emitSlow_op_resolve_with_this):
+ (JSC::JIT::emitSlow_op_put_to_base):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_put_to_base):
+ (JSC):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_init_global_const):
+ (JSC::JIT::emit_op_init_global_const_check):
+ (JSC::JIT::emitSlow_op_init_global_const_check):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_init_global_const):
+ (JSC::JIT::emit_op_init_global_const_check):
+ (JSC::JIT::emitSlow_op_init_global_const_check):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ (JSC):
+ * jit/JITStubs.h:
+ * llint/LLIntSlowPaths.cpp:
+ (LLInt):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LLIntSlowPaths.h:
+ (LLInt):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/JSScope.cpp:
+ (JSC::LookupResult::base):
+ (JSC::LookupResult::value):
+ (JSC::LookupResult::setBase):
+ (JSC::LookupResult::setValue):
+ (LookupResult):
+ (JSC):
+ (JSC::setPutPropertyAccessOffset):
+ (JSC::executeResolveOperations):
+ (JSC::JSScope::resolveContainingScopeInternal):
+ (JSC::JSScope::resolveContainingScope):
+ (JSC::JSScope::resolve):
+ (JSC::JSScope::resolveBase):
+ (JSC::JSScope::resolveWithBase):
+ (JSC::JSScope::resolveWithThis):
+ (JSC::JSScope::resolvePut):
+ (JSC::JSScope::resolveGlobal):
+ * runtime/JSScope.h:
+ (JSScope):
+ * runtime/JSVariableObject.cpp:
+ (JSC):
+ * runtime/JSVariableObject.h:
+ (JSVariableObject):
+ * runtime/Structure.h:
+ (JSC::Structure::propertyAccessesAreCacheable):
+ (Structure):
+
+2012-10-16 Filip Pizlo <fpizlo@apple.com>
+
+ Accidental switch fall-through in DFG::FixupPhase
+ https://bugs.webkit.org/show_bug.cgi?id=96956
+ <rdar://problem/12313242>
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+
+2012-10-16 Filip Pizlo <fpizlo@apple.com>
+
+ GetScopedVar CSE matches dead GetScopedVar's leading to IR corruption
+ https://bugs.webkit.org/show_bug.cgi?id=99470
+ <rdar://problem/12363698>
+
+ Reviewed by Mark Hahnenberg.
+
+ All it takes is to follow the "if (!shouldGenerate) continue" idiom and everything will be OK.
+
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::globalVarLoadElimination):
+ (JSC::DFG::CSEPhase::scopedVarLoadElimination):
+ (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
+ (JSC::DFG::CSEPhase::getByValLoadElimination):
+ (JSC::DFG::CSEPhase::checkStructureElimination):
+ (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
+ (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
+
+2012-10-16 Dima Gorbik <dgorbik@apple.com>
+
+ Remove Platform.h include from the header files.
+ https://bugs.webkit.org/show_bug.cgi?id=98665
+
+ Reviewed by Eric Seidel.
+
+ We don't want other clients that include WebKit headers to know about Platform.h.
+
+ * API/tests/minidom.c:
+ * API/tests/testapi.c:
+
+2012-10-16 Balazs Kilvady <kilvadyb@homejinni.com>
+
+ Add missing MIPS functions to assembler.
+ https://bugs.webkit.org/show_bug.cgi?id=98856
+
+ Reviewed by Oliver Hunt.
+
+ Implement missing functions in MacroAssemblerMIPS and MIPSAssembler.
+
+ * assembler/MIPSAssembler.h:
+ (JSC::MIPSAssembler::lb):
+ (MIPSAssembler):
+ (JSC::MIPSAssembler::lh):
+ (JSC::MIPSAssembler::cvtds):
+ (JSC::MIPSAssembler::cvtsd):
+ (JSC::MIPSAssembler::vmov):
+ * assembler/MacroAssemblerMIPS.h:
+ (MacroAssemblerMIPS):
+ (JSC::MacroAssemblerMIPS::load8Signed):
+ (JSC::MacroAssemblerMIPS::load16Signed):
+ (JSC::MacroAssemblerMIPS::moveDoubleToInts):
+ (JSC::MacroAssemblerMIPS::moveIntsToDouble):
+ (JSC::MacroAssemblerMIPS::loadFloat):
+ (JSC::MacroAssemblerMIPS::loadDouble):
+ (JSC::MacroAssemblerMIPS::storeFloat):
+ (JSC::MacroAssemblerMIPS::storeDouble):
+ (JSC::MacroAssemblerMIPS::addDouble):
+ (JSC::MacroAssemblerMIPS::convertFloatToDouble):
+ (JSC::MacroAssemblerMIPS::convertDoubleToFloat):
+
+2012-10-16 Balazs Kilvady <kilvadyb@homejinni.com>
+
+ MIPS assembler coding-style fix.
+ https://bugs.webkit.org/show_bug.cgi?id=99359
+
+ Reviewed by Oliver Hunt.
+
+ Coding style fix of existing MIPS assembler header files.
+
+ * assembler/MIPSAssembler.h:
+ (JSC::MIPSAssembler::addiu):
+ (JSC::MIPSAssembler::addu):
+ (JSC::MIPSAssembler::subu):
+ (JSC::MIPSAssembler::mul):
+ (JSC::MIPSAssembler::andInsn):
+ (JSC::MIPSAssembler::andi):
+ (JSC::MIPSAssembler::nor):
+ (JSC::MIPSAssembler::orInsn):
+ (JSC::MIPSAssembler::ori):
+ (JSC::MIPSAssembler::xorInsn):
+ (JSC::MIPSAssembler::xori):
+ (JSC::MIPSAssembler::slt):
+ (JSC::MIPSAssembler::sltu):
+ (JSC::MIPSAssembler::sltiu):
+ (JSC::MIPSAssembler::sll):
+ (JSC::MIPSAssembler::sllv):
+ (JSC::MIPSAssembler::sra):
+ (JSC::MIPSAssembler::srav):
+ (JSC::MIPSAssembler::srl):
+ (JSC::MIPSAssembler::srlv):
+ (JSC::MIPSAssembler::lbu):
+ (JSC::MIPSAssembler::lw):
+ (JSC::MIPSAssembler::lwl):
+ (JSC::MIPSAssembler::lwr):
+ (JSC::MIPSAssembler::lhu):
+ (JSC::MIPSAssembler::sb):
+ (JSC::MIPSAssembler::sh):
+ (JSC::MIPSAssembler::sw):
+ (JSC::MIPSAssembler::addd):
+ (JSC::MIPSAssembler::subd):
+ (JSC::MIPSAssembler::muld):
+ (JSC::MIPSAssembler::divd):
+ (JSC::MIPSAssembler::lwc1):
+ (JSC::MIPSAssembler::ldc1):
+ (JSC::MIPSAssembler::swc1):
+ (JSC::MIPSAssembler::sdc1):
+ (MIPSAssembler):
+ (JSC::MIPSAssembler::relocateJumps):
+ (JSC::MIPSAssembler::linkWithOffset):
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::add32):
+ (JSC::MacroAssemblerMIPS::and32):
+ (JSC::MacroAssemblerMIPS::sub32):
+ (MacroAssemblerMIPS):
+ (JSC::MacroAssemblerMIPS::load8):
+ (JSC::MacroAssemblerMIPS::load32):
+ (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
+ (JSC::MacroAssemblerMIPS::load16):
+ (JSC::MacroAssemblerMIPS::store8):
+ (JSC::MacroAssemblerMIPS::store16):
+ (JSC::MacroAssemblerMIPS::store32):
+ (JSC::MacroAssemblerMIPS::nearCall):
+ (JSC::MacroAssemblerMIPS::test8):
+ (JSC::MacroAssemblerMIPS::test32):
+
+2012-10-16 Yuqiang Xian <yuqiang.xian@intel.com>
+
+ Refactor MacroAssembler interfaces to differentiate the pointer operands from the 64-bit integer operands
+ https://bugs.webkit.org/show_bug.cgi?id=99154
+
+ Reviewed by Gavin Barraclough.
+
+ In current JavaScriptCore implementation for JSVALUE64 platform (i.e.,
+ the X64 platform), we assume that the JSValue size is same to the
+ pointer size, and thus EncodedJSValue is simply type defined as a
+ "void*". In the JIT compiler, we also take this assumption and invoke
+ the same macro assembler interfaces for both JSValue and pointer
+ operands. We need to differentiate the operations on pointers from the
+ operations on JSValues, and let them invoking different macro
+ assembler interfaces. For example, we now use the interface of
+ "loadPtr" to load either a pointer or a JSValue, and we need to switch
+ to using "loadPtr" to load a pointer and some new "load64" interface
+ to load a JSValue. This would help us supporting other JSVALUE64
+ platforms where pointer size is not necessarily 64-bits, for example
+ x32 (bug #99153).
+
+ The major modification I made is to introduce the "*64" interfaces in
+ the MacroAssembler for those operations on JSValues, keep the "*Ptr"
+ interfaces for those operations on real pointers, and go through all
+ the JIT compiler code to correct the usage.
+
+ This is the first part of the work, i.e, to add the *64 interfaces to
+ the MacroAssembler.
+
+ * assembler/AbstractMacroAssembler.h: Add the Imm64 interfaces.
+ (AbstractMacroAssembler):
+ (JSC::AbstractMacroAssembler::TrustedImm64::TrustedImm64):
+ (TrustedImm64):
+ (JSC::AbstractMacroAssembler::Imm64::Imm64):
+ (Imm64):
+ (JSC::AbstractMacroAssembler::Imm64::asTrustedImm64):
+ * assembler/MacroAssembler.h: map <foo>Ptr methods to <foo>64 for X86_64.
+ (MacroAssembler):
+ (JSC::MacroAssembler::peek64):
+ (JSC::MacroAssembler::poke):
+ (JSC::MacroAssembler::poke64):
+ (JSC::MacroAssembler::addPtr):
+ (JSC::MacroAssembler::andPtr):
+ (JSC::MacroAssembler::negPtr):
+ (JSC::MacroAssembler::orPtr):
+ (JSC::MacroAssembler::rotateRightPtr):
+ (JSC::MacroAssembler::subPtr):
+ (JSC::MacroAssembler::xorPtr):
+ (JSC::MacroAssembler::loadPtr):
+ (JSC::MacroAssembler::loadPtrWithAddressOffsetPatch):
+ (JSC::MacroAssembler::loadPtrWithCompactAddressOffsetPatch):
+ (JSC::MacroAssembler::storePtr):
+ (JSC::MacroAssembler::storePtrWithAddressOffsetPatch):
+ (JSC::MacroAssembler::movePtrToDouble):
+ (JSC::MacroAssembler::moveDoubleToPtr):
+ (JSC::MacroAssembler::comparePtr):
+ (JSC::MacroAssembler::testPtr):
+ (JSC::MacroAssembler::branchPtr):
+ (JSC::MacroAssembler::branchTestPtr):
+ (JSC::MacroAssembler::branchAddPtr):
+ (JSC::MacroAssembler::branchSubPtr):
+ (JSC::MacroAssembler::shouldBlindDouble):
+ (JSC::MacroAssembler::shouldBlind):
+ (JSC::MacroAssembler::RotatedImm64::RotatedImm64):
+ (RotatedImm64):
+ (JSC::MacroAssembler::rotationBlindConstant):
+ (JSC::MacroAssembler::loadRotationBlindedConstant):
+ (JSC::MacroAssembler::move):
+ (JSC::MacroAssembler::and64):
+ (JSC::MacroAssembler::store64):
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):
+ (MacroAssemblerX86Common):
+ (JSC::MacroAssemblerX86Common::move):
+ * assembler/MacroAssemblerX86_64.h: Add the <foo>64 methods for X86_64.
+ (JSC::MacroAssemblerX86_64::branchAdd32):
+ (JSC::MacroAssemblerX86_64::add64):
+ (MacroAssemblerX86_64):
+ (JSC::MacroAssemblerX86_64::and64):
+ (JSC::MacroAssemblerX86_64::neg64):
+ (JSC::MacroAssemblerX86_64::or64):
+ (JSC::MacroAssemblerX86_64::rotateRight64):
+ (JSC::MacroAssemblerX86_64::sub64):
+ (JSC::MacroAssemblerX86_64::xor64):
+ (JSC::MacroAssemblerX86_64::load64):
+ (JSC::MacroAssemblerX86_64::load64WithAddressOffsetPatch):
+ (JSC::MacroAssemblerX86_64::load64WithCompactAddressOffsetPatch):
+ (JSC::MacroAssemblerX86_64::store64):
+ (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
+ (JSC::MacroAssemblerX86_64::move64ToDouble):
+ (JSC::MacroAssemblerX86_64::moveDoubleTo64):
+ (JSC::MacroAssemblerX86_64::compare64):
+ (JSC::MacroAssemblerX86_64::branch64):
+ (JSC::MacroAssemblerX86_64::branchTest64):
+ (JSC::MacroAssemblerX86_64::test64):
+ (JSC::MacroAssemblerX86_64::branchAdd64):
+ (JSC::MacroAssemblerX86_64::branchSub64):
+ (JSC::MacroAssemblerX86_64::branchPtrWithPatch):
+ (JSC::MacroAssemblerX86_64::storePtrWithPatch):
+
+2012-10-15 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Make CopiedSpace and MarkedSpace regions independent
+ https://bugs.webkit.org/show_bug.cgi?id=99222
+
+ Reviewed by Filip Pizlo.
