path: root/Source/JavaScriptCore/dfg
Commit message | Author | Date | Files | Lines
* Import WebKit commit 3c9fc2fb47474909f5c30b518d372c854a3ec433 | Konstantin Tokarev | 2017-06-30 | 2 files | -1/+59
    Change-Id: Iccd335ea312d91e826885857fee6d0da3e913b8c
    Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Import WebKit commit 3ca7a25a550e473d60bbbe321475c6c0ef114b31 | Konstantin Tokarev | 2017-06-02 | 5 files | -9/+43
    Change-Id: I480668a0cb8114dccf7a1195190a993282875759
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* Import WebKit commit 342c7c7c069db3ca1d09ae6c5f7d600f9b241778 | Konstantin Tokarev | 2017-04-07 | 1 file | -1/+3
    Change-Id: I8886595114569f61168aed76b23ad7288c5cb34c
    Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Import WebKit commit 13ac532967b6ac2d18d6fc4ea72c4ca35eccff20 | Konstantin Tokarev | 2017-03-31 | 1 file | -5/+7
    Change-Id: I12a5c8f98aeaac1b542ce20c0ff297c57b5d84d1
    Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Imported WebKit commit eb954cdcf58f9b915b2fcb6f8e4cb3a60650a4f3 | Konstantin Tokarev | 2017-02-02 | 2 files | -5/+16
    Change-Id: I8dda875c38075d43b76fe3a21acb0ffa102bb82d
    Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Imported QtWebKit TP3 (git b57bc6801f1876c3220d5a4bfea33d620d477443) | Konstantin Tokarev | 2017-02-02 | 328 files | -26748/+61005
    Change-Id: I3b1d8a2808782c9f34d50240000e20cb38d3680f
    Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Merge remote-tracking branch 'origin/5.4' into 5.5 [tag: v5.5.0-beta1] | Liang Qi | 2015-04-15 | 2 files | -7/+12
    Change-Id: I0d9dd63455dc12402afd56cc1bd97d0cc97c24e8
* DFG optimizes out strict mode arguments tear off | Filip Pizlo | 2015-04-10 | 1 file | -6/+11
    https://bugs.webkit.org/show_bug.cgi?id=119504
    Source/JavaScriptCore:
    Reviewed by Mark Hahnenberg and Oliver Hunt.
    Don't do the optimization for strict mode.
    * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run): (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154217 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Change-Id: I68037df21deaa964ff18c4f168f465c2600627f7
    Reviewed-by: Julien Brianceau <jbriance@cisco.com>
    Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>
* Fix crash in JIT::DFG::prepareOSREntry | Julien Brianceau | 2015-04-01 | 1 file | -1/+1
    While verifying predictions in prepareOSREntry, locals could lie outside the stack in some cases. So we shouldn't retrieve jsValue from locals when we don't have to.
    Task-number: QTBUG-45299
    Change-Id: I70003170348887128e11360fb501b69647194172
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>
* Merge remote-tracking branch 'origin/5.4' into 5.5 | Frederik Gladhorn | 2015-03-17 | 1 file | -4/+2
    Change-Id: I5add7bbeab559b3f14207c37c6e010f953f6a286
* Incorrect type speculation reported by ToPrimitive | Oliver Hunt | 2015-03-11 | 1 file | -4/+2
    https://bugs.webkit.org/show_bug.cgi?id=119458
    Reviewed by Mark Hahnenberg.
    Make sure that we report the correct type possibilities for the output from ToPrimitive.
    * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects):
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153674 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Change-Id: I85d91598088ead350c89c4a9cc28a2bd866a2d22
    Task-number: QTBUG-44912
    Reviewed-by: Julien Brianceau <jbriance@cisco.com>
    Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>
* Fix lots of crashes because of 4th argument register trampling. | Julien Brianceau | 2015-02-09 | 1 file | -8/+5
    https://bugs.webkit.org/show_bug.cgi?id=123421
    Reviewed by Michael Saboff.
    r3 register is the 4th argument register for ARM and also a scratch register in the baseline JIT for this architecture. We can use r6 instead, as this used to be the timeoutCheckRegister and it is no longer used since r148119.
    * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
    * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
    * dfg/DFGGPRInfo.h: Add r3 properly in GPRInfo for ARM.
    * jit/JITStubs.cpp: Remove obsolete timeoutCheckRegister init.
    * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6 and r8 register doesn't need to be saved.
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158208 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Change-Id: I5198a158e5e69d4e3a05b353abb60f28c0ab095e
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>
* Merge remote-tracking branch 'origin/5.3' into 5.4 | Oswald Buddenhagen | 2014-10-31 | 1 file | -0/+1
    Change-Id: I11f35f205d2ded597d54650a948bec3e1e52b419
* Fix assert after makerope boundary check [tag: 5.3] | Lucas Forschler | 2014-10-31 | 1 file | -0/+1
    The browser demo asserts on qt-project.org after the makerope security fix.
    Port of http://trac.webkit.org/changeset/169397
    Change-Id: I19c98737735d9b17133742752928d4ce6349de13
    Reviewed-by: Michael Bruning <michael.bruning@digia.com>
* Merge remote-tracking branch 'origin/5.3' into 5.4 | Frederik Gladhorn | 2014-10-14 | 2 files | -1/+30
    Change-Id: I509f0440296df39aece8133382aacc43a4e05f99
* compileMakeRope does not emit necessary bounds checks | Filip Pizlo | 2014-09-26 | 2 files | -1/+30
    https://bugs.webkit.org/show_bug.cgi?id=130684
    <rdar://problem/16398388>
    Reviewed by Oliver Hunt.
    Add string length bounds checks in a bunch of places. We should never allow a string to have a length greater than 2^31-1 because it's not clear that the language has semantics for it and because there is code that assumes that this cannot happen. Also add a bunch of tests to that effect to cover the various ways in which this was previously allowed to happen.
    * dfg/DFGOperations.cpp:
    * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileMakeRope):
    * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
    * runtime/JSString.cpp: (JSC::JSRopeString::RopeBuilder::expand):
    * runtime/JSString.h: (JSC::JSString::create): (JSC::JSRopeString::RopeBuilder::append): (JSC::JSRopeString::RopeBuilder::release): (JSC::JSRopeString::append):
    * runtime/Operations.h: (JSC::jsString): (JSC::jsStringFromRegisterArray): (JSC::jsStringFromArguments):
    * runtime/StringPrototype.cpp: (JSC::stringProtoFuncIndexOf): (JSC::stringProtoFuncSlice): (JSC::stringProtoFuncSubstring): (JSC::stringProtoFuncToLowerCase):
    * tests/stress/make-large-string-jit-strcat.js: Added. (foo):
    * tests/stress/make-large-string-jit.js: Added. (foo):
    * tests/stress/make-large-string-strcat.js: Added.
    * tests/stress/make-large-string.js: Added.
    Change-Id: If01dd2a2d2daa3d209eddf0213d2b391e94f54a0
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@167336 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* DFG 32Bit: Crash loading "Classic" site @ translate.google.com | Michael Saboff | 2014-09-30 | 1 file | -0/+4
    https://bugs.webkit.org/show_bug.cgi?id=120015
    Reviewed by Sam Weinig.
    * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in all versions of fillSpeculateBoolean().
    Change-Id: I4de21707f00c1538b82b9bee6b2acc2903611983
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* REGRESSION: Crash when opening Facebook.com | Oliver Hunt | 2014-09-25 | 2 files | -4/+4
    https://bugs.webkit.org/show_bug.cgi?id=119155
    Reviewed by Andreas Kling.
