From 0d0b7ae573962c7777116e32644f3a66cff7c92b Mon Sep 17 00:00:00 2001 From: Michael Saboff Date: Wed, 27 Mar 2013 10:19:03 +0100 Subject: Crash at JSC::call when loading www.gap.com with JSVALUE32_64 Enabled https://bugs.webkit.org/show_bug.cgi?id=108991 Reviewed by Oliver Hunt. Changed the restoration from calleeGPR to nonArgGPR0 because the restoration of the return location may step on calleeGPR is it happen to be nonArgGPR2. * dfg/DFGRepatch.cpp: (JSC::DFG::dfgLinkClosureCall): Change-Id: I2d27a111ae1edbfea9335f3a06c5cc53e065a673 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141951 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/dfg/DFGRepatch.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/dfg/DFGRepatch.cpp b/Source/JavaScriptCore/dfg/DFGRepatch.cpp index 07a509061..13653a647 100644 --- a/Source/JavaScriptCore/dfg/DFGRepatch.cpp +++ b/Source/JavaScriptCore/dfg/DFGRepatch.cpp @@ -1214,12 +1214,12 @@ void dfgLinkClosureCall(ExecState* exec, CallLinkInfo& callLinkInfo, CodeBlock* JITCompiler::Jump done = stubJit.jump(); slowPath.link(&stubJit); - stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation.executableAddress()), GPRInfo::nonArgGPR2); - stubJit.restoreReturnAddressBeforeReturn(GPRInfo::nonArgGPR2); stubJit.move(calleeGPR, GPRInfo::nonArgGPR0); #if USE(JSVALUE32_64) stubJit.move(CCallHelpers::TrustedImm32(JSValue::CellTag), GPRInfo::nonArgGPR1); #endif + stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation.executableAddress()), GPRInfo::nonArgGPR2); + stubJit.restoreReturnAddressBeforeReturn(GPRInfo::nonArgGPR2); JITCompiler::Jump slow = stubJit.jump(); LinkBuffer patchBuffer(*globalData, &stubJit, callerCodeBlock); -- cgit v1.2.1 From e0892c4f8d16204aa21b9915b457ab23ae1df37c Mon Sep 17 00:00:00 2001 
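Review bot: The statement order in the slow path of dfgLinkClosureCall is now load-bearing, but nothing at the site says so. `calleeGPR` has to be copied into `nonArgGPR0` before `nonArgGPR2` is overwritten with the return location, because the two can be the same register. A later tidy-up that moves the return-address lines back up would reintroduce a stub that enters the slow path with a clobbered callee. I would add `// calleeGPR may alias nonArgGPR2: copy it out before loading the return address.` above `stubJit.move(calleeGPR, GPRInfo::nonArgGPR0);`. The function body starts and ends outside the hunk.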
From: Michael Saboff Date: Thu, 4 Apr 2013 12:15:35 +0200 Subject: DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1 https://bugs.webkit.org/show_bug.cgi?id=106978 Reviewed by Filip Pizlo. Source/JavaScriptCore: Changed the numerator equal to -2^31 check to just return if we expect an integer result, since the check is after we have determined that the denominator is -1. The int result of -2^31 / -1 is -2^31, so just return the numerator as the result. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86): LayoutTests: Added a new DFG check for -2^31 / -1 when we expect and integer result. * fast/js/integer-division-neg2tothe32-by-neg1-expected.txt: * fast/js/script-tests/integer-division-neg2tothe32-by-neg1.js: (myDivExpectingInt): Change-Id: Ifd8dd24e75e60520a140c09948dd3ab49aaa3fa8 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139835 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp index d7f7b2fab..96a994059 100644 --- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp +++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 
@@ -3097,11 +3097,11 @@ void SpeculativeJIT::compileIntegerArithDivForX86(Node& node) speculationCheck(Overflow, JSValueRegs(), NoNode, m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1))); } else { JITCompiler::Jump zero = m_jit.branchTest32(JITCompiler::Zero, op2GPR); - JITCompiler::Jump notNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1)); + JITCompiler::Jump isNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1)); zero.link(&m_jit); m_jit.move(TrustedImm32(0), eax.gpr()); + isNeg2ToThe31.link(&m_jit); done = m_jit.jump(); - notNeg2ToThe31.link(&m_jit); } safeDenominator.link(&m_jit); -- cgit v1.2.1 From 2c526bdf6b7096aea3e7aa62d1c0233cb5e619b3 Mon Sep 17 00:00:00 2001 From: Filip Pizlo Date: Thu, 4 Apr 2013 12:17:12 +0200 Subject: Dont use a node reference after appending to the graph. https://bugs.webkit.org/show_bug.cgi?id=103305 Reviewed by Mark Hahnenberg. * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run): Change-Id: I48ebd652e936ca5781fd6d1bab2df012b2027c34 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139264 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- .../dfg/DFGArgumentsSimplificationPhase.cpp | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp index b02e0112c..35c553cf8 100644 --- a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp +++ b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp 
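Review bot: In the `else` arm of compileIntegerArithDivForX86, the fall-through after the `isNeg2ToThe31` branch still lands on `zero.link(&m_jit)`, so a denominator of -1 with any numerator other than -2^31 appears to yield 0 instead of the negated numerator. That reading assumes the arm is reached only when the denominator is 0 or -1, which the guard outside the hunk would have to establish. Separately, nothing visible moves `op1GPR` into `eax` before `isNeg2ToThe31.link(&m_jit)`, so the -2^31 path returns whatever `eax` holds there; unless that is guaranteed to be the numerator, the path needs `m_jit.move(op1GPR, eax.gpr());`. The new layout test should also cover an ordinary `x / -1` in the used-as-int case. The function body starts and ends outside the hunk.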
@@ -621,26 +621,27 @@ public: continue; for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) { NodeIndex nodeIndex = block->at(indexInBlock); - Node& node = m_graph[nodeIndex]; - if (node.op() != CreateArguments) + Node* nodePtr = &m_graph[nodeIndex]; + if (nodePtr->op() != CreateArguments) continue; // If this is a CreateArguments for an InlineCallFrame* that does // not create arguments, then replace it with a PhantomArguments. // PhantomArguments is a non-executing node that just indicates // that the node should be reified as an arguments object on OSR // exit. - if (m_createsArguments.contains(node.codeOrigin.inlineCallFrame)) + if (m_createsArguments.contains(nodePtr->codeOrigin.inlineCallFrame)) continue; - if (node.shouldGenerate()) { - Node phantom(Phantom, node.codeOrigin); - phantom.children = node.children; + if (nodePtr->shouldGenerate()) { + Node phantom(Phantom, nodePtr->codeOrigin); + phantom.children = nodePtr->children; phantom.ref(); NodeIndex phantomNodeIndex = m_graph.size(); m_graph.append(phantom); insertionSet.append(indexInBlock, phantomNodeIndex); + nodePtr = &m_graph[nodeIndex]; } - node.setOpAndDefaultFlags(PhantomArguments); - node.children.reset(); + nodePtr->setOpAndDefaultFlags(PhantomArguments); + nodePtr->children.reset(); changed = true; } insertionSet.execute(*block); -- cgit v1.2.1 From 23bde0cf8565bb36b9df638de874ad04607e84d3 Mon Sep 17 00:00:00 2001 
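Review bot: `nodePtr` is still a raw pointer into `m_graph` that stays valid only until the next append, and the one line that keeps it valid, `nodePtr = &m_graph[nodeIndex];`, has no comment explaining why it is there. Without one it looks like a redundant reassignment and is an easy target for removal. I would add `// m_graph.append() may reallocate the node storage; re-fetch before touching the node again.` directly above it. Indexing `m_graph[nodeIndex]` at each use would remove the cached pointer altogether, at the cost of a few repeated lookups. The enclosing run() starts and ends outside the hunk.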
From: Filip Pizlo Date: Thu, 4 Apr 2013 12:19:52 +0200 Subject: If array allocation profiling causes a new_array to allocate double arrays, then the holes should end up being correctly initialized https://bugs.webkit.org/show_bug.cgi?id=106363 Reviewed by Mark Hahnenberg. Source/JavaScriptCore: * runtime/JSArray.h: (JSC::JSArray::tryCreateUninitialized): LayoutTests: * fast/js/jsc-test-list: * fast/js/new-array-double-with-holes-expected.txt: Added. * fast/js/new-array-double-with-holes.html: Added. * fast/js/script-tests/new-array-double-with-holes.js: Added. (foo): Change-Id: Iad48b7dd0e71bcbe8557fd6f19487fcd9eeed585 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139094 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/runtime/JSArray.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/runtime/JSArray.h b/Source/JavaScriptCore/runtime/JSArray.h index ea1ed9047..cef3b53ad 100644 --- a/Source/JavaScriptCore/runtime/JSArray.h +++ b/Source/JavaScriptCore/runtime/JSArray.h @@ -245,6 +245,10 @@ inline JSArray* JSArray::tryCreateUninitialized(JSGlobalData& globalData, Struct butterfly = Butterfly::fromBase(temp, 0, 0); butterfly->setVectorLength(vectorLength); butterfly->setPublicLength(initialLength); + if (hasDouble(structure->indexingType())) { + for (unsigned i = initialLength; i < vectorLength; ++i) + butterfly->contiguousDouble()[i] = QNaN; + } } else { void* temp; if (!globalData.heap.tryAllocateStorage(Butterfly::totalSize(0, 0, true, ArrayStorage::sizeFor(vectorLength)), &temp)) -- cgit v1.2.1 From b5924dc9e872e73489c30efec775bcfe78a345e5 Mon Sep 17 00:00:00 2001 
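Review bot: The QNaN fill added to tryCreateUninitialized has no comment saying why only double-shaped storage needs it. I would put `// Double arrays encode holes as NaN, so the unused tail [initialLength, vectorLength) must be filled explicitly.` above the `if (hasDouble(...))`. Slots below `initialLength` stay uninitialized by this function's contract. Whether the non-double shapes get a cleared tail from the allocator is not visible here and is worth confirming, since stale bits in that range would be interpreted as values. The function starts and ends outside the hunk.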
From: Tobias Netzel Date: Thu, 4 Apr 2013 13:59:03 +0200 Subject: Yarr JIT isn't big endian compatible https://bugs.webkit.org/show_bug.cgi?id=102897 Patch by Tobias Netzel on 2013-01-22 Reviewed by Oliver Hunt. This patch was tested in the current mozilla codebase only and has passed the regexp tests there. * yarr/YarrJIT.cpp: (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce): Change-Id: I1eb463aa79a7976a87d1f36a6c0123b058c3ec87 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140438 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/yarr/YarrJIT.cpp | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/yarr/YarrJIT.cpp b/Source/JavaScriptCore/yarr/YarrJIT.cpp index d5b215413..1aef49bdf 100644 --- a/Source/JavaScriptCore/yarr/YarrJIT.cpp +++ b/Source/JavaScriptCore/yarr/YarrJIT.cpp @@ -756,7 +756,11 @@ class YarrGenerator : private MacroAssembler { const RegisterID character = regT0; int maxCharactersAtOnce = m_charSize == Char8 ? 4 : 2; unsigned ignoreCaseMask = 0; +#if CPU(BIG_ENDIAN) + int allCharacters = ch << (m_charSize == Char8 ? 24 : 16); +#else int allCharacters = ch; +#endif int numberCharacters; int startTermPosition = term->inputPosition; @@ -765,7 +769,11 @@ class YarrGenerator : private MacroAssembler { ASSERT(!m_pattern.m_ignoreCase || isASCIIAlpha(ch) || isCanonicallyUnique(ch)); if (m_pattern.m_ignoreCase && isASCIIAlpha(ch)) +#if CPU(BIG_ENDIAN) + ignoreCaseMask |= 32 << (m_charSize == Char8 ? 24 : 16); +#else ignoreCaseMask |= 32; +#endif for (numberCharacters = 1; numberCharacters < maxCharactersAtOnce && nextOp->m_op == OpTerm; ++numberCharacters, nextOp = &m_ops[opIndex + numberCharacters]) { PatternTerm* nextTerm = nextOp->m_term; 
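Review bot: The byte-order shift `(m_charSize == Char8 ? 24 : 16)` is written out separately in the `allCharacters` and `ignoreCaseMask` initialisers here and again in the `shiftAmount` computation of the following hunk (@@ -778), so three copies have to be kept in agreement by hand. Hoisting it once, e.g. `const int topCharacterShift = m_charSize == Char8 ? 24 : 16;`, would make the big-endian path easier to audit. `ch << 24` into an `int` also shifts into the sign bit for Char8 pattern characters at or above 0x80, so an unsigned type for `allCharacters` would be safer if the surrounding code allows it. The `#if`/`#else` pair sitting directly under the unbraced `if (m_pattern.m_ignoreCase && isASCIIAlpha(ch))` deserves braces so the controlled statement stays obvious. The function body starts and ends outside these hunks.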
@@ -778,7 +786,11 @@ class YarrGenerator : private MacroAssembler { nextOp->m_isDeadCode = true; +#if CPU(BIG_ENDIAN) + int shiftAmount = (m_charSize == Char8 ? 24 : 16) - ((m_charSize == Char8 ? 8 : 16) * numberCharacters); +#else int shiftAmount = (m_charSize == Char8 ? 8 : 16) * numberCharacters; +#endif UChar currentCharacter = nextTerm->patternCharacter; -- cgit v1.2.1 From 6ab46a19bac261f42b664c62f8c2477b294b86ea Mon Sep 17 00:00:00 2001 From: Balazs Kilvady Date: Thu, 4 Apr 2013 13:51:09 +0200 Subject: r134080 causes heap problem on linux systems where PAGESIZE != 4096 https://bugs.webkit.org/show_bug.cgi?id=102828 Patch by Balazs Kilvady on 2013-01-18 Reviewed by Mark Hahnenberg. Make MarkStackSegment::blockSize as the capacity of segments of a MarkStackArray. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: * heap/MarkStack.cpp: (JSC): (JSC::MarkStackArray::MarkStackArray): (JSC::MarkStackArray::expand): (JSC::MarkStackArray::donateSomeCellsTo): (JSC::MarkStackArray::stealSomeCellsFrom): * heap/MarkStack.h: (JSC::MarkStackSegment::data): (CapacityFromSize): (MarkStackArray): * heap/MarkStackInlines.h: (JSC::MarkStackArray::setTopForFullSegment): (JSC::MarkStackArray::append): (JSC::MarkStackArray::isEmpty): (JSC::MarkStackArray::size): * runtime/Options.h: (JSC): Change-Id: I4663100b6b8b054bed03c0c6eb01bb9274a1b264 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140195 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/heap/MarkStack.cpp | 12 ++++-------- Source/JavaScriptCore/heap/MarkStack.h | 16 +++++----------- Source/JavaScriptCore/heap/MarkStackInlines.h | 10 +++++----- Source/JavaScriptCore/runtime/Options.h | 1 - 4 files changed, 14 insertions(+), 25 deletions(-) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/heap/MarkStack.cpp b/Source/JavaScriptCore/heap/MarkStack.cpp index 755a0ad50..39907c715 100644 --- a/Source/JavaScriptCore/heap/MarkStack.cpp 
+++ b/Source/JavaScriptCore/heap/MarkStack.cpp @@ -31,7 +31,6 @@ #include "CopiedSpace.h" #include "CopiedSpaceInlines.h" #include "Heap.h" -#include "Options.h" #include "JSArray.h" #include "JSCell.h" #include "JSObject.h" @@ -45,13 +44,13 @@ namespace JSC { +COMPILE_ASSERT(MarkStackSegment::blockSize == WeakBlock::blockSize, blockSizeMatch); + MarkStackArray::MarkStackArray(BlockAllocator& blockAllocator) : m_blockAllocator(blockAllocator) - , m_segmentCapacity(MarkStackSegment::capacityFromSize(Options::gcMarkStackSegmentSize())) , m_top(0) , m_numberOfSegments(0) { - ASSERT(MarkStackSegment::blockSize == WeakBlock::blockSize); m_segments.push(MarkStackSegment::create(m_blockAllocator.allocate())); m_numberOfSegments++; } @@ -64,7 +63,7 @@ MarkStackArray::~MarkStackArray() void MarkStackArray::expand() { - ASSERT(m_segments.head()->m_top == m_segmentCapacity); + ASSERT(m_segments.head()->m_top == s_segmentCapacity); MarkStackSegment* nextSegment = MarkStackSegment::create(m_blockAllocator.allocate()); m_numberOfSegments++; @@ -97,8 +96,6 @@ void MarkStackArray::donateSomeCellsTo(MarkStackArray& other) // we prefer donating whole segments over donating individual cells, // even if this skews away from our 1 / 2 target. - ASSERT(m_segmentCapacity == other.m_segmentCapacity); - size_t segmentsToDonate = m_numberOfSegments / 2; // If we only have one segment (our head) we don't donate any segments. if (!segmentsToDonate) { @@ -141,7 +138,6 @@ void MarkStackArray::stealSomeCellsFrom(MarkStackArray& other, size_t idleThread // To reduce copying costs, we prefer stealing a whole segment over stealing // individual cells, even if this skews away from our 1 / N target. - ASSERT(m_segmentCapacity == other.m_segmentCapacity); validatePrevious(); other.validatePrevious(); 
@@ -151,7 +147,7 @@ void MarkStackArray::stealSomeCellsFrom(MarkStackArray& other, size_t idleThread MarkStackSegment* otherHead = other.m_segments.removeHead(); MarkStackSegment* myHead = m_segments.removeHead(); - ASSERT(other.m_segments.head()->m_top == m_segmentCapacity); + ASSERT(other.m_segments.head()->m_top == s_segmentCapacity); m_segments.push(other.m_segments.removeHead()); diff --git a/Source/JavaScriptCore/heap/MarkStack.h b/Source/JavaScriptCore/heap/MarkStack.h index 2a7f04450..c97b6a735 100644 --- a/Source/JavaScriptCore/heap/MarkStack.h +++ b/Source/JavaScriptCore/heap/MarkStack.h @@ -75,16 +75,6 @@ public: { return bitwise_cast(this + 1); } - - static size_t capacityFromSize(size_t size) - { - return (size - sizeof(MarkStackSegment)) / sizeof(const JSCell*); - } - - static size_t sizeFromCapacity(size_t capacity) - { - return sizeof(MarkStackSegment) + capacity * sizeof(const JSCell*); - } static const size_t blockSize = 4 * KB; @@ -111,6 +101,10 @@ public: bool isEmpty(); private: + template struct CapacityFromSize { + static const size_t value = (size - sizeof(MarkStackSegment)) / sizeof(const JSCell*); + }; + JS_EXPORT_PRIVATE void expand(); size_t postIncTop(); @@ -124,7 +118,7 @@ private: DoublyLinkedList m_segments; BlockAllocator& m_blockAllocator; - size_t m_segmentCapacity; + JS_EXPORT_PRIVATE static const size_t s_segmentCapacity = CapacityFromSize::value; size_t m_top; size_t m_numberOfSegments; diff --git a/Source/JavaScriptCore/heap/MarkStackInlines.h b/Source/JavaScriptCore/heap/MarkStackInlines.h index 1595e843e..c577de602 100644 --- a/Source/JavaScriptCore/heap/MarkStackInlines.h +++ b/Source/JavaScriptCore/heap/MarkStackInlines.h 
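Review bot: `s_segmentCapacity` (MarkStack.h, @@ -124) is now the only bound on writes into a segment, yet neither it nor `blockSize` has a comment saying the capacity must follow the size of the block the BlockAllocator actually returns. The option removed by this commit defaulted to `pageSize()`, which is how the capacity and the 4 KB block could disagree. A comment on the constant such as `// Must be derived from the allocator's block size, never from the system page size.` would keep that from coming back. A `COMPILE_ASSERT` that `sizeof(MarkStackSegment) + s_segmentCapacity * sizeof(const JSCell*)` does not exceed `MarkStackSegment::blockSize` would state the bound directly. The template arguments of `CapacityFromSize` are not legible on this page, so the exact expression is inferred.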
@@ -52,8 +52,8 @@ inline size_t MarkStackArray::preDecTop() inline void MarkStackArray::setTopForFullSegment() { - ASSERT(m_segments.head()->m_top == m_segmentCapacity); - m_top = m_segmentCapacity; + ASSERT(m_segments.head()->m_top == s_segmentCapacity); + m_top = s_segmentCapacity; } inline void MarkStackArray::setTopForEmptySegment() @@ -82,7 +82,7 @@ inline void MarkStackArray::validatePrevious() inline void MarkStackArray::append(const JSCell* cell) { - if (m_top == m_segmentCapacity) + if (m_top == s_segmentCapacity) expand(); m_segments.head()->data()[postIncTop()] = cell; } @@ -102,7 +102,7 @@ inline bool MarkStackArray::isEmpty() if (m_top) return false; if (m_segments.head()->next()) { - ASSERT(m_segments.head()->next()->m_top == m_segmentCapacity); + ASSERT(m_segments.head()->next()->m_top == s_segmentCapacity); return false; } return true; @@ -110,7 +110,7 @@ inline bool MarkStackArray::isEmpty() inline size_t MarkStackArray::size() { - return m_top + m_segmentCapacity * (m_numberOfSegments - 1); + return m_top + s_segmentCapacity * (m_numberOfSegments - 1); } } // namespace JSC diff --git a/Source/JavaScriptCore/runtime/Options.h b/Source/JavaScriptCore/runtime/Options.h index 5ad30bde3..bf4a0cf75 100644 --- a/Source/JavaScriptCore/runtime/Options.h +++ b/Source/JavaScriptCore/runtime/Options.h @@ -117,7 +117,6 @@ namespace JSC { v(double, structureCheckVoteRatioForHoisting, 1) \ \ v(unsigned, minimumNumberOfScansBetweenRebalance, 100) \ - v(unsigned, gcMarkStackSegmentSize, pageSize()) \ v(unsigned, numberOfGCMarkers, computeNumberOfGCMarkers(7)) \ v(unsigned, opaqueRootMergeThreshold, 1000) \ v(double, minHeapUtilization, 0.8) \ -- cgit v1.2.1 From 7b17fd4f1afe569e92757e2b41fbaf01a285cc7b Mon Sep 17 00:00:00 2001 
From: Michael Saboff Date: Thu, 4 Apr 2013 13:55:51 +0200 Subject: Fix up of ArithDiv nodes for non-x86 CPUs is broken https://bugs.webkit.org/show_bug.cgi?id=107309 Reviewed by Filip Pizlo. Changed the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixDoubleEdge): Change-Id: I8e73ad242feb65c143857d3a4190e095aa5e9d06 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140201 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/dfg/DFGFixupPhase.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp index 1ba40def3..556904aca 100644 --- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp +++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp @@ -540,7 +540,7 @@ private: Node& source = m_graph[m_compileIndex]; Edge& edge = m_graph.child(source, childIndex); - if (!m_graph[edge].shouldSpeculateInteger()) { + if (m_graph[edge].prediction() & SpecDouble) { edge.setUseKind(DoubleUse); return; } -- cgit v1.2.1 From d549f4b4ab324e2d4871db8cbf83c27af4ba7866 Mon Sep 17 00:00:00 2001 
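Review bot: In fixDoubleEdge the new test `m_graph[edge].prediction() & SpecDouble` sends every edge without a double bit down the Int32ToDouble path, including edges whose prediction carries no integer bit at all. If the inserted Int32ToDouble node assumes an int32 input, that needs a guard or a stated invariant. A comment above the condition such as `// Any edge not predicted double gets an Int32ToDouble; that node must cope with non-int32 inputs.` would record the intent. The rest of the function is outside the hunk, so how the conversion node is built is not visible here.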
From: Michael Saboff Date: Thu, 4 Apr 2013 13:57:06 +0200 Subject: Harden ArithDiv of integers fix-up by inserting Int32ToDouble node directly https://bugs.webkit.org/show_bug.cgi?id=107321 Reviewed by Filip Pizlo. Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up an ArithDiv node with integer inputs and output for platforms that don't have integer division. Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node without any further checks. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixDoubleEdge): (FixupPhase): (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Change-Id: Ic79f2823a7cfb9ce52bb935536972f48508579fd git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140203 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/dfg/DFGFixupPhase.cpp | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp index 556904aca..b98d824f5 100644 --- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp +++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp @@ -317,8 +317,8 @@ private: && node.canSpeculateInteger()) { if (isX86()) break; - fixDoubleEdge(0); - fixDoubleEdge(1); + injectInt32ToDoubleNode(0); + injectInt32ToDoubleNode(1); Node& oldDivision = m_graph[m_compileIndex]; @@ -545,6 +545,14 @@ private: return; } + injectInt32ToDoubleNode(childIndex); + } + + void injectInt32ToDoubleNode(unsigned childIndex) + { + Node& source = m_graph[m_compileIndex]; + Edge& edge = m_graph.child(source, childIndex); + NodeIndex resultIndex = (NodeIndex)m_graph.size(); #if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE) -- cgit v1.2.1 From 4fa26ee918729063f9b731d801064b22ae7d8fd9 Mon Sep 17 00:00:00 2001 
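Review bot: `injectInt32ToDoubleNode` binds `Node& source` and `Edge& edge` into `m_graph` and then takes `m_graph.size()` as the index of a node it is about to add. If either reference is used after the graph grows, it may refer to storage that has been reallocated. That is the same pattern the ArgumentsSimplificationPhase commit earlier in this series removes. The remainder of the helper is outside the hunk, so this is a request to check it. The references should be taken, or re-fetched via `m_graph[m_compileIndex]`, after the append rather than before.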
From: Michael Saboff Date: Thu, 4 Apr 2013 13:58:00 +0200 Subject: Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html https://bugs.webkit.org/show_bug.cgi?id=107340 Reviewed by Filip Pizlo. Due to the change landed in r140201, more nodes might end up generating Int32ToDouble nodes. Therefore, changed the JSVALUE64 constant path of compileInt32ToDouble() to use the more restrictive isInt32Constant() check on the input. This check was the same as the existing ASSERT() so the ASSERT was eliminated. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Change-Id: I8e9f3858414e37f5b8232a58d8f6f9dada755343 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140221 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp index 96a994059..4f2889b8f 100644 --- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp +++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp @@ -2250,8 +2250,7 @@ void SpeculativeJIT::compileInt32ToDouble(Node& node) // than a int->double conversion. On 32_64, unfortunately, we currently don't have // any such mechanism - though we could have it, if we just provisioned some memory // in CodeBlock for the double form of integer constants. - if (at(node.child1()).hasConstant()) { - ASSERT(isInt32Constant(node.child1().index())); + if (isInt32Constant(node.child1().index())) { FPRTemporary result(this); GPRTemporary temp(this); m_jit.move(MacroAssembler::Imm64(reinterpretDoubleToInt64(valueOfNumberConstant(node.child1().index()))), temp.gpr()); -- cgit v1.2.1 From cbfaf355aca8ef61c9876615ddc99ed1de39ed9a Mon Sep 17 00:00:00 2001 
From: Gabor Rapcsanyi Date: Thu, 4 Apr 2013 14:25:30 +0200 Subject: JSC asserting with long parameter list functions in debug mode on ARM traditional https://bugs.webkit.org/show_bug.cgi?id=109565 Reviewed by Zoltan Herczeg. Increase the value of sequenceGetByIdSlowCaseInstructionSpace to 80. * jit/JIT.h: Change-Id: I593f09494314a36cb50f2511908f6243fd43f902 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142616 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/jit/JIT.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/jit/JIT.h b/Source/JavaScriptCore/jit/JIT.h index c0d60add1..bbbc3b1c7 100644 --- a/Source/JavaScriptCore/jit/JIT.h +++ b/Source/JavaScriptCore/jit/JIT.h @@ -555,7 +555,7 @@ namespace JSC { static const int sequenceGetByIdHotPathInstructionSpace = 36; static const int sequenceGetByIdHotPathConstantSpace = 4; // sequenceGetByIdSlowCase - static const int sequenceGetByIdSlowCaseInstructionSpace = 64; + static const int sequenceGetByIdSlowCaseInstructionSpace = 80; static const int sequenceGetByIdSlowCaseConstantSpace = 4; // sequencePutById static const int sequencePutByIdInstructionSpace = 36; -- cgit v1.2.1 From 13ed0e19388202143b5a794754de1d0826f447a0 Mon Sep 17 00:00:00 2001 From: Mark Hahnenberg Date: Thu, 4 Apr 2013 14:31:14 +0200 Subject: WeakSet::removeAllocator leaks WeakBlocks https://bugs.webkit.org/show_bug.cgi?id=110228 Reviewed by Geoffrey Garen. We need to return the WeakBlock to the BlockAllocator after the call to WeakBlock::destroy. * heap/WeakSet.cpp: (JSC::WeakSet::removeAllocator): Change-Id: Iba6cff23e3d8b7a544a825dd1e435cf986b0d35f git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143351 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/heap/WeakSet.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Source/JavaScriptCore') 
diff --git a/Source/JavaScriptCore/heap/WeakSet.cpp b/Source/JavaScriptCore/heap/WeakSet.cpp index 67b1d0613..7cedaee85 100644 --- a/Source/JavaScriptCore/heap/WeakSet.cpp +++ b/Source/JavaScriptCore/heap/WeakSet.cpp @@ -84,7 +84,7 @@ WeakBlock::FreeCell* WeakSet::addAllocator() void WeakSet::removeAllocator(WeakBlock* block) { m_blocks.remove(block); - WeakBlock::destroy(block); + heap()->blockAllocator().deallocate(WeakBlock::destroy(block)); } } // namespace JSC -- cgit v1.2.1 From d6ffb6e0ba2941ff69c9b8eaf6ccf383c5d03063 Mon Sep 17 00:00:00 2001 From: Andras Becsi Date: Thu, 4 Apr 2013 19:14:29 +0200 Subject: Fix the build with GCC 4.8 https://bugs.webkit.org/show_bug.cgi?id=113147 Reviewed by Allan Sandfeld Jensen. Source/JavaScriptCore: Initialize JSObject* exception to suppress warnings that make the build fail because of -Werror=maybe-uninitialized. * runtime/Executable.cpp: (JSC::FunctionExecutable::compileForCallInternal): (JSC::FunctionExecutable::compileForConstructInternal): Source/WTF: Disable diagnostic warning -Wunused-local-typedefs for GCC 4.8 since dummy typedefs are commonly used in the codebase. * wtf/Compiler.h: Change-Id: I084a47068324c6b9ddd7f4274f7c5a2d10904627 Reviewed-by: Allan Sandfeld Jensen Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/runtime/Executable.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/runtime/Executable.cpp b/Source/JavaScriptCore/runtime/Executable.cpp index 746e281e3..ff4c2ff76 100644 --- a/Source/JavaScriptCore/runtime/Executable.cpp +++ b/Source/JavaScriptCore/runtime/Executable.cpp 
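Review bot: The leak fixed in WeakSet::removeAllocator came from silently discarding the value returned by `WeakBlock::destroy`, and nothing stops the next caller from doing the same. Marking the declaration of `destroy` with `WARN_UNUSED_RETURN` would turn that mistake into a compiler warning. Other call sites of `WeakBlock::destroy` are not visible in this diff and are worth checking for the same omission.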
@@ -522,7 +522,7 @@ JSObject* FunctionExecutable::compileForCallInternal(ExecState* exec, JSScope* s UNUSED_PARAM(bytecodeIndex); #endif ASSERT((jitType == JITCode::bottomTierJIT()) == !m_codeBlockForCall); - JSObject* exception; + JSObject* exception = 0; OwnPtr newCodeBlock = produceCodeBlockFor(scope, CodeForCall, exception); if (!newCodeBlock) return exception; @@ -558,7 +558,7 @@ JSObject* FunctionExecutable::compileForConstructInternal(ExecState* exec, JSSco #endif ASSERT((jitType == JITCode::bottomTierJIT()) == !m_codeBlockForConstruct); - JSObject* exception; + JSObject* exception = 0; OwnPtr newCodeBlock = produceCodeBlockFor(scope, CodeForConstruct, exception); if (!newCodeBlock) return exception; -- cgit v1.2.1 From 9e5eaab34ec9fe2a0e0ba169c939a23bef8df900 Mon Sep 17 00:00:00 2001 From: Oliver Hunt Date: Tue, 16 Apr 2013 11:58:22 +0200 Subject: Add more assertions to the property storage use in arrays https://bugs.webkit.org/show_bug.cgi?id=107728 Reviewed by Filip Pizlo. Add a bunch of assertions to array and object butterfly usage. This should make debugging somewhat easier. I also converted a couple of assertions to release asserts as they were so low cost it seemed a sensible thing to do. * runtime/JSArray.cpp: (JSC::JSArray::sortVector): (JSC::JSArray::compactForSorting): * runtime/JSObject.h: (JSC::JSObject::getHolyIndexQuickly): Change-Id: Ie6164b837e7671b87c003de3e29fd33ef05f4362 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141029 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/runtime/JSArray.cpp | 24 +++++++++++++++++++----- Source/JavaScriptCore/runtime/JSObject.h | 1 + 2 files changed, 20 insertions(+), 5 deletions(-) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/runtime/JSArray.cpp b/Source/JavaScriptCore/runtime/JSArray.cpp index 4ba5cc2bd..c742804f7 100644 --- a/Source/JavaScriptCore/runtime/JSArray.cpp +++ b/Source/JavaScriptCore/runtime/JSArray.cpp 
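Review bot: Initialising `exception` to 0 silences the GCC warning, but `return exception;` on the `!newCodeBlock` path of compileForCallInternal can now return null, which a caller would presumably read as "no error" even though no code block was produced. The same applies to compileForConstructInternal in the next hunk (@@ -558). Whether `produceCodeBlockFor` always sets `exception` when it fails is not visible here. If it does, `ASSERT(exception);` before each `return exception;` documents and checks that. If it does not, the failure path needs an explicit error object. Both function bodies continue outside the hunks.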
@@ -1347,7 +1347,7 @@ void JSArray::sortVector(ExecState* exec, JSValue compareFunction, CallType call // Iterate over the array, ignoring missing values, counting undefined ones, and inserting all other ones into the tree. for (; numDefined < usedVectorLength; ++numDefined) { - if (numDefined > m_butterfly->vectorLength()) + if (numDefined >= m_butterfly->vectorLength()) break; JSValue v = getHolyIndexQuickly(numDefined); if (!v || v.isUndefined()) @@ -1356,7 +1356,7 @@ void JSArray::sortVector(ExecState* exec, JSValue compareFunction, CallType call tree.insert(numDefined); } for (unsigned i = numDefined; i < usedVectorLength; ++i) { - if (i > m_butterfly->vectorLength()) + if (i >= m_butterfly->vectorLength()) break; JSValue v = getHolyIndexQuickly(i); if (v) { @@ -1384,6 +1384,7 @@ void JSArray::sortVector(ExecState* exec, JSValue compareFunction, CallType call iter.start_iter_least(tree); JSGlobalData& globalData = exec->globalData(); for (unsigned i = 0; i < elementsToExtractThreshold; ++i) { + ASSERT(i < butterfly()->vectorLength()); if (structure()->indexingType() == ArrayWithDouble) butterfly()->contiguousDouble()[i] = tree.abstractor().m_nodes[*iter].value.asNumber(); else @@ -1398,12 +1399,15 @@ void JSArray::sortVector(ExecState* exec, JSValue compareFunction, CallType call break; default: - for (unsigned i = elementsToExtractThreshold; i < undefinedElementsThreshold; ++i) + for (unsigned i = elementsToExtractThreshold; i < undefinedElementsThreshold; ++i) { + ASSERT(i < butterfly()->vectorLength()); currentIndexingData()[i].setUndefined(); + } } // Ensure that unused values in the vector are zeroed out. for (unsigned i = undefinedElementsThreshold; i < clearElementsThreshold; ++i) { + ASSERT(i < butterfly()->vectorLength()); if (structure()->indexingType() == ArrayWithDouble) butterfly()->contiguousDouble()[i] = QNaN; else 
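Review bot: The bounds checks added from the @@ -1384 hunk onward are all plain `ASSERT`, which is compiled out of release builds, so the indexed writes into `contiguousDouble()`, `contiguousInt32()` and `indexingData()` stay unchecked in shipped binaries. The commit message says some assertions were converted to release asserts, but none of the hunks on this page shows one. For the write sites in sortVector and compactForSorting (hunks @@ -1384 through @@ -1633) and the read in getHolyIndexQuickly (JSObject.h, @@ -862), `RELEASE_ASSERT(i < m_butterfly->vectorLength());` would make an out-of-range index fail deterministically instead of corrupting adjacent storage. The added checks also alternate between `butterfly()` and `m_butterfly`, and using one spelling would make them easier to grep. All of these functions start and end outside their hunks.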
@@ -1533,6 +1537,7 @@ void JSArray::copyToArguments(ExecState* exec, CallFrame* callFrame, uint32_t le vector = 0; vectorEnd = 0; for (; i < m_butterfly->publicLength(); ++i) { + ASSERT(i < butterfly()->vectorLength()); double v = m_butterfly->contiguousDouble()[i]; if (v != v) break; @@ -1578,6 +1583,7 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt unsigned numUndefined = 0; for (; numDefined < myRelevantLength; ++numDefined) { + ASSERT(numDefined < m_butterfly->vectorLength()); if (indexingType == ArrayWithInt32) { JSValue v = m_butterfly->contiguousInt32()[numDefined].get(); if (!v) @@ -1597,11 +1603,13 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt } for (unsigned i = numDefined; i < myRelevantLength; ++i) { + ASSERT(i < m_butterfly->vectorLength()); if (indexingType == ArrayWithInt32) { JSValue v = m_butterfly->contiguousInt32()[i].get(); if (!v) continue; ASSERT(v.isInt32()); + ASSERT(numDefined < m_butterfly->vectorLength()); m_butterfly->contiguousInt32()[numDefined++].setWithoutWriteBarrier(v); continue; } @@ -1609,6 +1617,7 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt double v = m_butterfly->contiguousDouble()[i]; if (v != v) continue; + ASSERT(numDefined < m_butterfly->vectorLength()); m_butterfly->contiguousDouble()[numDefined++] = v; continue; } @@ -1616,8 +1625,10 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt if (v) { if (v.isUndefined()) ++numUndefined; - else + else { + ASSERT(numDefined < m_butterfly->vectorLength()); indexingData()[numDefined++].setWithoutWriteBarrier(v); + } } } 
@@ -1633,11 +1644,14 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt break; default: - for (unsigned i = numDefined; i < newRelevantLength; ++i) + for (unsigned i = numDefined; i < newRelevantLength; ++i) { + ASSERT(i < m_butterfly->vectorLength()); indexingData()[i].setUndefined(); + } break; } for (unsigned i = newRelevantLength; i < myRelevantLength; ++i) { + ASSERT(i < m_butterfly->vectorLength()); if (indexingType == ArrayWithDouble) m_butterfly->contiguousDouble()[i] = QNaN; else diff --git a/Source/JavaScriptCore/runtime/JSObject.h b/Source/JavaScriptCore/runtime/JSObject.h index 957ba8227..428e51f3c 100644 --- a/Source/JavaScriptCore/runtime/JSObject.h +++ b/Source/JavaScriptCore/runtime/JSObject.h @@ -862,6 +862,7 @@ protected: JSValue getHolyIndexQuickly(unsigned i) { + ASSERT(i < m_butterfly->vectorLength()); switch (structure()->indexingType()) { case ALL_INT32_INDEXING_TYPES: case ALL_CONTIGUOUS_INDEXING_TYPES: -- cgit v1.2.1 From 018937c7ba8b9afb85b8ae7ccb2aba438768cdf5 Mon Sep 17 00:00:00 2001 From: Jonathan Liu Date: Thu, 18 Apr 2013 10:11:22 +0000 Subject: Implement JIT for MinGW-w64 64-bit https://bugs.webkit.org/show_bug.cgi?id=114580 Reviewed by Jocelyn Turcotte. * jit/JITStubs.cpp: (JSC): Change-Id: Ibdda0a09ba3db010bbd7858b745834dff2d92260 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148663 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/jit/JITStubs.cpp | 71 +++++++++++++++++++++++++++++++++- 1 file changed, 70 insertions(+), 1 deletion(-) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/jit/JITStubs.cpp b/Source/JavaScriptCore/jit/JITStubs.cpp index eca0fb079..64acfeef5 100644 --- a/Source/JavaScriptCore/jit/JITStubs.cpp +++ b/Source/JavaScriptCore/jit/JITStubs.cpp 
@@ -364,7 +364,7 @@ SYMBOL_STRING(ctiOpThrowNotCaught) ":" "\n" #else // USE(JSVALUE32_64) -#if COMPILER(GCC) && CPU(X86_64) +#if COMPILER(GCC) && CPU(X86_64) && !OS(WINDOWS) // These ASSERTs remind you that, if you change the layout of JITStackFrame, you // need to change the assembly trampolines below to match. 
@@ -433,6 +433,75 @@ SYMBOL_STRING(ctiOpThrowNotCaught) ":" "\n" "ret" "\n" ); +#elif COMPILER(GCC) && CPU(X86_64) && OS(WINDOWS) + +// These ASSERTs remind you that, if you change the layout of JITStackFrame, you +// need to change the assembly trampolines below to match. +COMPILE_ASSERT(offsetof(struct JITStackFrame, code) % 16 == 0x0, JITStackFrame_maintains_16byte_stack_alignment); +COMPILE_ASSERT(offsetof(struct JITStackFrame, savedRBX) == 0x58, JITStackFrame_stub_argument_space_matches_ctiTrampoline); + +asm ( +".text\n" +".globl " SYMBOL_STRING(ctiTrampoline) "\n" +HIDE_SYMBOL(ctiTrampoline) "\n" +SYMBOL_STRING(ctiTrampoline) ":" "\n" + // Dump register parameters to their home address + "movq %r9, 0x20(%rsp)" "\n" + "movq %r8, 0x18(%rsp)" "\n" + "movq %rdx, 0x10(%rsp)" "\n" + "movq %rcx, 0x8(%rsp)" "\n" + + "pushq %rbp" "\n" + "movq %rsp, %rbp" "\n" + "pushq %r12" "\n" + "pushq %r13" "\n" + "pushq %r14" "\n" + "pushq %r15" "\n" + "pushq %rbx" "\n" + + // Decrease rsp to point to the start of our JITStackFrame + "subq $0x58, %rsp" "\n" + "movq $512, %r12" "\n" + "movq $0xFFFF000000000000, %r14" "\n" + "movq $0xFFFF000000000002, %r15" "\n" + "movq %r8, %r13" "\n" + "call *%rcx" "\n" + "addq $0x58, %rsp" "\n" + "popq %rbx" "\n" + "popq %r15" "\n" + "popq %r14" "\n" + "popq %r13" "\n" + "popq %r12" "\n" + "popq %rbp" "\n" + "ret" "\n" +".globl " SYMBOL_STRING(ctiTrampolineEnd) "\n" +HIDE_SYMBOL(ctiTrampolineEnd) "\n" +SYMBOL_STRING(ctiTrampolineEnd) ":" "\n" +); + +asm ( +".globl " SYMBOL_STRING(ctiVMThrowTrampoline) "\n" +HIDE_SYMBOL(ctiVMThrowTrampoline) "\n" +SYMBOL_STRING(ctiVMThrowTrampoline) ":" "\n" + "movq %rsp, %rcx" "\n" + "call " LOCAL_REFERENCE(cti_vm_throw) "\n" + "int3" "\n" +); + +asm ( +".globl " SYMBOL_STRING(ctiOpThrowNotCaught) "\n" +HIDE_SYMBOL(ctiOpThrowNotCaught) "\n" +SYMBOL_STRING(ctiOpThrowNotCaught) ":" "\n" + "addq $0x58, %rsp" "\n" + "popq %rbx" "\n" + "popq %r15" "\n" + "popq %r14" "\n" + "popq %r13" "\n" + "popq %r12" "\n" + "popq 
%rbp" "\n" + "ret" "\n" +); + #elif COMPILER(MSVC) && CPU(X86_64) // These ASSERTs remind you that, if you change the layout of JITStackFrame, you -- cgit v1.2.1 From 40edeaa8d852af7d9a1eb8cf39528a023a310c1d Mon Sep 17 00:00:00 2001 From: Andras Becsi Date: Thu, 18 Apr 2013 13:14:09 +0200 Subject: [Qt] Use GNU ar's thin archive format for intermediate static libs https://bugs.webkit.org/show_bug.cgi?id=109052 http://trac.webkit.org/changeset/142088 Reviewed by Jocelyn Turcotte. With debug builds we exceed the 4GiB limit of GNU ar when creating the WebCore intermediate static library which results in build failure even with a x86_64 toolchain (http://sourceware.org/bugzilla/show_bug.cgi?id=14625). When using a GNU toolchain we can use the thin archive format for these static libraries which also has the benefit of not copying the object files, thus drastically reducing disk usage and overall compile time. Currently qmake does not support GNU ar's thin archive format so for now we need to do the magic in the build system as a stopgap solution. Adjust project files that used activeBuildConfig() to use targetSubDir(). Change-Id: I68604d5fc6acc32d45a734271aa87bfa5a14647f Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/JavaScriptCore.pri | 2 +- Source/JavaScriptCore/LLIntOffsetsExtractor.pro | 6 +++--- Source/JavaScriptCore/Target.pri | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/JavaScriptCore.pri b/Source/JavaScriptCore/JavaScriptCore.pri index 859f4a20d..629a4838c 100644 --- a/Source/JavaScriptCore/JavaScriptCore.pri +++ b/Source/JavaScriptCore/JavaScriptCore.pri @@ -33,7 +33,7 @@ INCLUDEPATH += \ $$JAVASCRIPTCORE_GENERATED_SOURCES_DIR # Pick up the right version of LLIntAssembly.h -macx:INCLUDEPATH+=$$JAVASCRIPTCORE_GENERATED_SOURCES_DIR/$$activeBuildConfig() +macx:INCLUDEPATH+=$$JAVASCRIPTCORE_GENERATED_SOURCES_DIR/$$targetSubDir() win32-*: LIBS += -lwinmm 
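Review bot: The new `ctiTrampoline` prologue saves `%rbp`, `%r12`–`%r15` and `%rbx`, but the Windows x64 calling convention also treats `%rsi` and `%rdi` as callee-saved, and nothing in this hunk preserves them. Whether JIT-generated code reached through `call *%rcx` can modify those registers is not visible here, so it should be confirmed; changing the saved set would also shift the `JITStackFrame` offsets that the two `COMPILE_ASSERT`s pin. Separately, the frame size `0x58` is repeated in the `subq`/`addq` pair of `ctiTrampoline` and again in `ctiOpThrowNotCaught`. A comment such as `// 0x58 == offsetof(JITStackFrame, savedRBX), see COMPILE_ASSERT above` beside each would keep the three in step. The constants loaded into `%r12`, `%r14` and `%r15` are unexplained and would benefit from a one-line comment naming what the JIT expects in each register.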
diff --git a/Source/JavaScriptCore/LLIntOffsetsExtractor.pro b/Source/JavaScriptCore/LLIntOffsetsExtractor.pro index 97b3529b7..d119bbf08 100644 --- a/Source/JavaScriptCore/LLIntOffsetsExtractor.pro +++ b/Source/JavaScriptCore/LLIntOffsetsExtractor.pro @@ -58,9 +58,9 @@ llint.CONFIG += no_link QMAKE_EXTRA_COMPILERS += llint macx { - DESTDIR = $$activeBuildConfig() - llint.output = $$activeBuildConfig()/$$llint.output - INCLUDEPATH += $$activeBuildConfig() + DESTDIR = $$targetSubDir() + llint.output = $$targetSubDir()/$$llint.output + INCLUDEPATH += $$targetSubDir() } # Compilation of this file will automatically depend on LLIntDesiredOffsets.h diff --git a/Source/JavaScriptCore/Target.pri b/Source/JavaScriptCore/Target.pri index e1da901c1..0f2659ec9 100644 --- a/Source/JavaScriptCore/Target.pri +++ b/Source/JavaScriptCore/Target.pri @@ -30,7 +30,7 @@ include(yarr/yarr.pri) INSTALLDEPS += all -debug_and_release: INCLUDEPATH += $$JAVASCRIPTCORE_GENERATED_SOURCES_DIR/$$activeBuildConfig() +debug_and_release: INCLUDEPATH += $$JAVASCRIPTCORE_GENERATED_SOURCES_DIR/$$targetSubDir() SOURCES += \ API/JSBase.cpp \ -- cgit v1.2.1