+
+ Right now CopiedSpace and MarkedSpace have the same block size and share the same regions,
+ but there's no reason that they can't have different block sizes while still sharing the
+ same underlying regions. We should factor the two "used" lists of regions apart so that
+ MarkedBlocks and CopiedBlocks can be different sizes. Regions will still be a uniform size
+ so that when they become empty they may be shared between the CopiedSpace and the MarkedSpace,
+ since benchmarks indicate that sharing is a boon for performance.
+
+ * heap/BlockAllocator.cpp:
+ (JSC::BlockAllocator::BlockAllocator):
+ * heap/BlockAllocator.h:
+ (JSC):
+ (Region):
+ (JSC::Region::create): We now have a fixed size for Regions so that empty regions can continue to
+ be shared between the MarkedSpace and CopiedSpace. Once they are used for a specific type of block,
+ however, they can only be used for that type of block until they become empty again.
+ (JSC::Region::createCustomSize):
+ (JSC::Region::Region):
+ (JSC::Region::~Region):
+ (JSC::Region::reset):
+ (BlockAllocator):
+ (JSC::BlockAllocator::RegionSet::RegionSet):
+ (RegionSet):
+ (JSC::BlockAllocator::tryAllocateFromRegion): We change this function so that it correctly
+ moves blocks between empty, partial, and full lists.
+ (JSC::BlockAllocator::allocate):
+ (JSC::BlockAllocator::allocateCustomSize):
+ (JSC::BlockAllocator::deallocate): Ditto.
+ (JSC::CopiedBlock):
+ (JSC::MarkedBlock):
+ (JSC::BlockAllocator::regionSetFor): We use this so that we can use the same allocate/deallocate
+ functions with different RegionSets. We specialize the function for each type of block that we
+ want to allocate.
+ * heap/CopiedBlock.h:
+ (CopiedBlock):
+ * heap/CopiedSpace.h:
+ (CopiedSpace):
+ * heap/HeapBlock.h:
+ (HeapBlock):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::MarkedBlock): For oversize MarkedBlocks, if the block size gets too big we can
+ underflow the endAtom, which will cause us to segfault when we try to sweep a block. If we're a
+ custom size MarkedBlock we need to calculate endAtom so it doesn't underflow.
+
+2012-10-14 Filip Pizlo <fpizlo@apple.com>
+
+ JIT::JIT fails to initialize all of its fields
+ https://bugs.webkit.org/show_bug.cgi?id=99283
+
+ Reviewed by Andreas Kling.
+
+ There were two groups of such fields, all of which are eventually initialized
+ prior to use inside of privateCompile(). But it's safer to make sure that they
+ are initialized in the constructor as well, since we may use the JIT to do a
+ stub compile without calling into privateCompile().
+
+ Unsigned index fields for dynamic repatching meta-data: this change
+ initializes them to UINT_MAX, so we should crash if we try to use those
+ indices without initializing them.
+
+ Boolean flags for value profiling: this change initializes them to false, so
+ we at worst turn off value profiling.
+
+ * jit/JIT.cpp:
+ (JSC::JIT::JIT):
+
+2012-10-15 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ We should avoid weakCompareAndSwap when parallel GC is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=99331
+
+ Reviewed by Filip Pizlo.
+
+ CopiedBlock::reportLiveBytes and didEvacuateBytes uses weakCompareAndSwap, which some platforms
+ don't support. For platforms that don't have parallel GC enabled, we should just use a normal store.
+
+ * heap/CopiedBlock.h:
+ (JSC::CopiedBlock::reportLiveBytes):
+ (JSC::CopiedBlock::didEvacuateBytes):
+
+2012-10-15 Carlos Garcia Campos <cgarcia@igalia.com>
+
+ Unreviewed. Fix make distcheck.
+
+ * GNUmakefile.list.am: Add missing header file.
+
+2012-10-14 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should handle polymorphic array modes by eagerly transforming arrays into the most general applicable form
+ https://bugs.webkit.org/show_bug.cgi?id=99269
+
+ Reviewed by Geoffrey Garen.
+
+ This kills off a bunch of code for "polymorphic" array modes in the DFG. It should
+ also be a performance win for code that uses a lot of array storage arrays.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::fromObserved):
+ (JSC::DFG::modeAlreadyChecked):
+ (JSC::DFG::modeToString):
+ * dfg/DFGArrayMode.h:
+ (DFG):
+ (JSC::DFG::modeUsesButterfly):
+ (JSC::DFG::modeIsJSArray):
+ (JSC::DFG::mayStoreToTail):
+ (JSC::DFG::mayStoreToHole):
+ (JSC::DFG::canCSEStorage):
+ (JSC::DFG::modeSupportsLength):
+ (JSC::DFG::benefitsFromStructureCheck):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::checkArray):
+ (JSC::DFG::FixupPhase::blessArrayOperation):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::byValIsPure):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::arrayify):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::putByValWillNeedExtraRegister):
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2012-10-14 Filip Pizlo <fpizlo@apple.com>
+
+ REGRESSION(126886): Fat binary builds don't know how to handle architecture variants to which the LLInt is agnostic
+ https://bugs.webkit.org/show_bug.cgi?id=99270
+
+ Reviewed by Geoffrey Garen.
+
+ The fix is to hash cons the offsets based on configuration index, not the offsets
+ themselves.
+
+ * offlineasm/offsets.rb:
+
+2012-10-13 Filip Pizlo <fpizlo@apple.com>
+
+ IndexingType should not have a bit for each type
+ https://bugs.webkit.org/show_bug.cgi?id=98997
+
+ Reviewed by Oliver Hunt.
+
+ Somewhat incidentally, the introduction of butterflies led to each indexing
+ type being represented by a unique bit. This is superficially nice since it
+ allows you to test if a structure corresponds to a particular indexing type
+ by saying !!(structure->indexingType() & TheType). But the downside is that
+ given the 8 bits we have for the m_indexingType field, that leaves only a
+ small number of possible indexing types if we have one per bit.
+
+ This changeset changes the indexing type to be:
+
+ Bit #1: Tells you if you're an array.
+
+ Bits #2 - #5: 16 possible indexing types, including the blank type for
+ objects that don't have indexed properties.
+
+ Bits #6-8: Auxiliary bits that we could use for other things. Currently we
+ just use one of those bits, for MayHaveIndexedAccessors.
+
+ This is performance-neutral, and is primarily intended to give us more
+ breathing room for introducing new inferred array modes.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::JumpList::jumps):
+ * assembler/MacroAssembler.h:
+ (MacroAssembler):
+ (JSC::MacroAssembler::patchableBranch32):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::patchableBranch32):
+ (MacroAssemblerARMv7):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::modeAlreadyChecked):
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::tryCacheGetByID):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculationCheck):
+ (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
+ (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::arrayify):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JITInlineMethods.h:
+ (JSC::JIT::emitAllocateJSArray):
+ (JSC::JIT::chooseArrayMode):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emitContiguousGetByVal):
+ (JSC::JIT::emitArrayStorageGetByVal):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emitContiguousGetByVal):
+ (JSC::JIT::emitArrayStorageGetByVal):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/IndexingType.h:
+ (JSC):
+ (JSC::hasIndexedProperties):
+ (JSC::hasContiguous):
+ (JSC::hasFastArrayStorage):
+ (JSC::hasArrayStorage):
+ (JSC::shouldUseSlowPut):
+ * runtime/JSGlobalObject.cpp:
+ (JSC):
+ * runtime/StructureTransitionTable.h:
+ (JSC::newIndexingType):
+
+2012-10-14 Filip Pizlo <fpizlo@apple.com>
+
+ DFG structure check hoisting should attempt to ignore side effects and make transformations that are sound even in their presence
+ https://bugs.webkit.org/show_bug.cgi?id=99262
+
+ Reviewed by Oliver Hunt.
+
+ This hugely simplifies the structure check hoisting phase. It will no longer be necessary
+ to modify it when the effectfulness of operations changes. This also enables the hoister
+ to hoist effectful things in the future.
+
+ The downside is that the hoister may end up adding strictly more checks than were present
+ in the original code, if the code truly has a lot of side-effects. I don't see evidence
+ of this happening. This patch does have some speed-ups and some slow-downs, but is
+ neutral in the average, and the slow-downs do not appear to have more structure checks
+ than ToT.
+
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
+ (StructureCheckHoistingPhase):
+ (CheckData):
+ (JSC::DFG::StructureCheckHoistingPhase::CheckData::CheckData):
+
+2012-10-14 Filip Pizlo <fpizlo@apple.com>
+
+ Fix the build of universal binary with ARMv7s of JavaScriptCore
+
+ * llint/LLIntOfflineAsmConfig.h:
+ * llint/LowLevelInterpreter.asm:
+
+2012-10-13 Filip Pizlo <fpizlo@apple.com>
+
+ Array length array profiling is broken in the baseline JIT
+ https://bugs.webkit.org/show_bug.cgi?id=99258
+
+ Reviewed by Oliver Hunt.
+
+ The code generator for array length stubs calls into
+ emitArrayProfilingSiteForBytecodeIndex(), which emits profiling only if
+ canBeOptimized() returns true. But m_canBeOptimized is only initialized during
+ full method compiles, so in a stub compile it may (or may not) be false, meaning
+ that we may, or may not, get meaningful profiling info.
+
+ This appeared to not affect too many programs since the LLInt has good array
+ length array profiling.
+
+ * jit/JIT.h:
+ (JSC::JIT::compilePatchGetArrayLength):
+
+2012-10-14 Patrick Gansterer <paroga@webkit.org>
+
+ Build fix for WinCE after r131089.
+
+ WinCE does not support getenv().
+
+ * runtime/Options.cpp:
+ (JSC::overrideOptionWithHeuristic):
+
+2012-10-12 Kangil Han <kangil.han@samsung.com>
+
+ Fix build error on DFGSpeculativeJIT32_64.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=99234
+
+ Reviewed by Anders Carlsson.
+
+ Seems BUG 98608 causes build error on 32bit machine so fix it.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2012-10-12 Filip Pizlo <fpizlo@apple.com>
+
+ Contiguous array allocation should always be inlined
+ https://bugs.webkit.org/show_bug.cgi?id=98608
+
+ Reviewed by Oliver Hunt and Mark Hahnenberg.
+
+ This inlines contiguous array allocation in the most obvious way possible.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::branchSubPtr):
+ (MacroAssembler):
+ * assembler/MacroAssemblerX86_64.h:
+ (JSC::MacroAssemblerX86_64::branchSubPtr):
+ (MacroAssemblerX86_64):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGCCallHelpers.h:
+ (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
+ (CCallHelpers):
+ * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: Added.
+ (DFG):
+ (CallArrayAllocatorSlowPathGenerator):
+ (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
+ (JSC::DFG::CallArrayAllocatorSlowPathGenerator::generateInternal):
+ (CallArrayAllocatorWithVariableSizeSlowPathGenerator):
+ (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
+ (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::generateInternal):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
+ (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2012-10-12 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Race condition during CopyingPhase can lead to deadlock
+ https://bugs.webkit.org/show_bug.cgi?id=99226
+
+ Reviewed by Filip Pizlo.
+
+ The main thread calls startCopying() for each of the GCThreads at the beginning of the copy phase.
+ It then proceeds to start copying. If copying completes before one of the GCThreads wakes up, the
+ main thread will set m_currentPhase back to NoPhase, the GCThread will wake up, see that there's
+ nothing to do, and then it will go back to sleep without ever calling CopyVisitor::doneCopying()
+ to return its borrowed block to the CopiedSpace. CopiedSpace::doneCopying() will then sleep forever
+ waiting on the block.
+
+ The fix for this is to make sure we call CopiedSpace::doneCopying() on the main thread before we
+ call GCThreadSharedData::didFinishCopying(), which sets the m_currentPhase flag to NoPhase. This
+ way we will wait until all threads have woken up and given back their borrowed blocks before
+ clearing the flag.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::copyBackingStores):
+
+2012-10-12 Anders Carlsson <andersca@apple.com>
+
+ Move macros from Parser.h to Parser.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=99217
+
+ Reviewed by Andreas Kling.
+
+ There are a bunch of macros in Parser.h that are only used in Parser.cpp. Move them to Parser.cpp
+ so they won't pollute the global namespace.