    Scope nodes are always objects, so we should be using SpecObjectOther rather than SpecCellOther. Marking Scopes as CellOther leads to a contradiction in the CFA, resulting in bogus codegen.
    * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects):
    * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
    Change-Id: Ic083c04b9351c904ea4b5ee41bcc98c7d66d757d
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153410 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Incorrect behavior on emscripten-compiled cube2hash | Filip Pizlo | 2014-09-24 | 1 file | -4/+8
    https://bugs.webkit.org/show_bug.cgi?id=120033
    Source/JavaScriptCore:
    Reviewed by Mark Hahnenberg.
    If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar then we should bail attempts to CSE.
    * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::scopedVarLoadElimination): (JSC::DFG::CSEPhase::scopedVarStoreElimination):
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154344 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Task-number: QTBUG-41500
    Change-Id: Ia6bd7b09b20a99d5f4b5a14bf58737bc4b8c6a2b
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Aligned argument signatures of setupArgumentsWithExecState are missing on MIPS. | commit-queue@webkit.org | 2014-09-19 | 1 file | -0/+10
    https://bugs.webkit.org/show_bug.cgi?id=121439
    Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-09-16
    Reviewed by Geoffrey Garen.
    Missing implementations of setupArgumentsWithExecState added.
    Change-Id: Ief1b1505d6c20b091ae0fcc24d7c21f50fcc712a
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155884 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* ARM EABI hardfp buildfix after r155675 | ossy@webkit.org | 2014-09-18 | 1 file | -2/+3
    https://bugs.webkit.org/show_bug.cgi?id=121287
    Reviewed by Geoffrey Garen.
    Change-Id: I03c086a652b501c5424a6de6763fed1c88466e3a
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155705 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Fixed crash in V8 benchmark suite in ARM,softp,EABI environment. | commit-queue@webkit.org | 2014-09-18 | 2 files | -13/+51
    https://bugs.webkit.org/show_bug.cgi?id=117281
    Patch by Youngho Yoo <youngho33.yoo@lge.com> on 2013-09-13
    Reviewed by Michael Saboff.
    Fix the missing EABI_32BIT_DUMMY_ARG in FPRReg using callOperation function.
    Change-Id: I77e7e7a37ada9d33574949220d109e8b5f2392b2
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155675 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Take advantage of 3-parameter or32() calls | Julien Brianceau | 2014-08-28 | 1 file | -12/+6
    https://bugs.webkit.org/show_bug.cgi?id=136287
    Reviewed by Michael Saboff.
    For specific architectures (arm and mips for instance), or32() calls with 3 parameters are likely to produce a single instruction.
    Change-Id: I1c56f5b8229dd2d82d96c56cb10b1ac8dc9ba0b0
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@173006 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* [mips] Take advantage of integer divide instruction for ArithDiv and ArithMod. | Julien Brianceau | 2014-08-23 | 4 files | -1/+66
    Added MIPS integer divide path for ArithDiv and ArithMod where operands and results are integer.
    Change-Id: I00d5b58e6e0be39f083676fb0c435b3545d3aca1
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Crash during exception unwinding | Oliver Hunt | 2014-07-08 | 9 files | -12/+28
    https://webkit.org/b/119860
    Reviewed by Filip Pizlo.
    Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node. We need this so that Throw and ThrowReferenceError no longer need to be treated as terminals and the subsequent flush keeps the activation (and other registers) live.
    * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects):
    * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock):
    * dfg/DFGClobberize.h: (JSC::DFG::clobberize):
    * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode):
    * dfg/DFGNode.h: (JSC::DFG::Node::isTerminal):
    * dfg/DFGNodeType.h:
    * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
    * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute):
    * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
    * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):
    Change-Id: Idb894e780cd3ebe15515d1796c58a339ae54d55f
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154290 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Fix SpeculateCellOperand ASSERT failure in DFG for 32-bit builds. | Julien Brianceau | 2014-06-26 | 1 file | -18/+27
    Original patch by Filip Pizlo <fpizlo@apple.com> on 2013-08-28 taken from WebKit r154804 (http://trac.webkit.org/changeset/154804).
