path: root/Source/JavaScriptCore/runtime
Commit log. Each entry lists the commit subject, then Author / Date / Files changed / Lines (-removed/+added), then the commit message.
* Import WebKit commit 708de1520656bdf12023c04199ecab1b427d5e0c
  Author: Konstantin Tokarev   Date: 2017-11-04   Files: 1   Lines: -0/+1

  Change-Id: Id24f973470620b1c7a36576606b81f5df0fd75d0
  Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Import WebKit commit 85c24b4e854b971f0705bb3411cfd4c0b821f491
  Author: Konstantin Tokarev   Date: 2017-10-13   Files: 1   Lines: -0/+3

  Change-Id: I3f9320f43d5d1fc5169a6c1b9dcea454974d6578
  Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Import WebKit commit 6d0ad27b6bc4209fb8d8cee2692dc0c6a5462051 (tag: v5.212.0-alpha2)
  Author: Konstantin Tokarev   Date: 2017-06-17   Files: 3   Lines: -2/+4

  Change-Id: Ifdedb7bc3162434686201813dc1d994cf5ae7e70
  Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Import WebKit commit 3ca7a25a550e473d60bbbe321475c6c0ef114b31
  Author: Konstantin Tokarev   Date: 2017-06-02   Files: 4   Lines: -25/+33

  Change-Id: I480668a0cb8114dccf7a1195190a993282875759
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
* Import WebKit commit b25ce6eca994718717218f56d045e75a4a22f989 (branch: wip/next)
  Author: Konstantin Tokarev   Date: 2017-05-08   Files: 1   Lines: -1/+2

  Change-Id: Ied338d9a16b44b5da35d484e80a21acc284eb625
  Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Import WebKit commit 342c7c7c069db3ca1d09ae6c5f7d600f9b241778
  Author: Konstantin Tokarev   Date: 2017-04-07   Files: 4   Lines: -2/+27

  Change-Id: I8886595114569f61168aed76b23ad7288c5cb34c
  Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Imported WebKit commit 12fbea815480c3b3fad139cd8dfb82e8c954bc9a
  Author: Konstantin Tokarev   Date: 2017-02-02   Files: 1   Lines: -3/+3

  Change-Id: Iccbb1e8bd8b7f72322614224c203fc509a8dbb79
  Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Imported WebKit commit eb954cdcf58f9b915b2fcb6f8e4cb3a60650a4f3
  Author: Konstantin Tokarev   Date: 2017-02-02   Files: 3   Lines: -4/+38

  Change-Id: I8dda875c38075d43b76fe3a21acb0ffa102bb82d
  Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Imported QtWebKit TP3 (git b57bc6801f1876c3220d5a4bfea33d620d477443)
  Author: Konstantin Tokarev   Date: 2017-02-02   Files: 542   Lines: -17088/+56468

  Change-Id: I3b1d8a2808782c9f34d50240000e20cb38d3680f
  Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
* Merge remote-tracking branch 'origin/5.4' into 5.5 (tag: v5.5.0-alpha1)
  Author: Allan Sandfeld Jensen   Date: 2015-03-10   Files: 1   Lines: -0/+5

  Change-Id: I824a984e8552340c2f9f631ac951f2c9eaa90b74
  * Fix g++ 5.0 build
    Author: Allan Sandfeld Jensen   Date: 2015-03-06   Files: 1   Lines: -0/+5

    A non-inline template needs to be explicitly instantiated if used outside the
    object where it is declared.

    Patch suggested by Khem Raj.

    Task-number: QTBUG-44829
    Change-Id: Ib0adbd9273bd1cef01e5863bc8aaa9c373022792
    Reviewed-by: Andras Becsi <andras.becsi@theqtcompany.com>
* Fix two gcc 5.0 warnings
  Author: Allan Sandfeld Jensen   Date: 2015-03-06   Files: 1   Lines: -3/+3

  Improved warnings in gcc 5.0 have exposed some unclear expressions.

  Change-Id: I2c269528f6246319dab1a83d929d55c8d8e5a17d
  Reviewed-by: Andras Becsi <andras.becsi@theqtcompany.com>
* Merge remote-tracking branch 'origin/5.3' into 5.4
  Author: Frederik Gladhorn   Date: 2014-10-14   Files: 4   Lines: -22/+30

  Change-Id: I509f0440296df39aece8133382aacc43a4e05f99
  * compileMakeRope does not emit necessary bounds checks
    Author: Filip Pizlo   Date: 2014-09-26   Files: 4   Lines: -22/+30

    https://bugs.webkit.org/show_bug.cgi?id=130684
    <rdar://problem/16398388>

    Reviewed by Oliver Hunt.

    Add string length bounds checks in a bunch of places. We should never allow a
    string to have a length greater than 2^31-1 because it's not clear that the
    language has semantics for it and because there is code that assumes that this
    cannot happen. Also add a bunch of tests to that effect to cover the various
    ways in which this was previously allowed to happen.

    * dfg/DFGOperations.cpp:
    * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileMakeRope):
    * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
    * runtime/JSString.cpp:
      (JSC::JSRopeString::RopeBuilder::expand):
    * runtime/JSString.h:
      (JSC::JSString::create):
      (JSC::JSRopeString::RopeBuilder::append):
      (JSC::JSRopeString::RopeBuilder::release):
      (JSC::JSRopeString::append):
    * runtime/Operations.h:
      (JSC::jsString):
      (JSC::jsStringFromRegisterArray):
      (JSC::jsStringFromArguments):
    * runtime/StringPrototype.cpp:
      (JSC::stringProtoFuncIndexOf):
      (JSC::stringProtoFuncSlice):
      (JSC::stringProtoFuncSubstring):
      (JSC::stringProtoFuncToLowerCase):
    * tests/stress/make-large-string-jit-strcat.js: Added.
      (foo):
    * tests/stress/make-large-string-jit.js: Added.
      (foo):
    * tests/stress/make-large-string-strcat.js: Added.
    * tests/stress/make-large-string.js: Added.

    Change-Id: If01dd2a2d2daa3d209eddf0213d2b391e94f54a0
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@167336 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
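The length bound described in the commit above (no string longer than 2^31-1 characters) is enforced inside the engine, so the only thing script can observe is that a concatenation which would cross the engine's limit throws instead of yielding an oversized string. The following is an added example, not code from the commit or from the QtWebKit tree: it probes the host engine the same way the make-large-string-strcat stress test does, by doubling a string until the engine refuses, and records the last accepted length. The exact limit is an assumption about the host (V8 and JavaScriptCore use different maxima), which is why the check only asserts that the refusal happens at or below the 2^31-1 bound.

```javascript
// Added example: probe the host engine's maximum string length by
// repeated self-concatenation, mirroring the strcat-style stress test
// named in the commit above. Engines represent the result as a rope or
// cons string, so no multi-gigabyte buffer is materialised; the engine's
// length check is what stops the loop.
const ABSOLUTE_BOUND = 2 ** 31 - 1; // the limit the commit enforces in JSC

function probeMaxStringLength(maxDoublings = 40) {
  let s = "x";
  let lastAccepted = s.length;
  for (let i = 0; i < maxDoublings; i++) {
    let next;
    try {
      next = s + s; // the engine's length check fires here
    } catch (err) {
      return { lastAccepted, attempted: lastAccepted * 2, error: err };
    }
    s = next;
    lastAccepted = s.length;
  }
  // No engine should get here; reported so a caller notices (assumption).
  return { lastAccepted, attempted: null, error: null };
}

// The property the commit establishes: the engine refuses with a thrown
// error before the accepted length can exceed the bound, rather than
// producing a string whose length no longer fits the engine's assumptions.
function checkWithinBound(result) {
  if (result.error === null) return false;
  if (!(result.error instanceof Error)) return false;
  return result.lastAccepted > 0 && result.lastAccepted <= ABSOLUTE_BOUND;
}

const result = probeMaxStringLength();
console.log("last accepted length:", result.lastAccepted,
            "refused with:", result.error && result.error.name);
```

The usual refusal is a RangeError, but the example only requires some Error so it also holds on engines that report the condition as an out-of-memory error.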
* Fix valgrind warning about uninitialized access
  Author: Allan Sandfeld Jensen   Date: 2014-10-06   Files: 1   Lines: -3/+3

  A default cache-entry has a null String and an uninitialized key. We should
  therefore only try to use the key if the String is not null.

  Change-Id: Icd6819b96b9b650305cf0611b6b2978c07dc9196
  Reviewed-by: Michael Bruning <michael.bruning@digia.com>
* (un)shiftCountWithAnyIndexingType will start over in the middle of copying if it sees a hole
  Author: Mark Hahnenberg   Date: 2014-09-30   Files: 1   Lines: -23/+37

  https://bugs.webkit.org/show_bug.cgi?id=121717

  Reviewed by Oliver Hunt.

  Source/JavaScriptCore:

  This bug caused the array to become corrupted. We now check for holes before we
  start moving things, and start moving things only once we've determined that
  there are none.

  * runtime/JSArray.cpp:
    (JSC::JSArray::shiftCountWithAnyIndexingType):
    (JSC::JSArray::unshiftCountWithAnyIndexingType):

  Change-Id: I9948bfa2c9b4a345076f7f2b4e50a566f521b6fe
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156214 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
  Author: Mark Hahnenberg   Date: 2014-09-25   Files: 3   Lines: -18/+31

  Reviewed by Oliver Hunt.

  When we flatten an object in dictionary mode, we compact its properties. If the
  object had out-of-line storage in the form of a Butterfly prior to this
  compaction, and after compaction its properties fit inline, the object's
  Structure "forgets" that the object has a non-zero Butterfly pointer. During GC,
  we check the Butterfly and reportLiveBytes with bytes = 0, which causes all sorts
  of badness in CopiedSpace.

  Instead, after we flatten a dictionary, if properties fit inline we should clear
  the Butterfly pointer so that the GC doesn't get confused later. This patch does
  this clearing, and it also adds JSObject::checkStructure, which overrides
  JSCell::checkStructure to add an ASSERT that makes sure that the Structure being
  assigned agrees with whether or not the object has a Butterfly. Also added an
  ASSERT to check that the number of bytes reported to SlotVisitor::copyLater is
  non-zero.

  * heap/SlotVisitorInlines.h:
    (JSC::SlotVisitor::copyLater):
  * runtime/JSObject.cpp:
    (JSC::JSObject::notifyPresenceOfIndexedAccessors):
    (JSC::JSObject::convertUndecidedToInt32):
    (JSC::JSObject::convertUndecidedToDouble):
    (JSC::JSObject::convertUndecidedToContiguous):
    (JSC::JSObject::convertInt32ToDouble):
    (JSC::JSObject::convertInt32ToContiguous):
    (JSC::JSObject::genericConvertDoubleToContiguous):
    (JSC::JSObject::switchToSlowPutArrayStorage):
    (JSC::JSObject::setPrototype):
    (JSC::JSObject::putDirectAccessor):
    (JSC::JSObject::seal):
    (JSC::JSObject::freeze):
    (JSC::JSObject::preventExtensions):
    (JSC::JSObject::reifyStaticFunctionsForDelete):
    (JSC::JSObject::removeDirect):
  * runtime/JSObject.h:
    (JSC::JSObject::setButterfly):
    (JSC::JSObject::putDirectInternal):
    (JSC::JSObject::setStructure):
    (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
  * runtime/Structure.cpp:
    (JSC::Structure::flattenDictionaryStructure):

  Change-Id: Idfd8c22555f4373c1104316ff1ee28f5f84ef083
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154366 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it
  Author: Mark Hahnenberg   Date: 2014-03-07   Files: 1   Lines: -2/+2

  https://bugs.webkit.org/show_bug.cgi?id=120278

  Reviewed by Geoffrey Garen.

  Source/JavaScriptCore:

  * runtime/JSObject.cpp:
    (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

  Change-Id: I034d6950683304d08a4e076d58fb1b999ade444b
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154633 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Setting a large numeric property on an object causes it to allocate a huge backing store
  Author: Mark Hahnenberg   Date: 2014-03-07   Files: 2   Lines: -5/+16

  https://bugs.webkit.org/show_bug.cgi?id=118914

  Reviewed by Geoffrey Garen.

  Source/JavaScriptCore:

  There are two distinct actions that we're trying to optimize for:

    new Array(100000);

  and:

    a = [];
    a[100000] = 42;

  In the first case, the programmer has indicated that they expect this Array to
  be very big, so they should get a contiguous array up until some threshold,
  above which we perform density calculations to see if it is indeed dense enough
  to warrant being contiguous.

  In the second case, the programmer hasn't indicated anything about the size of
  the Array, so we should be more conservative and assume it should be sparse
  until we've proven otherwise.

  Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should
  distinguish between them for the purposes of not over-allocating large backing
  stores like we see on http://www.peekanalytics.com/burgerjoints/

  The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first
  case, and introduce a new heuristic for the second case. If we are putting to
  an index above a certain threshold (say, 1000) and it is beyond the length of
  the array, then we will use a sparse map instead. So for example, in the second
  case above the empty array has a blank indexing type and a length of 0. We
  put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.

  This fix is ~800x speedup on the accompanying regression test :-o

  * runtime/ArrayConventions.h:
    (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
  * runtime/JSObject.cpp:
    (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
    (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
    (JSC::JSObject::putByIndexBeyondVectorLength):
    (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153374 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Change-Id: I1c29992d6e09c9d523a8093e76e3848a9581ce45
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Fix undefined reference linker errors with MinGW
  Author: Kai Koehne   Date: 2013-10-16   Files: 4   Lines: -0/+5

  Make sure the inline methods are defined wherever referenced. This fixes
  'undefined reference' errors when linking with MinGW-builds 4.8.2 32 bit posix
  dwarf rev2.

  Task-number: QTBUG-34083
  Change-Id: Iadc7300634780741be9d97bc889290cd113181e1
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Fix linux-clang with clang 3.4
  Author: Allan Sandfeld Jensen   Date: 2013-10-04   Files: 1   Lines: -0/+3

  Cherry-picked upstream r153965 to fix linux build with clang 3.4

  Change-Id: Ib3eeb5c424c4f0ef00c228ad02b61ef87dd9b3b6
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Fix build with MinGW
  Author: Allan Sandfeld Jensen   Date: 2013-09-20   Files: 1   Lines: -2/+2

  Fix wrong export/import flags in inlined methods.
  Use normal GCC inline asm instead of _ReadWriteBarrier.

  Change-Id: Iba6b923be383777f2807d84349044dbe5a22eb57
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* Import Qt5x2 branch of QtWebkit for Qt 5.2
  Author: Allan Sandfeld Jensen   Date: 2013-09-19   Files: 219   Lines: -6420/+8101

  Importing a new snapshot of webkit.

  Change-Id: I2d01ad12cdc8af8cb015387641120a9d7ea5f10c
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
* JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly (2/2)
  Author: Mark Hahnenberg   Date: 2013-07-01   Files: 2   Lines: -2/+17

  https://bugs.webkit.org/show_bug.cgi?id=114235

  Reviewed by Filip Pizlo.

  If the object doesn't have any properties but the prototype does, we'll assume
  those prototype properties are accessible in the base object's backing store,
  which is bad.

  Source/JavaScriptCore:

  * runtime/JSObject.cpp:
    (JSC::JSObject::getPropertyNames):
    (JSC::JSObject::getOwnNonIndexPropertyNames):
  * runtime/PropertyNameArray.h:
    (JSC::PropertyNameArray::PropertyNameArray):
    (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
    (JSC::PropertyNameArray::setBaseObject):
    (PropertyNameArray):

  Change-Id: If61b609438fa1d62364bac556af635413198d8ad
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148142 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly
  Author: Mark Hahnenberg   Date: 2013-07-01   Files: 1   Lines: -3/+5

  https://bugs.webkit.org/show_bug.cgi?id=114235

  Reviewed by Geoffrey Garen.

  Due to the way that numCacheableSlots is currently calculated, checking an
  object's prototype for enumerable properties causes us not to cache any
  properties at all. We should only cache properties on the object itself since
  we currently don't take advantage of any sort of name caching for properties in
  the prototype chain. This fix undoes a ~2% SunSpider regression caused by
  http://trac.webkit.org/changeset/147570.

  * runtime/JSObject.cpp:
    (JSC::JSObject::getOwnNonIndexPropertyNames):

  Change-Id: I5853ab567cd0a8cd20aeac1372ec64fc4f25df1a
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148036 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* get_by_pname can become confused when iterating over objects with static properties
  Author: Mark Hahnenberg   Date: 2013-07-01   Files: 3   Lines: -1/+10

  https://bugs.webkit.org/show_bug.cgi?id=113831

  Reviewed by Geoffrey Garen.

  get_by_pname doesn't take static properties into account when using a
  JSPropertyNameIterator to directly access an object's backing store. One way to
  fix this is to not cache any properties when iterating over objects with static
  properties. This patch fixes the bug that was originally reported on
  swisscom.ch.

  Source/JavaScriptCore:

  * runtime/JSObject.cpp:
    (JSC::JSObject::getOwnNonIndexPropertyNames):
  * runtime/JSPropertyNameIterator.cpp:
    (JSC::JSPropertyNameIterator::create):
  * runtime/PropertyNameArray.h:
    (JSC::PropertyNameArray::PropertyNameArray):
    (JSC::PropertyNameArray::numCacheableSlots):
    (JSC::PropertyNameArray::setNumCacheableSlots):
    (PropertyNameArray):

  Change-Id: I7ae9c48eea3c5300c4825a10a660b0e2210c8862
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147570 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* MIPS DFG implementation.
  Author: Balazs Kilvady   Date: 2013-05-23   Files: 1   Lines: -1/+5

  https://bugs.webkit.org/show_bug.cgi?id=101328

  Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-02-18
  Reviewed by Oliver Hunt.

  DFG implementation for MIPS.

  Source/JavaScriptCore:

  * assembler/MIPSAssembler.h:
    (JSC::MIPSAssembler::MIPSAssembler):
    (JSC::MIPSAssembler::sllv):
    (JSC::MIPSAssembler::movd):
    (MIPSAssembler):
    (JSC::MIPSAssembler::negd):
    (JSC::MIPSAssembler::labelForWatchpoint):
    (JSC::MIPSAssembler::label):
    (JSC::MIPSAssembler::vmov):
    (JSC::MIPSAssembler::linkDirectJump):
    (JSC::MIPSAssembler::maxJumpReplacementSize):
    (JSC::MIPSAssembler::revertJumpToMove):
    (JSC::MIPSAssembler::replaceWithJump):
  * assembler/MacroAssembler.h:
    (MacroAssembler):
    (JSC::MacroAssembler::poke):
  * assembler/MacroAssemblerMIPS.h:
    (JSC::MacroAssemblerMIPS::add32):
    (MacroAssemblerMIPS):
    (JSC::MacroAssemblerMIPS::and32):
    (JSC::MacroAssemblerMIPS::lshift32):
    (JSC::MacroAssemblerMIPS::mul32):
    (JSC::MacroAssemblerMIPS::or32):
    (JSC::MacroAssemblerMIPS::rshift32):
    (JSC::MacroAssemblerMIPS::urshift32):
    (JSC::MacroAssemblerMIPS::sub32):
    (JSC::MacroAssemblerMIPS::xor32):
    (JSC::MacroAssemblerMIPS::store32):
    (JSC::MacroAssemblerMIPS::jump):
    (JSC::MacroAssemblerMIPS::branchAdd32):
    (JSC::MacroAssemblerMIPS::branchMul32):
    (JSC::MacroAssemblerMIPS::branchSub32):
    (JSC::MacroAssemblerMIPS::branchNeg32):
    (JSC::MacroAssemblerMIPS::call):
    (JSC::MacroAssemblerMIPS::loadDouble):
    (JSC::MacroAssemblerMIPS::moveDouble):
    (JSC::MacroAssemblerMIPS::swapDouble):
    (JSC::MacroAssemblerMIPS::subDouble):
    (JSC::MacroAssemblerMIPS::mulDouble):
    (JSC::MacroAssemblerMIPS::divDouble):
    (JSC::MacroAssemblerMIPS::negateDouble):
    (JSC::MacroAssemblerMIPS::branchEqual):
    (JSC::MacroAssemblerMIPS::branchNotEqual):
    (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
    (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
    (JSC::MacroAssemblerMIPS::truncateDoubleToInt32):
    (JSC::MacroAssemblerMIPS::truncateDoubleToUint32):
    (JSC::MacroAssemblerMIPS::branchDoubleNonZero):
    (JSC::MacroAssemblerMIPS::branchDoubleZeroOrNaN):
    (JSC::MacroAssemblerMIPS::invert):
    (JSC::MacroAssemblerMIPS::replaceWithJump):
    (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
  * dfg/DFGAssemblyHelpers.h:
    (AssemblyHelpers):
    (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
    (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
    (JSC::DFG::AssemblyHelpers::debugCall):
  * dfg/DFGCCallHelpers.h:
    (CCallHelpers):
    (JSC::DFG::CCallHelpers::setupArguments):
    (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
  * dfg/DFGFPRInfo.h:
    (DFG):
    (FPRInfo):
    (JSC::DFG::FPRInfo::toRegister):
    (JSC::DFG::FPRInfo::toIndex):
    (JSC::DFG::FPRInfo::debugName):
  * dfg/DFGGPRInfo.h:
    (DFG):
    (GPRInfo):
    (JSC::DFG::GPRInfo::toRegister):
    (JSC::DFG::GPRInfo::toIndex):
    (JSC::DFG::GPRInfo::debugName):
  * dfg/DFGSpeculativeJIT.h:
    (SpeculativeJIT):
  * jit/JSInterfaceJIT.h:
    (JSInterfaceJIT):
  * runtime/JSGlobalData.h:
    (JSC::ScratchBuffer::allocationSize):
    (ScratchBuffer):

  Source/WTF:

  * wtf/Platform.h:

  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143247 268f45cc-cd09-0410-ab3c-d52691b4dbfc

  Conflicts:
    Source/JavaScriptCore/ChangeLog
    Source/JavaScriptCore/assembler/MacroAssemblerMIPS.h
    Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h
    Source/WTF/ChangeLog

  Change-Id: Ibc6c2a2b1d5c70d351ede37c6c111b66b4cf7fef
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Add more assertions to the property storage use in arrays
  Author: Oliver Hunt   Date: 2013-04-16   Files: 2   Lines: -5/+20

  https://bugs.webkit.org/show_bug.cgi?id=107728

  Reviewed by Filip Pizlo.

  Add a bunch of assertions to array and object butterfly usage. This should make
  debugging somewhat easier. I also converted a couple of assertions to release
  asserts as they were so low cost it seemed a sensible thing to do.

  * runtime/JSArray.cpp:
    (JSC::JSArray::sortVector):
    (JSC::JSArray::compactForSorting):
  * runtime/JSObject.h:
    (JSC::JSObject::getHolyIndexQuickly):

  Change-Id: Ie6164b837e7671b87c003de3e29fd33ef05f4362
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141029 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Fix the build with GCC 4.8
  Author: Andras Becsi   Date: 2013-04-05   Files: 1   Lines: -2/+2

  https://bugs.webkit.org/show_bug.cgi?id=113147

  Reviewed by Allan Sandfeld Jensen.

  Source/JavaScriptCore:

  Initialize JSObject* exception to suppress warnings that make the build fail
  because of -Werror=maybe-uninitialized.

  * runtime/Executable.cpp:
    (JSC::FunctionExecutable::compileForCallInternal):
    (JSC::FunctionExecutable::compileForConstructInternal):

  Source/WTF:

  Disable diagnostic warning -Wunused-local-typedefs for GCC 4.8 since dummy
  typedefs are commonly used in the codebase.

  * wtf/Compiler.h:

  Change-Id: I084a47068324c6b9ddd7f4274f7c5a2d10904627
  Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* r134080 causes heap problem on linux systems where PAGESIZE != 4096
  Author: Balazs Kilvady   Date: 2013-04-04   Files: 1   Lines: -1/+0

  https://bugs.webkit.org/show_bug.cgi?id=102828

  Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2013-01-18
  Reviewed by Mark Hahnenberg.

  Make MarkStackSegment::blockSize as the capacity of segments of a MarkStackArray.

  * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
  * heap/MarkStack.cpp:
    (JSC):
    (JSC::MarkStackArray::MarkStackArray):
    (JSC::MarkStackArray::expand):
    (JSC::MarkStackArray::donateSomeCellsTo):
    (JSC::MarkStackArray::stealSomeCellsFrom):
  * heap/MarkStack.h:
    (JSC::MarkStackSegment::data):
    (CapacityFromSize):
    (MarkStackArray):
  * heap/MarkStackInlines.h:
    (JSC::MarkStackArray::setTopForFullSegment):
    (JSC::MarkStackArray::append):
    (JSC::MarkStackArray::isEmpty):
    (JSC::MarkStackArray::size):
  * runtime/Options.h:
    (JSC):

  Change-Id: I4663100b6b8b054bed03c0c6eb01bb9274a1b264
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140195 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* If array allocation profiling causes a new_array to allocate double arrays, then the holes should end up being correctly initialized
  Author: Filip Pizlo   Date: 2013-04-04   Files: 1   Lines: -0/+4

  https://bugs.webkit.org/show_bug.cgi?id=106363

  Reviewed by Mark Hahnenberg.

  Source/JavaScriptCore:

  * runtime/JSArray.h:
    (JSC::JSArray::tryCreateUninitialized):

  LayoutTests:

  * fast/js/jsc-test-list:
  * fast/js/new-array-double-with-holes-expected.txt: Added.
  * fast/js/new-array-double-with-holes.html: Added.
  * fast/js/script-tests/new-array-double-with-holes.js: Added.
    (foo):

  Change-Id: Iad48b7dd0e71bcbe8557fd6f19487fcd9eeed585
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139094 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Don't assert that flags <= 0x3ff in JSTypeInfo
  Author: Filip Pizlo   Date: 2013-03-26   Files: 1   Lines: -1/+0

  https://bugs.webkit.org/show_bug.cgi?id=104988

  Reviewed by Sam Weinig.

  This assertion doesn't accomplish anything other than crashes.

  * runtime/JSTypeInfo.h:
    (JSC::TypeInfo::TypeInfo):

  Change-Id: I16848f37dd75c3de061e737097f0a09a01e31626
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137705 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Named lookups on HTML documents produce inconsistent results in JavaScriptCore bindings
  Author: Filip Pizlo   Date: 2013-03-26   Files: 2   Lines: -3/+8

  https://bugs.webkit.org/show_bug.cgi?id=104623

  Reviewed by Geoffrey Garen.

  Source/JavaScriptCore:

  Add the notion of objects that HasImpureGetOwnPropertySlot, and use that to
  inhibit prototype chain caching in some cases. This appears to be perf-neutral
  on benchmarks that we track.

  * dfg/DFGRepatch.cpp:
    (JSC::DFG::tryCacheGetByID):
    (JSC::DFG::tryBuildGetByIDProtoList):
  * jit/JITStubs.cpp:
    (JSC::JITThunks::tryCacheGetByID):
    (JSC::DEFINE_STUB_FUNCTION):
  * runtime/JSTypeInfo.h:
    (JSC):
    (JSC::TypeInfo::hasImpureGetOwnPropertySlot):
  * runtime/Operations.h:
    (JSC::normalizePrototypeChainForChainAccess):

  Source/WebCore:

  All DOM objects that have named getters or directly override
  getOwnPropertySlot are now marked as HasImpureGetOwnPropertySlot.

  Tests: fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps
         fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps

  * bindings/scripts/CodeGeneratorJS.pm:
    (GenerateHeader):

  LayoutTests:

  * fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt: Added.
  * fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Added.
  * fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt: Added.
  * fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Added.
  * fast/js/script-tests/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Added.
    (f):
  * fast/js/script-tests/prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Added.
    (f):

  Change-Id: Ie17e39f2b8139778455e28aca9428698f4dd362f
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137700 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* [Qt] Implement GCActivityCallback
  Author: Allan Sandfeld Jensen   Date: 2013-03-18   Files: 2   Lines: -5/+32

  https://bugs.webkit.org/show_bug.cgi?id=103998

  Reviewed by Simon Hausmann.

  Source/JavaScriptCore:

  Implements the activity triggered garbage collector.

  * runtime/GCActivityCallback.cpp:
    (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
    (JSC::DefaultGCActivityCallback::scheduleTimer):
    (JSC::DefaultGCActivityCallback::cancelTimer):
  * runtime/GCActivityCallback.h:
    (GCActivityCallback):
    (DefaultGCActivityCallback):

  Source/WebCore:

  Implements the activity triggered garbage collector, and disables the timer
  based fallback.

  * bindings/js/GCController.cpp:
    (WebCore::GCController::GCController):
    (WebCore::GCController::garbageCollectSoon):
  * bindings/js/GCController.h:
    (GCController):

  Change-Id: Idd8f714e71871b3cc991f8d1866cdd271a47eff4
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141114 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Restrictions on oversize CopiedBlock allocations should be relaxed
  Author: Mark Hahnenberg   Date: 2013-02-06   Files: 1   Lines: -1/+1

  https://bugs.webkit.org/show_bug.cgi?id=105339

  Reviewed by Filip Pizlo.

  Currently the DFG has a single branch in the inline allocation path for
  property/array storage where it checks to see if the number of bytes requested
  will fit in the current block. This does not match what the C++ allocation path
  does; it checks if the requested number of bytes is oversize, and then if it's
  not, it tries to fit it in the current block. The garbage collector assumes that
  ALL allocations that are greater than 16KB are in oversize blocks. Therefore,
  this mismatch can lead to crashes when the collector tries to perform some
  operation on a CopiedBlock.

  To avoid adding an extra branch to the inline allocation path in the JIT, we
  should make it so that oversize blocks are allocated on the same alignment
  boundaries so that there is a single mask to find the block header of any
  CopiedBlock (rather than two, one for normal and one for oversize blocks), and
  we should figure out if a block is oversize by some other method than just
  whatever the JSObject says it is. One way we could record this info Region of
  the block, since we allocate a one-off Region for oversize blocks.

  * heap/BlockAllocator.h:
    (JSC::Region::isCustomSize):
    (Region):
    (JSC::Region::createCustomSize):
    (JSC::Region::Region):
    (JSC::BlockAllocator::deallocateCustomSize):
  * heap/CopiedBlock.h:
    (CopiedBlock):
    (JSC::CopiedBlock::isOversize):
    (JSC):
  * heap/CopiedSpace.cpp:
    (JSC::CopiedSpace::tryAllocateOversize):
    (JSC::CopiedSpace::tryReallocate):
    (JSC::CopiedSpace::tryReallocateOversize):
  * heap/CopiedSpace.h:
    (CopiedSpace):
  * heap/CopiedSpaceInlines.h:
    (JSC::CopiedSpace::contains):
    (JSC::CopiedSpace::tryAllocate):
    (JSC):
  * heap/CopyVisitor.h:
    (CopyVisitor):
  * heap/CopyVisitorInlines.h:
    (JSC::CopyVisitor::checkIfShouldCopy):
    (JSC::CopyVisitor::didCopy):
  * heap/SlotVisitorInlines.h:
    (JSC::SlotVisitor::copyLater):
  * runtime/JSObject.cpp:
    (JSC::JSObject::copyButterfly):

  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138067 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Change-Id: Icebcfe83d82ace7c3e1db6a979306f604459c5ae
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Butterfly::growArrayRight shouldn't be called on null Butterfly objects
  Author: Mark Hahnenberg   Date: 2013-02-06   Files: 3   Lines: -3/+12

  https://bugs.webkit.org/show_bug.cgi?id=105221

  Reviewed by Filip Pizlo.

  Currently we depend upon the fact that Butterfly::growArrayRight works with null
  Butterfly objects purely by coincidence. We should add a new static function
  that null checks the old Butterfly object and creates a new one if it's null, or
  calls growArrayRight if it isn't for use in the couple of places in JSObject
  that expect such behavior to work.

  * runtime/Butterfly.h:
    (Butterfly):
  * runtime/ButterflyInlines.h:
    (JSC::Butterfly::createOrGrowArrayRight):
    (JSC):
  * runtime/JSObject.cpp:
    (JSC::JSObject::createInitialIndexedStorage):
    (JSC::JSObject::createArrayStorage):

  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137961 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Change-Id: I643bc988f3e25b6f05be4e99f19fd2dc609152e4
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* [MinGW-w64] Centralize workaround for pow() implementation
  Author: hausmann@webkit.org   Date: 2013-01-10   Files: 1   Lines: -16/+0

  https://bugs.webkit.org/show_bug.cgi?id=105925

  Reviewed by Sam Weinig.

  As suggested by Sam, move the MinGW-w64 workaround into MathExtras.h away from
  the JSC usage.

  Source/JavaScriptCore:

  * runtime/MathObject.cpp:
    (JSC::mathPow):

  Source/WTF:

  * wtf/MathExtras.h:
    (wtf_pow):

  Change-Id: I49b2365baae6fdd9700667d1ef53c78bd70f6de3
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138705 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
* Fix undefined reference to JSC::JSCell::classInfo with MinGW-w64
  Author: Jonathan Liu   Date: 2012-12-17   Files: 2   Lines: -37/+31

  JSC::JSCell::classInfo is defined inline in JSDestructibleObject.h but not all
  the classes that inherit directly from JSCell include JSDestructibleObject.h.
  Move JSC::JSCell::classInfo from JSDestructibleObject.h into JSObject.h to
  resolve the undefined reference errors when compiling with MinGW-w64.

  JSDestructibleObject.h is already removed upstream in SVN r128851 but the commit
  has a lot of other changes which don't apply cleanly.

  Task-number: QTBUG-27764
  Change-Id: I75b13c93dd13a346e672ca76fd7b23a616653a79
  Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
  Reviewed-by: Alexey Pavlov <alexey.pawlow@gmail.com>
* Fix Math.pow implementation with MinGW-w64
  Author: Jonathan Liu   Date: 2012-12-17   Files: 1   Lines: -0/+16

  https://bugs.webkit.org/show_bug.cgi?id=105087

  Patch by Jonathan Liu <net147@gmail.com> on 2012-12-17
  Reviewed by Simon Hausmann.

  The MinGW-w64 runtime has different behaviour for pow() compared to other C
  runtimes. This results in the following test262 tests failing with the latest
  MinGW-w64 runtime:
  - S15.8.2.13_A14
  - S15.8.2.13_A16
  - S15.8.2.13_A20
  - S15.8.2.13_A22

  Handle the special cases that are different with MinGW-w64.

  * runtime/MathObject.cpp:
    (JSC::mathPow):

  Change-Id: Ifad1aa24ac36f2d452e9166a4298525793597da3
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137895 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
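The commit above and the one that follows it (centralising the workaround in MathExtras.h) both exist because ECMAScript pins down the special-value results of Math.pow while a C runtime's pow() may follow different conventions (C99 Annex F, for instance, specifies pow(1, y) == 1 for every y, whereas ECMAScript requires NaN for an exponent of +-Infinity and a base of magnitude 1). The example below is added here and is not code from either commit: it applies the ECMAScript special cases in script before deferring to an underlying pow, and checks a candidate pow against a constructed table of spec-required results. The c99LikePow stand-in is constructed to illustrate one C-versus-ECMAScript difference and does not reproduce MinGW-w64's actual behaviour; the test262 IDs listed in the commit are not mapped to individual rows here.

```javascript
// Added example: ECMAScript special cases for Math.pow, applied before
// handing the general case to whatever pow() the platform provides.

function isOddInteger(y) {
  return Number.isInteger(y) && Math.abs(y % 2) === 1;
}

// Wrap a raw pow so that every ECMAScript special case is decided here,
// leaving only the finite, non-special inputs to the platform function.
function specPow(x, y, rawPow = Math.pow) {
  if (Number.isNaN(y)) return NaN;
  if (y === 0) return 1;                      // +0 and -0 alike, even for x = NaN
  if (Number.isNaN(x)) return NaN;
  const ax = Math.abs(x);
  if (y === Infinity) {
    if (ax > 1) return Infinity;
    if (ax === 1) return NaN;                 // C99 pow(1, inf) would give 1
    return 0;
  }
  if (y === -Infinity) {
    if (ax > 1) return 0;
    if (ax === 1) return NaN;
    return Infinity;
  }
  if (x === Infinity) return y > 0 ? Infinity : 0;
  if (x === -Infinity) {
    if (y > 0) return isOddInteger(y) ? -Infinity : Infinity;
    return isOddInteger(y) ? -0 : 0;
  }
  if (x === 0) {                              // matches both +0 and -0
    const negZero = Object.is(x, -0);
    if (y > 0) return negZero && isOddInteger(y) ? -0 : 0;
    return negZero && isOddInteger(y) ? -Infinity : Infinity;
  }
  if (x < 0 && !Number.isInteger(y)) return NaN;
  return rawPow(x, y);
}

// Constructed table: [base, exponent, result required by ECMAScript].
const SPEC_CASES = [
  [NaN, 0, 1], [NaN, -0, 1], [2, NaN, NaN], [NaN, 1, NaN],
  [2, Infinity, Infinity], [2, -Infinity, 0],
  [1, Infinity, NaN], [-1, -Infinity, NaN],
  [0.5, Infinity, 0], [0.5, -Infinity, Infinity],
  [Infinity, 3, Infinity], [Infinity, -3, 0],
  [-Infinity, 3, -Infinity], [-Infinity, 2, Infinity],
  [-Infinity, -3, -0], [-Infinity, -2, 0],
  [0, 3, 0], [0, -3, Infinity],
  [-0, 3, -0], [-0, 2, 0], [-0, -3, -Infinity], [-0, -2, Infinity],
  [-8, 1 / 3, NaN], [2, 10, 1024], [-2, 3, -8],
];

// Rows where a candidate pow disagrees with the spec. Object.is is used
// so that -0 and +0 are told apart and NaN compares equal to NaN.
function findDeviations(powImpl) {
  return SPEC_CASES.filter(([x, y, want]) => !Object.is(powImpl(x, y), want));
}

// Constructed stand-in for a C-runtime pow that follows C99 Annex F for a
// base of exactly 1. It is not MinGW-w64's implementation.
function c99LikePow(x, y) {
  if (x === 1) return 1;
  return Math.pow(x, y);
}

const wrapped = (x, y) => specPow(x, y, c99LikePow);
console.log("deviations after wrapping:", findDeviations(wrapped).length);
console.log("deviations of the raw stand-in:",
            findDeviations(c99LikePow).map(([x, y]) => `pow(${x}, ${y})`));
```

Running findDeviations against the host's own Math.pow is the quickest way to see whether a platform needs a workaround of this kind at all; the wrapped version is expected to report no deviations on any engine, since every special case is decided before the platform function is reached.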
* Add missing forward declaration for JSC::ArrayAllocationProfile
  Author: commit-queue   Date: 2012-12-10   Files: 1   Lines: -0/+1

  https://bugs.webkit.org/show_bug.cgi?id=104425

  Patch by Jonathan Liu <net147@gmail.com> on 2012-12-07
  Reviewed by Kentaro Hara.

  The header for the JSC::ArrayConstructor class is missing a forward declaration
  for the JSC::ArrayAllocationProfile class which causes compilation to fail when
  compiling with MinGW-w64.

  * runtime/ArrayConstructor.h:
    (JSC):

  Change-Id: I33fc793e8af6be1445262fb2000157f8df1addf1
  git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137017 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
* Imported WebKit commit 6a4a1d32e1d779548c726c4826cba9d69eb87601 (http://svn.webkit.org/repository/webkit/trunk@136242)
  Author: Simon Hausmann   Date: 2012-11-30   Files: 4   Lines: -1/+94

  Final import for the Qt 5.x series that implements the QtWebKit / QtWebKitWidgets split.

  Extra fixes will be cherry-picked.

  Change-Id: I844f1ebb99c6d6b75db31d6538c2acd628e79681
  Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
* Imported WebKit commit c60cfe0fc09efd257aa0111d7b133b02deb8a63e (http://svn.webkit.org/repository/webkit/trunk@136119)
  Author: Simon Hausmann   Date: 2012-11-29   Files: 4   Lines: -417/+416

  New snapshot that includes the fix for installing the QtWebProcess into libexec

  Change-Id: I01344e079cbdac5678c4cba6ffcc05f4597cf0d7
  Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
* Imported WebKit commit e89504fa9195b2063b2530961d4b73dd08de3242 (http://svn.webkit.org/repository/webkit/trunk@135485)
  Author: Simon Hausmann   Date: 2012-11-22   Files: 50   Lines: -826/+2204

  Change-Id: I03774e5ac79721c13ffa30d152537a74d0b12e66
  Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
* Imported WebKit commit e2c32e2f53e02d388e70b9db88b91d8d9d28fc84 (http://svn.webkit.org/repository/webkit/trunk@133952)
  Author: Simon Hausmann   Date: 2012-11-09   Files: 33   Lines: -1797/+550

  Revert back to an older snapshot that should build on ARM
* Imported WebKit commit 7bcdfab9a40db7d16b4b95bb77d78b8a59c9e701 (http://svn.webkit.org/repository/webkit/trunk@134025)
  Author: Simon Hausmann   Date: 2012-11-09   Files: 34   Lines: -690/+1937

  New snapshot with numerous build fixes, including MSVC 2012 and ARM Thumb-2.
* Imported WebKit commit 20271caf2e2c016d5cef40184cddeefeac4f1876 (http://svn.webkit.org/repository/webkit/trunk@133733)
  Author: Simon Hausmann   Date: 2012-11-07   Files: 38   Lines: -1427/+1889

  New snapshot that contains all previous fixes as well as build fix for latest QtMultimedia API changes.
* Imported WebKit commit 20434eb8eb95065803473139d8794e98a7672f75 (http://svn.webkit.org/repository/webkit/trunk@132191)
  Author: Simon Hausmann   Date: 2012-10-23   Files: 4   Lines: -23/+17

  New snapshot that should fix build with latest qtbase and the QPlastiqueStyle removal
* Imported WebKit commit 302e7806bff028bd1167a1ec7c86a1ee00ecfb49 (http://svn.webkit.org/repository/webkit/trunk@132067)
  Author: Simon Hausmann   Date: 2012-10-22   Files: 10   Lines: -172/+532

  New snapshot that fixes build without QtWidgets
* Imported WebKit commit 795dcd25a9649fccaf1c9b685f6e2ffedaf7e620 (http://svn.webkit.org/repository/webkit/trunk@131718)
  Author: Simon Hausmann   Date: 2012-10-18   Files: 5   Lines: -15/+35

  New snapshot that includes the return of -fkeep-memory at link time to reduce memory pressure as well as modularized documentation
* Imported WebKit commit cf4f8fc6f19b0629f51860cb2d4b25e139d07e00 (http://svn.webkit.org/repository/webkit/trunk@131592)
  Author: Simon Hausmann   Date: 2012-10-17   Files: 96   Lines: -1001/+2051

  New snapshot that includes the build fixes for Mac OS X 10.6 and earlier as well as the previously cherry-picked changes