+ * parser/Parser.cpp:
+ * parser/Parser.h:
+ (JSC):
+
+2012-10-12 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Another build fix after r131213
+
+ Added some symbol magic to placate the linker on some platforms.
+
+ * JavaScriptCore.order:
+
+2012-10-12 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Build fix after r131213
+
+ Removed an unused variable that was making compilers unhappy.
+
+ * heap/GCThread.cpp:
+ (JSC::GCThread::GCThread):
+ * heap/GCThread.h:
+ (GCThread):
+ * heap/GCThreadSharedData.cpp:
+ (JSC::GCThreadSharedData::GCThreadSharedData):
+
+2012-10-09 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Copying collection shouldn't require O(live bytes) memory overhead
+ https://bugs.webkit.org/show_bug.cgi?id=98792
+
+ Reviewed by Filip Pizlo.
+
+ Currently our copying collection occurs simultaneously with the marking phase. We'd like
+ to be able to reuse CopiedBlocks as soon as they become fully evacuated, but this is not
+ currently possible because we don't know the liveness statistics of each old CopiedBlock
+ until marking/copying has already finished. Instead, we have to allocate additional memory
+ from the OS to use as our working set of CopiedBlocks while copying. We then return the
+ fully evacuated old CopiedBlocks back to the block allocator, thus giving our copying phase
+ an O(live bytes) overhead.
+
+ To fix this, we should instead split the copying phase apart from the marking phase. This
+ way we have full liveness data for each CopiedBlock during the copying phase so that we
+ can reuse them the instant they become fully evacuated. With the additional liveness data
+ that each CopiedBlock accumulates, we can add some additional heuristics to the collector.
+ For example, we can calculate our global Heap fragmentation and only choose to do a copying
+ phase if that fragmentation exceeds some limit. As another example, we can skip copying
+ blocks that are already above a particular fragmentation limit, which allows older objects
+ to coalesce into blocks that are rarely copied.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/CopiedBlock.h:
+ (CopiedBlock):
+ (JSC::CopiedBlock::CopiedBlock): Added support for tracking live bytes in a CopiedBlock in a
+ thread-safe fashion.
+ (JSC::CopiedBlock::reportLiveBytes): Adds a number of live bytes to the block in a thread-safe
+ fashion using compare and swap.
+ (JSC):
+ (JSC::CopiedBlock::didSurviveGC): Called when a block survives a single GC without being
+ evacuated. This could be called for a couple reasons: (a) the block was pinned or (b) we
+ decided not to do any copying. A block can become pinned for a few reasons: (1) a pointer into
+ the block was found during the conservative scan. (2) the block was deemed full enough to
+ not warrant any copying. (3) The block is oversize and was found to be live.
+ (JSC::CopiedBlock::didEvacuateBytes): Called when some number of bytes are copied from this
+ block. If the number of live bytes ever hits zero, the block will return itself to the
+ BlockAllocator to be recycled.
+ (JSC::CopiedBlock::canBeRecycled): Indicates that a block has no live bytes and can be
+ immediately recycled. This is used for blocks that are found to have zero live bytes at the
+ beginning of the copying phase.
+ (JSC::CopiedBlock::shouldEvacuate): This function returns true if the current fragmentation
+ of the block is above our fragmentation threshold, and false otherwise.
+ (JSC::CopiedBlock::isPinned): Added an accessor for the pinned flag
+ (JSC::CopiedBlock::liveBytes):
+ * heap/CopiedSpace.cpp:
+ (JSC::CopiedSpace::CopiedSpace):
+ (JSC::CopiedSpace::doneFillingBlock): Changed so that we can exchange our filled block for a
+ fresh block. This avoids the situation where a thread returns its borrowed block, it's the last
+ borrowed block, so CopiedSpace thinks that copying has completed, and it starts doing all of the
+ copying phase cleanup. In actuality, the thread wanted another block after returning the current
+ block. So we allow the thread to atomically exchange its block for another block.
+ (JSC::CopiedSpace::startedCopying): Added the calculation of global Heap fragmentation to
+ determine if the copying phase should commence. We include the MarkedSpace in our fragmentation
+ calculation by assuming that the MarkedSpace is 0% fragmented since we can reuse any currently
+ free memory in it (i.e. we ignore any internal fragmentation in the MarkedSpace). While we're
+ calculating the fragmentation of CopiedSpace, we also return any free blocks we find along the
+ way (meaning liveBytes() == 0).
+ (JSC):
+ (JSC::CopiedSpace::doneCopying): We still have to iterate over all the blocks, regardless of
+ whether the copying phase took place or not so that we can reset all of the live bytes counters
+ and un-pin any pinned blocks.
+ * heap/CopiedSpace.h:
+ (CopiedSpace):
+ (JSC::CopiedSpace::shouldDoCopyPhase):
+ * heap/CopiedSpaceInlineMethods.h:
+ (JSC::CopiedSpace::recycleEvacuatedBlock): This function is distinct from recycling a borrowed block
+ because a borrowed block hasn't been added to the CopiedSpace yet, but an evacuated block is still
+ currently in CopiedSpace, so we have to make sure we properly remove all traces of the block from
+ CopiedSpace before returning it to BlockAllocator.
+ (JSC::CopiedSpace::recycleBorrowedBlock): Renamed to indicate the distinction mentioned above.
+ * heap/CopyVisitor.cpp: Added.
+ (JSC):
+ (JSC::CopyVisitor::CopyVisitor):
+ (JSC::CopyVisitor::copyFromShared): Main function for any thread participating in the copying phase.
+ Grabs chunks of MarkedBlocks from the shared list and copies the backing store of anybody who needs
+ it until there are no more chunks to copy.
+ * heap/CopyVisitor.h: Added.
+ (JSC):
+ (CopyVisitor):
+ * heap/CopyVisitorInlineMethods.h: Added.
+ (JSC):
+ (GCCopyPhaseFunctor):
+ (JSC::GCCopyPhaseFunctor::GCCopyPhaseFunctor):
+ (JSC::GCCopyPhaseFunctor::operator()):
+ (JSC::CopyVisitor::checkIfShouldCopy): We don't have to check shouldEvacuate() because all of those
+ checks are done during the marking phase.
+ (JSC::CopyVisitor::allocateNewSpace):
+ (JSC::CopyVisitor::allocateNewSpaceSlow):
+ (JSC::CopyVisitor::startCopying): Initialization function for a thread that is about to start copying.
+ (JSC::CopyVisitor::doneCopying):
+ (JSC::CopyVisitor::didCopy): This callback is called by an object that has just successfully copied its
+ backing store. It indicates to the CopiedBlock that somebody has just finished evacuating some number of
+ bytes from it, and, if the CopiedBlock now has no more live bytes, can be recycled immediately.
+ * heap/GCThread.cpp: Added.
+ (JSC):
+ (JSC::GCThread::GCThread): This is a new class that encapsulates a single thread responsible for participating
+ in a specific set of GC phases. Currently, that set of phases includes Mark, Copy, and Exit. Each thread
+ monitors a shared variable in its associated GCThreadSharedData. The main thread updates this m_currentPhase
+ variable as collection progresses through the various phases. Parallel marking still works exactly like it
+ has. In other words, the "run loop" for each of the GC threads sits above any individual phase, thus keeping
+ the separate phases of the collector orthogonal.
+ (JSC::GCThread::threadID):
+ (JSC::GCThread::initializeThreadID):
+ (JSC::GCThread::slotVisitor):
+ (JSC::GCThread::copyVisitor):
+ (JSC::GCThread::waitForNextPhase):
+ (JSC::GCThread::gcThreadMain):
+ (JSC::GCThread::gcThreadStartFunc):
+ * heap/GCThread.h: Added.
+ (JSC):
+ (GCThread):
+ * heap/GCThreadSharedData.cpp: The GCThreadSharedData now has a list of GCThread objects rather than raw
+ ThreadIdentifiers.
+ (JSC::GCThreadSharedData::resetChildren):
+ (JSC::GCThreadSharedData::childVisitCount):
+ (JSC::GCThreadSharedData::GCThreadSharedData):
+ (JSC::GCThreadSharedData::~GCThreadSharedData):
+ (JSC::GCThreadSharedData::reset):
+ (JSC::GCThreadSharedData::didStartMarking): Callback to let the GCThreadSharedData know that marking has
+ started and updates the m_currentPhase variable and notifies the GCThreads accordingly.
+ (JSC::GCThreadSharedData::didFinishMarking): Ditto for finishing marking.
+ (JSC::GCThreadSharedData::didStartCopying): Ditto for starting the copying phase.
+ (JSC::GCThreadSharedData::didFinishCopying): Ditto for finishing copying.
+ * heap/GCThreadSharedData.h:
+ (JSC):
+ (GCThreadSharedData):
+ (JSC::GCThreadSharedData::getNextBlocksToCopy): Atomically gets the next chunk of work for a copying thread.
+ * heap/Heap.cpp:
+ (JSC::Heap::Heap):
+ (JSC::Heap::markRoots):
+ (JSC):
+ (JSC::Heap::copyBackingStores): Responsible for setting up the copying phase, notifying the copying threads,
+ and doing any copying work if necessary.
+ (JSC::Heap::collect):
+ * heap/Heap.h:
+ (Heap):
+ (JSC):
+ (JSC::CopyFunctor::CopyFunctor):
+ (CopyFunctor):
+ (JSC::CopyFunctor::operator()):
+ * heap/IncrementalSweeper.cpp: Changed the incremental sweeper to have a reference to the list of MarkedBlocks
+ that need sweeping, since this now resides in the Heap so that it can be easily shared by the GCThreads.
+ (JSC::IncrementalSweeper::IncrementalSweeper):
+ (JSC::IncrementalSweeper::startSweeping):
+ * heap/IncrementalSweeper.h:
+ (JSC):
+ (IncrementalSweeper):
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::setup):
+ (JSC::SlotVisitor::drainFromShared): We no longer do any copying-related work here.
+ (JSC):
+ * heap/SlotVisitor.h:
+ (SlotVisitor):
+ * heap/SlotVisitorInlineMethods.h:
+ (JSC):
+ (JSC::SlotVisitor::copyLater): Notifies the CopiedBlock that there are some live bytes that may need
+ to be copied.
+ * runtime/Butterfly.h:
+ (JSC):
+ (Butterfly):
+ * runtime/ButterflyInlineMethods.h:
+ (JSC::Butterfly::createUninitializedDuringCollection): Uses the new CopyVisitor.
+ * runtime/ClassInfo.h:
+ (MethodTable): Added new "virtual" function copyBackingStore to method table.
+ (JSC):
+ * runtime/JSCell.cpp:
+ (JSC::JSCell::copyBackingStore): Default implementation that does nothing.
+ (JSC):
+ * runtime/JSCell.h:
+ (JSC):
+ (JSCell):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::copyButterfly): Does the actual copying of the butterfly.
+ (JSC):
+ (JSC::JSObject::visitButterfly): Calls copyLater for the butterfly.
+ (JSC::JSObject::copyBackingStore):
+ * runtime/JSObject.h:
+ (JSObject):
+ (JSC::JSCell::methodTable):
+ (JSC::JSCell::inherits):
+ * runtime/Options.h: Added two new constants, minHeapUtilization and minCopiedBlockUtilization,
+ to govern the amount of fragmentation we allow before doing copying.
+ (JSC):
+
+2012-10-12 Filip Pizlo <fpizlo@apple.com>
+
+ DFG array allocation calls should not return an encoded JSValue
+ https://bugs.webkit.org/show_bug.cgi?id=99196
+
+ Reviewed by Mark Hahnenberg.
+
+ The array allocation operations now return a pointer instead. This makes it
+ easier to share code between 32-bit and 64-bit.
+
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2012-10-01 Jer Noble <jer.noble@apple.com>
+
+ Enable ENCRYPTED_MEDIA support on Mac.
+ https://bugs.webkit.org/show_bug.cgi?id=98044
+
+ Reviewed by Anders Carlsson.
+
+ Enable the ENCRYPTED_MEDIA flag.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-10-12 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed. It should be possible to build JSC on ARMv7.
+
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::patchableBranchPtr):
+
+2012-10-11 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ BlockAllocator should use regions as its VM allocation abstraction
+ https://bugs.webkit.org/show_bug.cgi?id=99107
+
+ Reviewed by Geoffrey Garen.
+
+ Currently the BlockAllocator allocates a single block at a time directly from the OS. Our block
+ allocations are on the large-ish side (64 KB) to amortize across many allocations the expense of
+ mapping new virtual memory from the OS. These large blocks are then shared between the MarkedSpace
+ and the CopiedSpace. This design makes it difficult to vary the size of the blocks in different
+ parts of the Heap while still allowing us to amortize the VM allocation costs.