    Task-number: QTBUG-39768
    Change-Id: I239f2ee2ec5d1c21f7e50709b8989e744fd87995
    Reviewed-by: Zhang Zengbo <zengbo.zhang@gmail.com>
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Prevent register clobbering to fix negative zero check in SoftModulo. | Julien Brianceau | 2014-06-06 | 1 file | -1/+7
    This fix is not relevant for x86 architectures. Covered by integer-division-neg2tothe32-by-neg1 JavaScript test.
    Change-Id: I8ffd1280063305bc98c564f5df57c76cc5b1d7a6
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* [arm] Inverted src and dest FP registers in DFG speculative JIT when using hardfp. | Julien Brianceau | 2013-10-18 | 1 file | -2/+4
    https://bugs.webkit.org/show_bug.cgi?id=122555
    Patch by Julien Brianceau <jbriance@cisco.com> on 2013-10-09
    Reviewed by Michael Saboff.
    * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult): (JSC::DFG::SpeculativeJIT::appendCallSetResult):
    Change-Id: Ib633513948031702efd5ca0d4b89920e99979755
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157173 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* 32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state | Mark Hahnenberg | 2013-10-16 | 1 file | -1/+1
    https://bugs.webkit.org/show_bug.cgi?id=119555
    Reviewed by Geoffrey Garen.
    It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does. This was causing crashes on maps.google.com in 32-bit debug builds.
    * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
    Change-Id: Icdcfe0719d22df7db6dc7ffcee309b75b63914df
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153793 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
* Import Qt5x2 branch of QtWebkit for Qt 5.2 | Allan Sandfeld Jensen | 2013-09-19 | 112 files | -11761/+15963
    Importing a new snapshot of webkit.
    Change-Id: I2d01ad12cdc8af8cb015387641120a9d7ea5f10c
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* JavaScriptCore: Fix header guard | Tobias Hunger | 2013-09-03 | 1 file | -1/+1
    Clang nags about it.
    Change-Id: I0f4629048e2e02370202cf47748be05bfa0cbf81
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* MIPS DFG implementation. | Balazs Kilvady | 2013-05-23 | 5 files | -29/+221
    https://bugs.webkit.org/show_bug.cgi?id=101328
    Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-02-18
    Reviewed by Oliver Hunt.
    DFG implementation for MIPS.
    Source/JavaScriptCore:
    * assembler/MIPSAssembler.h: (JSC::MIPSAssembler::MIPSAssembler): (JSC::MIPSAssembler::sllv): (JSC::MIPSAssembler::movd): (MIPSAssembler): (JSC::MIPSAssembler::negd): (JSC::MIPSAssembler::labelForWatchpoint): (JSC::MIPSAssembler::label): (JSC::MIPSAssembler::vmov): (JSC::MIPSAssembler::linkDirectJump): (JSC::MIPSAssembler::maxJumpReplacementSize): (JSC::MIPSAssembler::revertJumpToMove): (JSC::MIPSAssembler::replaceWithJump):
    * assembler/MacroAssembler.h: (MacroAssembler): (JSC::MacroAssembler::poke):
    * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::add32): (MacroAssemblerMIPS): (JSC::MacroAssemblerMIPS::and32): (JSC::MacroAssemblerMIPS::lshift32): (JSC::MacroAssemblerMIPS::mul32): (JSC::MacroAssemblerMIPS::or32): (JSC::MacroAssemblerMIPS::rshift32): (JSC::MacroAssemblerMIPS::urshift32): (JSC::MacroAssemblerMIPS::sub32): (JSC::MacroAssemblerMIPS::xor32): (JSC::MacroAssemblerMIPS::store32): (JSC::MacroAssemblerMIPS::jump): (JSC::MacroAssemblerMIPS::branchAdd32): (JSC::MacroAssemblerMIPS::branchMul32): (JSC::MacroAssemblerMIPS::branchSub32): (JSC::MacroAssemblerMIPS::branchNeg32): (JSC::MacroAssemblerMIPS::call): (JSC::MacroAssemblerMIPS::loadDouble): (JSC::MacroAssemblerMIPS::moveDouble): (JSC::MacroAssemblerMIPS::swapDouble): (JSC::MacroAssemblerMIPS::subDouble): (JSC::MacroAssemblerMIPS::mulDouble): (JSC::MacroAssemblerMIPS::divDouble): (JSC::MacroAssemblerMIPS::negateDouble): (JSC::MacroAssemblerMIPS::branchEqual): (JSC::MacroAssemblerMIPS::branchNotEqual): (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32): (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32): (JSC::MacroAssemblerMIPS::truncateDoubleToInt32): (JSC::MacroAssemblerMIPS::truncateDoubleToUint32): (JSC::MacroAssemblerMIPS::branchDoubleNonZero): (JSC::MacroAssemblerMIPS::branchDoubleZeroOrNaN): (JSC::MacroAssemblerMIPS::invert): (JSC::MacroAssemblerMIPS::replaceWithJump): (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
    * dfg/DFGAssemblyHelpers.h: (AssemblyHelpers): (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall): (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn): (JSC::DFG::AssemblyHelpers::debugCall):
    * dfg/DFGCCallHelpers.h: (CCallHelpers): (JSC::DFG::CCallHelpers::setupArguments): (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
    * dfg/DFGFPRInfo.h: (DFG): (FPRInfo): (JSC::DFG::FPRInfo::toRegister): (JSC::DFG::FPRInfo::toIndex): (JSC::DFG::FPRInfo::debugName):
    * dfg/DFGGPRInfo.h: (DFG): (GPRInfo): (JSC::DFG::GPRInfo::toRegister): (JSC::DFG::GPRInfo::toIndex): (JSC::DFG::GPRInfo::debugName):
    * dfg/DFGSpeculativeJIT.h: (SpeculativeJIT):
    * jit/JSInterfaceJIT.h: (JSInterfaceJIT):
    * runtime/JSGlobalData.h: (JSC::ScratchBuffer::allocationSize): (ScratchBuffer):
    Source/WTF:
    * wtf/Platform.h:
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143247 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Conflicts: Source/JavaScriptCore/ChangeLog Source/JavaScriptCore/assembler/MacroAssemblerMIPS.h Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h Source/WTF/ChangeLog
    Change-Id: Ibc6c2a2b1d5c70d351ede37c6c111b66b4cf7fef
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* MIPS LLInt implementation. | Balazs Kilvady | 2013-05-23 | 1 file | -0/+69
    https://bugs.webkit.org/show_bug.cgi?id=99706
    Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-01-07
    Reviewed by Filip Pizlo.
    LLInt implementation for MIPS.
    Source/JavaScriptCore:
    * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::jump):
    * dfg/DFGOperations.cpp: (JSC):
    * jit/JITStubs.cpp: (JSC):
    * jit/JITStubs.h: (JITStackFrame):
    * llint/LLIntOfflineAsmConfig.h:
    * llint/LowLevelInterpreter.asm:
    * llint/LowLevelInterpreter32_64.asm:
    * offlineasm/backends.rb:
    * offlineasm/instructions.rb:
    * offlineasm/mips.rb: Added.