+
+ We should redesign the BlockAllocator so that it has a layer of indirection between blocks that are
+ used by the allocator/collector and our primary unit of VM allocation from the OS. In particular,
+ the BlockAllocator should allocate Regions of virtual memory from the OS, which are then subdivided
+ into one or more Blocks to be used in our custom allocators. This design has the following nice properties:
+
+ 1) We can remove the knowledge of PageAllocationAligned from HeapBlocks. Each HeapBlock will now
+ only know what Region it belongs to. The Region maintains all the metadata for how to allocate
+ and deallocate virtual memory from the OS.
+
+ 2) We can easily allocate in larger chunks than we need to satisfy a particular request for a Block.
+ We can then continue to amortize our VM allocation costs while allowing for smaller block sizes,
+ which should increase locality in the mutator when allocating, lazy sweeping, etc.
+
+ 3) By encapsulating the logic of where our memory comes from inside of the Region class, we can more
+ easily transition over to allocating VM from a specific range of pre-reserved address space. This
+ will be a necessary step along the way to 32-bit pointers.
+
+ This particular patch will not change the size of MarkedBlocks or CopiedBlocks, nor will it change how
+ much VM we allocate per failed Block request. It only sets up the data structures that we need to make
+ these changes in future patches.
+
+ Most of the changes in this patch relate to the addition of the Region class to be used by the
+ BlockAllocator and the threading of changes made to BlockAllocator's interface through to the call sites.
+
+ * heap/BlockAllocator.cpp: The BlockAllocator now has three lists that track the three disjoint sets of
+ Regions that it cares about: empty regions, partially full regions, and completely full regions.
+ Empty regions have no blocks currently in use and can be freed immediately if the freeing thread
+ determines they should be. Partial regions have some blocks used, but aren't completely in use yet.
+ These regions are preferred for recycling before empty regions to mitigate fragmentation within regions.
+ Completely full regions are no longer able to be used for allocations. Regions move between these
+ three lists as they are created and their constituent blocks are allocated and deallocated.
+ (JSC::BlockAllocator::BlockAllocator):
+ (JSC::BlockAllocator::~BlockAllocator):
+ (JSC::BlockAllocator::releaseFreeRegions):
+ (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
+ (JSC::BlockAllocator::waitForRelativeTime):
+ (JSC::BlockAllocator::blockFreeingThreadMain):
+ * heap/BlockAllocator.h:
+ (JSC):
+ (DeadBlock):
+ (JSC::DeadBlock::DeadBlock):
+ (Region):
+ (JSC::Region::blockSize):
+ (JSC::Region::isFull):
+ (JSC::Region::isEmpty):
+ (JSC::Region::create): This function is responsible for doing the actual VM allocation. This should be the
+ only function in the entire JSC object runtime that calls out the OS for virtual memory allocation.
+ (JSC::Region::Region):
+ (JSC::Region::~Region):
+ (JSC::Region::allocate):
+ (JSC::Region::deallocate):
+ (BlockAllocator):
+ (JSC::BlockAllocator::tryAllocateFromRegion): Helper function that encapsulates checking a particular list
+ of regions for a free block.
+ (JSC::BlockAllocator::allocate):
+ (JSC::BlockAllocator::allocateCustomSize): This function is responsible for allocating one-off custom size
+ regions for use in oversize allocations in both the MarkedSpace and the CopiedSpace. These regions are not
+ tracked by the BlockAllocator. The only pointer to them is in the HeapBlock that is returned. These regions
+ contain exactly one block.
+ (JSC::BlockAllocator::deallocate):
+ (JSC::BlockAllocator::deallocateCustomSize): This function is responsible for deallocating one-off custom size
+ regions. The regions are deallocated back to the OS eagerly.
+ * heap/CopiedBlock.h: Re-worked CopiedBlocks to use Regions instead of PageAllocationAligned.
+ (CopiedBlock):
+ (JSC::CopiedBlock::createNoZeroFill):
+ (JSC::CopiedBlock::create):
+ (JSC::CopiedBlock::CopiedBlock):
+ (JSC::CopiedBlock::payloadEnd):
+ (JSC::CopiedBlock::capacity):
+ * heap/CopiedSpace.cpp:
+ (JSC::CopiedSpace::~CopiedSpace):
+ (JSC::CopiedSpace::tryAllocateOversize):
+ (JSC::CopiedSpace::tryReallocateOversize):
+ (JSC::CopiedSpace::doneCopying):
+ * heap/CopiedSpaceInlineMethods.h:
+ (JSC::CopiedSpace::allocateBlockForCopyingPhase):
+ (JSC::CopiedSpace::allocateBlock):
+ * heap/HeapBlock.h:
+ (JSC::HeapBlock::destroy):
+ (JSC::HeapBlock::HeapBlock):
+ (JSC::HeapBlock::region):
+ (HeapBlock):
+ * heap/MarkedAllocator.cpp:
+ (JSC::MarkedAllocator::allocateBlock):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::create):
+ (JSC::MarkedBlock::MarkedBlock):
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::capacity):
+ * heap/MarkedSpace.cpp:
+ (JSC::MarkedSpace::freeBlock):
+
+2012-10-11 Filip Pizlo <fpizlo@apple.com>
+
+ UInt32ToNumber and OSR exit should be aware of copy propagation and correctly recover both versions of a variable that was subject to a UInt32ToNumber cast
+ https://bugs.webkit.org/show_bug.cgi?id=99100
+ <rdar://problem/12480955>
+
+ Reviewed by Michael Saboff and Mark Hahnenberg.
+
+ Fixed by forcing UInt32ToNumber to use a different register. This "undoes" the copy propagation that we
+ would have been doing, since it has no performance effect in this case and has the benefit of making the
+ OSR exit compiler a lot simpler.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
+
+2012-10-11 Geoffrey Garen <ggaren@apple.com>
+
+ Removed some more static assumptions about inline object capacity
+ https://bugs.webkit.org/show_bug.cgi?id=98603
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): Use JSObject::allocationSize()
+ for a little more flexibility. We still pass it a constant inline capacity
+ because the JIT doesn't have a strategy for selecting a size class based
+ on non-constant capacity yet. "INLINE_STORAGE_CAPACITY" is a marker for
+ code that makes static assumptions about object size.
+
+ * jit/JITInlineMethods.h:
+ (JSC::JIT::emitAllocateBasicJSObject):
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm: Ditto for the rest of our many execution engines.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::allocationSize):
+ (JSC::JSFinalObject::finishCreation):
+ (JSC::JSFinalObject::create): New helper function for computing object
+ size dynamically, since we plan to have objects of different sizes.
+
+ (JSC::JSFinalObject::JSFinalObject): Note that our m_inlineStorage used
+ to auto-generate an implicit C++ constructor with default null initialization.
+ This memory is not observed in its uninitialized state, and our LLInt and
+ JIT allocators do not initialize it, so I did not add any explicit code
+ to do so, now that the implicit code is gone.
+
+ (JSC::JSObject::offsetOfInlineStorage): Changed the math here to match
+ inlineStorageUnsafe(), since we can rely on an explicit data member anymore.
+
+2012-10-11 Geoffrey Garen <ggaren@apple.com>
+
+ Enable RUNTIME_HEURISTICS all the time, for easier testing
+ https://bugs.webkit.org/show_bug.cgi?id=99090
+
+ Reviewed by Filip Pizlo.
+
+ I find myself using this a lot, and there doesn't seem to be an obvious
+ reason to compile it out, since it only runs once at startup.
+
+ * runtime/Options.cpp:
+ (JSC::overrideOptionWithHeuristic):
+ (JSC::Options::initialize):
+ * runtime/Options.h: Removed the #ifdef.
+
+2012-10-11 Geoffrey Garen <ggaren@apple.com>
+
+ Removed ASSERT_CLASS_FITS_IN_CELL
+ https://bugs.webkit.org/show_bug.cgi?id=97634
+
+ Reviewed by Mark Hahnenberg.
+
+ Our collector now supports arbitrarily sized objects, so the ASSERT is not needed.
+
+ * API/JSCallbackFunction.cpp:
+ * API/JSCallbackObject.cpp:
+ * heap/MarkedSpace.h:
+ * jsc.cpp:
+ * runtime/Arguments.cpp:
+ * runtime/ArrayConstructor.cpp:
+ * runtime/ArrayPrototype.cpp:
+ * runtime/BooleanConstructor.cpp:
+ * runtime/BooleanObject.cpp:
+ * runtime/BooleanPrototype.cpp:
+ * runtime/DateConstructor.cpp:
+ * runtime/DatePrototype.cpp:
+ * runtime/Error.cpp:
+ * runtime/ErrorConstructor.cpp:
+ * runtime/ErrorPrototype.cpp:
+ * runtime/FunctionConstructor.cpp:
+ * runtime/FunctionPrototype.cpp:
+ * runtime/InternalFunction.cpp:
+ * runtime/JSActivation.cpp:
+ * runtime/JSArray.cpp:
+ * runtime/JSBoundFunction.cpp:
+ * runtime/JSFunction.cpp:
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSGlobalThis.cpp:
+ * runtime/JSNameScope.cpp:
+ * runtime/JSNotAnObject.cpp:
+ * runtime/JSONObject.cpp:
+ * runtime/JSObject.cpp:
+ * runtime/JSPropertyNameIterator.cpp:
+ * runtime/JSScope.cpp:
+ * runtime/JSWithScope.cpp:
+ * runtime/JSWrapperObject.cpp:
+ * runtime/MathObject.cpp:
+ * runtime/NameConstructor.cpp:
+ * runtime/NamePrototype.cpp:
+ * runtime/NativeErrorConstructor.cpp:
+ * runtime/NativeErrorPrototype.cpp:
+ * runtime/NumberConstructor.cpp:
+ * runtime/NumberObject.cpp:
+ * runtime/NumberPrototype.cpp:
+ * runtime/ObjectConstructor.cpp:
+ * runtime/ObjectPrototype.cpp:
+ * runtime/RegExpConstructor.cpp:
+ * runtime/RegExpMatchesArray.cpp:
+ * runtime/RegExpObject.cpp:
+ * runtime/RegExpPrototype.cpp:
+ * runtime/StringConstructor.cpp:
+ * runtime/StringObject.cpp:
+ * runtime/StringPrototype.cpp:
+ * testRegExp.cpp: Removed the ASSERT.
+
+2012-10-11 Filip Pizlo <fpizlo@apple.com>
+
+ DFG should inline code blocks that use new_array_buffer
+ https://bugs.webkit.org/show_bug.cgi?id=98996
+
+ Reviewed by Geoffrey Garen.
+
+ This adds plumbing to drop in constant buffers from the inlinees to the inliner.
+ It's smart about not duplicating buffers needlessly but doesn't try to completely
+ hash-cons them, either.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::numberOfConstantBuffers):
+ (JSC::CodeBlock::addConstantBuffer):
+ (JSC::CodeBlock::constantBufferAsVector):
+ (JSC::CodeBlock::constantBuffer):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGByteCodeParser.cpp:
+ (ConstantBufferKey):
+ (JSC::DFG::ConstantBufferKey::ConstantBufferKey):
+ (JSC::DFG::ConstantBufferKey::operator==):
+ (JSC::DFG::ConstantBufferKey::hash):
+ (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue):
+ (JSC::DFG::ConstantBufferKey::codeBlock):
+ (JSC::DFG::ConstantBufferKey::index):
+ (DFG):
+ (JSC::DFG::ConstantBufferKeyHash::hash):
+ (JSC::DFG::ConstantBufferKeyHash::equal):
+ (ConstantBufferKeyHash):
+ (WTF):
+ (ByteCodeParser):
+ (InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canInlineOpcode):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2012-10-10 Zoltan Horvath <zoltan@webkit.org>
+
+ Pageload tests should measure memory usage
+ https://bugs.webkit.org/show_bug.cgi?id=93958
+
+ Reviewed by Ryosuke Niwa.
+
+ Add JS Heap and Heap memory measurement to PageLoad tests.
+
+ * heap/HeapStatistics.cpp:
+ (JSC::HeapStatistics::usedJSHeap): Add new private function to expose the used JS Heap size.
+ (JSC):
+ * heap/HeapStatistics.h:
+ (HeapStatistics): Add new private function to expose the used JS Heap size.
+
+2012-10-10 Balazs Kilvady <kilvadyb@homejinni.com>
+
+ RegisterFile to JSStack rename fix for a struct member.
+
+ Compilation problem in debug build on MIPS
+ https://bugs.webkit.org/show_bug.cgi?id=98808
+
+ Reviewed by Alexey Proskuryakov.
+
+ In ASSERT conditions structure field name "registerFile" was replaced
+ with type name "JSStack" and it should be "stack".
+
+ * jit/JITStubs.cpp:
+ (JSC::JITThunks::JITThunks): structure member name fix.
+
+2012-10-10 Michael Saboff <msaboff@apple.com>
+
+ After r130344, OpaqueJSString::string() shouldn't directly return the wrapped String
+ https://bugs.webkit.org/show_bug.cgi?id=98801
+
+ Reviewed by Geoffrey Garen.
+
+ Return a copy of the wrapped String so that the wrapped string cannot be turned into
+ an Identifier.
+
+ * API/OpaqueJSString.cpp:
+ (OpaqueJSString::string):
+ * API/OpaqueJSString.h:
+ (OpaqueJSString):
+
+2012-10-10 Peter Gal <galpeter@inf.u-szeged.hu>
+
+ Add moveDoubleToInts and moveIntsToDouble to MacroAssemblerARM
+ https://bugs.webkit.org/show_bug.cgi?id=98855
+
+ Reviewed by Filip Pizlo.
+
+ Implement the missing moveDoubleToInts and moveIntsToDouble
+ methods in the MacroAssemblerARM after r130839.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::moveDoubleToInts):
+ (MacroAssemblerARM):
+ (JSC::MacroAssemblerARM::moveIntsToDouble):
+
+2012-10-09 Filip Pizlo <fpizlo@apple.com>
+
+ Typed arrays should not be 20x slower in the baseline JIT than in the DFG JIT
+ https://bugs.webkit.org/show_bug.cgi?id=98605
+
+ Reviewed by Oliver Hunt and Gavin Barraclough.
+
+ This adds typed array get_by_val/put_by_val patching to the baseline JIT. It's
+ a big (~40%) win on benchmarks that have trouble staying in the DFG JIT. Even
+ if we fix those benchmarks, this functionality gives us the insurance that we
+ typically desire with all speculative optimizations: even if we bail to
+ baseline, we're still reasonably performant.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * assembler/MacroAssembler.cpp: Added.
+ (JSC):
+ * assembler/MacroAssembler.h:
+ (MacroAssembler):
+ (JSC::MacroAssembler::patchableBranchPtr):
+ * assembler/MacroAssemblerARMv7.h:
+ (MacroAssemblerARMv7):
+ (JSC::MacroAssemblerARMv7::moveDoubleToInts):
+ (JSC::MacroAssemblerARMv7::moveIntsToDouble):
+ (JSC::MacroAssemblerARMv7::patchableBranchPtr):
+ * assembler/MacroAssemblerX86.h:
+ (MacroAssemblerX86):
+ (JSC::MacroAssemblerX86::moveDoubleToInts):
+ (JSC::MacroAssemblerX86::moveIntsToDouble):
+ * bytecode/ByValInfo.h:
+ (JSC::hasOptimizableIndexingForClassInfo):
+ (JSC):
+ (JSC::hasOptimizableIndexing):
+ (JSC::jitArrayModeForClassInfo):
+ (JSC::jitArrayModeForStructure):
+ (JSC::ByValInfo::ByValInfo):
+ (ByValInfo):
+ * dfg/DFGAssemblyHelpers.cpp:
+ (DFG):
+ * dfg/DFGAssemblyHelpers.h:
+ (AssemblyHelpers):
+ (JSC::DFG::AssemblyHelpers::boxDouble):
+ (JSC::DFG::AssemblyHelpers::unboxDouble):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ * jit/JIT.h:
+ (JIT):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::privateCompileGetByVal):
+ (JSC::JIT::privateCompilePutByVal):
+ (JSC::JIT::emitIntTypedArrayGetByVal):
+ (JSC):
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ * runtime/JSCell.h:
+ * runtime/JSGlobalData.h:
+ (JSGlobalData):
+ (JSC::JSGlobalData::typedArrayDescriptor):
+ * runtime/TypedArrayDescriptor.h: Added.
+ (JSC):
+ (JSC::TypedArrayDescriptor::TypedArrayDescriptor):
+ (TypedArrayDescriptor):
+
+2012-10-09 Michael Saboff <msaboff@apple.com>
+
+ Add tests to testapi for null OpaqueJSStrings
+ https://bugs.webkit.org/show_bug.cgi?id=98805
+
+ Reviewed by Geoffrey Garen.
+
+ Added tests that check that OpaqueJSString, which is wrapped via JSStringRef, properly returns
+ null strings and that a null string in a JSStringRef will return a NULL JSChar* and 0 length
+ via the JSStringGetCharactersPtr() and JSStringGetLength() APIs respectively. Added a check that
+ JSValueMakeFromJSONString() properly handles a null string as well.
+
+ * API/tests/testapi.c:
+ (main):
+
+2012-10-09 Jian Li <jianli@chromium.org>
+
+ Update the CSS property used to support draggable regions.
+ https://bugs.webkit.org/show_bug.cgi?id=97156
+
+ Reviewed by Adam Barth.
+
+ The CSS property to support draggable regions, guarded under
+ WIDGET_REGION is now disabled from Mac WebKit, in order not to cause
+ confusion with DASHBOARD_SUPPORT feature.
+
+ * Configurations/FeatureDefines.xcconfig: Disable WIDGET_REGION feature.
+
+2012-10-09 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, adding forgotten files.
+
+ * bytecode/ByValInfo.h: Added.
+ (JSC):
+ (JSC::isOptimizableIndexingType):
+ (JSC::jitArrayModeForIndexingType):
+ (JSC::ByValInfo::ByValInfo):
+ (ByValInfo):
+ (JSC::getByValInfoBytecodeIndex):
+ * runtime/IndexingType.cpp: Added.
+ (JSC):
+ (JSC::indexingTypeToString):
+
+2012-10-08 Filip Pizlo <fpizlo@apple.com>
+
+ JSC should infer when indexed storage is contiguous, and optimize for it
+ https://bugs.webkit.org/show_bug.cgi?id=97288
+
+ Reviewed by Mark Hahnenberg.
+
+ This introduces a new kind of indexed property storage called Contiguous,
+ which has the following properties:
+
+ - No header bits beyond IndexedHeader. This results in a 16 byte reduction
+ in memory usage per array versus an ArrayStorage array. It also means
+ that the total memory usage for an empty array is now just 3 * 8 on both
+ 32-bit and 64-bit. Of that, only 8 bytes are array-specific; the rest is
+ our standard object header overhead.
+
+ - No need for hole checks on store. This results in a ~4% speed-up on
+ Kraken and a ~1% speed-up on V8v7.
+
+ - publicLength <= vectorLength. This means that doing new Array(blah)
+ immediately allocates room for blah elements.
+
+ - No sparse map or index bias.
+
+ If you ever do things to an array that would require publicLength >
+ vectorLength, a sparse map, or index bias, then we switch to ArrayStorage
+ mode. This seems to never happen in any benchmark we track, and is unlikely
+ to happen very frequently on any website.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::JumpList::append):
+ * assembler/MacroAssembler.h:
+ (MacroAssembler):
+ (JSC::MacroAssembler::patchableBranchTest32):
+ * bytecode/ByValInfo.h: Added.
+ (JSC):
+ (JSC::isOptimizableIndexingType):
+ (JSC::jitArrayModeForIndexingType):
+ (JSC::ByValInfo::ByValInfo):
+ (ByValInfo):
+ (JSC::getByValInfoBytecodeIndex):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ (JSC::CodeBlock::getByValInfo):
+ (JSC::CodeBlock::setNumberOfByValInfos):
+ (JSC::CodeBlock::numberOfByValInfos):
+ (JSC::CodeBlock::byValInfo):
+ * bytecode/SamplingTool.h:
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::fromObserved):
+ (JSC::DFG::modeAlreadyChecked):
+ (JSC::DFG::modeToString):
+ * dfg/DFGArrayMode.h:
+ (DFG):
+ (JSC::DFG::modeUsesButterfly):
+ (JSC::DFG::modeIsJSArray):
+ (JSC::DFG::isInBoundsAccess):
+ (JSC::DFG::mayStoreToTail):
+ (JSC::DFG::mayStoreToHole):
+ (JSC::DFG::modeIsPolymorphic):
+ (JSC::DFG::polymorphicIncludesContiguous):
+ (JSC::DFG::polymorphicIncludesArrayStorage):
+ (JSC::DFG::canCSEStorage):
+ (JSC::DFG::modeSupportsLength):
+ (JSC::DFG::benefitsFromStructureCheck):
+ (JSC::DFG::isEffectful):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::getArrayLengthElimination):
+ (JSC::DFG::CSEPhase::getByValLoadElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::checkArray):
+ (JSC::DFG::FixupPhase::blessArrayOperation):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::byValIsPure):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::tryCacheGetByID):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::arrayify):
+ (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
+ (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
+ (DFG):
+ * dfg/DFGSpeculativeJIT.h:
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::putByValWillNeedExtraRegister):
+ (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal):
+ (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
+ (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal):
+ (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
+ (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * interpreter/Interpreter.cpp:
+ (SamplingScope):
+ (JSC::SamplingScope::SamplingScope):
+ (JSC::SamplingScope::~SamplingScope):
+ (JSC):
+ (JSC::Interpreter::execute):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileSlowCases):
+ (JSC::JIT::privateCompile):
+ * jit/JIT.h:
+ (JSC::ByValCompilationInfo::ByValCompilationInfo):
+ (ByValCompilationInfo):
+ (JSC):
+ (JIT):
+ (JSC::JIT::compileGetByVal):
+ (JSC::JIT::compilePutByVal):
+ * jit/JITInlineMethods.h:
+ (JSC::JIT::emitAllocateJSArray):
+ (JSC::JIT::emitArrayProfileStoreToHoleSpecialCase):
+ (JSC):
+ (JSC::arrayProfileSaw):
+ (JSC::JIT::chooseArrayMode):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emitSlow_op_get_argument_by_val):
+ (JSC::JIT::emit_op_new_array):
+ (JSC::JIT::emitSlow_op_new_array):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emitSlow_op_get_argument_by_val):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC):
+ (JSC::JIT::emitContiguousGetByVal):
+ (JSC::JIT::emitArrayStorageGetByVal):
+ (JSC::JIT::emitSlow_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ (JSC::JIT::emitSlow_op_put_by_val):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ (JSC::JIT::privateCompileGetByVal):
+ (JSC::JIT::privateCompilePutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC):
+ (JSC::JIT::emitContiguousGetByVal):
+ (JSC::JIT::emitArrayStorageGetByVal):
+ (JSC::JIT::emitSlow_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ (JSC::JIT::emitSlow_op_put_by_val):
+ * jit/JITStubs.cpp:
+ (JSC::getByVal):
+ (JSC):
+ (JSC::DEFINE_STUB_FUNCTION):
+ (JSC::putByVal):
+ * jit/JITStubs.h:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/ArrayConventions.h:
+ (JSC::isDenseEnoughForVector):
+ * runtime/ArrayPrototype.cpp:
+ (JSC):
+ (JSC::shift):
+ (JSC::unshift):
+ (JSC::arrayProtoFuncPush):
+ (JSC::arrayProtoFuncShift):
+ (JSC::arrayProtoFuncSplice):
+ (JSC::arrayProtoFuncUnShift):
+ * runtime/Butterfly.h:
+ (Butterfly):
+ (JSC::Butterfly::fromPointer):
+ (JSC::Butterfly::pointer):
+ (JSC::Butterfly::publicLength):
+ (JSC::Butterfly::vectorLength):
+ (JSC::Butterfly::setPublicLength):
+ (JSC::Butterfly::setVectorLength):
+ (JSC::Butterfly::contiguous):
+ (JSC::Butterfly::fromContiguous):
+ * runtime/ButterflyInlineMethods.h:
+ (JSC::Butterfly::unshift):
+ (JSC::Butterfly::shift):
+ * runtime/IndexingHeaderInlineMethods.h:
+ (JSC::IndexingHeader::indexingPayloadSizeInBytes):
+ * runtime/IndexingType.cpp: Added.