    Source/WTF:
    * wtf/Platform.h:
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138970 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Conflicts: Source/JavaScriptCore/ChangeLog Source/JavaScriptCore/jit/JITStubs.h
    Change-Id: I1677d54c1641cf60e517772944582c8f387eeb6d
    Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Merge "Merge remote-tracking branch 'origin/release' into stable" into refs/staging/stable | Frederik Gladhorn | 2013-04-05 | 1 file | -2/+2
* Merge remote-tracking branch 'origin/release' into stable | Frederik Gladhorn | 2013-04-03 | 1 file | -2/+2
    Change-Id: If3305d4a24584f4289f840e60a2362220d005013
* Crash at JSC::call when loading www.gap.com with JSVALUE32_64 Enabled | Michael Saboff | 2013-03-27 | 1 file | -2/+2
    https://bugs.webkit.org/show_bug.cgi?id=108991
    Reviewed by Oliver Hunt.
    Changed the restoration from calleeGPR to nonArgGPR0 because the restoration of the return location may step on calleeGPR if it happens to be nonArgGPR2.
    * dfg/DFGRepatch.cpp: (JSC::DFG::dfgLinkClosureCall):
    Change-Id: I2d27a111ae1edbfea9335f3a06c5cc53e065a673
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141951 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html | Michael Saboff | 2013-04-04 | 1 file | -2/+1
    https://bugs.webkit.org/show_bug.cgi?id=107340
    Reviewed by Filip Pizlo.
    Due to the change landed in r140201, more nodes might end up generating Int32ToDouble nodes. Therefore, changed the JSVALUE64 constant path of compileInt32ToDouble() to use the more restrictive isInt32Constant() check on the input. This check was the same as the existing ASSERT() so the ASSERT was eliminated.
    * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
    Change-Id: I8e9f3858414e37f5b8232a58d8f6f9dada755343
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140221 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Harden ArithDiv of integers fix-up by inserting Int32ToDouble node directly | Michael Saboff | 2013-04-04 | 1 file | -2/+10
    https://bugs.webkit.org/show_bug.cgi?id=107321
    Reviewed by Filip Pizlo.
    Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up an ArithDiv node with integer inputs and output for platforms that don't have integer division. Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node without any further checks.
    * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixDoubleEdge): (FixupPhase): (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
    Change-Id: Ic79f2823a7cfb9ce52bb935536972f48508579fd
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140203 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Fix up of ArithDiv nodes for non-x86 CPUs is broken | Michael Saboff | 2013-04-04 | 1 file | -1/+1
    https://bugs.webkit.org/show_bug.cgi?id=107309
    Reviewed by Filip Pizlo.
    Changed the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble.
    * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixDoubleEdge):
    Change-Id: I8e73ad242feb65c143857d3a4190e095aa5e9d06
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140201 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Don't use a node reference after appending to the graph. | Filip Pizlo | 2013-04-04 | 1 file | -8/+9
    https://bugs.webkit.org/show_bug.cgi?id=103305
    <rdar://problem/12753096>
    Reviewed by Mark Hahnenberg.
    * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run):
    Change-Id: I48ebd652e936ca5781fd6d1bab2df012b2027c34
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139264 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1 | Michael Saboff | 2013-04-04 | 1 file | -2/+2
    https://bugs.webkit.org/show_bug.cgi?id=106978
    Reviewed by Filip Pizlo.
    Source/JavaScriptCore:
    Changed the numerator equal to -2^31 check to just return if we expect an integer result, since the check is after we have determined that the denominator is -1. The int result of -2^31 / -1 is -2^31, so just return the numerator as the result.
    * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
    LayoutTests:
    Added a new DFG check for -2^31 / -1 when we expect an integer result.
    * fast/js/integer-division-neg2tothe32-by-neg1-expected.txt:
    * fast/js/script-tests/integer-division-neg2tothe32-by-neg1.js: (myDivExpectingInt):
    Change-Id: Ifd8dd24e75e60520a140c09948dd3ab49aaa3fa8
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139835 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize | Filip Pizlo | 2013-03-27 | 1 file | -1/+1
    https://bugs.webkit.org/show_bug.cgi?id=107081
    Reviewed by Michael Saboff.