+ (JSC):
+ (JSC::indexingTypeToString):
+ * runtime/IndexingType.h:
+ (JSC):
+ (JSC::hasContiguous):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::setLengthWithArrayStorage):
+ (JSC::JSArray::setLength):
+ (JSC):
+ (JSC::JSArray::pop):
+ (JSC::JSArray::push):
+ (JSC::JSArray::shiftCountWithArrayStorage):
+ (JSC::JSArray::shiftCountWithAnyIndexingType):
+ (JSC::JSArray::unshiftCountWithArrayStorage):
+ (JSC::JSArray::unshiftCountWithAnyIndexingType):
+ (JSC::JSArray::sortNumericVector):
+ (JSC::JSArray::sortNumeric):
+ (JSC::JSArray::sortCompactedVector):
+ (JSC::JSArray::sort):
+ (JSC::JSArray::sortVector):
+ (JSC::JSArray::fillArgList):
+ (JSC::JSArray::copyToArguments):
+ (JSC::JSArray::compactForSorting):
+ * runtime/JSArray.h:
+ (JSC::JSArray::shiftCountForShift):
+ (JSC::JSArray::shiftCountForSplice):
+ (JSArray):
+ (JSC::JSArray::shiftCount):
+ (JSC::JSArray::unshiftCountForShift):
+ (JSC::JSArray::unshiftCountForSplice):
+ (JSC::JSArray::unshiftCount):
+ (JSC::JSArray::isLengthWritable):
+ (JSC::createContiguousArrayButterfly):
+ (JSC):
+ (JSC::JSArray::create):
+ (JSC::JSArray::tryCreateUninitialized):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::reset):
+ (JSC):
+ (JSC::JSGlobalObject::haveABadTime):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSGlobalObject):
+ (JSC::JSGlobalObject::arrayStructureWithArrayStorage):
+ (JSC::JSGlobalObject::addressOfArrayStructureWithArrayStorage):
+ (JSC::constructEmptyArray):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::visitButterfly):
+ (JSC::JSObject::getOwnPropertySlotByIndex):
+ (JSC::JSObject::putByIndex):
+ (JSC::JSObject::enterDictionaryIndexingMode):
+ (JSC::JSObject::createInitialContiguous):
+ (JSC):
+ (JSC::JSObject::createArrayStorage):
+ (JSC::JSObject::convertContiguousToArrayStorage):
+ (JSC::JSObject::ensureContiguousSlow):
+ (JSC::JSObject::ensureArrayStorageSlow):
+ (JSC::JSObject::ensureIndexedStorageSlow):
+ (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
+ (JSC::JSObject::switchToSlowPutArrayStorage):
+ (JSC::JSObject::setPrototype):
+ (JSC::JSObject::deletePropertyByIndex):
+ (JSC::JSObject::getOwnPropertyNames):
+ (JSC::JSObject::defineOwnIndexedProperty):
+ (JSC::JSObject::putByIndexBeyondVectorLengthContiguousWithoutAttributes):
+ (JSC::JSObject::putByIndexBeyondVectorLength):
+ (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
+ (JSC::JSObject::putDirectIndexBeyondVectorLength):
+ (JSC::JSObject::getNewVectorLength):
+ (JSC::JSObject::countElementsInContiguous):
+ (JSC::JSObject::increaseVectorLength):
+ (JSC::JSObject::ensureContiguousLengthSlow):
+ (JSC::JSObject::getOwnPropertyDescriptor):
+ * runtime/JSObject.h:
+ (JSC::JSObject::getArrayLength):
+ (JSC::JSObject::getVectorLength):
+ (JSC::JSObject::canGetIndexQuickly):
+ (JSC::JSObject::getIndexQuickly):
+ (JSC::JSObject::tryGetIndexQuickly):
+ (JSC::JSObject::canSetIndexQuickly):
+ (JSC::JSObject::canSetIndexQuicklyForPutDirect):
+ (JSC::JSObject::setIndexQuickly):
+ (JSC::JSObject::initializeIndex):
+ (JSC::JSObject::hasSparseMap):
+ (JSC::JSObject::inSparseIndexingMode):
+ (JSObject):
+ (JSC::JSObject::ensureContiguous):
+ (JSC::JSObject::ensureIndexedStorage):
+ (JSC::JSObject::ensureContiguousLength):
+ (JSC::JSObject::indexingData):
+ (JSC::JSObject::relevantLength):
+ * runtime/JSValue.cpp:
+ (JSC::JSValue::description):
+ * runtime/Options.cpp:
+ (JSC::Options::initialize):
+ * runtime/Structure.cpp:
+ (JSC::Structure::needsSlowPutIndexing):
+ (JSC):
+ (JSC::Structure::suggestedArrayStorageTransition):
+ * runtime/Structure.h:
+ (Structure):
+ * runtime/StructureTransitionTable.h:
+ (JSC::newIndexingType):
+
+2012-10-09 Michael Saboff <msaboff@apple.com>
+
+ After r130344, OpaqueJSString::identifier() adds wrapped String to identifier table
+ https://bugs.webkit.org/show_bug.cgi?id=98693
+ REGRESSION (r130344): Install failed in Install Environment
+ <rdar://problem/12450118>
+
+ Reviewed by Mark Rowe.
+
+ Use Identifier(LChar*, length) or Identifier(UChar*, length) constructors so that we don't
+ add the String instance in the OpaqueJSString to any identifier tables.
+
+ * API/OpaqueJSString.cpp:
+ (OpaqueJSString::identifier):
+
+2012-10-08 Mark Lam <mark.lam@apple.com>
+
+ Renamed RegisterFile to JSStack, and removed prototype of the
+ previously deleted Interpreter::privateExecute().
+ https://bugs.webkit.org/show_bug.cgi?id=98717.
+
+ Reviewed by Filip Pizlo.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.order:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/BytecodeConventions.h:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::nameForRegister):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ * bytecode/ValueRecovery.h:
+ (JSC::ValueRecovery::alreadyInJSStack):
+ (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt32):
+ (JSC::ValueRecovery::alreadyInJSStackAsUnboxedCell):
+ (JSC::ValueRecovery::alreadyInJSStackAsUnboxedBoolean):
+ (JSC::ValueRecovery::alreadyInJSStackAsUnboxedDouble):
+ (JSC::ValueRecovery::displacedInJSStack):
+ (JSC::ValueRecovery::isAlreadyInJSStack):
+ (JSC::ValueRecovery::virtualRegister):
+ (JSC::ValueRecovery::dump):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::resolveCallee):
+ (JSC::BytecodeGenerator::emitCall):
+ (JSC::BytecodeGenerator::emitConstruct):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::registerFor):
+ * dfg/DFGAbstractState.h:
+ (AbstractState):
+ * dfg/DFGAssemblyHelpers.h:
+ (JSC::DFG::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
+ (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader):
+ (JSC::DFG::AssemblyHelpers::emitPutImmediateToCallFrameHeader):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::getDirect):
+ (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
+ (JSC::DFG::ByteCodeParser::addCall):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGGenerationInfo.h:
+ (GenerationInfo):
+ (JSC::DFG::GenerationInfo::needsSpill):
+ * dfg/DFGGraph.h:
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compileEntry):
+ (JSC::DFG::JITCompiler::compileFunction):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::beginCall):
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareOSREntry):
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::tryBuildGetByIDList):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
+ (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::spill):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillInteger):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
+ (JSC::DFG::slowPathFor):
+ (JSC::DFG::virtualForThunkGenerator):
+ * dfg/DFGValueSource.cpp:
+ (JSC::DFG::ValueSource::dump):
+ * dfg/DFGValueSource.h:
+ (JSC::DFG::dataFormatToValueSourceKind):
+ (JSC::DFG::valueSourceKindToDataFormat):
+ (JSC::DFG::isInJSStack):
+ (JSC::DFG::ValueSource::forSpeculation):
+ (JSC::DFG::ValueSource::isInJSStack):
+ (JSC::DFG::ValueSource::valueRecovery):
+ * dfg/DFGVariableEventStream.cpp:
+ (JSC::DFG::VariableEventStream::reconstruct):
+ * heap/Heap.cpp:
+ (JSC::Heap::stack):
+ (JSC::Heap::getConservativeRegisterRoots):
+ (JSC::Heap::markRoots):
+ * heap/Heap.h:
+ (JSC):
+ (Heap):
+ * interpreter/CallFrame.cpp:
+ (JSC::CallFrame::stack):
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::calleeAsValue):
+ (JSC::ExecState::callee):
+ (JSC::ExecState::codeBlock):
+ (JSC::ExecState::scope):
+ (JSC::ExecState::callerFrame):
+ (JSC::ExecState::returnPC):
+ (JSC::ExecState::hasReturnPC):
+ (JSC::ExecState::clearReturnPC):
+ (JSC::ExecState::bytecodeOffsetForNonDFGCode):
+ (JSC::ExecState::setBytecodeOffsetForNonDFGCode):
+ (JSC::ExecState::inlineCallFrame):
+ (JSC::ExecState::codeOriginIndexForDFG):
+ (JSC::ExecState::currentVPC):
+ (JSC::ExecState::setCurrentVPC):
+ (JSC::ExecState::setCallerFrame):
+ (JSC::ExecState::setScope):
+ (JSC::ExecState::init):
+ (JSC::ExecState::argumentCountIncludingThis):
+ (JSC::ExecState::offsetFor):
+ (JSC::ExecState::setArgumentCountIncludingThis):
+ (JSC::ExecState::setCallee):
+ (JSC::ExecState::setCodeBlock):
+ (JSC::ExecState::setReturnPC):
+ (JSC::ExecState::setInlineCallFrame):
+ (ExecState):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::slideRegisterWindowForCall):
+ (JSC::eval):
+ (JSC::loadVarargs):
+ (JSC::Interpreter::dumpRegisters):
+ (JSC::Interpreter::throwException):
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ (JSC::Interpreter::prepareForRepeatCall):
+ (JSC::Interpreter::endRepeatCall):
+ * interpreter/Interpreter.h:
+ (JSC::Interpreter::stack):
+ (Interpreter):
+ (JSC::Interpreter::execute):
+ (JSC):
+ * interpreter/JSStack.cpp: Copied from Source/JavaScriptCore/interpreter/RegisterFile.cpp.
+ (JSC::stackStatisticsMutex):
+ (JSC::JSStack::~JSStack):
+ (JSC::JSStack::growSlowCase):
+ (JSC::JSStack::gatherConservativeRoots):
+ (JSC::JSStack::releaseExcessCapacity):
+ (JSC::JSStack::initializeThreading):
+ (JSC::JSStack::committedByteCount):
+ (JSC::JSStack::addToCommittedByteCount):
+ * interpreter/JSStack.h: Copied from Source/JavaScriptCore/interpreter/RegisterFile.h.
+ (JSStack):
+ (JSC::JSStack::JSStack):
+ (JSC::JSStack::shrink):
+ (JSC::JSStack::grow):
+ * interpreter/RegisterFile.cpp: Removed.
+ * interpreter/RegisterFile.h: Removed.
+ * interpreter/VMInspector.cpp:
+ (JSC::VMInspector::dumpFrame):
+ * jit/JIT.cpp:
+ (JSC::JIT::JIT):
+ (JSC::JIT::privateCompile):
+ * jit/JIT.h:
+ (JSC):
+ (JIT):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileLoadVarargs):
+ (JSC::JIT::compileCallEval):
+ (JSC::JIT::compileCallEvalSlowCase):
+ (JSC::JIT::compileOpCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::emit_op_ret):
+ (JSC::JIT::emit_op_ret_object_or_this):
+ (JSC::JIT::compileLoadVarargs):
+ (JSC::JIT::compileCallEval):
+ (JSC::JIT::compileCallEvalSlowCase):
+ (JSC::JIT::compileOpCall):
+ * jit/JITCode.h:
+ (JSC):
+ (JSC::JITCode::execute):
+ * jit/JITInlineMethods.h:
+ (JSC::JIT::emitPutToCallFrameHeader):
+ (JSC::JIT::emitPutCellToCallFrameHeader):
+ (JSC::JIT::emitPutIntToCallFrameHeader):
+ (JSC::JIT::emitPutImmediateToCallFrameHeader):
+ (JSC::JIT::emitGetFromCallFrameHeaderPtr):
+ (JSC::JIT::emitGetFromCallFrameHeader32):
+ (JSC::JIT::updateTopCallFrame):
+ (JSC::JIT::unmap):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::privateCompileCTIMachineTrampolines):
+ (JSC::JIT::privateCompileCTINativeCall):
+ (JSC::JIT::emit_op_end):
+ (JSC::JIT::emit_op_ret):
+ (JSC::JIT::emit_op_ret_object_or_this):
+ (JSC::JIT::emit_op_create_this):
+ (JSC::JIT::emit_op_get_arguments_length):
+ (JSC::JIT::emit_op_get_argument_by_val):
+ (JSC::JIT::emit_op_resolve_global_dynamic):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::privateCompileCTIMachineTrampolines):
+ (JSC::JIT::privateCompileCTINativeCall):
+ (JSC::JIT::emit_op_end):
+ (JSC::JIT::emit_op_create_this):
+ (JSC::JIT::emit_op_get_arguments_length):
+ (JSC::JIT::emit_op_get_argument_by_val):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_scoped_var):
+ (JSC::JIT::emit_op_put_scoped_var):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_scoped_var):
+ (JSC::JIT::emit_op_put_scoped_var):
+ * jit/JITStubs.cpp:
+ (JSC::ctiTrampoline):
+ (JSC::JITThunks::JITThunks):
+ (JSC):
+ (JSC::DEFINE_STUB_FUNCTION):
+ * jit/JITStubs.h:
+ (JSC):
+ (JITStackFrame):
+ * jit/JSInterfaceJIT.h:
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
+ (JSC::SpecializedThunkJIT::returnJSValue):
+ (JSC::SpecializedThunkJIT::returnDouble):
+ (JSC::SpecializedThunkJIT::returnInt32):
+ (JSC::SpecializedThunkJIT::returnJSCell):
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions):
+ * llint/LLIntOffsetsExtractor.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::genericCall):
+ * llint/LLIntSlowPaths.h:
+ (LLInt):
+ * llint/LowLevelInterpreter.asm:
+ * runtime/Arguments.cpp:
+ (JSC::Arguments::tearOffForInlineCallFrame):
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::arityCheckFor):
+ * runtime/InitializeThreading.cpp:
+ (JSC::initializeThreadingOnce):
+ * runtime/JSActivation.cpp:
+ (JSC::JSActivation::visitChildren):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::globalExec):
+ * runtime/JSGlobalObject.h:
+ (JSC):
+ (JSGlobalObject):
+ * runtime/JSLock.cpp:
+ (JSC):
+ * runtime/JSVariableObject.h:
+ (JSVariableObject):
+ * runtime/MemoryStatistics.cpp:
+ (JSC::globalMemoryStatistics):
+
+2012-10-08 Kiran Muppala <cmuppala@apple.com>
+
+ Throttle DOM timers on hidden pages.