    This bug led to the 32_64 backend emitting contiguous allocation code to allocate ArrayStorage arrays. This then led to all manner of heap corruption, since subsequent array accesses would be accessing the contiguous array "as if" it was an arraystorage array.
    * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
    Change-Id: Ide538ea42dc32f29daf7bfe4b035053f1e9471b1
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139949 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* DFG Phantom node should be honest about the fact that it can exit [tag: v5.1.0-alpha1] | Filip Pizlo | 2013-03-27 | 1 file | -1/+1
    https://bugs.webkit.org/show_bug.cgi?id=111115
    Reviewed by Mark Hahnenberg.
    The chances of this having caused serious issues are low, since most clients of the NodeDoesNotExit flag run after CFA and CFA updates this properly. But one possible case of badness is if the ByteCodeParser inserted a Phantom with a type check in between a LogicalNot and a Branch; then that peephole optimization in Fixup might go slightly wrong.
    * dfg/DFGNodeType.h: (DFG):
    Change-Id: I568e22c3577979de0eeea945de519a920ee212b6
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@144373 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* DFG is too aggressive with eliding overflow checks in loops | Filip Pizlo | 2013-03-27 | 2 files | -2/+8
    https://bugs.webkit.org/show_bug.cgi?id=105226
    Reviewed by Mark Hahnenberg and Oliver Hunt.
    Source/JavaScriptCore:
    If we see a variable's live range cross basic block boundaries, conservatively assume that it may be part of a data-flow back-edge, and as a result, we may have entirely integer operations that could lead to the creation of an integer that is out of range of 2^52 (the significand of a double float). This does not seem to regress any of the benchmarks we care about, and it fixes the bug. In future we may want to actually look at whether or not there was a data-flow back-edge instead of being super conservative about it. But we have no evidence, yet, that this would help us on real code.
    * dfg/DFGNodeFlags.h: (DFG):
    * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
    LayoutTests:
    * fast/js/dfg-int-overflow-in-loop-expected.txt: Added.
    * fast/js/dfg-int-overflow-in-loop.html: Added.
    * fast/js/jsc-test-list:
    * fast/js/script-tests/dfg-int-overflow-in-loop.js: Added. (foo):
    Change-Id: I9df2d6d17ba404802456f4e2da313e47f0f4f62e
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137963 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* DFG is too aggressive eliding overflow checks for additions involving large constants | Filip Pizlo | 2013-03-26 | 2 files | -11/+37
    https://bugs.webkit.org/show_bug.cgi?id=105239
    Reviewed by Gavin Barraclough.
    Source/JavaScriptCore:
    If we elide overflow checks on an addition (or subtraction) involving a larger-than-2^32 immediate, then make sure that the non-constant child of the addition knows that he's got to do an overflow check, by flowing the UsedAsNumber property at him.
    * dfg/DFGGraph.h: (JSC::DFG::Graph::addSpeculationMode): (Graph): (JSC::DFG::Graph::addShouldSpeculateInteger): (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
    * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
    LayoutTests:
    * fast/js/dfg-int-overflow-large-constants-in-a-line-expected.txt: Added.
    * fast/js/dfg-int-overflow-large-constants-in-a-line.html: Added.
    * fast/js/jsc-test-list:
    * fast/js/script-tests/dfg-int-overflow-large-constants-in-a-line.js: Added. (foo):
    Change-Id: If9f7c71050b6f07fc024e6e9f42083d7d3ca71f6
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137980 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* javascript integer overflow | Filip Pizlo | 2013-03-26 | 1 file | -0/+4
    https://bugs.webkit.org/show_bug.cgi?id=104967
    Reviewed by Mark Hahnenberg.
    Source/JavaScriptCore:
    Fix PutScopedVar backward flow.
    * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
    LayoutTests:
    * fast/js/dfg-put-scoped-var-backward-flow-expected.txt: Added.
    * fast/js/dfg-put-scoped-var-backward-flow.html: Added.