+ https://bugs.webkit.org/show_bug.cgi?id=98474
+
+ Reviewed by Maciej Stachowiak.
+
+ Add HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-10-08 Michael Saboff <msaboff@apple.com>
+
+ After r130344, OpaqueJSString() creates an empty string which should be a null string
+ https://bugs.webkit.org/show_bug.cgi?id=98417
+
+ Reviewed by Sam Weinig.
+
+ Changed create() of a null string to return 0. This is the same behavior as before r130344.
+
+ * API/OpaqueJSString.cpp:
+ (OpaqueJSString::create):
+
+2012-10-07 Caio Marcelo de Oliveira Filho <caio.oliveira@openbossa.org>
+
+ Rename first/second to key/value in HashMap iterators
+ https://bugs.webkit.org/show_bug.cgi?id=82784
+
+ Reviewed by Eric Seidel.
+
+ * API/JSCallbackObject.h:
+ (JSC::JSCallbackObjectData::JSPrivatePropertyMap::getPrivateProperty):
+ (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
+ (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::::getOwnNonIndexPropertyNames):
+ * API/JSClassRef.cpp:
+ (OpaqueJSClass::~OpaqueJSClass):
+ (OpaqueJSClassContextData::OpaqueJSClassContextData):
+ (OpaqueJSClass::contextData):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dump):
+ (JSC::EvalCodeCache::visitAggregate):
+ (JSC::CodeBlock::nameForRegister):
+ * bytecode/JumpTable.h:
+ (JSC::StringJumpTable::offsetForValue):
+ (JSC::StringJumpTable::ctiForValue):
+ * bytecode/LazyOperandValueProfile.cpp:
+ (JSC::LazyOperandValueProfileParser::getIfPresent):
+ * bytecode/SamplingTool.cpp:
+ (JSC::SamplingTool::dump):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::addVar):
+ (JSC::BytecodeGenerator::addGlobalVar):
+ (JSC::BytecodeGenerator::addConstant):
+ (JSC::BytecodeGenerator::addConstantValue):
+ (JSC::BytecodeGenerator::emitLoad):
+ (JSC::BytecodeGenerator::addStringConstant):
+ (JSC::BytecodeGenerator::emitLazyNewFunction):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PropertyListNode::emitBytecode):
+ * debugger/Debugger.cpp:
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
+ (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
+ (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
+ (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
+ * dfg/DFGAssemblyHelpers.cpp:
+ (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
+ * dfg/DFGByteCodeCache.h:
+ (JSC::DFG::ByteCodeCache::~ByteCodeCache):
+ (JSC::DFG::ByteCodeCache::get):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::cellConstant):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
+ (JSC::DFG::StructureCheckHoistingPhase::noticeClobber):
+ * heap/Heap.cpp:
+ (JSC::Heap::markProtectedObjects):
+ * heap/Heap.h:
+ (JSC::Heap::forEachProtectedCell):
+ * heap/JITStubRoutineSet.cpp:
+ (JSC::JITStubRoutineSet::markSlow):
+ (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::internalAppend):
+ * heap/Weak.h:
+ (JSC::weakRemove):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompile):
+ * jit/JITStubs.cpp:
+ (JSC::JITThunks::ctiStub):
+ * parser/Parser.cpp:
+ (JSC::::parseStrictObjectLiteral):
+ * profiler/Profile.cpp:
+ (JSC::functionNameCountPairComparator):
+ (JSC::Profile::debugPrintDataSampleStyle):
+ * runtime/Identifier.cpp:
+ (JSC::Identifier::add):
+ * runtime/JSActivation.cpp:
+ (JSC::JSActivation::getOwnNonIndexPropertyNames):
+ (JSC::JSActivation::symbolTablePutWithAttributes):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::setLength):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::getOwnPropertySlotByIndex):
+ (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
+ (JSC::JSObject::deletePropertyByIndex):
+ (JSC::JSObject::getOwnPropertyNames):
+ (JSC::JSObject::defineOwnIndexedProperty):
+ (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
+ (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
+ (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
+ (JSC::JSObject::getOwnPropertyDescriptor):
+ * runtime/JSSymbolTableObject.cpp:
+ (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
+ * runtime/JSSymbolTableObject.h:
+ (JSC::symbolTableGet):
+ (JSC::symbolTablePut):
+ (JSC::symbolTablePutWithAttributes):
+ * runtime/RegExpCache.cpp:
+ (JSC::RegExpCache::invalidateCode):
+ * runtime/SparseArrayValueMap.cpp:
+ (JSC::SparseArrayValueMap::putEntry):
+ (JSC::SparseArrayValueMap::putDirect):
+ (JSC::SparseArrayValueMap::visitChildren):
+ * runtime/WeakGCMap.h:
+ (JSC::WeakGCMap::clear):
+ (JSC::WeakGCMap::set):
+ * tools/ProfileTreeNode.h:
+ (JSC::ProfileTreeNode::sampleChild):
+ (JSC::ProfileTreeNode::childCount):
+ (JSC::ProfileTreeNode::dumpInternal):
+ (JSC::ProfileTreeNode::compareEntries):
+
+2012-10-05 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ JSC should have a way to gather and log Heap memory use and pause times
+ https://bugs.webkit.org/show_bug.cgi?id=98431
+
+ Reviewed by Geoffrey Garen.
+
+ In order to improve our infrastructure for benchmark-driven development, we should
+ have a centralized method of gathering and logging various statistics about the state
+ of the JS heap. This would allow us to create and to use other tools to analyze the
+ output of the VM after running various workloads.
+
+ The first two statistics that might be interesting is memory use by JSC and GC pause
+ times. We can control whether this recording happens through the use of the Options
+ class, allowing us to either use environment variables or command line flags.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/Heap.cpp:
+ (JSC::Heap::collect): If we finish a collection and are still over our set GC heap size,
+ we end the program immediately and report an error. Also added recording of pause times.
+ * heap/Heap.h:
+ (Heap):
+ (JSC::Heap::shouldCollect): When we set a specific GC heap size through Options, we
+ ignore all other heuristics on when we should collect and instead only ask if we're
+ greater than the amount specified in the Option value. This allows us to view time/memory
+ tradeoffs more clearly.
+ * heap/HeapStatistics.cpp: Added.
+ (JSC):
+ (JSC::HeapStatistics::initialize):
+ (JSC::HeapStatistics::recordGCPauseTime):
+ (JSC::HeapStatistics::logStatistics):
+ (JSC::HeapStatistics::exitWithFailure):
+ (JSC::HeapStatistics::reportSuccess):
+ (JSC::HeapStatistics::parseMemoryAmount):
+ (StorageStatistics):
+ (JSC::StorageStatistics::StorageStatistics):
+ (JSC::StorageStatistics::operator()):
+ (JSC::StorageStatistics::objectWithOutOfLineStorageCount):
+ (JSC::StorageStatistics::objectCount):
+ (JSC::StorageStatistics::storageSize):
+ (JSC::StorageStatistics::storageCapacity):
+ (JSC::HeapStatistics::showObjectStatistics): Moved the old showHeapStatistics (renamed to showObjectStatistics)
+ to try to start collecting our various memory statistics gathering/reporting mechanisms scattered throughout the
+ codebase into one place.
+ * heap/HeapStatistics.h: Added.
+ (JSC):
+ (HeapStatistics):
+ * jsc.cpp:
+ (main):
+ * runtime/InitializeThreading.cpp:
+ (JSC::initializeThreadingOnce): We need to initialize our data structures for recording
+ statistics if necessary.
+ * runtime/Options.cpp: Add new Options for the various types of statistics we'll be gathering.
+ (JSC::parse):
+ (JSC):
+ (JSC::Options::initialize): Initialize the various new options using environment variables.
+ (JSC::Options::dumpOption):
+ * runtime/Options.h:
+ (JSC):
+
+2012-10-04 Rik Cabanier <cabanier@adobe.com>
+
+ Turn Compositing on by default in WebKit build
+ https://bugs.webkit.org/show_bug.cgi?id=98315
+
+ Reviewed by Simon Fraser.
+
+ enable -webkit-blend-mode on trunk.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-10-04 Michael Saboff <msaboff@apple.com>
+
+ Crash in Safari at com.apple.JavaScriptCore: WTF::StringImpl::is8Bit const + 12
+ https://bugs.webkit.org/show_bug.cgi?id=98433
+
+ Reviewed by Jessie Berlin.
+
+ The problem is due to a String with a null StringImpl (i.e. a null string).
+ Added a length check before the is8Bit() check since length() checks for a null StringImpl. Changed the
+ characters16() call to characters() since it can handle a null StringImpl as well.
+
+ * API/JSValueRef.cpp:
+ (JSValueMakeFromJSONString):
+
+2012-10-04 Benjamin Poulain <bpoulain@apple.com>
+
+ Use copyLCharsFromUCharSource() for IdentifierLCharFromUCharTranslator translation
+ https://bugs.webkit.org/show_bug.cgi?id=98335
+
+ Reviewed by Michael Saboff.
+
+ Michael Saboff added an optimized version of UChar->LChar conversion in r125846.
+ Use this function in JSC::Identifier.
+
+ * runtime/Identifier.cpp:
+ (JSC::IdentifierLCharFromUCharTranslator::translate):
+
+2012-10-04 Michael Saboff <msaboff@apple.com>
+
+ After r130344, OpaqueJSString() creates a empty string which should be a null string
+ https://bugs.webkit.org/show_bug.cgi?id=98417
+
+ Reviewed by Alexey Proskuryakov.
+
+ Removed the setting of enclosed string to an empty string from default constructor.
+ Before changeset r130344, the semantic was the default constructor produced a null
+ string.
+
+ * API/OpaqueJSString.h:
+ (OpaqueJSString::OpaqueJSString):
+
+2012-10-04 Csaba Osztrogonác <ossy@webkit.org>
+
+ [Qt] Add missing LLInt dependencies to the build system
+ https://bugs.webkit.org/show_bug.cgi?id=98394
+
+ Reviewed by Geoffrey Garen.
+
+ * DerivedSources.pri:
+ * LLIntOffsetsExtractor.pro:
+
+2012-10-03 Geoffrey Garen <ggaren@apple.com>
+
+ Next step toward fixing Windows: add new symbol.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2012-10-03 Geoffrey Garen <ggaren@apple.com>
+
+ First step toward fixing Windows: remove old symbol.
+
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+
+2012-10-03 Geoffrey Garen <ggaren@apple.com>
+
+ Removed the assumption that "final" objects have a fixed number of inline slots
+ https://bugs.webkit.org/show_bug.cgi?id=98332
+
+ Reviewed by Filip Pizlo.
+
+ This is a step toward object size inference.
+
+ I replaced the inline storage capacity constant with a data member per
+ structure, set the the maximum supported value for the constant to 100,
+ then fixed what broke. (Note that even though this patch increases the
+ theoretical maximum inline capacity, it doesn't change any actual inline
+ capacity.)
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::compileGetDirectOffset): These functions just get a rename:
+ the constant they need is the first out of line offset along the offset
+ number line, which is not necessarily the same thing (and is, in this
+ patch, never the same thing) as the inline capacity of any given object.
+
+ (JSC::JIT::emit_op_get_by_pname):
+ * jit/JITPropertyAccess32_64.cpp: This function changes functionality,
+ since it needs to convert from the abstract offset number line to an
+ actual offset in memory, and it can't assume that inline and out-of-line
+ offsets are contiguous on the number line.
+
+ (JSC::JIT::compileGetDirectOffset): Updated for rename.
+
+ (JSC::JIT::emit_op_get_by_pname): Same as emit_op_get_by_pname above.
+
+ * llint/LowLevelInterpreter.asm: Updated to mirror changes in PropertyOffset.h,
+ since we duplicate values from there.
+
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm: Just like the JIT, most things are just
+ renames, and get_by_pname changes to do more math. I also standardized
+ offset calculations to use a hard-coded "-2", to match the JIT. This
+ isn't really better, but it makes global search and replace easier,
+ should we choose to refactor this code not to hard-code constants.
+
+ I also renamed loadPropertyAtVariableOffsetKnownNotFinal to
+ loadPropertyAtVariableOffsetKnownNotInline in order to sever the assumption
+ that inline capacity is tied to object type, and I changed the 64bit LLInt
+ to use this -- not using this previously seems to have been an oversight.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::visitChildren):
+ (JSC::JSFinalObject::visitChildren):
+ * runtime/JSObject.h:
+ (JSC::JSObject::offsetForLocation):
+ (JSNonFinalObject):
+ (JSC::JSFinalObject::createStructure):
+ (JSFinalObject):
+ (JSC::JSFinalObject::finishCreation): Updated for above changes.
+
+ * runtime/JSPropertyNameIterator.h:
+ (JSPropertyNameIterator):
+ (JSC::JSPropertyNameIterator::finishCreation): Store the inline capacity
+ of our object, since it's not a constant.
+
+ (JSC::JSPropertyNameIterator::getOffset): Removed. This function was
+ wrong. Luckily, it was also unused, since the C++ interpreter is gone.
+
+ * runtime/PropertyMapHashTable.h:
+ (PropertyTable): Use a helper function instead of hard-coding assumptions
+ about object types.
+
+ (JSC::PropertyTable::nextOffset):
+ * runtime/PropertyOffset.h:
+ (JSC):
+ (JSC::checkOffset):
+ (JSC::validateOffset):
+ (JSC::isInlineOffset):
+ (JSC::numberOfSlotsForLastOffset):
+ (JSC::propertyOffsetFor): Refactored these functions to take inline capacity
+ as an argument, since it's not fixed at compile time anymore.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ (JSC::Structure::flattenDictionaryStructure):
+ (JSC::Structure::putSpecificValue):
+ * runtime/Structure.h:
+ (Structure):
+ (JSC::Structure::outOfLineCapacity):
+ (JSC::Structure::hasInlineStorage):
+ (JSC::Structure::inlineCapacity):
+ (JSC::Structure::inlineSize):
+ (JSC::Structure::firstValidOffset):
+ (JSC::Structure::lastValidOffset):
+ (JSC::Structure::create): Removed some hard-coded assumptions about inline
+ capacity and object type, and replaced with more liberal use of helper functions.
+
+2012-10-03 Michael Saboff <msaboff@apple.com>
+
+ OpaqueJSString doesn't optimally handle 8 bit strings
+ https://bugs.webkit.org/show_bug.cgi?id=98300
+
+ Reviewed by Geoffrey Garen.
+
+ Change OpaqueJSString to store and manage a String instead of a UChar buffer.
+ The member string is a copy of any string used during creation.
+
+ * API/OpaqueJSString.cpp:
+ (OpaqueJSString::create):
+ (OpaqueJSString::identifier):
+ * API/OpaqueJSString.h:
+ (OpaqueJSString::characters):
+ (OpaqueJSString::length):
+ (OpaqueJSString::string):
+ (OpaqueJSString::OpaqueJSString):
+ (OpaqueJSString):
+
+2012-10-03 Filip Pizlo <fpizlo@apple.com>
+
+ Array.splice should be fast when it is used to remove elements other than the very first
+ https://bugs.webkit.org/show_bug.cgi?id=98236
+
+ Reviewed by Michael Saboff.
+
+ Applied the same technique that was used to optimize the unshift case of splice in
+ http://trac.webkit.org/changeset/129676. This is a >20x speed-up on programs that
+ use splice for element removal.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::shift):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::shiftCount):
+ * runtime/JSArray.h:
+ (JSArray):
+
+2012-09-16 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Delayed structure sweep can leak structures without bound
+ https://bugs.webkit.org/show_bug.cgi?id=96546
+
+ Reviewed by Geoffrey Garen.
+
+ This patch gets rid of the separate Structure allocator in the MarkedSpace and adds two new destructor-only
+ allocators. We now have separate allocators for our three types of objects: those objects with no destructors,
+ those objects with destructors and with immortal structures, and those objects with destructors that don't have
+ immortal structures. All of the objects of the third type (destructors without immortal structures) now
+ inherit from a new class named JSDestructibleObject (which in turn is a subclass of JSNonFinalObject), which stores
+ the ClassInfo for these classes at a fixed offset for safe retrieval during sweeping/destruction.
+
+ * API/JSCallbackConstructor.cpp: Use JSDestructibleObject for JSCallbackConstructor.
+ (JSC):
+ (JSC::JSCallbackConstructor::JSCallbackConstructor):
+ * API/JSCallbackConstructor.h:
+ (JSCallbackConstructor):
+ * API/JSCallbackObject.cpp: Inherit from JSDestructibleObject for normal JSCallbackObjects and use a finalizer for
+ JSCallbackObject<JSGlobalObject>, since JSGlobalObject also uses a finalizer.
+ (JSC):
+ (JSC::::create): We need to move the create function for JSCallbackObject<JSGlobalObject> out of line so we can add
+ the finalizer for it. We don't want to add the finalizer is something like finishCreation in case somebody decides
+ to subclass this. We use this same technique for many other subclasses of JSGlobalObject.
+ (JSC::::createStructure):
+ * API/JSCallbackObject.h:
+ (JSCallbackObject):
+ (JSC):
+ * API/JSClassRef.cpp: Change all the JSCallbackObject<JSNonFinalObject> to use JSDestructibleObject instead.
+ (OpaqueJSClass::prototype):
+ * API/JSObjectRef.cpp: Ditto.
+ (JSObjectMake):
+ (JSObjectGetPrivate):
+ (JSObjectSetPrivate):
+ (JSObjectGetPrivateProperty):
+ (JSObjectSetPrivateProperty):
+ (JSObjectDeletePrivateProperty):
+ * API/JSValueRef.cpp: Ditto.
+ (JSValueIsObjectOfClass):
+ * API/JSWeakObjectMapRefPrivate.cpp: Ditto.
+ * JSCTypedArrayStubs.h:
+ (JSC):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGSpeculativeJIT.h: Use the proper allocator type when doing inline allocation in the DFG.
+ (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
+ * heap/Heap.cpp:
+ (JSC):
+ * heap/Heap.h: Add accessors for the various types of allocators now. Also remove the isSafeToSweepStructures function
+ since it's always safe to sweep Structures now.
+ (JSC::Heap::allocatorForObjectWithNormalDestructor):
+ (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
+ (Heap):
+ (JSC::Heap::allocateWithNormalDestructor):
+ (JSC):
+ (JSC::Heap::allocateWithImmortalStructureDestructor):
+ * heap/IncrementalSweeper.cpp: Remove all the logic to detect when it's safe to sweep Structures from the
+ IncrementalSweeper since it's always safe to sweep Structures now.
+ (JSC::IncrementalSweeper::IncrementalSweeper):
+ (JSC::IncrementalSweeper::sweepNextBlock):
+ (JSC::IncrementalSweeper::startSweeping):
+ (JSC::IncrementalSweeper::willFinishSweeping):
+ (JSC):
+ * heap/IncrementalSweeper.h:
+ (IncrementalSweeper):
+ * heap/MarkedAllocator.cpp: Remove the logic that was preventing us from sweeping Structures if it wasn't safe. Add
+ tracking of the specific destructor type of allocator.
+ (JSC::MarkedAllocator::tryAllocateHelper):
+ (JSC::MarkedAllocator::allocateBlock):
+ * heap/MarkedAllocator.h:
+ (JSC::MarkedAllocator::destructorType):
+ (MarkedAllocator):
+ (JSC::MarkedAllocator::MarkedAllocator):
+ (JSC::MarkedAllocator::init):
+ * heap/MarkedBlock.cpp: Add all the destructor type stuff to MarkedBlocks so that we do the right thing when sweeping.
+ We also use the stored destructor type to determine the right thing to do in all JSCell::classInfo() calls.
+ (JSC::MarkedBlock::create):
+ (JSC::MarkedBlock::MarkedBlock):
+ (JSC):
+ (JSC::MarkedBlock::specializedSweep):
+ (JSC::MarkedBlock::sweep):
+ (JSC::MarkedBlock::sweepHelper):
+ * heap/MarkedBlock.h:
+ (JSC):
+ (JSC::MarkedBlock::allocator):
+ (JSC::MarkedBlock::destructorType):
+ * heap/MarkedSpace.cpp: Add the new destructor allocators to MarkedSpace.
+ (JSC::MarkedSpace::MarkedSpace):
+ (JSC::MarkedSpace::resetAllocators):
+ (JSC::MarkedSpace::canonicalizeCellLivenessData):
+ (JSC::MarkedSpace::isPagedOut):
+ (JSC::MarkedSpace::freeBlock):
+ * heap/MarkedSpace.h:
+ (MarkedSpace):
+ (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor):
+ (JSC::MarkedSpace::normalDestructorAllocatorFor):
+ (JSC::MarkedSpace::allocateWithImmortalStructureDestructor):
+ (JSC::MarkedSpace::allocateWithNormalDestructor):
+ (JSC::MarkedSpace::forEachBlock):
+ * heap/SlotVisitor.cpp: Add include because the symbol was needed in an inlined function.
+ * jit/JIT.h: Make sure we use the correct allocator when doing inline allocations in the baseline JIT.
+ * jit/JITInlineMethods.h:
+ (JSC::JIT::emitAllocateBasicJSObject):
+ (JSC::JIT::emitAllocateJSFinalObject):
+ (JSC::JIT::emitAllocateJSArray):
+ * jsc.cpp:
+ (GlobalObject::create): Add finalizer here since JSGlobalObject needs to use a finalizer instead of inheriting from
+ JSDestructibleObject.
+ * runtime/Arguments.cpp: Inherit from JSDestructibleObject.
+ (JSC):
+ * runtime/Arguments.h:
+ (Arguments):
+ (JSC::Arguments::Arguments):
+ * runtime/ErrorPrototype.cpp: Added an assert to make sure we have a trivial destructor.
+ (JSC):
+ * runtime/Executable.h: Indicate that all of the Executable* classes have immortal Structures.
+ (JSC):
+ * runtime/InternalFunction.cpp: Inherit from JSDestructibleObject.
+ (JSC):
+ (JSC::InternalFunction::InternalFunction):
+ * runtime/InternalFunction.h:
+ (InternalFunction):
+ * runtime/JSCell.h: Added two static bools, needsDestruction and hasImmortalStructure, that classes can override
+ to indicate at compile time which part of the heap they should be allocated in.
+ (JSC::allocateCell): Use the appropriate allocator depending on the destructor type.
+ * runtime/JSDestructibleObject.h: Added. New class that stores the ClassInfo of any subclass so that it can be
+ accessed safely when the object is being destroyed.
+ (JSC):
+ (JSDestructibleObject):
+ (JSC::JSDestructibleObject::classInfo):
+ (JSC::JSDestructibleObject::JSDestructibleObject):
+ (JSC::JSCell::classInfo): Checks the current MarkedBlock to see where it should get the ClassInfo from so that it's always safe.
+ * runtime/JSGlobalObject.cpp: JSGlobalObject now uses a finalizer instead of a destructor so that it can avoid forcing all
+ of its relatives in the inheritance hierarchy (e.g. JSScope) to use destructors as well.
+ (JSC::JSGlobalObject::reset):
+ * runtime/JSGlobalObject.h:
+ (JSGlobalObject):
+ (JSC::JSGlobalObject::createRareDataIfNeeded): Since we always create a finalizer now, we don't have to worry about adding one
+ for the m_rareData field when it's created.
+ (JSC::JSGlobalObject::create):
+ (JSC):
+ * runtime/JSGlobalThis.h: Inherit from JSDestructibleObject.
+ (JSGlobalThis):
+ (JSC::JSGlobalThis::JSGlobalThis):
+ * runtime/JSPropertyNameIterator.h: Has an immortal Structure.
+ (JSC):
+ * runtime/JSScope.cpp:
+ (JSC):
+ * runtime/JSString.h: Has an immortal Structure.
+ (JSC):
+ * runtime/JSWrapperObject.h: Inherit from JSDestructibleObject.
+ (JSWrapperObject):
+ (JSC::JSWrapperObject::JSWrapperObject):
+ * runtime/MathObject.cpp: Cleaning up some of the inheritance stuff.
+ (JSC):
+ * runtime/NameInstance.h: Inherit from JSDestructibleObject.
+ (NameInstance):
+ * runtime/RegExp.h: Has immortal Structure.
+ (JSC):
+ * runtime/RegExpObject.cpp: Inheritance cleanup.
+ (JSC):
+ * runtime/SparseArrayValueMap.h: Has immortal Structure.
+ (JSC):
+ * runtime/Structure.h: Has immortal Structure.
+ (JSC):
+ * runtime/StructureChain.h: Ditto.
+ (JSC):
+ * runtime/SymbolTable.h: Ditto.
+ (SharedSymbolTable):
+ (JSC):
+
+== Rolled over to ChangeLog-2012-10-02 ==
View Lorry Controller Status