    * fast/js/jsc-test-list:
    * fast/js/script-tests/dfg-put-scoped-var-backward-flow.js: Added. (sum):
    Change-Id: I63c3091751555d3690f22e38a55408ced098adf8
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137951 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Named lookups on HTML documents produce inconsistent results in JavaScriptCore bindings | Filip Pizlo | 2013-03-26 | 1 file | -2/+2
    https://bugs.webkit.org/show_bug.cgi?id=104623
    Reviewed by Geoffrey Garen.
    Source/JavaScriptCore:
    Add the notion of objects that HasImpureGetOwnPropertySlot, and use that to inhibit prototype chain caching in some cases. This appears to be perf-neutral on benchmarks that we track.
    * dfg/DFGRepatch.cpp: (JSC::DFG::tryCacheGetByID): (JSC::DFG::tryBuildGetByIDProtoList):
    * jit/JITStubs.cpp: (JSC::JITThunks::tryCacheGetByID): (JSC::DEFINE_STUB_FUNCTION):
    * runtime/JSTypeInfo.h: (JSC): (JSC::TypeInfo::hasImpureGetOwnPropertySlot):
    * runtime/Operations.h: (JSC::normalizePrototypeChainForChainAccess):
    Source/WebCore:
    All DOM objects that have named getters or directly override getOwnPropertySlot are now marked as HasImpureGetOwnPropertySlot.
    Tests: fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps
    * bindings/scripts/CodeGeneratorJS.pm: (GenerateHeader):
    LayoutTests:
    * fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt: Added.
    * fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Added.
    * fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt: Added.
    * fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Added.
    * fast/js/script-tests/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Added. (f):
    * fast/js/script-tests/prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Added. (f):
    Change-Id: Ie17e39f2b8139778455e28aca9428698f4dd362f
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137700 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Strange results calculating a square root in a loop | Filip Pizlo | 2013-03-26 | 2 files | -4/+9
    https://bugs.webkit.org/show_bug.cgi?id=104247
    <rdar://problem/12826880>
    Reviewed by Oliver Hunt.
    Source/JavaScriptCore:
    Fixed the CFG simplification phase to ignore dead GetLocals in the first of the blocks under the merge. This fixes the assertion, and is also cleaner: our general rule is to not "revive" things that we've already proved to be dead. Also fixed some rotted debug code.
    * dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
    * dfg/DFGStructureCheckHoistingPhase.cpp: (JSC::DFG::StructureCheckHoistingPhase::run):
    LayoutTests:
    * fast/js/dfg-cfg-simplify-redundant-dead-get-local-expected.txt: Added.
    * fast/js/dfg-cfg-simplify-redundant-dead-get-local.html: Added.
    * fast/js/jsc-test-list:
    * fast/js/script-tests/dfg-cfg-simplify-redundant-dead-get-local.js: Added. (getDist): (calcError):
    Change-Id: I70b28d61e3fcbbb551d9e71d458efe654149c12c
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@136989 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Imported WebKit commit 6a4a1d32e1d779548c726c4826cba9d69eb87601 (http://svn.webkit.org/repository/webkit/trunk@136242) | Simon Hausmann | 2012-11-30 | 6 files | -46/+56
    Final import for the Qt 5.x series that implements the QtWebKit / QtWebKitWidgets split. Extra fixes will be cherry-picked.
    Change-Id: I844f1ebb99c6d6b75db31d6538c2acd628e79681
    Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
* Imported WebKit commit c60cfe0fc09efd257aa0111d7b133b02deb8a63e (http://svn.webkit.org/repository/webkit/trunk@136119) | Simon Hausmann | 2012-11-29 | 15 files | -378/+426
    New snapshot that includes the fix for installing the QtWebProcess into libexec.
    Change-Id: I01344e079cbdac5678c4cba6ffcc05f4597cf0d7
    Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>