12014-02-20 Mark Hahnenberg <mhahnenberg@apple.com> 2 3 CopiedBlock::pin can call into fastFree while forbidden 4 https://bugs.webkit.org/show_bug.cgi?id=128654 5 6 Reviewed by Oliver Hunt. 7 8 A FullCollection that skips copying doesn't clear the CopyWorkList of the all the surviving 9 CopiedBlocks because we currently only call didSurviveGC() at the beginning of FullCollections. 10 11 EdenCollections always do copying, therefore they always clear all CopyWorkLists. 12 13 The fix is to call didSurviveGC() for all surviving CopiedBlocks at the end of FullCollections 14 as well at the beginning. 15 16 * heap/CopiedBlock.h: 17 (JSC::CopiedBlock::didSurviveGC): 18 * heap/CopiedSpace.cpp: 19 (JSC::CopiedSpace::doneCopying): 20 212014-02-20 Mark Hahnenberg <mhahnenberg@apple.com> 22 23 Add a JSC option to disable EdenCollections 24 https://bugs.webkit.org/show_bug.cgi?id=128849 25 26 Reviewed by Mark Lam. 27 28 This will help quickly identify whether or not GenGC is responsible for a 29 particular crash by prematurely collecting a live object. 30 31 * heap/Heap.cpp: 32 (JSC::Heap::collect): 33 (JSC::Heap::shouldDoFullCollection): 34 * heap/Heap.h: 35 * runtime/Options.h: 36 372014-02-20 Michael Saboff <msaboff@apple.com> 38 39 REGRESSION (r164417): ASSERTION FAILED: isBranch() in X86 32 bit build 40 https://bugs.webkit.org/show_bug.cgi?id=129118 41 42 Reviewed by Filip Pizlo. 43 44 Changed 32 bit version of SpeculativeJIT::compile handling of Jump nodes to match 45 what is in the 64 bit build. 46 47 * dfg/DFGSpeculativeJIT32_64.cpp: 48 (JSC::DFG::SpeculativeJIT::compile): 49 502014-02-20 Zan Dobersek <zdobersek@igalia.com> 51 52 [Automake] Collect the JavaScript files required for JSC builtins through a wildcard 53 https://bugs.webkit.org/show_bug.cgi?id=129115 54 55 Reviewed by Oliver Hunt. 56 57 * GNUmakefile.list.am: Simplify adding new JavaScriptCore builtins by using a wildcard 58 to gather all the JavaScript files instead of listing each file explicitly. 
59 602014-02-20 Mark Hahnenberg <mhahnenberg@apple.com> 61 62 Replace uses of deprecated POSIX index() with strchr() in ObjcRuntimeExtras.h 63 https://bugs.webkit.org/show_bug.cgi?id=128610 64 65 Reviewed by Anders Carlsson. 66 67 index() is deprecated in favor of strchr() so we should use the latter. 68 69 * API/JSWrapperMap.mm: 70 (selectorToPropertyName): 71 * API/ObjcRuntimeExtras.h: 72 (parseObjCType): 73 742014-02-19 Filip Pizlo <fpizlo@apple.com> 75 76 FTL should not emit stack overflow checks in leaf functions 77 https://bugs.webkit.org/show_bug.cgi?id=129085 78 79 Reviewed by Michael Saboff. 80 81 Miniscule (0.5%) speed-up on V8v7. 82 83 * ftl/FTLLowerDFGToLLVM.cpp: 84 (JSC::FTL::LowerDFGToLLVM::lower): 85 (JSC::FTL::LowerDFGToLLVM::didOverflowStack): 86 872014-02-20 Mark Hahnenberg <mhahnenberg@apple.com> 88 89 Dynamically generated JSExport protocols added to a class results in a crash 90 https://bugs.webkit.org/show_bug.cgi?id=129108 91 92 Reviewed by Oliver Hunt. 93 94 We're not getting any information from the runtime about the types of the methods on 95 these protocols because they didn't exist at compile time. We should handle this gracefully. 96 97 * API/ObjCCallbackFunction.mm: 98 (objCCallbackFunctionForInvocation): 99 * API/tests/JSExportTests.mm: 100 (+[JSExportTests exportDynamicallyGeneratedProtocolTest]): 101 (runJSExportTests): 102 1032014-02-20 Gabor Rapcsanyi <rgabor@webkit.org> 104 105 ASSERTION FAILED: isUInt16() on ARMv7 after r113253. 106 https://bugs.webkit.org/show_bug.cgi?id=129101 107 108 Reviewed by Michael Saboff. 109 110 If the immediate value type is encoded then we shouldn't reach this assert. 111 Check the immediate type to avoid assertion in alignemnt check. 112 113 * assembler/ARMv7Assembler.h: 114 (JSC::ARMv7Assembler::add): 115 1162014-02-20 Csaba Osztrogonác <ossy@webkit.org> 117 118 Get rid of redundant Platform.h includes 119 https://bugs.webkit.org/show_bug.cgi?id=128817 120 121 Reviewed by Brent Fulgham. 
122 123 * API/tests/JSNode.c: 124 * API/tests/JSNodeList.c: 125 * API/tests/minidom.c: 126 * API/tests/testapi.c: 127 * assembler/MacroAssembler.h: 128 * bytecode/ByValInfo.h: 129 * bytecode/CallLinkInfo.h: 130 * bytecode/CallReturnOffsetToBytecodeOffset.h: 131 * bytecode/CodeType.h: 132 * bytecode/HandlerInfo.h: 133 * bytecode/MethodOfGettingAValueProfile.h: 134 * bytecode/PolymorphicAccessStructureList.h: 135 * bytecode/PolymorphicPutByIdList.h: 136 * bytecode/StructureStubClearingWatchpoint.h: 137 * bytecode/StructureStubInfo.h: 138 * bytecode/ValueRecovery.h: 139 * bytecode/VirtualRegister.h: 140 * dfg/DFGAbstractHeap.h: 141 * dfg/DFGAbstractInterpreter.h: 142 * dfg/DFGAbstractInterpreterInlines.h: 143 * dfg/DFGAbstractValue.h: 144 * dfg/DFGAdjacencyList.h: 145 * dfg/DFGAllocator.h: 146 * dfg/DFGAnalysis.h: 147 * dfg/DFGArgumentsSimplificationPhase.h: 148 * dfg/DFGArrayMode.h: 149 * dfg/DFGArrayifySlowPathGenerator.h: 150 * dfg/DFGAtTailAbstractState.h: 151 * dfg/DFGBackwardsPropagationPhase.h: 152 * dfg/DFGBinarySwitch.h: 153 * dfg/DFGBlockInsertionSet.h: 154 * dfg/DFGBranchDirection.h: 155 * dfg/DFGCFAPhase.h: 156 * dfg/DFGCFGSimplificationPhase.h: 157 * dfg/DFGCPSRethreadingPhase.h: 158 * dfg/DFGCSEPhase.h: 159 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: 160 * dfg/DFGCapabilities.h: 161 * dfg/DFGClobberSet.h: 162 * dfg/DFGClobberize.h: 163 * dfg/DFGCommon.h: 164 * dfg/DFGCommonData.h: 165 * dfg/DFGConstantFoldingPhase.h: 166 * dfg/DFGCriticalEdgeBreakingPhase.h: 167 * dfg/DFGDCEPhase.h: 168 * dfg/DFGDesiredIdentifiers.h: 169 * dfg/DFGDesiredStructureChains.h: 170 * dfg/DFGDesiredWatchpoints.h: 171 * dfg/DFGDisassembler.h: 172 * dfg/DFGDominators.h: 173 * dfg/DFGDriver.h: 174 * dfg/DFGEdge.h: 175 * dfg/DFGEdgeDominates.h: 176 * dfg/DFGEdgeUsesStructure.h: 177 * dfg/DFGFailedFinalizer.h: 178 * dfg/DFGFiltrationResult.h: 179 * dfg/DFGFinalizer.h: 180 * dfg/DFGFixupPhase.h: 181 * dfg/DFGFlushFormat.h: 182 * dfg/DFGFlushLivenessAnalysisPhase.h: 183 * 
dfg/DFGFlushedAt.h: 184 * dfg/DFGGraph.h: 185 * dfg/DFGInPlaceAbstractState.h: 186 * dfg/DFGInsertionSet.h: 187 * dfg/DFGInvalidationPointInjectionPhase.h: 188 * dfg/DFGJITCode.h: 189 * dfg/DFGJITFinalizer.h: 190 * dfg/DFGLICMPhase.h: 191 * dfg/DFGLazyJSValue.h: 192 * dfg/DFGLivenessAnalysisPhase.h: 193 * dfg/DFGLongLivedState.h: 194 * dfg/DFGLoopPreHeaderCreationPhase.h: 195 * dfg/DFGMinifiedGraph.h: 196 * dfg/DFGMinifiedID.h: 197 * dfg/DFGMinifiedNode.h: 198 * dfg/DFGNaturalLoops.h: 199 * dfg/DFGNode.h: 200 * dfg/DFGNodeAllocator.h: 201 * dfg/DFGNodeFlags.h: 202 * dfg/DFGNodeType.h: 203 * dfg/DFGOSRAvailabilityAnalysisPhase.h: 204 * dfg/DFGOSREntrypointCreationPhase.h: 205 * dfg/DFGOSRExit.h: 206 * dfg/DFGOSRExitBase.h: 207 * dfg/DFGOSRExitCompilationInfo.h: 208 * dfg/DFGOSRExitCompiler.h: 209 * dfg/DFGOSRExitCompilerCommon.h: 210 * dfg/DFGOSRExitJumpPlaceholder.h: 211 * dfg/DFGPhase.h: 212 * dfg/DFGPlan.h: 213 * dfg/DFGPredictionInjectionPhase.h: 214 * dfg/DFGPredictionPropagationPhase.h: 215 * dfg/DFGResurrectionForValidationPhase.h: 216 * dfg/DFGSSAConversionPhase.h: 217 * dfg/DFGSafeToExecute.h: 218 * dfg/DFGSaneStringGetByValSlowPathGenerator.h: 219 * dfg/DFGSilentRegisterSavePlan.h: 220 * dfg/DFGSlowPathGenerator.h: 221 * dfg/DFGSpeculativeJIT.h: 222 * dfg/DFGStackLayoutPhase.h: 223 * dfg/DFGStructureAbstractValue.h: 224 * dfg/DFGThunks.h: 225 * dfg/DFGTierUpCheckInjectionPhase.h: 226 * dfg/DFGToFTLDeferredCompilationCallback.h: 227 * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: 228 * dfg/DFGTypeCheckHoistingPhase.h: 229 * dfg/DFGUnificationPhase.h: 230 * dfg/DFGUseKind.h: 231 * dfg/DFGValidate.h: 232 * dfg/DFGValueRecoveryOverride.h: 233 * dfg/DFGValueSource.h: 234 * dfg/DFGVariableAccessData.h: 235 * dfg/DFGVariableAccessDataDump.h: 236 * dfg/DFGVariableEvent.h: 237 * dfg/DFGVariableEventStream.h: 238 * dfg/DFGVirtualRegisterAllocationPhase.h: 239 * dfg/DFGWatchpointCollectionPhase.h: 240 * dfg/DFGWorklist.h: 241 * disassembler/Disassembler.h: 
242 * ftl/FTLAbbreviatedTypes.h: 243 * ftl/FTLAbbreviations.h: 244 * ftl/FTLAbstractHeap.h: 245 * ftl/FTLAbstractHeapRepository.h: 246 * ftl/FTLCapabilities.h: 247 * ftl/FTLCommonValues.h: 248 * ftl/FTLCompile.h: 249 * ftl/FTLExitArgument.h: 250 * ftl/FTLExitArgumentForOperand.h: 251 * ftl/FTLExitArgumentList.h: 252 * ftl/FTLExitThunkGenerator.h: 253 * ftl/FTLExitValue.h: 254 * ftl/FTLFail.h: 255 * ftl/FTLForOSREntryJITCode.h: 256 * ftl/FTLFormattedValue.h: 257 * ftl/FTLIntrinsicRepository.h: 258 * ftl/FTLJITCode.h: 259 * ftl/FTLJITFinalizer.h: 260 * ftl/FTLLink.h: 261 * ftl/FTLLocation.h: 262 * ftl/FTLLowerDFGToLLVM.h: 263 * ftl/FTLLoweredNodeValue.h: 264 * ftl/FTLOSREntry.h: 265 * ftl/FTLOSRExit.h: 266 * ftl/FTLOSRExitCompilationInfo.h: 267 * ftl/FTLOSRExitCompiler.h: 268 * ftl/FTLOutput.h: 269 * ftl/FTLSaveRestore.h: 270 * ftl/FTLStackMaps.h: 271 * ftl/FTLState.h: 272 * ftl/FTLSwitchCase.h: 273 * ftl/FTLThunks.h: 274 * ftl/FTLTypedPointer.h: 275 * ftl/FTLValueFormat.h: 276 * ftl/FTLValueFromBlock.h: 277 * heap/JITStubRoutineSet.h: 278 * interpreter/AbstractPC.h: 279 * jit/AssemblyHelpers.h: 280 * jit/CCallHelpers.h: 281 * jit/ClosureCallStubRoutine.h: 282 * jit/GCAwareJITStubRoutine.h: 283 * jit/HostCallReturnValue.h: 284 * jit/JITDisassembler.h: 285 * jit/JITStubRoutine.h: 286 * jit/JITThunks.h: 287 * jit/JITToDFGDeferredCompilationCallback.h: 288 * jit/RegisterSet.h: 289 * jit/Repatch.h: 290 * jit/ScratchRegisterAllocator.h: 291 * jit/TempRegisterSet.h: 292 * jit/ThunkGenerator.h: 293 * llint/LLIntData.h: 294 * llint/LLIntEntrypoint.h: 295 * llint/LLIntExceptions.h: 296 * llint/LLIntOfflineAsmConfig.h: 297 * llint/LLIntOpcode.h: 298 * llint/LLIntSlowPaths.h: 299 * llint/LLIntThunks.h: 300 * llint/LowLevelInterpreter.h: 301 * llvm/InitializeLLVM.h: 302 * llvm/InitializeLLVMPOSIX.h: 303 * llvm/LLVMAPI.h: 304 * os-win32/inttypes.h: 305 * runtime/ArrayStorage.h: 306 * runtime/Butterfly.h: 307 * runtime/CommonSlowPaths.h: 308 * runtime/CommonSlowPathsExceptions.h: 
309 * runtime/IndexingHeader.h: 310 * runtime/JSExportMacros.h: 311 * runtime/PropertyOffset.h: 312 * runtime/SparseArrayValueMap.h: 313 3142014-02-19 Filip Pizlo <fpizlo@apple.com> 315 316 DFG should have a way of carrying and preserving conditional branch weights 317 https://bugs.webkit.org/show_bug.cgi?id=129083 318 319 Reviewed by Michael Saboff. 320 321 Branch and Switch now have branch counts/weights for each target. This is encapsulated 322 behind DFG::BranchTarget. We carry this data all the way to the FTL, and the DFG 323 backend ignores it. 324 325 We don't set this data yet; that's for https://bugs.webkit.org/show_bug.cgi?id=129055. 326 327 * dfg/DFGByteCodeParser.cpp: 328 (JSC::DFG::ByteCodeParser::branchData): 329 (JSC::DFG::ByteCodeParser::handleInlining): 330 (JSC::DFG::ByteCodeParser::parseBlock): 331 (JSC::DFG::ByteCodeParser::linkBlock): 332 * dfg/DFGCFGSimplificationPhase.cpp: 333 (JSC::DFG::CFGSimplificationPhase::run): 334 * dfg/DFGFixupPhase.cpp: 335 (JSC::DFG::FixupPhase::fixupNode): 336 * dfg/DFGGraph.cpp: 337 (JSC::DFG::Graph::dump): 338 * dfg/DFGGraph.h: 339 * dfg/DFGInPlaceAbstractState.cpp: 340 (JSC::DFG::InPlaceAbstractState::mergeToSuccessors): 341 * dfg/DFGJITCompiler.cpp: 342 (JSC::DFG::JITCompiler::link): 343 * dfg/DFGNode.cpp: 344 (JSC::DFG::BranchTarget::dump): 345 * dfg/DFGNode.h: 346 (JSC::DFG::BranchTarget::BranchTarget): 347 (JSC::DFG::BranchTarget::setBytecodeIndex): 348 (JSC::DFG::BranchTarget::bytecodeIndex): 349 (JSC::DFG::BranchData::withBytecodeIndices): 350 (JSC::DFG::BranchData::takenBytecodeIndex): 351 (JSC::DFG::BranchData::notTakenBytecodeIndex): 352 (JSC::DFG::BranchData::forCondition): 353 (JSC::DFG::SwitchCase::SwitchCase): 354 (JSC::DFG::SwitchCase::withBytecodeIndex): 355 (JSC::DFG::SwitchData::SwitchData): 356 (JSC::DFG::Node::targetBytecodeOffsetDuringParsing): 357 (JSC::DFG::Node::targetBlock): 358 (JSC::DFG::Node::branchData): 359 (JSC::DFG::Node::successor): 360 (JSC::DFG::Node::successorForCondition): 361 
* dfg/DFGSpeculativeJIT.cpp: 362 (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch): 363 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): 364 (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch): 365 (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch): 366 (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant): 367 (JSC::DFG::SpeculativeJIT::compileRegExpExec): 368 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): 369 (JSC::DFG::SpeculativeJIT::emitSwitchImm): 370 (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump): 371 (JSC::DFG::SpeculativeJIT::emitSwitchChar): 372 (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse): 373 (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString): 374 (JSC::DFG::SpeculativeJIT::emitSwitchString): 375 * dfg/DFGSpeculativeJIT32_64.cpp: 376 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): 377 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): 378 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): 379 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 380 (JSC::DFG::SpeculativeJIT::emitBranch): 381 (JSC::DFG::SpeculativeJIT::compile): 382 * dfg/DFGSpeculativeJIT64.cpp: 383 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): 384 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): 385 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): 386 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 387 (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch): 388 (JSC::DFG::SpeculativeJIT::emitBranch): 389 (JSC::DFG::SpeculativeJIT::compile): 390 * ftl/FTLLowerDFGToLLVM.cpp: 391 (JSC::FTL::LowerDFGToLLVM::compileJump): 392 (JSC::FTL::LowerDFGToLLVM::compileBranch): 393 (JSC::FTL::LowerDFGToLLVM::compileSwitch): 394 (JSC::FTL::LowerDFGToLLVM::buildSwitch): 395 3962014-02-19 ChangSeok Oh <changseok.oh@collabora.com> 397 398 Unreviewed build fix after r164396 399 400 * GNUmakefile.list.am: Added Promises.prototype.js properly 401 
4022014-02-19 Geoffrey Garen <ggaren@apple.com> 403 404 Crash after -[JSContext evaluateScript:] when initializing JSContext with JSVirtualMachine 405 https://bugs.webkit.org/show_bug.cgi?id=129070 406 407 Reviewed by Mark Hahnenberg. 408 409 Clear our exception explicitly before throwing away the VM because our 410 exception references VM memory. 411 412 * API/JSContext.mm: 413 (-[JSContext dealloc]): 414 * API/tests/testapi.mm: 415 (testObjectiveCAPI): 416 4172014-02-19 Brent Fulgham <bfulgham@apple.com> 418 419 Unreviewed build fix after r164391 420 421 * runtime/Arguments.h: Make SlowArgumentData public so template libraries can 422 access its methods. 423 4242014-02-19 Mark Lam <mark.lam@apple.com> 425 426 Need to align sp before calling operationLoadVarargs on 32-bit platforms. 427 <https://webkit.org/b/129056> 428 429 Reviewed by Michael Saboff. 430 431 In JIT::compileLoadVarargs(), we'll call operationSizeFrameForVarargs() 432 to compute the amount of stack space we need for the varargs, adjust the 433 stack pointer to make room for those varargs, and then call 434 operationLoadVarargs() to fill in the varargs. Currently, the stack 435 pointer adjustment takes care of allocating space for the varargs, but 436 does not align the stack pointer for the call to operationLoadVarargs(). 437 The fix is to align the stack pointer there. 438 439 Note: The stack pointer adjustment is based on the new CallFrame pointer 440 value returned by operationSizeFrameForVarargs(). On 64-bit platforms, 441 both the stack pointer and call frame pointer are similarly aligned 442 (i.e. low nibbles are 0). Hence, no additional adjustment is needed. 443 Only the 32-bit code needs the fix. 444 445 Note: The LLINT also works this way i.e. aligns the stack pointer before 446 calling llint_slow_path_call_varargs(). 
447 448 * jit/JITCall32_64.cpp: 449 (JSC::JIT::compileLoadVarargs): 450 4512014-02-19 Sam Weinig <sam@webkit.org> 452 453 [JS] Convert Promise.prototype.catch to be a built-in 454 https://bugs.webkit.org/show_bug.cgi?id=129052 455 456 Reviewed by Geoffrey Garen. 457 458 * GNUmakefile.list.am: 459 * JavaScriptCore.xcodeproj/project.pbxproj: 460 * builtins/Promise.prototype.js: Added. 461 (catch): Add JS based implementation of Promise.prototype.catch. 462 463 * runtime/JSPromisePrototype.cpp: 464 Remove the C++ implementation of Promise.prototype.catch. 465 4662014-02-19 Filip Pizlo <fpizlo@apple.com> 467 468 FTL should allow LLVM to allocate data sections with alignment > 8 469 https://bugs.webkit.org/show_bug.cgi?id=129066 470 471 Reviewed by Geoffrey Garen. 472 473 We were previously using the native allocator's alignment guarantees (which we presumed 474 to be 8 bytes), and further hinting our desires by using the LSectionWord type (which 475 was 8 bytes). This breaks now that LLVM will sometimes ask for 16 byte alignment on 476 some sections. 477 478 This changes our data section allocation strategy to use the new FTL::DataSection, 479 which can handle arbitrary 2^k alignment. 480 481 * JavaScriptCore.xcodeproj/project.pbxproj: 482 * ftl/FTLCompile.cpp: 483 (JSC::FTL::mmAllocateDataSection): 484 (JSC::FTL::dumpDataSection): 485 (JSC::FTL::compile): 486 * ftl/FTLDataSection.cpp: Added. 487 (JSC::FTL::DataSection::DataSection): 488 (JSC::FTL::DataSection::~DataSection): 489 * ftl/FTLDataSection.h: Added. 490 (JSC::FTL::DataSection::base): 491 (JSC::FTL::DataSection::size): 492 * ftl/FTLJITCode.cpp: 493 (JSC::FTL::JITCode::addDataSection): 494 * ftl/FTLJITCode.h: 495 (JSC::FTL::JITCode::dataSections): 496 * ftl/FTLState.h: 497 4982014-02-19 Filip Pizlo <fpizlo@apple.com> 499 500 Unreviewed, fix comment. 
501 502 * ftl/FTLWeight.h: 503 (JSC::FTL::Weight::scaleToTotal): 504 5052014-02-19 Anders Carlsson <andersca@apple.com> 506 507 Add WTF_MAKE_FAST_ALLOCATED to more classes 508 https://bugs.webkit.org/show_bug.cgi?id=129064 509 510 Reviewed by Andreas Kling. 511 512 * dfg/DFGSpeculativeJIT.h: 513 * heap/CopyWorkList.h: 514 * heap/Region.h: 515 * runtime/Arguments.h: 516 * runtime/SymbolTable.h: 517 * runtime/WriteBarrier.h: 518 5192014-02-19 Michael Saboff <msaboff@apple.com> 520 521 Unreviewed build fix after r164374 522 523 * llint/LLIntOfflineAsmConfig.h: Added #define OFFLINE_ASM_X86_WIN 0 524 for ENABLE(LLINT_C_LOOP). 525 5262014-02-19 Filip Pizlo <fpizlo@apple.com> 527 528 FTL should be able to convey branch weights to LLVM 529 https://bugs.webkit.org/show_bug.cgi?id=129054 530 531 Reviewed by Michael Saboff. 532 533 This introduces a really nice way to convey branch weights to LLVM. The basic class 534 is Weight, which just wraps a float; NaN is used when you are not sure. You can 535 pass this alongside a LBasicBlock to branching instructions like condbr and switch. 536 But for simplicity, you can just pass a WeightedTarget, which is a tuple of the 537 two. And for even greater simplicity, you can create WeightedTargets from 538 LBasicBlocks by doing: 539 540 usually(b) => WeightedTarget(b, Weight(1)) 541 rarely(b) => WeightedTarget(b, Weight(0)) 542 unsure(b) => WeightedTarget(b, Weight()) or WeightedTarget(b, Weight(NaN)) 543 544 This allows for constructs like: 545 546 m_out.branch(isCell(value), usually(isCellCase), rarely(slowCase)); 547 548 This was intended to be perf-neutral for now, but it did end up creating a ~1% 549 speed-up on V8v7 and Octane2. 
550 551 * JavaScriptCore.xcodeproj/project.pbxproj: 552 * ftl/FTLAbbreviations.h: 553 (JSC::FTL::mdNode): 554 * ftl/FTLCommonValues.cpp: 555 (JSC::FTL::CommonValues::CommonValues): 556 * ftl/FTLCommonValues.h: 557 * ftl/FTLLowerDFGToLLVM.cpp: 558 (JSC::FTL::LowerDFGToLLVM::lower): 559 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32): 560 (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck): 561 (JSC::FTL::LowerDFGToLLVM::compileToThis): 562 (JSC::FTL::LowerDFGToLLVM::compileArithMul): 563 (JSC::FTL::LowerDFGToLLVM::compileArithDiv): 564 (JSC::FTL::LowerDFGToLLVM::compileArithMod): 565 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): 566 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure): 567 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): 568 (JSC::FTL::LowerDFGToLLVM::compileGetById): 569 (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage): 570 (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset): 571 (JSC::FTL::LowerDFGToLLVM::compileGetByVal): 572 (JSC::FTL::LowerDFGToLLVM::compilePutByVal): 573 (JSC::FTL::LowerDFGToLLVM::compileArrayPush): 574 (JSC::FTL::LowerDFGToLLVM::compileArrayPop): 575 (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize): 576 (JSC::FTL::LowerDFGToLLVM::compileToString): 577 (JSC::FTL::LowerDFGToLLVM::compileToPrimitive): 578 (JSC::FTL::LowerDFGToLLVM::compileStringCharAt): 579 (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt): 580 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset): 581 (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite): 582 (JSC::FTL::LowerDFGToLLVM::compileBranch): 583 (JSC::FTL::LowerDFGToLLVM::compileSwitch): 584 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject): 585 (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare): 586 (JSC::FTL::LowerDFGToLLVM::allocateCell): 587 (JSC::FTL::LowerDFGToLLVM::allocateBasicStorageAndGetEnd): 588 (JSC::FTL::LowerDFGToLLVM::boolify): 589 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): 590 (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds): 591 
(JSC::FTL::LowerDFGToLLVM::buildSwitch): 592 (JSC::FTL::LowerDFGToLLVM::doubleToInt32): 593 (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32): 594 (JSC::FTL::LowerDFGToLLVM::lowDouble): 595 (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue): 596 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): 597 (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject): 598 (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): 599 (JSC::FTL::LowerDFGToLLVM::callCheck): 600 (JSC::FTL::LowerDFGToLLVM::appendOSRExit): 601 * ftl/FTLOutput.cpp: 602 (JSC::FTL::Output::initialize): 603 (JSC::FTL::Output::appendTo): 604 (JSC::FTL::Output::newBlock): 605 (JSC::FTL::Output::sensibleDoubleToInt): 606 (JSC::FTL::Output::load): 607 (JSC::FTL::Output::store): 608 (JSC::FTL::Output::baseIndex): 609 (JSC::FTL::Output::branch): 610 (JSC::FTL::Output::crashNonTerminal): 611 * ftl/FTLOutput.h: 612 (JSC::FTL::Output::branch): 613 (JSC::FTL::Output::switchInstruction): 614 * ftl/FTLSwitchCase.h: 615 (JSC::FTL::SwitchCase::SwitchCase): 616 (JSC::FTL::SwitchCase::weight): 617 * ftl/FTLWeight.h: Added. 618 (JSC::FTL::Weight::Weight): 619 (JSC::FTL::Weight::isSet): 620 (JSC::FTL::Weight::operator!): 621 (JSC::FTL::Weight::value): 622 (JSC::FTL::Weight::scaleToTotal): 623 * ftl/FTLWeightedTarget.h: Added. 624 (JSC::FTL::WeightedTarget::WeightedTarget): 625 (JSC::FTL::WeightedTarget::target): 626 (JSC::FTL::WeightedTarget::weight): 627 (JSC::FTL::usually): 628 (JSC::FTL::rarely): 629 (JSC::FTL::unsure): 630 6312014-02-19 peavo@outlook.com <peavo@outlook.com> 632 633 [Win][LLINT] Incorrect stack alignment. 634 https://bugs.webkit.org/show_bug.cgi?id=129045 635 636 Reviewed by Michael Saboff. 637 638 LLINT expects the stack to be 16 byte aligned, but with MSVC it is not. 639 To align the stack, a new backend, X86_WIN, is created. 640 641 * llint/LLIntOfflineAsmConfig.h: Use X86_WIN backend on Windows. 642 * llint/LowLevelInterpreter.asm: Align stack to 16 byte boundaries. 
Otherwise, use same implementation for X86_WIN as for X86. 643 * llint/LowLevelInterpreter32_64.asm: Adjust stack offset to retrieve function parameters now that the stack is aligned. 644 * offlineasm/backends.rb: Added X86_WIN backend. 645 * offlineasm/x86.rb: Fix crash caused by incorrect assembly code for double types. 646 6472014-02-19 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com> 648 649 ASSERTION FAILED: (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) in WTF::dateToDaysFrom1970 650 https://bugs.webkit.org/show_bug.cgi?id=128740 651 652 Very large numbers could cause an overflow which resulted in the assertion failing in WTF::dateToDaysFrom1970 653 DateConstructor will now check if the number fits into an Int32 before casting 654 655 Reviewed by Geoffrey Garen. 656 657 * runtime/DateConstructor.cpp: 658 (JSC::constructDate): 659 (JSC::dateUTC): 660 6612014-02-19 Mark Hahnenberg <mhahnenberg@apple.com> 662 663 Dedicated worker crash caused by global DFG worklists + GC 664 https://bugs.webkit.org/show_bug.cgi?id=128537 665 666 Reviewed by Filip Pizlo. 667 668 The process-global DFG worklists were causing objects to participate in the garbage collections of VMs 669 other than the one they were allocated in. This started manifesting in the worker tests because they're 670 one of the few WebKit tests that do multithreaded JS. 671 672 The fix is to filter out Plans from other VMs during collection. 
673 674 * dfg/DFGSafepoint.cpp: 675 (JSC::DFG::Safepoint::vm): 676 * dfg/DFGSafepoint.h: 677 * dfg/DFGWorklist.cpp: 678 (JSC::DFG::Worklist::isActiveForVM): 679 (JSC::DFG::Worklist::suspendAllThreads): 680 (JSC::DFG::Worklist::resumeAllThreads): 681 (JSC::DFG::Worklist::visitChildren): 682 * dfg/DFGWorklist.h: 683 * heap/Heap.cpp: 684 (JSC::Heap::deleteAllCompiledCode): 685 * heap/SlotVisitorInlines.h: 686 (JSC::SlotVisitor::copyLater): 687 6882014-02-19 Brady Eidson <beidson@apple.com> 689 690 Add FeatureDefines for image controls 691 https://bugs.webkit.org/show_bug.cgi?id=129022 692 693 Reviewed by Jer Noble. 694 695 * Configurations/FeatureDefines.xcconfig: 696 6972014-02-19 Dan Bernstein <mitz@apple.com> 698 699 Simplify PLATFORM(MAC) && !PLATFORM(IOS) and similar expressions 700 https://bugs.webkit.org/show_bug.cgi?id=129029 701 702 Reviewed by Mark Rowe. 703 704 * API/JSValueRef.cpp: 705 (JSValueUnprotect): 706 * jit/ExecutableAllocatorFixedVMPool.cpp: 707 7082014-02-18 Filip Pizlo <fpizlo@apple.com> 709 710 Correctly install libllvmForJSC.dylib in production builds 711 https://bugs.webkit.org/show_bug.cgi?id=129023 712 713 Reviewed by Mark Rowe. 714 715 In non-production builds, we copy it as before. In production builds, we use the install 716 path. 717 718 Also roll http://trac.webkit.org/changeset/164348 back in. 719 720 * Configurations/Base.xcconfig: 721 * Configurations/LLVMForJSC.xcconfig: 722 * JavaScriptCore.xcodeproj/project.pbxproj: 723 7242014-02-18 Filip Pizlo <fpizlo@apple.com> 725 726 Unreviewed, roll out http://trac.webkit.org/changeset/164348 because it broke some 727 builds. 728 729 * JavaScriptCore.xcodeproj/project.pbxproj: 730 7312014-02-18 Filip Pizlo <fpizlo@apple.com> 732 733 Don't call LLVMInitializeNativeTarget() because it can be all messed up if you cross-compile LLVM 734 https://bugs.webkit.org/show_bug.cgi?id=129020 735 736 Reviewed by Dan Bernstein. 
737 738 LLVMInitializeNativeTarget() is this super special inline function in llvm-c/Target.h that 739 depends on some #define's that come from some really weird magic in autoconf/configure.ac. 740 That magic fails miserably for cross-compiles. So, we need to manually initialize the things 741 that InitializeNativeTarget initializes. 742 743 * llvm/library/LLVMExports.cpp: 744 (initializeAndGetJSCLLVMAPI): 745 7462014-02-18 Filip Pizlo <fpizlo@apple.com> 747 748 The shell scripts in the Xcode build system should tell you when they failed 749 https://bugs.webkit.org/show_bug.cgi?id=129018 750 751 Reviewed by Mark Rowe. 752 753 * JavaScriptCore.xcodeproj/project.pbxproj: 754 7552014-02-17 Gavin Barraclough <barraclough@apple.com> 756 757 Add fast mapping from StringImpl to JSString 758 https://bugs.webkit.org/show_bug.cgi?id=128625 759 760 Reviewed by Geoff Garen & Andreas Kling. 761 762 * runtime/JSString.cpp: 763 (JSC::JSString::WeakOwner::finalize): 764 - once the JSString weakly owned by a StringImpl becomed unreachable remove the WeakImpl. 765 * runtime/JSString.h: 766 (JSC::jsStringWithWeakOwner): 767 - create a JSString wrapping a StringImpl, and weakly caches the JSString on the StringImpl. 768 * runtime/VM.cpp: 769 (JSC::VM::VM): 770 - initialize jsStringWeakOwner. 771 (JSC::VM::createLeakedForMainThread): 772 - initialize jsStringWeakOwner - the main thread gets to use the weak pointer 773 on StringImpl to cache a JSString wrapper. 774 * runtime/VM.h: 775 - renamed createLeaked -> createLeakedForMainThread to make it clear this 776 should only be used to cretae the main thread VM. 777 7782014-02-18 Oliver Hunt <oliver@apple.com> 779 780 Prevent builtin js named with C++ reserved words from breaking the build 781 https://bugs.webkit.org/show_bug.cgi?id=129017 782 783 Reviewed by Sam Weinig. 784 785 Simple change to a couple of macros to make sure we don't create functions 786 named using reserved words. 
787 788 * builtins/BuiltinExecutables.cpp: 789 * builtins/BuiltinNames.h: 790 7912014-02-18 Filip Pizlo <fpizlo@apple.com> 792 793 FTL should build on ARM64 794 https://bugs.webkit.org/show_bug.cgi?id=129010 795 796 Reviewed by Sam Weinig. 797 798 * disassembler/X86Disassembler.cpp: Just because we have the LLVM disassembler doesn't mean we're on X86. 799 * ftl/FTLLocation.cpp: DWARF parsing for ARM64 is super easy. 800 (JSC::FTL::Location::isGPR): 801 (JSC::FTL::Location::gpr): 802 (JSC::FTL::Location::isFPR): 803 (JSC::FTL::Location::fpr): 804 (JSC::FTL::Location::restoreInto): This function wasn't even X86-specific to begin with so move it out of the #if stuff. 805 * ftl/FTLUnwindInfo.cpp: They're called q not d. 806 (JSC::FTL::UnwindInfo::parse): 807 * jit/GPRInfo.h: 808 (JSC::GPRInfo::toArgumentRegister): Add this method; we alraedy had it on X86. 809 8102014-02-18 Filip Pizlo <fpizlo@apple.com> 811 812 FTL unwind parsing should handle ARM64 813 https://bugs.webkit.org/show_bug.cgi?id=128984 814 815 Reviewed by Oliver Hunt. 816 817 This makes unwind parsing handle ARM64 and it makes all clients of unwind info capable of 818 dealing with that architecture. 819 820 The big difference is that ARM64 has callee-save double registers. This is conceptually easy 821 to handle, but out code for dealing with callee-saves spoke of "GPRReg". We've been in this 822 situation before: code that needs to deal with either a GPRReg or a FPRReg. In the past we'd 823 hacked around the problem, but this time I decided to do a full frontal assault. This patch 824 adds a Reg class, which is a box for either GPRReg or FPRReg along with tools for iterating 825 over all possible registers. Then, I threaded this through SaveRestore, RegisterSet, 826 RegisterAtOffset, and UnwindInfo. With the help of Reg, it was easy to refactor the code to 827 handle FPRs in addition to GPRs. 
828 829 * CMakeLists.txt: 830 * GNUmakefile.list.am: 831 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 832 * JavaScriptCore.xcodeproj/project.pbxproj: 833 * ftl/FTLOSRExitCompiler.cpp: 834 (JSC::FTL::compileStub): 835 * ftl/FTLRegisterAtOffset.cpp: 836 (JSC::FTL::RegisterAtOffset::dump): 837 * ftl/FTLRegisterAtOffset.h: 838 (JSC::FTL::RegisterAtOffset::RegisterAtOffset): 839 (JSC::FTL::RegisterAtOffset::operator!): 840 (JSC::FTL::RegisterAtOffset::reg): 841 (JSC::FTL::RegisterAtOffset::operator==): 842 (JSC::FTL::RegisterAtOffset::operator<): 843 (JSC::FTL::RegisterAtOffset::getReg): 844 * ftl/FTLSaveRestore.cpp: 845 (JSC::FTL::offsetOfReg): 846 * ftl/FTLSaveRestore.h: 847 * ftl/FTLUnwindInfo.cpp: 848 (JSC::FTL::UnwindInfo::parse): 849 (JSC::FTL::UnwindInfo::find): 850 (JSC::FTL::UnwindInfo::indexOf): 851 * ftl/FTLUnwindInfo.h: 852 * jit/Reg.cpp: Added. 853 (JSC::Reg::dump): 854 * jit/Reg.h: Added. 855 (JSC::Reg::Reg): 856 (JSC::Reg::fromIndex): 857 (JSC::Reg::first): 858 (JSC::Reg::last): 859 (JSC::Reg::next): 860 (JSC::Reg::index): 861 (JSC::Reg::isSet): 862 (JSC::Reg::operator!): 863 (JSC::Reg::isGPR): 864 (JSC::Reg::isFPR): 865 (JSC::Reg::gpr): 866 (JSC::Reg::fpr): 867 (JSC::Reg::operator==): 868 (JSC::Reg::operator!=): 869 (JSC::Reg::operator<): 870 (JSC::Reg::operator>): 871 (JSC::Reg::operator<=): 872 (JSC::Reg::operator>=): 873 (JSC::Reg::hash): 874 (JSC::Reg::invalid): 875 * jit/RegisterSet.h: 876 (JSC::RegisterSet::set): 877 (JSC::RegisterSet::clear): 878 (JSC::RegisterSet::get): 879 8802014-02-17 Filip Pizlo <fpizlo@apple.com> 881 882 More ARM FTL glue 883 https://bugs.webkit.org/show_bug.cgi?id=128948 884 885 Reviewed by Sam Weinig. 886 887 * Configurations/Base.xcconfig: Allow for an header search directory for LLVM's generated files. 888 * Configurations/LLVMForJSC.xcconfig: Link the right things for ARM. 889 * assembler/ARM64Assembler.h: Builds fix. 
        (JSC::ARM64Assembler::fillNops):
        * disassembler/LLVMDisassembler.cpp: Use the right target triples.
        (JSC::tryToDisassembleWithLLVM):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps): Build fix.
        * jit/GPRInfo.h: Build fix.
        * llvm/library/LLVMExports.cpp: Link the right things.
        (initializeAndGetJSCLLVMAPI):

2014-02-17  Anders Carlsson  <andersca@apple.com>

        Remove ENABLE_GLOBAL_FASTMALLOC_NEW
        https://bugs.webkit.org/show_bug.cgi?id=127067

        Reviewed by Geoffrey Garen.

        * parser/Nodes.h:

2014-02-17  Sergio Correia  <sergio.correia@openbossa.org>

        Replace uses of PassOwnPtr/OwnPtr with std::unique_ptr in WebCore/inspector
        https://bugs.webkit.org/show_bug.cgi?id=128681

        Reviewed by Timothy Hatcher.

        Another step towards getting rid of PassOwnPtr/OwnPtr, now targeting
        WebCore/inspector/*. Besides files in there, a few other files in
        JavaScriptCore/inspector, WebKit/, WebKit2/WebProcess/WebCoreSupport/
        and WebCore/testing were touched.

        * inspector/ContentSearchUtilities.cpp:
        * inspector/ContentSearchUtilities.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        * inspector/agents/InspectorConsoleAgent.h:

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        FTL should support ToPrimitive and the DFG should fold it correctly
        https://bugs.webkit.org/show_bug.cgi?id=128892

        Reviewed by Geoffrey Garen.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToPrimitive):
        * tests/stress/fold-to-primitive-in-cfa.js: Added.
        (foo):
        (.result.foo):
        * tests/stress/fold-to-primitive-to-identity-in-cfa.js: Added.
        (foo):
        (.result.foo):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        Register preservation wrapper should know about the possibility of callee-saved FPRs
        https://bugs.webkit.org/show_bug.cgi?id=128923

        Reviewed by Mark Hahnenberg.

        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterPreservationWrapper):
        (JSC::generateRegisterRestoration):
        * jit/RegisterSet.cpp:

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        lr is a special register on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=128922

        Reviewed by Mark Hahnenberg.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::specialRegisters):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        Fix RegisterSet::calleeSaveRegisters() by making it correct on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=128921

        Reviewed by Mark Hahnenberg.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        RegisterSet::calleeSaveRegisters() should know about ARM64
        https://bugs.webkit.org/show_bug.cgi?id=128918

        Reviewed by Mark Hahnenberg.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):

2014-02-17  Csaba Osztrogonác  <ossy@webkit.org>

        Move back primary header includes next to config.h
        https://bugs.webkit.org/show_bug.cgi?id=128912

        Reviewed by Alexey Proskuryakov.

        * dfg/DFGAbstractHeap.cpp:
        * dfg/DFGAbstractValue.cpp:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArithMode.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGAtTailAbstractState.cpp:
        * dfg/DFGAvailability.cpp:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.cpp:
        * dfg/DFGBinarySwitch.cpp:
        * dfg/DFGBlockInsertionSet.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGClobberSet.cpp:
        * dfg/DFGClobberize.cpp:
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGCompilationKey.cpp:
        * dfg/DFGCompilationMode.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDesiredIdentifiers.cpp:
        * dfg/DFGDesiredStructureChains.cpp:
        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredWatchpoints.cpp:
        * dfg/DFGDesiredWeakReferences.cpp:
        * dfg/DFGDesiredWriteBarriers.cpp:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDominators.cpp:
        * dfg/DFGEdge.cpp:
        * dfg/DFGFailedFinalizer.cpp:
        * dfg/DFGFinalizer.cpp:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushFormat.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGFlushedAt.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraphSafepoint.cpp:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJumpReplacement.cpp:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLazyJSValue.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLongLivedState.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.cpp:
        * dfg/DFGNaturalLoops.cpp:
        * dfg/DFGNode.cpp:
        * dfg/DFGNodeFlags.cpp:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOSRExitPreparation.cpp:
        * dfg/DFGPhase.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSafepoint.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThreadData.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGUseKind.cpp:
        * dfg/DFGValidate.cpp:
        * dfg/DFGValueSource.cpp:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.cpp:
        * dfg/DFGVariableEventStream.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * heap/JITStubRoutineSet.cpp:
        * jit/GCAwareJITStubRoutine.cpp:
        * jit/JIT.cpp:
        * jit/JITDisassembler.cpp:
        * jit/JITOperations.cpp:
        * jit/JITStubRoutine.cpp:
        * jit/JITStubs.cpp:
        * jit/TempRegisterSet.cpp:

2014-02-16  Filip Pizlo  <fpizlo@apple.com>

        FTL OSR exit shouldn't make X86-specific assumptions
        https://bugs.webkit.org/show_bug.cgi?id=128890

        Reviewed by Mark Hahnenberg.

        Mostly this is about not using push/pop, but instead using the more abstract pushToSave() and popToRestore() while reflecting on the stack alignment.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::pushToSaveImmediateWithoutTouchingRegisters):
        (JSC::MacroAssembler::pushToSaveByteOffset):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
        (JSC::MacroAssemblerARM64::pushToSaveByteOffset):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, make this test pass without DFG. It was assuming that you always have DFG
        and that it would always tier-up to the DFG - both wrong assumptions.

        * tests/stress/tricky-array-bounds-checks.js:
        (foo):

2014-02-17  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Fix the CLoop build after r163760
        https://bugs.webkit.org/show_bug.cgi?id=128900

        Reviewed by Csaba Osztrogonác.

        * llint/LLIntThunks.cpp:

2014-02-17  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        CLoop build fix after r164207
        https://bugs.webkit.org/show_bug.cgi?id=128899

        Reviewed by Csaba Osztrogonác.

        * dfg/DFGCommon.h:
        (JSC::DFG::shouldShowDisassembly):

2014-02-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, 32-bit build fix.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::lshiftPtr):

2014-02-15  Filip Pizlo  <fpizlo@apple.com>

        FTL should inline polymorphic heap accesses
        https://bugs.webkit.org/show_bug.cgi?id=128795

        Reviewed by Oliver Hunt.

        We now inline GetByIds that we know are pure but polymorphic. They manifest in DFG IR
        as MultiGetByOffset, and in LLVM IR as a switch with a basic block for each kind of
        read.

        2% speed-up on Octane mostly due to an 18% speed-up on deltablue.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/ExitingJITType.cpp: Added.
        (WTF::printInternal):
        * bytecode/ExitingJITType.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::dump):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::numVariants):
        (JSC::GetByIdStatus::variants):
        (JSC::GetByIdStatus::at):
        (JSC::GetByIdStatus::operator[]):
        * bytecode/GetByIdVariant.cpp: Added.
        (JSC::GetByIdVariant::dump):
        (JSC::GetByIdVariant::dumpInContext):
        * bytecode/GetByIdVariant.h: Added.
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::isSet):
        (JSC::GetByIdVariant::operator!):
        (JSC::GetByIdVariant::structureSet):
        (JSC::GetByIdVariant::chain):
        (JSC::GetByIdVariant::specificValue):
        (JSC::GetByIdVariant::offset):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        (JSC::DFG::verboseCompilationEnabled):
        (JSC::DFG::logCompilationChanges):
        (JSC::DFG::shouldShowDisassembly):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasMultiGetByOffsetData):
        (JSC::DFG::Node::multiGetByOffsetData):
        * dfg/DFGNodeType.h:
        * dfg/DFGPhase.h:
        (JSC::DFG::Phase::graph):
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::dumpAndVerifyGraph):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        * ftl/FTLState.h:
        (JSC::FTL::verboseCompilationEnabled):
        (JSC::FTL::showDisassembly):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionEffectful42):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::dump):
        (JSC::IntendedStructureChain::dumpInContext):
        * runtime/IntendedStructureChain.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * tests/stress/fold-multi-get-by-offset-to-get-by-offset-with-watchpoint.js: Added.
        (foo):
        (bar):
        * tests/stress/fold-multi-get-by-offset-to-get-by-offset.js: Added.
        (foo):
        (bar):
        * tests/stress/multi-get-by-offset-proto-and-self.js: Added.
        (foo):
        (Foo):

2014-02-16  Filip Pizlo  <fpizlo@apple.com>

        DFG::prepareOSREntry should be nice to the stack
        https://bugs.webkit.org/show_bug.cgi?id=128883

        Reviewed by Oliver Hunt.

        Previously OSR entry had some FIXME's and some really badly commented-out code for
        clearing stack entries to help GC. It also did some permutations on a stack frame
        above us, in such a way that it wasn't obvious that we wouldn't clobber our own
        stack frame. This function also crashed in ASan.

        It just seems like there was too much badness to the whole idea of prepareOSREntry
        directly editing the stack. So, I changed it to create a stack frame in a scratch
        buffer on the side and then have some assembly code just copy it into place. This
        works fine, fixes a FIXME, possibly fixes some stack clobbering, and might help us
        make more progress with ASan.

        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * dfg/DFGThunks.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:

2014-02-15  Filip Pizlo  <fpizlo@apple.com>

        Vector with inline capacity should work with non-PODs
        https://bugs.webkit.org/show_bug.cgi?id=128864

        Reviewed by Michael Saboff.

        Deques no longer have inline capacity because it was broken, and we didn't need it
        here anyway.

        * dfg/DFGWorklist.h:

2014-02-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r164166.

        This broke three unique tests:

        ** The following JSC stress test failures have been introduced:
        regress/script-tests/variadic-closure-call.js.default-ftl
        regress/script-tests/variadic-closure-call.js.ftl-no-cjit-validate
        regress/script-tests/variadic-closure-call.js.ftl-no-cjit-osr-validation
        regress/script-tests/variadic-closure-call.js.ftl-eager
        regress/script-tests/variadic-closure-call.js.ftl-eager-no-cjit
        regress/script-tests/variadic-closure-call.js.ftl-eager-no-cjit-osr-validation
        jsc-layout-tests.yaml/js/script-tests/unmatching-argument-count.js.layout-ftl-eager-no-cjit
        regress/script-tests/direct-arguments-getbyval.js.ftl-eager-no-cjit
        regress/script-tests/direct-arguments-getbyval.js.ftl-eager-no-cjit-osr-validation

        * bytecode/PolymorphicAccessStructureList.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * tests/stress/ftl-getbyval-arguments.js:

2014-02-15  Matthew Mirman  <mmirman@apple.com>

        Added GetMyArgumentByVal to FTL
        https://bugs.webkit.org/show_bug.cgi?id=128850

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        * tests/stress/ftl-getbyval-arguments.js: Added.
        (foo):

2014-02-15  peavo@outlook.com  <peavo@outlook.com>

        [Win] LLINT is not working.
        https://bugs.webkit.org/show_bug.cgi?id=128115

        Reviewed by Mark Lam.

        This patch will generate assembly code with Intel syntax, which can be processed by the Microsoft assembler (MASM).
        By creating an asm file instead of a header file with inline assembly, we can support 64-bit.
        Only 32-bit compilation has been tested, not 64-bit.
        The aim of this patch is to get LLINT up and running on Windows.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added new files, and generated asm file.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * LLIntAssembly/build-LLIntAssembly.sh: Generate dummy asm file in case we're using C backend.
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor): Compile fix when DFG is disabled.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor): Ditto.
        * bytecode/GetByIdStatus.h: Ditto.
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor): Ditto.
        * bytecode/PutByIdStatus.h: Ditto.
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize): Compile fix.
        * llint/LLIntSlowPaths.h: Added llint_crash function.
        * llint/LLIntSlowPaths.cpp: Ditto.
        * llint/LowLevelInterpreter.cpp: Disable code for Windows.
        * llint/LowLevelInterpreter.asm: Remove instruction which generates incorrect assembly code on Windows (MOV 0xbbadbeef, register), call llint_crash instead.
        Make local labels visible to MASM on Windows.
        * llint/LowLevelInterpreter32_64.asm: Make local labels visible to MASM on Windows.
        * offlineasm/asm.rb: Generate asm file with Intel assembly syntax.
        * offlineasm/settings.rb: Ditto.
        * offlineasm/x86.rb: Ditto.

2014-02-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH when debugger closes while paused and remote inspecting a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=127757

        Reviewed by Timothy Hatcher.

        The problem was that the lifetime of the InspectorController and all agents
        was tied to the remote inspector session. So, if a remote inspector was
        disconnected while in the nested run loop, everything would get torn
        down and when execution continued out of the nested runloop we would be
        back in the original call stack of destroyed objects.

        This patch changes the lifetime of the InspectorController and agents to
        the JSGlobalObject. This way the agents are always alive, just the
        frontend and backend channels are destroyed and recreated each remote
        inspector session. This matches the agent lifetime for WebCore agents.
        We can also later take advantage of the agents being alive before
        and between inspector debug sessions to stash exception messages to
        pass on to a debugger if a debugger is connected later.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        Cleaner initialization of agents. Easier to follow.

        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        Move InjectedScript disconnection only once the global object is destroyed.
        This way if a developer has attached once and included an injected script,
        we will keep it around with any state it might want to remember until
        the global object is destroyed.

        (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
        Disconnect agents and injected scripts when the global object is destroyed.

        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::disconnect):
        Now that the injected script manager is reused between remote
        inspector sessions, don't clear the pointer on disconnect calls.
        We now only call this once when the global object is getting
        destroyed anyways so it doesn't matter. But if we wanted to call
        disconnect multiple times, e.g. once per session, we could.

        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
        If the only listener was removed during the nested runloop, then when
        we dispatch an event after the nested runloop the listener list will
        be empty. Instead of asserting, just pass by an empty list.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inspectorController):
        Tie the inspector controller lifetime to the JSGlobalObject.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):
        (JSC::JSGlobalObject::init):
        Create the inspector controller, and eagerly signal teardown
        in destruction.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
        Simplify by using the inspector controller on JSGlobalObject.

2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        -[JSManagedValue value] needs to be protected by the API lock
        https://bugs.webkit.org/show_bug.cgi?id=128857

        Reviewed by Mark Lam.

        * API/APICast.h:
        (toRef): Added an ASSERT so that we can detect these sorts of errors earlier. On 32-bit, toRef
        can allocate objects so we need to be holding the lock.
        * API/APIShims.h: Removed outdated comments.
        * API/JSManagedValue.mm: Added RefPtr<JSLock> to JSManagedValue.
        (-[JSManagedValue initWithValue:]): Initialize the m_lock field.
        (-[JSManagedValue value]): Lock the JSLock, check the VM*, return nil if invalid, take the APIEntryShim otherwise.
        * runtime/JSLock.cpp: Bug fix in JSLock. We were assuming that the VM was always non-null in JSLock::lock.
        (JSC::JSLock::lock):

2014-02-14  Oliver Hunt  <oliver@apple.com>

        Implement a few more Array prototype functions in JS
        https://bugs.webkit.org/show_bug.cgi?id=128788

        Reviewed by Gavin Barraclough.

        Remove a pile of awful C++, and rewrite in simple JS.

        Needed to make a few other changes to get builtins' behavior
        to more accurately match a host function's.

        * builtins/Array.prototype.js:
        (every):
        (forEach):
        (filter):
        (map):
        (some):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::BuiltinExecutables):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitPutByVal):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitExpressionInfo):
        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::overrideName):
        * profiler/LegacyProfiler.cpp:
        (JSC::createCallIdentifierFromFunctionImp):
        * runtime/ArrayPrototype.cpp:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::deleteProperty):
        * runtime/JSFunction.h:

2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        ASSERT(isValidAllocation(bytes)) when ObjC API creates custom errors
        https://bugs.webkit.org/show_bug.cgi?id=128840

        Reviewed by Joseph Pecoraro.

        We need to add APIEntryShims around places where we allocate errors in JSC.
        Also converted some of the createTypeError call sites to use ASCIILiteral.

        * API/JSValue.mm:
        (valueToArray):
        (valueToDictionary):
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsConstructor):
        (JSC::ObjCCallbackFunctionImpl::call):
        * API/tests/testapi.mm:

2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Baseline JIT should have a fast path to bypass the write barrier on op_enter
        https://bugs.webkit.org/show_bug.cgi?id=128832

        Reviewed by Filip Pizlo.

        * jit/JIT.h: Removed some random commented out functions.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2014-02-14  Filip Pizlo  <fpizlo@apple.com>

        Don't optimize variadic closure calls
        https://bugs.webkit.org/show_bug.cgi?id=128835

        Reviewed by Gavin Barraclough.

        Re-add the check that had been in JITStubs.cpp, back in the day. This code came
        from the DFG and the DFG didn't need these checks.

        * jit/JITOperations.cpp:

2014-02-14  David Kilzer  <ddkilzer@apple.com>

        [ASan] Disable JSStack::sanitizeStack() to avoid false-positive stack-buffer-overflow errors
        <http://webkit.org/b/128819>

        Reviewed by Filip Pizlo.

        * interpreter/JSStack.cpp:
        (JSC::JSStack::sanitizeStack): When building with the clang
        address sanitizer, don't sanitize the stack since it will
        trigger false-positive stack-buffer-overflow errors. Disabling
        this only results in a performance penalty, not a correctness
        penalty.

2014-02-14  Andres Gomez  <agomez@igalia.com>

        Cleaning the JSStaticScopeObject files left behind after renaming their objects to JSNameScope
        https://bugs.webkit.org/show_bug.cgi?id=127595

        Reviewed by Mario Sanchez Prada.

        JSStaticScopeObject was renamed to JSNameScope and removed long
        ago but the files were left behind empty and the CMake compilation
        in need of its existence. Now, we are definitely getting rid of
        them.

        * CMakeLists.txt:
        * runtime/JSStaticScopeObject.cpp: Removed.
        * runtime/JSStaticScopeObject.h: Removed.

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Kill some of the last vestiges of the C++ interpreter's PICs
        https://bugs.webkit.org/show_bug.cgi?id=128796

        Reviewed by Michael Saboff.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PolymorphicAccessStructureList.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        (JSC::PolymorphicAccessStructureList::visitWeak):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/Repatch.cpp:
        (JSC::getPolymorphicStructureList):
        (JSC::tryBuildGetByIDList):
        * llint/LowLevelInterpreter.asm:

2014-02-13  Mark Lam  <mark.lam@apple.com>

        The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs. Part 2.
        <https://webkit.org/b/128764>

        Reviewed by Mark Hahnenberg.

        toJS() is the wrong cast function to use. We need to use toJSForGC() instead.
        Also we need to acquire the JSLock to prevent concurrent accesses to the
        Strong handle list.

        * API/JSValue.mm:
        (JSContainerConvertor::add):
        (containerValueToObject):
        (ObjcContainerConvertor::add):
        (objectToValue):

2014-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSManagedValue::dealloc modifies NSMapTable while iterating it
        https://bugs.webkit.org/show_bug.cgi?id=128713

        Reviewed by Geoffrey Garen.

        Having to write a test for this revealed a bug in how addManagedReference:withOwner:
        actually notifies JSManagedValues of new owners.

        * API/JSManagedValue.mm:
        (-[JSManagedValue dealloc]):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):

2014-02-13  Ryosuke Niwa  <rniwa@webkit.org>

        Speculative Release build fix after r164077.

        * API/JSValue.mm:

2014-02-13  Mark Lam  <mark.lam@apple.com>

        The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs.
        <https://webkit.org/b/128764>

        Reviewed by Mark Hahnenberg.

        Added a vector of Strong<Unknown> references in the 2 containers, and append
        the newly created JSValues to those vectors. This will keep all those JS objects
        alive for the duration of the conversion.

        * API/JSValue.mm:
        (JSContainerConvertor::add):
        (ObjcContainerConvertor::add):

2014-02-13  Matthew Mirman  <mmirman@apple.com>

        Added GetMyArgumentsLength to FTL
        https://bugs.webkit.org/show_bug.cgi?id=128758

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
        * tests/stress/ftl-getmyargumentslength.js: Added.
        (foo):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164066.

        It broke tests and it was just plain wrong.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfo):
        * runtime/Structure.h:
        (JSC::Structure::takesSlowPathInDFGForImpureProperty):

2014-02-13  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix.

        Fixed typo.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::run):

2014-02-13  Michael Saboff  <msaboff@apple.com>

        Change FTL stack check to use VM's stackLimit
        https://bugs.webkit.org/show_bug.cgi?id=128561

        Reviewed by Filip Pizlo.

        Changes FTL function entry to check the call frame register against the FTL
        specific stack limit (VM::m_ftlStackLimit) and throw an exception if the
        stack limit has been exceeded. Updated the exception handling code to have
        a second entry that will unroll the current frame to the caller, since that
        is where the exception should be processed.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLState.h:
        * runtime/VM.h:
        (JSC::VM::addressOfFTLStackLimit):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        GetByIdStatus shouldn't call takesSlowPathInDFGForImpureProperty() for self accesses, and calling that method should never assert about anything
        https://bugs.webkit.org/show_bug.cgi?id=128772

        Reviewed by Mark Hahnenberg.
1761 1762 * bytecode/GetByIdStatus.cpp: 1763 (JSC::GetByIdStatus::computeFromLLInt): 1764 (JSC::GetByIdStatus::computeForStubInfo): 1765 * runtime/Structure.h: 1766 (JSC::Structure::takesSlowPathInDFGForImpureProperty): 1767 17682014-02-13 Mark Hahnenberg <mhahnenberg@apple.com> 1769 1770 Add some RELEASE_ASSERTs to catch JSLock bugs earlier 1771 https://bugs.webkit.org/show_bug.cgi?id=128762 1772 1773 Reviewed by Mark Lam. 1774 1775 * interpreter/Interpreter.cpp: 1776 (JSC::Interpreter::execute): 1777 * runtime/JSLock.cpp: 1778 (JSC::JSLock::DropAllLocks::DropAllLocks): 1779 17802014-02-12 Filip Pizlo <fpizlo@apple.com> 1781 1782 Hoist and combine array bounds checks 1783 https://bugs.webkit.org/show_bug.cgi?id=125433 1784 1785 Reviewed by Mark Hahnenberg. 1786 1787 This adds a phase for reasoning about overflow checks and array bounds checks. It's 1788 block-local, and removes both overflow checks and bounds checks in one go. 1789 1790 This also improves reasoning about commutative operations, and CSE between 1791 CheckOverflow and Unchecked arithmetic. 1792 1793 This strangely uncovered a DFG backend bug where we were trying to extract an int32 1794 from a constant even when that constant was just simply a number. I fixed that bug. 
1795 1796 * CMakeLists.txt: 1797 * GNUmakefile.list.am: 1798 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 1799 * JavaScriptCore.xcodeproj/project.pbxproj: 1800 * dfg/DFGAbstractInterpreterInlines.h: 1801 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 1802 * dfg/DFGAbstractValue.cpp: 1803 (JSC::DFG::AbstractValue::set): 1804 * dfg/DFGArgumentsSimplificationPhase.cpp: 1805 (JSC::DFG::ArgumentsSimplificationPhase::run): 1806 * dfg/DFGArithMode.h: 1807 (JSC::DFG::subsumes): 1808 * dfg/DFGByteCodeParser.cpp: 1809 (JSC::DFG::ByteCodeParser::handleIntrinsic): 1810 * dfg/DFGCSEPhase.cpp: 1811 (JSC::DFG::CSEPhase::pureCSE): 1812 (JSC::DFG::CSEPhase::int32ToDoubleCSE): 1813 (JSC::DFG::CSEPhase::performNodeCSE): 1814 * dfg/DFGClobberize.h: 1815 (JSC::DFG::clobberize): 1816 * dfg/DFGEdge.cpp: 1817 (JSC::DFG::Edge::dump): 1818 * dfg/DFGEdge.h: 1819 (JSC::DFG::Edge::sanitized): 1820 (JSC::DFG::Edge::hash): 1821 * dfg/DFGFixupPhase.cpp: 1822 (JSC::DFG::FixupPhase::fixupNode): 1823 * dfg/DFGGraph.h: 1824 (JSC::DFG::Graph::valueOfInt32Constant): 1825 * dfg/DFGInsertionSet.h: 1826 (JSC::DFG::InsertionSet::insertConstant): 1827 * dfg/DFGIntegerCheckCombiningPhase.cpp: Added. 1828 (JSC::DFG::IntegerCheckCombiningPhase::IntegerCheckCombiningPhase): 1829 (JSC::DFG::IntegerCheckCombiningPhase::run): 1830 (JSC::DFG::IntegerCheckCombiningPhase::handleBlock): 1831 (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): 1832 (JSC::DFG::IntegerCheckCombiningPhase::isValid): 1833 (JSC::DFG::IntegerCheckCombiningPhase::insertAdd): 1834 (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd): 1835 (JSC::DFG::performIntegerCheckCombining): 1836 * dfg/DFGIntegerCheckCombiningPhase.h: Added. 
1837 * dfg/DFGNode.h: 1838 (JSC::DFG::Node::willHaveCodeGenOrOSR): 1839 * dfg/DFGNodeType.h: 1840 * dfg/DFGPlan.cpp: 1841 (JSC::DFG::Plan::compileInThreadImpl): 1842 * dfg/DFGPredictionPropagationPhase.cpp: 1843 (JSC::DFG::PredictionPropagationPhase::propagate): 1844 * dfg/DFGSafeToExecute.h: 1845 (JSC::DFG::safeToExecute): 1846 * dfg/DFGSpeculativeJIT.cpp: 1847 (JSC::DFG::SpeculativeJIT::compileAdd): 1848 * dfg/DFGSpeculativeJIT32_64.cpp: 1849 (JSC::DFG::SpeculativeJIT::compile): 1850 * dfg/DFGSpeculativeJIT64.cpp: 1851 (JSC::DFG::SpeculativeJIT::compile): 1852 * dfg/DFGStrengthReductionPhase.cpp: 1853 (JSC::DFG::StrengthReductionPhase::handleNode): 1854 (JSC::DFG::StrengthReductionPhase::handleCommutativity): 1855 * dfg/DFGTypeCheckHoistingPhase.cpp: 1856 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): 1857 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): 1858 * ftl/FTLCapabilities.cpp: 1859 (JSC::FTL::canCompile): 1860 * ftl/FTLLowerDFGToLLVM.cpp: 1861 (JSC::FTL::LowerDFGToLLVM::compileNode): 1862 * jsc.cpp: 1863 (GlobalObject::finishCreation): 1864 (functionFalse): 1865 * runtime/Identifier.h: 1866 * runtime/Intrinsic.h: 1867 * runtime/JSObject.h: 1868 * tests/stress/get-by-id-untyped.js: Added. 1869 (foo): 1870 * tests/stress/inverted-additive-subsumption.js: Added. 1871 (foo): 1872 * tests/stress/redundant-add-overflow-checks.js: Added. 1873 (foo): 1874 * tests/stress/redundant-array-bounds-checks-addition-skip-first.js: Added. 1875 (foo): 1876 (arraycmp): 1877 * tests/stress/redundant-array-bounds-checks-addition.js: Added. 1878 (foo): 1879 (arraycmp): 1880 * tests/stress/redundant-array-bounds-checks-unchecked-addition.js: Added. 1881 (foo): 1882 (arraycmp): 1883 * tests/stress/redundant-array-bounds-checks.js: Added. 1884 (foo): 1885 (arraycmp): 1886 * tests/stress/tricky-array-bounds-checks.js: Added. 
1887 (foo): 1888 (arraycmp): 1889 18902014-02-13 Filip Pizlo <fpizlo@apple.com> 1891 1892 FTL should be OK with __compact_unwind in a data section 1893 https://bugs.webkit.org/show_bug.cgi?id=128756 1894 1895 Reviewed by Mark Hahnenberg. 1896 1897 * ftl/FTLCompile.cpp: 1898 (JSC::FTL::mmAllocateCodeSection): 1899 (JSC::FTL::mmAllocateDataSection): 1900 19012014-02-13 Michael Saboff <msaboff@apple.com> 1902 1903 CStack Branch: VM::currentReturnThunkPC appears to be unused and should be removed 1904 https://bugs.webkit.org/show_bug.cgi?id=127205 1905 1906 Reviewed by Geoffrey Garen. 1907 1908 Removed ununsed references to VM::currentReturnThunkPC. 1909 1910 * jit/ThunkGenerators.cpp: 1911 (JSC::arityFixup): 1912 * runtime/VM.h: 1913 19142014-02-13 Tamas Gergely <tgergely.u-szeged@partner.samsung.com> 1915 1916 Code cleanup: remove gcc<4.7 guards. 1917 https://bugs.webkit.org/show_bug.cgi?id=128729 1918 1919 Reviewed by Anders Carlsson. 1920 1921 Remove GCC_VERSION_AT_LEAST guards when it checks for pre-4.7 versions, 1922 as WK does not compile with earlier gcc versions. 1923 1924 * assembler/MIPSAssembler.h: 1925 (JSC::MIPSAssembler::cacheFlush): 1926 * interpreter/StackVisitor.cpp: 1927 (JSC::printif): 1928 19292014-02-12 Mark Lam <mark.lam@apple.com> 1930 1931 No need to save reservedZoneSize when dropping the JSLock. 1932 <https://webkit.org/b/128719> 1933 1934 Reviewed by Geoffrey Garen. 1935 1936 The reservedZoneSize does not change due to the VM being run on a different 1937 thread. Hence, there is no need to save and restore its value. Instead of 1938 calling updateReservedZoneSize() to update the stack limit, we now call 1939 setStackPointerAtVMEntry() to do the job. setStackPointerAtVMEntry() 1940 will update the stackPointerAtVMEntry and delegate to updateStackLimit() to 1941 update the stack limit based on the new stackPointerAtVMEntry. 
1942 1943 * runtime/ErrorHandlingScope.cpp: 1944 (JSC::ErrorHandlingScope::ErrorHandlingScope): 1945 (JSC::ErrorHandlingScope::~ErrorHandlingScope): 1946 - Previously, we initialize stackPointerAtVMEntry in VMEntryScope. This 1947 means that the stackPointerAtVMEntry may not be initialize when we 1948 instantiate the ErrorHandlingScope. And so, we needed to initialize the 1949 stackPointerAtVMEntry in the ErrorHandlingScope constructor if it's not 1950 already initialized. 1951 1952 Now that we initialize the stackPointerAtVMEntry when we lock the VM JSLock, 1953 we are guaranteed that it will be initialized by the time we instantiate 1954 the ErrorHandlingScope. Hence, we can change the ErrorHandlingScope code 1955 to just assert that the stackPointerAtVMEntry is initialized instead. 1956 1957 * runtime/InitializeThreading.cpp: 1958 (JSC::initializeThreading): 1959 - We no longer need to save the reservedZoneSize. Remove the related code. 1960 1961 * runtime/JSLock.cpp: 1962 (JSC::JSLock::lock): 1963 - When we grab the JSLock mutex for the first time, there is no reason why 1964 the stackPointerAtVMEntry should be initialized. By definition, grabbing 1965 the lock for the first time equates to entering the VM for the first time. 1966 Hence, we can just assert that stackPointerAtVMEntry is uninitialized, 1967 and initialize it unconditionally. 1968 1969 The only exception to this is if we're locking to regrab the JSLock in 1970 grabAllLocks(), but grabAllLocks() will take care of restoring the 1971 stackPointerAtVMEntry in that case after lock() returns. stackPointerAtVMEntry 1972 should still be 0 when we've just locked the JSLock. So, the above assertion 1973 always holds true. 1974 1975 Note: VM::setStackPointerAtVMEntry() will take care of calling 1976 VM::updateStackLimit() based on the new stackPointerAtVMEntry. 1977 1978 - There is no need to save the reservedZoneSize. 
The reservedZoneSize is 1979 set to Options::reservedZoneSize() when the VM is initialized. Thereafter, 1980 the ErrorHandlingScope will change it to Options::errorModeReservedZoneSize() 1981 when we're handling an error, and it will restore it afterwards. There is 1982 no other reason we should be changing the reservedZoneSize. Hence, we can 1983 remove the unnecessary code to save it here. 1984 1985 (JSC::JSLock::unlock): 1986 - Similarly, when the lockCount reaches 0 in unlock(), it is synonymous with 1987 exiting the VM. Hence, we should just clear the stackPointerAtVMEntry and 1988 update the stackLimit. Exiting the VM should have no effect on the VM 1989 reservedZoneSize. Hence, we can remove the unnecessary code to "restore" it. 1990 1991 (JSC::JSLock::dropAllLocks): 1992 - When dropping locks, we do not need to save the reservedZoneSize because 1993 the reservedZoneSize should remain the same regardless of which thread 1994 we are executing JS on. Hence, we can remove the unnecessary code to save 1995 the reservedZoneSize here. 1996 1997 (JSC::JSLock::grabAllLocks): 1998 - When re-grabbing locks, restoring the stackPointerAtVMEntry via 1999 VM::setStackPointerAtVMEntry() will take care of updating the stack limit. 2000 As explained above, there's no need to save the reservedZoneSize. Hence, 2001 there's no need to "restore" it here. 2002 2003 * runtime/VM.cpp: 2004 (JSC::VM::VM): 2005 (JSC::VM::setStackPointerAtVMEntry): 2006 - Sets the stackPointerAtVMEntry and delegates to updateStackLimit() to update 2007 the stack limit based on the new stackPointerAtVMEntry. 2008 (JSC::VM::updateStackLimit): 2009 * runtime/VM.h: 2010 (JSC::VM::stackPointerAtVMEntry): 2011 - Renamed stackPointerAtVMEntry to m_stackPointerAtVMEntry and made it private. 2012 Added a stackPointerAtVMEntry() function to read the value. 
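The stack-limit bookkeeping that Mark Lam's entry above describes (the entry stack pointer recorded on the first JSLock acquisition and cleared on the last release, the limit derived from it by updateStackLimit(), and the reserved zone that only ErrorHandlingScope swaps and restores) is shown here as an added C++ model. It is not JavaScriptCore's code: the stack geometry is constructed, the per-thread usage cap and the two zone sizes are assumed stand-ins for the JSC options the entry names, and the limit formula (the higher of "entry pointer minus cap" and "stack bound plus reserved zone") is an assumption chosen to illustrate why the reserved zone never needs saving across a lock drop.

```cpp
#include <algorithm>
#include <cassert>
#include <cstdint>
#include <cstdio>

using Addr = uint64_t;

// Constructed geometry of a downward-growing thread stack (illustrative values, not real addresses).
constexpr Addr kStackOrigin = 0x7fff00100000ULL;        // highest usable address
constexpr Addr kStackBound  = kStackOrigin - 0x100000;  // lowest address: a 1 MiB stack
constexpr Addr kMaxPerThreadStackUsage = 0x80000;       // assumed 512 KiB cap on VM stack use
constexpr Addr kReservedZoneSize = 0x4000;              // assumed stand-in for Options::reservedZoneSize()
constexpr Addr kErrorModeReservedZoneSize = 0x1000;     // assumed stand-in for Options::errorModeReservedZoneSize()

class VM {
public:
    VM() { updateStackLimit(); }
    // Record the stack pointer at VM entry, then derive the limit from it.
    void setStackPointerAtVMEntry(Addr sp) { m_stackPointerAtVMEntry = sp; updateStackLimit(); }
    Addr stackPointerAtVMEntry() const { return m_stackPointerAtVMEntry; }
    Addr stackLimit() const { return m_stackLimit; }
    // Only ErrorHandlingScope changes this; JSLock never saves or restores it.
    void setReservedZoneSize(Addr size) { m_reservedZoneSize = size; updateStackLimit(); }
    Addr reservedZoneSize() const { return m_reservedZoneSize; }

    // Assumed formula: code may run down to whichever is higher, the entry pointer minus the
    // per-thread cap or the stack bound plus the reserved zone. Before entry only the zone applies.
    void updateStackLimit() {
        Addr zoneLimit = kStackBound + m_reservedZoneSize;
        if (!m_stackPointerAtVMEntry) { m_stackLimit = zoneLimit; return; }
        Addr usageLimit = m_stackPointerAtVMEntry > kMaxPerThreadStackUsage
            ? m_stackPointerAtVMEntry - kMaxPerThreadStackUsage : 0;
        m_stackLimit = std::max(zoneLimit, usageLimit);
    }
private:
    Addr m_reservedZoneSize = kReservedZoneSize;
    Addr m_stackPointerAtVMEntry = 0;   // 0 means "not inside the VM"
    Addr m_stackLimit = 0;
};

// The prologue check: a frame that would land below the limit must throw instead of running.
bool stackHasRoom(const VM& vm, Addr sp) { return sp >= vm.stackLimit(); }

class JSLock {
public:
    explicit JSLock(VM& vm) : m_vm(vm) {}
    // First acquisition is VM entry: the entry pointer must still be unset, so set it unconditionally.
    void lock(Addr currentSP) {
        if (++m_lockCount == 1) {
            assert(!m_vm.stackPointerAtVMEntry());
            m_vm.setStackPointerAtVMEntry(currentSP);
        }
    }
    // Last release is VM exit: clear the entry pointer; the reserved zone is left alone.
    void unlock() {
        assert(m_lockCount > 0);
        if (--m_lockCount == 0)
            m_vm.setStackPointerAtVMEntry(0);
    }
private:
    VM& m_vm;
    unsigned m_lockCount = 0;
};

// While an error is handled the zone shrinks to give the handler headroom; restored on exit.
class ErrorHandlingScope {
public:
    explicit ErrorHandlingScope(VM& vm) : m_vm(vm), m_saved(vm.reservedZoneSize()) {
        assert(vm.stackPointerAtVMEntry());   // JSLock::lock() guarantees this is already set
        m_vm.setReservedZoneSize(kErrorModeReservedZoneSize);
    }
    ~ErrorHandlingScope() { m_vm.setReservedZoneSize(m_saved); }
private:
    VM& m_vm;
    Addr m_saved;
};

// Scenario helpers that return the values worth checking.
Addr limitAfterEntry(Addr sp) {
    VM vm; JSLock lock(vm);
    lock.lock(sp);
    Addr limit = vm.stackLimit();
    lock.unlock();
    return limit;
}

Addr limitInsideErrorScope(Addr sp) {
    VM vm; JSLock lock(vm);
    lock.lock(sp);
    Addr limit;
    { ErrorHandlingScope scope(vm); limit = vm.stackLimit(); }
    assert(vm.reservedZoneSize() == kReservedZoneSize);   // restored when the scope ends
    lock.unlock();
    return limit;
}

bool entryClearedOnlyAtLastUnlock(Addr sp) {
    VM vm; JSLock lock(vm);
    lock.lock(sp); lock.lock(sp);   // nested acquisition must keep the entry pointer
    lock.unlock();
    bool keptWhileNested = vm.stackPointerAtVMEntry() == sp;
    lock.unlock();
    return keptWhileNested && vm.stackPointerAtVMEntry() == 0;
}

int main() {
    Addr shallow = kStackOrigin - 0x100, deep = kStackBound + 0x20000;
    std::printf("shallow entry limit %#llx, deep entry limit %#llx, deep entry in error scope %#llx\n",
                (unsigned long long)limitAfterEntry(shallow), (unsigned long long)limitAfterEntry(deep),
                (unsigned long long)limitInsideErrorScope(deep));
    return 0;
}
```

Two entries are worth comparing: a shallow entry (near the stack origin) is bounded by the per-thread cap, so the reserved zone plays no part; a deep entry (the VM entered from a native caller that has already consumed most of the stack) is bounded by the zone, and only there does ErrorHandlingScope's smaller zone lower the limit to give the error path room. In both cases the zone is a property of the VM, not of the thread holding the lock, which is the reason the entry gives for dropping the save/restore in dropAllLocks() and grabAllLocks().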
2014-02-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        DelayedReleaseScope in MarkedAllocator::tryAllocateHelper is wrong
        https://bugs.webkit.org/show_bug.cgi?id=128641

        Reviewed by Michael Saboff.

        We were improperly handling the case where the DelayedReleaseScope
        in tryAllocateHelper would cause us to drop the API lock, allowing
        another thread to sneak in and allocate a new block after we had already
        concluded that there were no more blocks to allocate out of.

        The fix is to call tryAllocateHelper in a loop until we know for sure
        that this did not happen.

        There was also a race condition with the DelayedReleaseScope in addBlock.
        We would add the block to the MarkedBlock's list, sweep it, and then return,
        causing us to drop the API lock momentarily. Another thread could then
        grab the lock, and allocate out of the new block to the point where the
        free list was empty. Then we would return to the original thread, who thinks
        it's impossible to not allocate successfully at this point.
        Instead we should just let tryAllocate do all the hard work with correctly
        sweeping and getting a valid result.

        There was another race condition in didFinishIterating. We would call resumeAllocating,
        which would create a DelayedReleaseScope. The DelayedReleaseScope would then release
        the API lock before we set m_isIterating back to false, which would potentially confuse
        other threads.

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::tryPopFreeList):
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::addBlock):
        * heap/MarkedAllocator.h:

2014-02-12  Brian Burg  <bburg@apple.com>

        Web Replay: capture and replay nondeterminism of Date.now() and Math.random()
        https://bugs.webkit.org/show_bug.cgi?id=128633

        Reviewed by Filip Pizlo.

        Upstream the only two sources of script-visible nondeterminism in JavaScriptCore.

        The random seed for WeakRandom is memoized when the owning JSGlobalObject is
        constructed. It is deterministically initialized during replay before any
        scripts execute with the global object.

        The implementations of `Date.now()` and `new Date()` eventually obtain the
        current time from jsCurrentTime(). When capturing, we save return values of
        jsCurrentTime() into the recording. When replaying, we use memoized values from
        the recording instead of obtaining values from the platform-specific currentTime()
        implementation. No other code calls jsCurrentTime().

        * DerivedSources.make: Add rules to make JSReplayInputs.h from JSInputs.json.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * replay/JSInputs.json: Added. Includes specifications for replay inputs
        "GetCurrentTime" and "SetRandomSeed". Tests will be added for both input
        cases once sufficient replay machinery has been added.

        * replay/NondeterministicInput.h: NondeterministicInput should not have
        been marked 'final'.

        * runtime/DateConstructor.cpp:
        (JSC::deterministicCurrentTime): Added. Load or store the current time depending
        on what kind of InputCursor is attached to the JSGlobalObject.

        (JSC::constructDate): Use deterministicCurrentTime().
        (JSC::dateNow): Use deterministicCurrentTime().
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setInputCursor): When setting a non-empty input cursor,
        immediately store or load the "SetRandomSeed" input and initialize WeakRandom's
        random seed with it. The input cursor (and thus random seed) must be set before
        any scripts are evaluated with this JSGlobalObject.

        * runtime/WeakRandom.h:
        (JSC::WeakRandom::WeakRandom): Add JSGlobalObject as a friend class.
        (JSC::WeakRandom::initializeSeed): Extract the seed initialization into a
        separate method so it can be called outside of the JSGlobalObject constructor.

2014-02-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup JavaScriptCore/inspector
        https://bugs.webkit.org/show_bug.cgi?id=128662

        Reviewed by Timothy Hatcher.

        Now that the code has settled, do a cleanup pass.

        * inspector/ContentSearchUtilities.cpp:
        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::asObject):
        (Inspector::InspectorValue::asArray):
        (Inspector::InspectorValue::parseJSON):
        (Inspector::InspectorObjectBase::getObject):
        (Inspector::InspectorObjectBase::getArray):
        (Inspector::InspectorObjectBase::get):
        * inspector/ScriptCallStackFactory.cpp:
        * inspector/ScriptDebugServer.cpp:
        * inspector/agents/JSGlobalObjectConsoleAgent.h:

2014-02-12  Ryosuke Niwa  <rniwa@webkit.org>

        Windows build fix attempt after r163960.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-02-12  Michael Saboff  <msaboff@apple.com>

        Adjust VM::stackLimit based on the size of the largest FTL stack produced
        https://bugs.webkit.org/show_bug.cgi?id=128562

        Reviewed by Mark Lam.

        Added VM::m_largestFTLStackSize to track the largest stack size of an FTL compiled
        function. Added VM::m_ftlStackLimit for FTL functions stack limit. Renamed
        VM::updateStackLimitWithReservedZoneSize to VM::updateReservedZoneSize. Renamed
        VM::setStackLimit to VM::updateStackLimit and changed it to do the updating of the
        stack limits, including taking into account m_largestFTLStackSize.

        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::grabAllLocks):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateReservedZoneSize):
        (JSC::VM::updateStackLimit):
        (JSC::VM::updateFTLLargestStackSize):
        * runtime/VM.h:

2014-02-11  Oliver Hunt  <oliver@apple.com>

        Make it possible to implement JS builtins in JS
        https://bugs.webkit.org/show_bug.cgi?id=127887

        Reviewed by Michael Saboff.

        This patch makes it possible to write builtin functions in JS.
        The bindings, generators, and definitions are all created automatically
        based on js files in the builtins/ directory. This patch includes one
        such case: Array.prototype.js with an implementation of every().

        There's a lot of refactoring to make it possible for CommonIdentifiers
        to include the output of the generated files (DerivedSources/JSCBuiltins.{h,cpp})
        without breaking the offset extractor. The result of this refactoring
        is that CommonIdentifiers, and a few other miscellaneous headers now
        need to be included directly as they were formerly captured through other
        paths.

        In addition this adds a flag to the Lookup table's hashentry to indicate
        that a static function is actually backed by JS. There is then a lot of
        logic to thread the special nature of the function to where it matters.
        This allows toString(), .caller, etc to mimic the behaviour of a host
        function.

        Notes on writing builtins:
        - Each function is compiled independently of the others, and those
          implementations cannot currently capture all global properties (as
          that could be potentially unsafe). If a function does capture a
          global we will deliberately crash.
        - For those "global" properties that we do want access to, we use
          the @ prefix, e.g. Object(this) becomes @Object(this). The @ identifiers
          are private names, and behave just like regular properties, only
          without the risk of adulteration. Again, in the @Object case, we
          explicitly duplicate the ObjectConstructor reference on the GlobalObject
          so that we have guaranteed access to the original version of the
          constructor.
        - call, apply, eval, and Function are all rejected identifiers, again
          to prevent anything from accidentally using an adulterated object.
          Instead @call and @apply are available, and happily they completely
          drop the neq_ptr instruction as they're defined as always being the
          original call/apply functions.

        These restrictions are just intended to make it harder to accidentally
        make changes that are incorrect (for instance calling whatever has been
        assigned to global.Object, instead of the original constructor function).
        However, making a mistake like this should result in a purely semantic
        error as fundamentally these functions are treated as though they were
        regular JS code in the host global, and have no more privileges than
        any other JS.

        The initial proof of concept is Array.prototype.every, this shows a 65%
        performance improvement, and that improvement is significantly hurt by
        our poor optimisation of op_in.

        As this is such a limited function, we have not yet exported all symbols
        that we could possibly need, but as we implement more, the likelihood
        of encountering missing features will reduce.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Array.prototype.js:
        (every):
        * builtins/BuiltinExecutables.cpp: Added.
        (JSC::BuiltinExecutables::BuiltinExecutables):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/BuiltinExecutables.h:
        (JSC::BuiltinExecutables::create):
        * builtins/BuiltinNames.h: Added.
        (JSC::BuiltinNames::BuiltinNames):
        (JSC::BuiltinNames::getPrivateName):
        (JSC::BuiltinNames::getPublicName):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::toStrictness):
        (JSC::UnlinkedFunctionExecutable::isBuiltinFunction):
        (JSC::UnlinkedCodeBlock::isBuiltinFunction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isBuiltinFunction):
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * create_hash_table:
        * generate-js-builtins: Added.
        (getCopyright):
        (getFunctions):
        (generateCode):
        (mangleName):
        (FunctionExecutable):
        (Identifier):
        (JSGlobalObject):
        (SourceCode):
        (UnlinkedFunctionExecutable):
        (VM):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::isSafeBuiltinIdentifier):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::isSafeIdentifier):
        (JSC::Lexer<T>::lexExpectIdentifier):
        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables):
        * parser/Nodes.h:
        (JSC::ScopeNode::capturedVariables):
        (JSC::ScopeNode::setClosedVariables):
        (JSC::ProgramNode::closedVariables):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/Parser.h:
        (JSC::Scope::getUsedVariables):
        (JSC::Parser::closedVariables):
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        * runtime/ArrayPrototype.cpp:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        (JSC::CommonIdentifiers::~CommonIdentifiers):
        (JSC::CommonIdentifiers::getPrivateName):
        (JSC::CommonIdentifiers::getPublicName):
        * runtime/CommonIdentifiers.h:
        (JSC::CommonIdentifiers::builtinNames):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/Executable.h:
        (JSC::EvalExecutable::executableInfo):
        (JSC::ProgramExecutable::executableInfo):
        (JSC::FunctionExecutable::isBuiltinFunction):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createBuiltinFunction):
        (JSC::JSFunction::calculatedDisplayName):
        (JSC::JSFunction::sourceCode):
        (JSC::JSFunction::isHostOrBuiltinFunction):
        (JSC::JSFunction::isBuiltinFunction):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::nativeFunction):
        (JSC::JSFunction::nativeConstructor):
        (JSC::isHostFunction):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectConstructor):
        (JSC::JSGlobalObject::symbolTableHasProperty):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::putDirectBuiltinFunction):
        * runtime/JSObject.h:
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashEntry::builtinGenerator):
        (JSC::HashEntry::propertyGetter):
        (JSC::HashEntry::propertyPutter):
        (JSC::HashTable::entry):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorConstructor.h:
        * runtime/PropertySlot.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::builtinExecutables):

2014-02-11  Brent Fulgham  <bfulgham@apple.com>

        Remove some unintended copies in ranged for loops
        https://bugs.webkit.org/show_bug.cgi?id=128644

        Reviewed by Anders Carlsson.

        * inspector/InjectedScriptHost.cpp:
        (Inspector::InjectedScriptHost::clearAllWrappers): Avoid creating/destroying
        a std::pair<> and pointer each loop iteration.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser): Avoid copying object containing a string
        each loop iteration.

2014-02-11  Ryosuke Niwa  <rniwa@webkit.org>

        Debug build fix after r163946.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):

2014-02-11  Filip Pizlo  <fpizlo@apple.com>

        Inserting a node with a codeOrigin "like" another node should copy both the codeOrigin and codeOriginForExitTarget
        https://bugs.webkit.org/show_bug.cgi?id=128635

        Reviewed by Michael Saboff.

        Originally nodes just had a codeOrigin. But then we started doing code motion, and we
        needed to separate the codeOrigin that designated where to exit from the codeOrigin
        that designated everything else. The "everything else" is actually pretty important:
        it includes profiling, exception handling, and the actual semantics of the node. For
        example some nodes use the origin's global object in some way.

        This all sort of worked except for one quirk: the facilities for creating nodes all
        assumed that there really was only one origin. LICM would work around this by setting
        the codeOriginForExitTarget manually. But, that means that:

        - If we did hoist a node twice, then the second time around, we would forget the node's
          original exit target.

        - If we did an insertNode() to insert a node before a hoisted node, the inserted node
          would have the wrong exit target.

        Most of the time, if we copy the code origin, we actually want to copy both origins.
        So, this patch introduces the notion of a NodeOrigin which has two CodeOrigins: a
        forExit code origin that says where to exit, and a semantic code origin for everything
        else.

        This also (annoyingly?) means that we are always more explicit about which code origin
        we refer to. That means that a lot of "node->codeOrigin" expressions had to change to
        "node->origin.semantic". This was partly a ploy on my part to ensure that this
        refactoring was complete: to get the code to compile I really had to audit all uses of
        CodeOrigin. If, in the future, we find that "node->origin.semantic" is too cumbersome
        then we can reintroduce the Node::codeOrigin field. For now I kinda like it though.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::originalArrayStructure):
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::convertToJump):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
        (JSC::DFG::CPSRethreadingPhase::addPhi):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::propagatePhis):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::createToString):
        (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
        (JSC::DFG::FixupPhase::convertStringAddUse):
        (JSC::DFG::FixupPhase::fixupToPrimitive):
        (JSC::DFG::FixupPhase::fixupToString):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::prependGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::amountOfNodeWhiteSpace):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasExitSite):
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        (JSC::DFG::InvalidationPointInjectionPhase::handle):
        (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::isStronglyProvedConstantIn):
        * dfg/DFGNodeOrigin.h: Added.
        (JSC::DFG::NodeOrigin::NodeOrigin):
        (JSC::DFG::NodeOrigin::isSet):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGResurrectionForValidationPhase.cpp:
        (JSC::DFG::ResurrectionForValidationPhase::run):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::SSALoweringPhase::handleNode):
        (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        (JSC::DFG::SpeculativeJIT::appendCall):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
        (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateSSA):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::handleEdge):
        (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
        (JSC::DFG::WatchpointCollectionPhase::globalObject):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::link):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToThis):
        (JSC::FTL::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyScope):
        (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
        (JSC::FTL::LowerDFGToLLVM::getById):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructure):
        (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::FTL::LowerDFGToLLVM::callPreflight):

2014-02-11  Filip Pizlo  <fpizlo@apple.com>

        Fix assertions and incorrect codegen for CompareEq(ObjectOrOther:, Object:)
        https://bugs.webkit.org/show_bug.cgi?id=128648

        Reviewed by Mark Lam.

        I did CompareEq(Object:, ObjectOrOther:) correctly but the flipped version wrong.
        That's what I get for running tests in release mode.
It's hard to write a test for 2597 the incorrect codegen; that's kind of why the assertions are there. 2598 2599 * ftl/FTLLowerDFGToLLVM.cpp: 2600 (JSC::FTL::LowerDFGToLLVM::compileCompareEq): 2601 26022014-02-11 Filip Pizlo <fpizlo@apple.com> 2603 2604 Unreviewed, trivial change to silence FTL assertions 2605 2606 Normally, lowJSValue() should only be used for UntypedUse only. Here we are using it 2607 on ObjectOrOtherUse because we execute the speculation ourselves. The way you're 2608 supposed to do this is by passing ManualOperandSpeculation to tell lowJSValue() not 2609 to assert. 2610 2611 * ftl/FTLLowerDFGToLLVM.cpp: 2612 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject): 2613 26142014-02-11 Filip Pizlo <fpizlo@apple.com> 2615 2616 Use LLVM's dead store elimination 2617 https://bugs.webkit.org/show_bug.cgi?id=128638 2618 2619 Reviewed by Mark Hahnenberg. 2620 2621 DFG's store elimination was being run too soon for comfort on the FTL path. It's 2622 really only sound when run after all other optimizations. Remove it from the FTL 2623 path. 2624 2625 Enable LLVM store elimination. It's both easier to reason about and more 2626 comprehensive. 2627 2628 * dfg/DFGPlan.cpp: 2629 (JSC::DFG::Plan::compileInThreadImpl): 2630 * ftl/FTLCompile.cpp: 2631 (JSC::FTL::compile): 2632 26332014-02-11 Brian Burg <bburg@apple.com> 2634 2635 Web Replay: upstream replay input code generator and EncodedValue class 2636 https://bugs.webkit.org/show_bug.cgi?id=128215 2637 2638 Reviewed by Joseph Pecoraro. 2639 2640 Add the replay inputs code generator. Most features of the input generator are 2641 exercised by included generator regression tests, which produce useful but 2642 non-compilable test replay inputs. 2643 2644 Add EncodedValue, the main replay input serialization class that encodes and 2645 decodes inputs and their data between C++ types and the JSON-based replay recording 2646 format. EncodedValue uses EncodingTraits specializations for type-specific encoding. 
2647 Relative to other WebKit marshalling mechanisms, EncodedValue is key/value based. 2648 EncodedValue uses InspectorValue subclasses as its backing data structure. 2649 2650 Add some missing numerical conversions to InspectorValue. 2651 2652 * JavaScriptCore.xcodeproj/project.pbxproj: 2653 * inspector/InspectorValues.cpp: 2654 (Inspector::InspectorValue::asNumber): 2655 (Inspector::InspectorBasicValue::asNumber): 2656 * inspector/InspectorValues.h: 2657 * replay/EncodedValue.cpp: Added. 2658 (JSC::EncodedValue::asObject): 2659 (JSC::EncodedValue::asArray): 2660 (JSC::ScalarEncodingTraits<bool>::encodeValue): 2661 (JSC::ScalarEncodingTraits<double>::encodeValue): 2662 (JSC::ScalarEncodingTraits<float>::encodeValue): 2663 (JSC::ScalarEncodingTraits<int32_t>::encodeValue): 2664 (JSC::ScalarEncodingTraits<int64_t>::encodeValue): 2665 (JSC::ScalarEncodingTraits<uint32_t>::encodeValue): 2666 (JSC::ScalarEncodingTraits<uint64_t>::encodeValue): 2667 (JSC::long>::encodeValue): 2668 (JSC::EncodedValue::convertTo<bool>): 2669 (JSC::EncodedValue::convertTo<double>): 2670 (JSC::EncodedValue::convertTo<float>): 2671 (JSC::EncodedValue::convertTo<int32_t>): 2672 (JSC::EncodedValue::convertTo<int64_t>): 2673 (JSC::EncodedValue::convertTo<uint32_t>): 2674 (JSC::EncodedValue::convertTo<uint64_t>): 2675 (JSC::long>): 2676 (JSC::EncodedValue::convertTo<String>): 2677 (JSC::EncodedValue::put<EncodedValue>): 2678 (JSC::EncodedValue::append<EncodedValue>): 2679 (JSC::EncodedValue::get<EncodedValue>): 2680 * replay/EncodedValue.h: Added. 2681 (JSC::EncodedValue::EncodedValue): 2682 (JSC::EncodedValue::createObject): 2683 (JSC::EncodedValue::createArray): 2684 (JSC::EncodedValue::createString): 2685 (JSC::EncodedValue::~EncodedValue): 2686 (JSC::ScalarEncodingTraits::decodeValue): 2687 (JSC::EncodingTraits<String>::encodeValue): 2688 (JSC::EncodedValue::put): 2689 (JSC::EncodedValue::append): 2690 (JSC::EncodedValue::get): 2691 * replay/scripts/CodeGeneratorReplayInputs.py: Added. 
2692 (ParseException): 2693 (TypecheckException): 2694 (Framework): 2695 (Framework.__init__): 2696 (Framework.setting): 2697 (Framework.fromString): 2698 (Frameworks): 2699 (InputQueue): 2700 (InputQueue.__init__): 2701 (InputQueue.setting): 2702 (InputQueue.fromString): 2703 (InputQueues): 2704 (Input): 2705 (Input.__init__): 2706 (Input.setting): 2707 (InputMember): 2708 (InputMember.__init__): 2709 (InputMember.has_flag): 2710 (TypeMode): 2711 (TypeMode.__init__): 2712 (TypeMode.fromString): 2713 (TypeModes): 2714 (Type): 2715 (Type.__init__): 2716 (Type.__eq__): 2717 (Type.__hash__): 2718 (Type.has_flag): 2719 (Type.is_struct): 2720 (Type.is_enum): 2721 (Type.is_enum_class): 2722 (Type.declaration_kind): 2723 (Type.qualified_prefix): 2724 (Type.qualified_prefix.is): 2725 (Type.type_name): 2726 (Type.storage_type): 2727 (Type.borrow_type): 2728 (Type.argument_type): 2729 (check_properties): 2730 (VectorType): 2731 (VectorType.__init__): 2732 (VectorType.has_flag): 2733 (VectorType.is_struct): 2734 (VectorType.is_enum): 2735 (VectorType.is_enum_class): 2736 (VectorType.qualified_prefix): 2737 (VectorType.type_name): 2738 (VectorType.argument_type): 2739 (InputsModel): 2740 (InputsModel.__init__): 2741 (InputsModel.enum_types): 2742 (InputsModel.get_type_for_member): 2743 (InputsModel.parse_toplevel): 2744 (InputsModel.parse_type_with_framework_name): 2745 (InputsModel.parse_input): 2746 (InputsModel.typecheck): 2747 (InputsModel.typecheck_type): 2748 (InputsModel.typecheck_input): 2749 (InputsModel.typecheck_input_member): 2750 (IncrementalFileWriter): 2751 (IncrementalFileWriter.__init__): 2752 (IncrementalFileWriter.write): 2753 (IncrementalFileWriter.close): 2754 (lcfirst): 2755 (wrap_with_guard): 2756 (Generator): 2757 (Generator.__init__): 2758 (Generator.setting): 2759 (Generator.output_filename): 2760 (Generator.write_output_files): 2761 (Generator.generate_header): 2762 (Generator.generate_implementation): 2763 (Generator.generate_license): 2764 
(Generator.generate_includes): 2765 (Generator.generate_includes.declaration): 2766 (Generator.generate_includes.declaration.is): 2767 (Generator.generate_type_forward_declarations): 2768 (Generator.generate_type_forward_declarations.is): 2769 (Generator.generate_class_declaration): 2770 (Generator.generate_input_constructor_declaration): 2771 (Generator.generate_input_destructor_declaration): 2772 (Generator.generate_input_member_getter): 2773 (Generator.generate_input_member_declaration): 2774 (Generator.generate_input_member_tuples): 2775 (Generator.qualified_input_name): 2776 (Generator.generate_input_trait_declaration): 2777 (Generator.generate_enum_trait_declaration): 2778 (Generator.generate_for_each_macro): 2779 (Generator.generate_class_implementation): 2780 (Generator.generate_enum_trait_implementation): 2781 (Generator.generate_enum_trait_implementation.is): 2782 (Generator.generate_input_trait_implementation): 2783 (Generator.generate_input_encode_implementation): 2784 (Generator.generate_input_decode_implementation): 2785 (Generator.generate_constructor_initializer_list): 2786 (Generator.generate_constructor_formals_list): 2787 (Generator.generate_member_borrow_expression): 2788 (Generator.generate_member_move_expression): 2789 (Generator.generate_constructor_arguments_list): 2790 (generate_from_specification): 2791 * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Added. 2792 (Templates): 2793 * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.cpp: Added. 2794 * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.h: Added. 2795 * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Added. 2796 * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Added. 2797 * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Added. 2798 * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Added. 
2799 * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Added. 2800 * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Added. 2801 * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Added. 2802 * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Added. 2803 * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Added. 2804 * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Added. 2805 * replay/scripts/tests/expected/fail-on-no-types.json-error: Added. 2806 * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Added. 2807 * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Added. 2808 * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Added. 2809 * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Added. 2810 * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Added. 2811 * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Added. 2812 * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Added. 2813 * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-error: Added. 2814 * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Added. 2815 * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Added. 2816 * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Added. 2817 * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Added. 2818 * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Added. 2819 * replay/scripts/tests/expected/generate-inputs-with-flags.json-error: Added. 
2820 * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Added. 2821 * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Added. 2822 * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Added. 2823 * replay/scripts/tests/fail-on-duplicate-input-names.json: Added. 2824 * replay/scripts/tests/fail-on-duplicate-type-names.json: Added. 2825 * replay/scripts/tests/fail-on-enum-type-missing-values.json: Added. 2826 * replay/scripts/tests/fail-on-missing-input-member-name.json: Added. 2827 * replay/scripts/tests/fail-on-missing-input-name.json: Added. 2828 * replay/scripts/tests/fail-on-missing-input-queue.json: Added. 2829 * replay/scripts/tests/fail-on-missing-type-mode.json: Added. 2830 * replay/scripts/tests/fail-on-missing-type-name.json: Added. 2831 * replay/scripts/tests/fail-on-no-inputs.json: Added. 2832 * replay/scripts/tests/fail-on-no-types.json: Added. 2833 * replay/scripts/tests/fail-on-unknown-input-queue.json: Added. 2834 * replay/scripts/tests/fail-on-unknown-member-type.json: Added. 2835 * replay/scripts/tests/fail-on-unknown-type-mode.json: Added. 2836 * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Added. 2837 * replay/scripts/tests/generate-enum-encoding-helpers.json: Added. 2838 * replay/scripts/tests/generate-event-loop-shape-types.json: Added. 2839 * replay/scripts/tests/generate-input-with-guard.json: Added. 2840 * replay/scripts/tests/generate-input-with-vector-members.json: Added. 2841 * replay/scripts/tests/generate-inputs-with-flags.json: Added. 2842 * replay/scripts/tests/generate-memoized-type-modes.json: Added. 2843 28442014-02-11 Joseph Pecoraro <pecoraro@apple.com> 2845 2846 Add Availability Macros to new JSC APIs 2847 https://bugs.webkit.org/show_bug.cgi?id=128615 2848 2849 Reviewed by Mark Rowe. 
2850 2851 * API/JSContext.h: 2852 * API/JSContextRef.h: 2853 28542014-02-11 Filip Pizlo <fpizlo@apple.com> 2855 2856 FTL should support CompareEq(ObjectOrOther:, Object:) 2857 https://bugs.webkit.org/show_bug.cgi?id=127752 2858 2859 Reviewed by Oliver Hunt. 2860 2861 Also introduce some helpers for reasoning about nullness and truthyness. 2862 2863 * ftl/FTLCapabilities.cpp: 2864 (JSC::FTL::canCompile): 2865 * ftl/FTLLowerDFGToLLVM.cpp: 2866 (JSC::FTL::LowerDFGToLLVM::compileCompareEq): 2867 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject): 2868 (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject): 2869 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): 2870 (JSC::FTL::LowerDFGToLLVM::isNotNully): 2871 (JSC::FTL::LowerDFGToLLVM::isNully): 2872 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): 2873 * tests/stress/compare-eq-object-or-other-to-object.js: Added. 2874 (foo): 2875 (test): 2876 * tests/stress/compare-eq-object-to-object-or-other.js: Added. 2877 (foo): 2878 (test): 2879 28802014-02-11 Mark Hahnenberg <mhahnenberg@apple.com> 2881 2882 32-bit LLInt writeBarrierOnGlobalObject is wrong 2883 https://bugs.webkit.org/show_bug.cgi?id=128556 2884 2885 Reviewed by Geoffrey Garen. 2886 2887 * llint/LowLevelInterpreter32_64.asm: 2888 * llint/LowLevelInterpreter64.asm: Also fixed the value check on 64-bit. 2889 28902014-02-11 Gabor Rapcsanyi <rgabor@webkit.org> 2891 2892 LLInt typo error after r139004. 2893 https://bugs.webkit.org/show_bug.cgi?id=128592 2894 2895 Reviewed by Michael Saboff. 2896 2897 * offlineasm/arm.rb: change immediate to register in the condition 2898 28992014-02-10 Filip Pizlo <fpizlo@apple.com> 2900 2901 LICM should gracefully handle unprofiled code 2902 https://bugs.webkit.org/show_bug.cgi?id=127848 2903 2904 Reviewed by Mark Hahnenberg. 
2905 2906 * dfg/DFGLICMPhase.cpp: 2907 (JSC::DFG::LICMPhase::run): 2908 29092014-02-11 Mark Hahnenberg <mhahnenberg@apple.com> 2910 2911 Obj-C API: JSExport doesn't work for methods that contain protocols in their type signature 2912 https://bugs.webkit.org/show_bug.cgi?id=128540 2913 2914 Reviewed by Oliver Hunt. 2915 2916 The bug is in parseObjCType in ObjcRuntimeExtras.h. When we see an '@' in the 2917 type signature of a method, we assume that what follows the '@' is a class name, 2918 so we call objc_getClass, and if that returns nil then we give up on the method 2919 and don't export it. 2920 2921 This assumption doesn't work in the case of id<Protocol> because it's the name 2922 of the protocol that follows the '@', not the name of a class. We should have 2923 another fallback case for protocol names. 2924 2925 There's another case that also doesn't work, and that's the case of a named class 2926 with a specified prototype in a method signature (e.g. NSObject<MyProtocol>). 2927 There the substring of the type signature that represents the class is "NSObject<MyProtocol>", 2928 which will also cause objc_getClass to return nil. 2929 2930 * API/ObjcRuntimeExtras.h: 2931 (parseObjCType): 2932 * API/tests/DateTests.mm: Also fixed an issue I noticed where we don't use an autorelease pool 2933 for the DateTests. 2934 * API/tests/JSExportTests.h: Added. 2935 * API/tests/JSExportTests.mm: Added. 2936 (-[TruthTeller returnTrue]): 2937 (-[ExportMethodWithIdProtocol methodWithIdProtocol:]): 2938 (-[ExportMethodWithClassProtocol methodWithClassProtocol:]): 2939 (+[JSExportTests exportInstanceMethodWithIdProtocolTest]): 2940 (+[JSExportTests exportInstanceMethodWithClassProtocolTest]): 2941 (runJSExportTests): 2942 * API/tests/testapi.mm: 2943 * JavaScriptCore.xcodeproj/project.pbxproj: 2944 29452014-02-10 Michael Saboff <msaboff@apple.com> 2946 2947 Re-enable ARM Thumb2 disassembler 2948 https://bugs.webkit.org/show_bug.cgi?id=128577 2949 2950 Reviewed by Filip Pizlo. 
2951 2952 Changed signature of tryToDisassemble() to match updates. 2953 Fixed typo in disassembler. 2954 2955 * disassembler/ARMv7/ARMv7DOpcode.cpp: 2956 * disassembler/ARMv7Disassembler.cpp: 2957 (JSC::tryToDisassemble): 2958 29592014-02-10 Mark Lam <mark.lam@apple.com> 2960 2961 Removing limitation on JSLock's lockDropDepth. 2962 <https://webkit.org/b/128570> 2963 2964 Reviewed by Geoffrey Garen. 2965 2966 Now that we've switched to using the C stack, we no longer need to limit 2967 the JSLock::lockDropDepth to 2. 2968 2969 For C loop builds which still use the separate JSStack, the JSLock will 2970 enforce ordering for re-grabbing the lock after dropping it. Re-grabbing 2971 must occur in the reverse order of the dropping of the locks. 2972 2973 Ordering is achieved by JSLock::dropAllLocks() stashing away the 2974 JSLock:: m_lockDropDepth in its DropAllLocks instance's m_dropDepth 2975 before unlocking the lock. Subsequently, JSLock::grabAllLocks() will 2976 ensure that JSLocks::m_lockDropDepth equals its DropAllLocks instance's 2977 m_dropDepth before allowing the lock to be re-grabbed. Otherwise, it 2978 will yield execution and retry again later. 2979 2980 Note: because JSLocks::m_lockDropDepth is protected by the JSLock's 2981 mutex, grabAllLocks() will optimistically lock the JSLock before doing 2982 the check on m_lockDropDepth. If the check fails, it will unlock the 2983 JSLock, yield, and then relock it again later before retrying the check. 2984 This ensures that m_lockDropDepth remains under the protection of the 2985 JSLock's mutex. 
2986 2987 * runtime/JSLock.cpp: 2988 (JSC::JSLock::dropAllLocks): 2989 (JSC::JSLock::grabAllLocks): 2990 (JSC::JSLock::DropAllLocks::DropAllLocks): 2991 (JSC::JSLock::DropAllLocks::~DropAllLocks): 2992 * runtime/JSLock.h: 2993 (JSC::JSLock::DropAllLocks::setDropDepth): 2994 (JSC::JSLock::DropAllLocks::dropDepth): 2995 29962014-02-10 Filip Pizlo <fpizlo@apple.com> 2997 2998 FTL should support ToThis 2999 https://bugs.webkit.org/show_bug.cgi?id=127751 3000 3001 Reviewed by Oliver Hunt. 3002 3003 * ftl/FTLCapabilities.cpp: 3004 (JSC::FTL::canCompile): 3005 * ftl/FTLIntrinsicRepository.h: 3006 * ftl/FTLLowerDFGToLLVM.cpp: 3007 (JSC::FTL::LowerDFGToLLVM::compileNode): 3008 (JSC::FTL::LowerDFGToLLVM::compileToThis): 3009 * tests/stress/to-this-polymorphic.js: Added. 3010 (foo): 3011 30122014-02-10 Filip Pizlo <fpizlo@apple.com> 3013 3014 Rename Operations.h to JSCInlines.h 3015 https://bugs.webkit.org/show_bug.cgi?id=128543 3016 3017 Rubber stamped by Geoffrey Garen. 3018 3019 Well, what this actually does is it splits Operations.h into a real Operations.h that 3020 actually contains "operations", and JSCInlines.h, which serves the role of being an 3021 inlines umbrella. 
3022 3023 * API/JSBase.cpp: 3024 * API/JSCTestRunnerUtils.cpp: 3025 * API/JSCallbackConstructor.cpp: 3026 * API/JSCallbackFunction.cpp: 3027 * API/JSCallbackObject.cpp: 3028 * API/JSClassRef.cpp: 3029 * API/JSContext.mm: 3030 * API/JSContextRef.cpp: 3031 * API/JSManagedValue.mm: 3032 * API/JSObjectRef.cpp: 3033 * API/JSScriptRef.cpp: 3034 * API/JSValue.mm: 3035 * API/JSValueRef.cpp: 3036 * API/JSWeakObjectMapRefPrivate.cpp: 3037 * API/JSWrapperMap.mm: 3038 * GNUmakefile.list.am: 3039 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 3040 * JavaScriptCore.xcodeproj/project.pbxproj: 3041 * assembler/LinkBuffer.cpp: 3042 * bindings/ScriptFunctionCall.cpp: 3043 * bindings/ScriptObject.cpp: 3044 * bytecode/ArrayAllocationProfile.cpp: 3045 * bytecode/ArrayProfile.cpp: 3046 * bytecode/BytecodeBasicBlock.cpp: 3047 * bytecode/CallLinkInfo.cpp: 3048 * bytecode/CallLinkStatus.cpp: 3049 * bytecode/CodeBlock.cpp: 3050 * bytecode/CodeBlockJettisoningWatchpoint.cpp: 3051 * bytecode/CodeOrigin.cpp: 3052 * bytecode/ExecutionCounter.cpp: 3053 * bytecode/GetByIdStatus.cpp: 3054 * bytecode/LazyOperandValueProfile.cpp: 3055 * bytecode/MethodOfGettingAValueProfile.cpp: 3056 * bytecode/PreciseJumpTargets.cpp: 3057 * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: 3058 * bytecode/PutByIdStatus.cpp: 3059 * bytecode/SamplingTool.cpp: 3060 * bytecode/SpecialPointer.cpp: 3061 * bytecode/SpeculatedType.cpp: 3062 * bytecode/StructureStubClearingWatchpoint.cpp: 3063 * bytecode/UnlinkedCodeBlock.cpp: 3064 * bytecode/ValueRecovery.cpp: 3065 * bytecompiler/BytecodeGenerator.cpp: 3066 * bytecompiler/NodesCodegen.cpp: 3067 * debugger/Debugger.cpp: 3068 * debugger/DebuggerActivation.cpp: 3069 * debugger/DebuggerCallFrame.cpp: 3070 * dfg/DFGAbstractHeap.cpp: 3071 * dfg/DFGAbstractValue.cpp: 3072 * dfg/DFGArgumentsSimplificationPhase.cpp: 3073 * dfg/DFGArithMode.cpp: 3074 * dfg/DFGArrayMode.cpp: 3075 * dfg/DFGAtTailAbstractState.cpp: 3076 * dfg/DFGAvailability.cpp: 3077 * 
dfg/DFGBackwardsPropagationPhase.cpp: 3078 * dfg/DFGBasicBlock.cpp: 3079 * dfg/DFGBinarySwitch.cpp: 3080 * dfg/DFGBlockInsertionSet.cpp: 3081 * dfg/DFGByteCodeParser.cpp: 3082 * dfg/DFGCFAPhase.cpp: 3083 * dfg/DFGCFGSimplificationPhase.cpp: 3084 * dfg/DFGCPSRethreadingPhase.cpp: 3085 * dfg/DFGCSEPhase.cpp: 3086 * dfg/DFGCapabilities.cpp: 3087 * dfg/DFGClobberSet.cpp: 3088 * dfg/DFGClobberize.cpp: 3089 * dfg/DFGCommon.cpp: 3090 * dfg/DFGCommonData.cpp: 3091 * dfg/DFGCompilationKey.cpp: 3092 * dfg/DFGCompilationMode.cpp: 3093 * dfg/DFGConstantFoldingPhase.cpp: 3094 * dfg/DFGCriticalEdgeBreakingPhase.cpp: 3095 * dfg/DFGDCEPhase.cpp: 3096 * dfg/DFGDesiredIdentifiers.cpp: 3097 * dfg/DFGDesiredStructureChains.cpp: 3098 * dfg/DFGDesiredTransitions.cpp: 3099 * dfg/DFGDesiredWatchpoints.cpp: 3100 * dfg/DFGDesiredWeakReferences.cpp: 3101 * dfg/DFGDesiredWriteBarriers.cpp: 3102 * dfg/DFGDisassembler.cpp: 3103 * dfg/DFGDominators.cpp: 3104 * dfg/DFGDriver.cpp: 3105 * dfg/DFGEdge.cpp: 3106 * dfg/DFGFailedFinalizer.cpp: 3107 * dfg/DFGFinalizer.cpp: 3108 * dfg/DFGFixupPhase.cpp: 3109 * dfg/DFGFlushFormat.cpp: 3110 * dfg/DFGFlushLivenessAnalysisPhase.cpp: 3111 * dfg/DFGFlushedAt.cpp: 3112 * dfg/DFGGraph.cpp: 3113 * dfg/DFGGraphSafepoint.cpp: 3114 * dfg/DFGInPlaceAbstractState.cpp: 3115 * dfg/DFGInvalidationPointInjectionPhase.cpp: 3116 * dfg/DFGJITCode.cpp: 3117 * dfg/DFGJITCompiler.cpp: 3118 * dfg/DFGJITFinalizer.cpp: 3119 * dfg/DFGJumpReplacement.cpp: 3120 * dfg/DFGLICMPhase.cpp: 3121 * dfg/DFGLazyJSValue.cpp: 3122 * dfg/DFGLivenessAnalysisPhase.cpp: 3123 * dfg/DFGLongLivedState.cpp: 3124 * dfg/DFGLoopPreHeaderCreationPhase.cpp: 3125 * dfg/DFGMinifiedNode.cpp: 3126 * dfg/DFGNaturalLoops.cpp: 3127 * dfg/DFGNode.cpp: 3128 * dfg/DFGNodeFlags.cpp: 3129 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: 3130 * dfg/DFGOSREntry.cpp: 3131 * dfg/DFGOSREntrypointCreationPhase.cpp: 3132 * dfg/DFGOSRExit.cpp: 3133 * dfg/DFGOSRExitBase.cpp: 3134 * dfg/DFGOSRExitCompiler.cpp: 3135 * 
dfg/DFGOSRExitCompiler32_64.cpp: 3136 * dfg/DFGOSRExitCompiler64.cpp: 3137 * dfg/DFGOSRExitCompilerCommon.cpp: 3138 * dfg/DFGOSRExitJumpPlaceholder.cpp: 3139 * dfg/DFGOSRExitPreparation.cpp: 3140 * dfg/DFGOperations.cpp: 3141 * dfg/DFGPhase.cpp: 3142 * dfg/DFGPlan.cpp: 3143 * dfg/DFGPredictionInjectionPhase.cpp: 3144 * dfg/DFGPredictionPropagationPhase.cpp: 3145 * dfg/DFGResurrectionForValidationPhase.cpp: 3146 * dfg/DFGSSAConversionPhase.cpp: 3147 * dfg/DFGSSALoweringPhase.cpp: 3148 * dfg/DFGSafepoint.cpp: 3149 * dfg/DFGSpeculativeJIT.cpp: 3150 * dfg/DFGSpeculativeJIT32_64.cpp: 3151 * dfg/DFGSpeculativeJIT64.cpp: 3152 * dfg/DFGStackLayoutPhase.cpp: 3153 * dfg/DFGStoreBarrierElisionPhase.cpp: 3154 * dfg/DFGStrengthReductionPhase.cpp: 3155 * dfg/DFGThreadData.cpp: 3156 * dfg/DFGThunks.cpp: 3157 * dfg/DFGTierUpCheckInjectionPhase.cpp: 3158 * dfg/DFGToFTLDeferredCompilationCallback.cpp: 3159 * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: 3160 * dfg/DFGTypeCheckHoistingPhase.cpp: 3161 * dfg/DFGUnificationPhase.cpp: 3162 * dfg/DFGUseKind.cpp: 3163 * dfg/DFGValidate.cpp: 3164 * dfg/DFGValueSource.cpp: 3165 * dfg/DFGVariableAccessDataDump.cpp: 3166 * dfg/DFGVariableEvent.cpp: 3167 * dfg/DFGVariableEventStream.cpp: 3168 * dfg/DFGVirtualRegisterAllocationPhase.cpp: 3169 * dfg/DFGWatchpointCollectionPhase.cpp: 3170 * dfg/DFGWorklist.cpp: 3171 * ftl/FTLAbstractHeap.cpp: 3172 * ftl/FTLAbstractHeapRepository.cpp: 3173 * ftl/FTLExitValue.cpp: 3174 * ftl/FTLLink.cpp: 3175 * ftl/FTLLowerDFGToLLVM.cpp: 3176 * ftl/FTLOSREntry.cpp: 3177 * ftl/FTLOSRExit.cpp: 3178 * ftl/FTLOSRExitCompiler.cpp: 3179 * ftl/FTLSlowPathCall.cpp: 3180 * heap/BlockAllocator.cpp: 3181 * heap/CodeBlockSet.cpp: 3182 * heap/ConservativeRoots.cpp: 3183 * heap/CopiedSpace.cpp: 3184 * heap/CopyVisitor.cpp: 3185 * heap/DeferGC.cpp: 3186 * heap/GCThread.cpp: 3187 * heap/GCThreadSharedData.cpp: 3188 * heap/HandleSet.cpp: 3189 * heap/HandleStack.cpp: 3190 * heap/Heap.cpp: 3191 * heap/HeapStatistics.cpp: 
3192 * heap/HeapTimer.cpp: 3193 * heap/IncrementalSweeper.cpp: 3194 * heap/JITStubRoutineSet.cpp: 3195 * heap/MachineStackMarker.cpp: 3196 * heap/MarkStack.cpp: 3197 * heap/MarkedAllocator.cpp: 3198 * heap/MarkedBlock.cpp: 3199 * heap/MarkedSpace.cpp: 3200 * heap/SlotVisitor.cpp: 3201 * heap/SuperRegion.cpp: 3202 * heap/Weak.cpp: 3203 * heap/WeakBlock.cpp: 3204 * heap/WeakHandleOwner.cpp: 3205 * heap/WeakSet.cpp: 3206 * heap/WriteBarrierBuffer.cpp: 3207 * heap/WriteBarrierSupport.cpp: 3208 * inspector/InjectedScript.cpp: 3209 * inspector/InjectedScriptBase.cpp: 3210 * inspector/JSGlobalObjectScriptDebugServer.cpp: 3211 * inspector/JSInjectedScriptHost.cpp: 3212 * inspector/ScriptArguments.cpp: 3213 * inspector/ScriptCallStackFactory.cpp: 3214 * interpreter/AbstractPC.cpp: 3215 * interpreter/CallFrame.cpp: 3216 * interpreter/Interpreter.cpp: 3217 * interpreter/JSStack.cpp: 3218 * interpreter/ProtoCallFrame.cpp: 3219 * interpreter/StackVisitor.cpp: 3220 * interpreter/VMInspector.cpp: 3221 * jit/ArityCheckFailReturnThunks.cpp: 3222 * jit/AssemblyHelpers.cpp: 3223 * jit/ClosureCallStubRoutine.cpp: 3224 * jit/ExecutableAllocator.cpp: 3225 * jit/ExecutableAllocatorFixedVMPool.cpp: 3226 * jit/GCAwareJITStubRoutine.cpp: 3227 * jit/HostCallReturnValue.cpp: 3228 * jit/JIT.cpp: 3229 * jit/JITArithmetic.cpp: 3230 * jit/JITArithmetic32_64.cpp: 3231 * jit/JITCall.cpp: 3232 * jit/JITCall32_64.cpp: 3233 * jit/JITCode.cpp: 3234 * jit/JITDisassembler.cpp: 3235 * jit/JITExceptions.cpp: 3236 * jit/JITInlineCacheGenerator.cpp: 3237 * jit/JITInlines.h: 3238 * jit/JITOperations.cpp: 3239 * jit/JITOperationsMSVC64.cpp: 3240 * jit/JITStubRoutine.cpp: 3241 * jit/JITStubs.cpp: 3242 * jit/JITThunks.cpp: 3243 * jit/JITToDFGDeferredCompilationCallback.cpp: 3244 * jit/RegisterPreservationWrapperGenerator.cpp: 3245 * jit/RegisterSet.cpp: 3246 * jit/Repatch.cpp: 3247 * jit/TempRegisterSet.cpp: 3248 * jit/ThunkGenerators.cpp: 3249 * jsc.cpp: 3250 * llint/LLIntExceptions.cpp: 3251 * 
        llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.cpp:
        * parser/Lexer.cpp:
        * parser/Nodes.cpp:
        * parser/Parser.cpp:
        * parser/ParserArena.cpp:
        * parser/SourceCode.cpp:
        * parser/SourceProvider.cpp:
        * parser/SourceProviderCache.cpp:
        * profiler/LegacyProfiler.cpp:
        * profiler/ProfileGenerator.cpp:
        * profiler/ProfilerBytecode.cpp:
        * profiler/ProfilerBytecodeSequence.cpp:
        * profiler/ProfilerBytecodes.cpp:
        * profiler/ProfilerCompilation.cpp:
        * profiler/ProfilerCompiledBytecode.cpp:
        * profiler/ProfilerDatabase.cpp:
        * profiler/ProfilerOSRExit.cpp:
        * profiler/ProfilerOSRExitSite.cpp:
        * profiler/ProfilerOrigin.cpp:
        * profiler/ProfilerOriginStack.cpp:
        * profiler/ProfilerProfiledBytecodes.cpp:
        * runtime/ArgList.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayBuffer.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/CallData.cpp:
        * runtime/CodeCache.cpp:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/Completion.cpp:
        * runtime/ConstructData.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/Identifier.cpp:
        * runtime/IntendedStructureChain.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferConstructor.cpp:
        * runtime/JSArrayBufferPrototype.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSCInlines.h: Copied from Source/JavaScriptCore/runtime/Operations.h.
        * runtime/JSCell.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSLock.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSProxy.cpp:
        * runtime/JSScope.cpp:
        * runtime/JSSegmentedVariableObject.cpp:
        * runtime/JSString.cpp:
        * runtime/JSStringJoiner.cpp:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSTypedArrayConstructors.cpp:
        * runtime/JSTypedArrayPrototypes.cpp:
        * runtime/JSTypedArrays.cpp:
        * runtime/JSVariableObject.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/JSWrapperObject.cpp:
        * runtime/LiteralParser.cpp:
        * runtime/Lookup.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NameInstance.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorPrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/Operations.cpp:
        * runtime/Operations.h:
        * runtime/PropertyDescriptor.cpp:
        * runtime/PrototypeMap.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpCache.cpp:
        * runtime/RegExpCachedResult.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/SimpleTypedArrayController.cpp:
        * runtime/SmallStrings.cpp:
        * runtime/SparseArrayValueMap.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/StringRecursionChecker.cpp:
        * runtime/Structure.cpp:
        * runtime/StructureChain.cpp:
        * runtime/StructureRareData.cpp:
        * runtime/SymbolTable.cpp:
        * runtime/TestRunnerUtils.cpp:
        * runtime/VM.cpp:
        * testRegExp.cpp:

2014-02-10 Matthew Mirman <mmirman@apple.com>

        Removes the inline assert from SpeculativeJIT's ReallocatePropertyStorage
        https://bugs.webkit.org/show_bug.cgi?id=128566

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):

2014-02-10 Filip Pizlo <fpizlo@apple.com>

        Rename getRecordMap to computeRecordMap.

        Rubber stamped by Michael Saboff.

        "get" is such a weird prefix. It implies a getter. We don't prefix our getters with
        anything in WebKit. Also, this isn't a getter. It actually does work to transform
        the stackmaps into a hashmap. So, computeRecordMap is a much better name.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::computeRecordMap):
        * ftl/FTLStackMaps.h:

2014-02-10 Matthew Mirman <mmirman@apple.com>

        ReallocatePropertyStorage in FTL
        https://bugs.webkit.org/show_bug.cgi?id=128352

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
        * tests/stress/ftl-reallocatepropertystorage.js: Added.
        (foo):

2014-02-10 Michael Saboff <msaboff@apple.com>

        Fail FTL compilation if the required stack is too big
        https://bugs.webkit.org/show_bug.cgi?id=128560

        Reviewed by Filip Pizlo.

        Added StackSize struct to FTLStackMaps and populated it. Added and updated
        related dump functions. Use the stack size found at the end of the compilation
        to compare against the value of a new option, llvmMaxStackSize. We fail the
        compile if the function's stack size is greater than llvmMaxStackSize.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::StackSize::parse):
        (JSC::FTL::StackMaps::StackSize::dump):
        (JSC::FTL::StackMaps::parse):
        (JSC::FTL::StackMaps::dump):
        (JSC::FTL::StackMaps::dumpMultiline):
        (JSC::FTL::StackMaps::getStackSize):
        * ftl/FTLStackMaps.h:
        * runtime/Options.h:

2014-02-10 Mark Lam <mark.lam@apple.com>

        Change JSLock::dropAllLocks() and friends to use lock() and unlock().
        <https://webkit.org/b/128451>

        Reviewed by Geoffrey Garen.

        Currently, JSLock's dropAllLocks(), dropAllLocksUnconditionally(), and
        grabAllLocks() implement locking / unlocking by duplicating the code from
        lock() and unlock(). Instead, they should just call lock() and unlock().

        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        - Modified lock() and unlock() into a version that takes an entry count
          to lock / unlock. The previous lock() and unlock() now call these
          new versions with an entry count of 1.

        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        - Delegate to unlock() and lock() instead of duplicating the lock / unlock
          code.
        - There are some differences with calling lock() instead of duplicating its
          code in grabAllLocks() i.e. lock() does the following additional work:

          1. lock() does a re-entry check that is not needed by grabAllLocks().
             However, this is effectively a no-op since we never own the JSLock
             before calling grabAllLocks().

          2. set VM stackPointerAtVMEntry.
          3. update VM stackLimit and reservedZoneSize.
          4. set VM lastStackTop.
          These 3 steps are just busy work which are also effectively no-ops
          because immediately after lock() returns, grabAllLocks() will write
          over those values with their saved versions in the threadData.

        * runtime/JSLock.h:

2014-02-10 Anders Carlsson <andersca@apple.com>

        Try to fix the Windows build.

        * heap/UnconditionalFinalizer.h:
        * runtime/SymbolTable.h:

2014-02-10 Andreas Kling <akling@apple.com>

        Make the Identifier::add() family return PassRef<StringImpl>.
        <https://webkit.org/b/128542>

        This knocks one branch off of creating an Identifier from another
        string source.

        Reviewed by Oliver Hunt.

        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
        (JSC::Identifier::addSlowCase):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):

2014-02-09 Mark Lam <mark.lam@apple.com>

        Remove unnecessary spinLock in JSLock.
        <https://webkit.org/b/128450>

        Reviewed by Filip Pizlo.

        The JSLock's mutex already provides protection for write access to
        JSLock's internal state.
        The only JSLock state that needs to be read
        from any thread including threads that don't own the JSLock is
        m_ownerThread, which is used in currentThreadIsHoldingLock() to do an
        ownership test on the lock.

        It is safe for other threads to read from m_ownerThread because they
        only need to know whether its value matches their own thread id
        (provided by WTF::currentThread()).

        Here are the scenarios for how the ownership test can go:

        1. The JSLock has just been initialized and is not owned by any thread.

           In this case, m_ownerThread will be 0 and will not match any thread's
           thread id. The checking thread will know that it needs to lock the
           JSLock before using the VM.

        2. The JSLock was previously locked, but now is unlocked.

           When we unlock it in JSLock::unlock(), the owner thread clears
           m_ownerThread to 0. Hence, this case is the same as (1) above.

        3. The JSLock is locked by Thread A. Thread B is checking ownership.

           In this case, m_ownerThread will contain Thread A's thread id.
           Thread B will see that the thread id does not match its own and will
           proceed to block on the JSLock's mutex to wait for its turn to use
           the VM.

           With Weak Memory Ordering architectures, Thread A's thread id may
           not get written out to memory before Thread B inspects m_ownerThread.
           However, though Thread B may not see Thread A's thread id in
           m_ownerThread, it will see 0 which is the last value written to it
           before the JSLock mutex was unlocked. The mutex unlock would have
           executed a memory fence which would have flushed the 0 to
           m_ownerThread in memory. Hence, Thread B will know that it does not
           own the lock.

        Apart from removing the unneeded spin lock code, I also changed the
        JSLock code to use currentThreadIsHoldingLock() and setOwnerThread()
        instead of accessing m_ownerThread directly.

        * runtime/JSLock.cpp:
        (JSC::JSLock::JSLock):

        (JSC::JSLock::lock):
        - Removed spinLock but left the indentation as is to keep the diff to a
          minimum for better readability. Will unindent in a subsequent patch.

        (JSC::JSLock::unlock):
        - Before unlocking the mutex, clear m_ownerThread to indicate that the
          lock is no longer owned.

        (JSC::JSLock::currentThreadIsHoldingLock):
        - Removed the check of m_lockCount for determining ownership. Checking
          m_ownerThread is sufficient.

        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        - Renamed local locksToDrop to the better name droppedLockCount.
        - Clear m_ownerThread since we're unlocking the JSLock.

        (JSC::JSLock::grabAllLocks):
        - Removed unneeded lock ownership test for lock re-entry case because
          grabAllLocks() is never used to re-enter a locked JSLock.

        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):

        * runtime/JSLock.h:
        (JSC::JSLock::setOwnerThread):

2014-02-10 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/163796

        The change was not justified in any way and it has a net negative effect on the code.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGAdjacencyList.h:
        * dfg/DFGArgumentPosition.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGAtTailAbstractState.h:
        * dfg/DFGAvailability.h:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBasicBlockInlines.h:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGCapabilities.h:
        * dfg/DFGClobberize.h:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDominators.h:
        * dfg/DFGDriver.cpp:
        * dfg/DFGDriver.h:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGInlineCacheWrapperInlines.h:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.h:
        * dfg/DFGNaturalLoops.h:
        * dfg/DFGNode.cpp:
        * dfg/DFGNode.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.h:
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGValidate.h:
        * dfg/DFGValueSource.h:
        * dfg/DFGVariableAccessData.h:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.h:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:

2014-02-10 Peter Molnar <pmolnar.u-szeged@partner.samsung.com>

        Remove extra includes from DFG
        https://bugs.webkit.org/show_bug.cgi?id=126983

        Reviewed by Andreas Kling.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGAdjacencyList.h:
        * dfg/DFGArgumentPosition.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGAtTailAbstractState.h:
        * dfg/DFGAvailability.h:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBasicBlockInlines.h:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGCapabilities.h:
        * dfg/DFGClobberize.h:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDominators.h:
        * dfg/DFGDriver.cpp:
        * dfg/DFGDriver.h:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGInlineCacheWrapperInlines.h:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.h:
        * dfg/DFGNaturalLoops.h:
        * dfg/DFGNode.cpp:
        * dfg/DFGNode.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.h:
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGValidate.h:
        * dfg/DFGValueSource.h:
        * dfg/DFGVariableAccessData.h:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.h:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:

2014-02-10 Filip Pizlo <fpizlo@apple.com>

        JSC environment variables should override other mechanisms for setting options
        https://bugs.webkit.org/show_bug.cgi?id=128511

        Reviewed by Geoffrey Garen.

        * runtime/Options.cpp:
        (JSC::Options::setOption):
        * runtime/Options.h:

2014-02-10 Darin Adler <darin@apple.com>

        Stop using String::deprecatedCharacters to call WTF::Collator
        https://bugs.webkit.org/show_bug.cgi?id=128517

        Reviewed by Alexey Proskuryakov.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncLocaleCompare): Use the default constructor for Collator, which now
        gives the default locale collation rules. Use the new arguments for Collator::collate, which
        are now StringView.
        These two changes together eliminate the need for a separate helper function.

2014-02-10 Filip Pizlo <fpizlo@apple.com>

        <1/100 probability FTL failure: v8-v6/v8-deltablue.js.ftl-eager: Exception: TypeError: undefined is not an object (evaluating 'c.isInput')
        https://bugs.webkit.org/show_bug.cgi?id=128278

        Reviewed by Mark Hahnenberg.

        Fix another FTL flake due to bytecode liveness corner cases. Hopefully it's the last
        one.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Make sure that inside a constructor, the 'this' result is always set. This makes it easier to unify the treatment of 'this' for OSR exit: we just say that it's always live.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::isLiveInBytecode): Assume that 'this' is live. We were already sort of doing this for calls because the callsite would claim it to be live. But we didn't do it for constructors. It's true that *at the callsite* 'this' won't be live, but inside the inlined constructor, it almost certainly will be.
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run): I just noticed this benign bug. We should only return 'true' if we actually injected checks.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Make it easier to just dump disassembly for FTL OSR exits.
        * runtime/Options.h: Ditto.
        * tests/stress/inlined-constructor-this-liveness.js: Added.
        (Foo):
        (foo):
        * tests/stress/inlined-function-this-liveness.js: Added.
        (bar):
        (foo):

2014-02-10 Filip Pizlo <fpizlo@apple.com>

        Actually register those DFG::Safepoints
        https://bugs.webkit.org/show_bug.cgi?id=128521

        Reviewed by Mark Hahnenberg.

        No test because GC + thread + JIT = ???.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::begin):

2014-02-10 Peter Molnar <pmolnar.u-szeged@partner.samsung.com>

        Fix EFL build with INSPECTOR disabled
        https://bugs.webkit.org/show_bug.cgi?id=125064

        Reviewed by Csaba Osztrogonác.

        * inspector/InjectedScriptManager.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/agents/InspectorAgent.h:
        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        (Inspector):

2014-02-09 Filip Pizlo <fpizlo@apple.com>

        GC blocks on FTL and then badness
        https://bugs.webkit.org/show_bug.cgi?id=128291

        Reviewed by Oliver Hunt.

        Introduce the notion of a DFG::Safepoint, which allows you to unlock the rightToRun
        mutex for your JIT thread, while supplying the GC with all of the information it would
        need to scan you at that moment in time. The default way of using this is
        DFG::GraphSafepoint, where you just supply the Graph. There's a lot of machinery in
        this patch just to make the Graph scannable.

        We then use DFG::GraphSafepoint in just two places for now: (1) while initializing LLVM
        and (2) while invoking LLVM's optimizer and backend.

        This is a 30% speed-up on Octane/typescript and a 10% speed-up on Octane/gbemu. 2-3%
        speed-up overall on Octane.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::visitChildren):
        * dfg/DFGGraph.h:
        * dfg/DFGGraphSafepoint.cpp: Added.
        (JSC::DFG::GraphSafepoint::GraphSafepoint):
        (JSC::DFG::GraphSafepoint::~GraphSafepoint):
        * dfg/DFGGraphSafepoint.h: Added.
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPlan.h:
        * dfg/DFGSafepoint.cpp: Added.
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::add):
        (JSC::DFG::Safepoint::begin):
        (JSC::DFG::Safepoint::visitChildren):
        * dfg/DFGSafepoint.h: Added.
        * dfg/DFGScannable.h: Added.
        (JSC::DFG::Scannable::Scannable):
        (JSC::DFG::Scannable::~Scannable):
        * dfg/DFGThreadData.cpp: Added.
        (JSC::DFG::ThreadData::ThreadData):
        (JSC::DFG::ThreadData::~ThreadData):
        * dfg/DFGThreadData.h: Added.
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::visitChildren):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::appendUnbarrieredReadOnlyPointer):
        (JSC::SlotVisitor::appendUnbarrieredReadOnlyValue):

2014-02-09 Filip Pizlo <fpizlo@apple.com>

        Never include *Inlines.h files in interface headers, and never include *Inlines.h when you could include Operations.h instead
        https://bugs.webkit.org/show_bug.cgi?id=128505

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        * API/JSContextRef.cpp:
        * assembler/LinkBuffer.cpp:
        * bytecode/ArrayProfile.cpp:
        * bytecode/BytecodeBasicBlock.cpp:
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        * bytecode/CallLinkInfo.cpp:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        * bytecode/ExecutionCounter.cpp:
        * bytecode/MethodOfGettingAValueProfile.cpp:
        * bytecode/PreciseJumpTargets.cpp:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        * bytecode/SamplingTool.cpp:
        * bytecode/SpecialPointer.cpp:
        * bytecode/StructureStubClearingWatchpoint.cpp:
        * debugger/DebuggerCallFrame.cpp:
        * dfg/DFGAbstractHeap.cpp:
        * dfg/DFGAbstractValue.cpp:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArithMode.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGAtTailAbstractState.cpp:
        * dfg/DFGAvailability.cpp:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.cpp:
        * dfg/DFGBinarySwitch.cpp:
        * dfg/DFGBlockInsertionSet.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGClobberSet.cpp:
        * dfg/DFGClobberize.cpp:
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGCompilationKey.cpp:
        * dfg/DFGCompilationMode.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDesiredIdentifiers.cpp:
        * dfg/DFGDesiredStructureChains.cpp:
        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredWatchpoints.cpp:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGDominators.cpp:
        * dfg/DFGEdge.cpp:
        * dfg/DFGFailedFinalizer.cpp:
        * dfg/DFGFinalizer.cpp:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushFormat.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGFlushedAt.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJumpReplacement.cpp:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLazyJSValue.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLongLivedState.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.cpp:
        * dfg/DFGNaturalLoops.cpp:
        * dfg/DFGNode.cpp:
        * dfg/DFGNodeFlags.cpp:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOSRExitPreparation.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPhase.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGUseKind.cpp:
        * dfg/DFGValidate.cpp:
        * dfg/DFGValueSource.cpp:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.cpp:
        * dfg/DFGVariableEventStream.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * disassembler/Disassembler.cpp:
        * ftl/FTLLink.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        * ftl/FTLSlowPathCall.cpp:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::slowPathCallThunkGenerator):
        * heap/BlockAllocator.cpp:
        * heap/CodeBlockSet.cpp:
        * heap/ConservativeRoots.cpp:
        * heap/DeferGC.cpp:
        * heap/GCThread.cpp:
        * heap/GCThreadSharedData.cpp:
        * heap/HeapTimer.cpp:
        * heap/IncrementalSweeper.cpp:
        * heap/JITStubRoutineSet.cpp:
        * heap/MachineStackMarker.cpp:
        * heap/MarkStack.cpp:
        * heap/MarkedAllocator.cpp:
        * heap/MarkedSpace.cpp:
        * heap/SuperRegion.cpp:
        * heap/Weak.cpp:
        * heap/WeakHandleOwner.cpp:
        * heap/WeakSet.cpp:
        * heap/WriteBarrierBuffer.cpp:
        * heap/WriteBarrierSupport.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        * interpreter/AbstractPC.cpp:
        * interpreter/JSStack.cpp:
        * interpreter/ProtoCallFrame.cpp:
        * interpreter/VMInspector.cpp:
        * jit/ArityCheckFailReturnThunks.cpp:
        * jit/AssemblyHelpers.cpp:
        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/GCAwareJITStubRoutine.cpp:
        * jit/HostCallReturnValue.cpp:
        * jit/JITDisassembler.cpp:
        * jit/JITDisassembler.h:
        * jit/JITExceptions.cpp:
        * jit/JITInlines.h:
        * jit/JITOperations.cpp:
        * jit/JITOperationsMSVC64.cpp:
        * jit/JITStubRoutine.cpp:
        * jit/JITStubs.cpp:
        * jit/JITToDFGDeferredCompilationCallback.cpp:
        * jit/RegisterPreservationWrapperGenerator.cpp:
        * jit/RegisterSet.cpp:
        * jit/Repatch.cpp:
        * jit/TempRegisterSet.cpp:
        * jsc.cpp:
        * parser/Lexer.cpp:
        * parser/Parser.cpp:
        * parser/ParserArena.cpp:
        * parser/SourceCode.cpp:
        * parser/SourceProvider.cpp:
        * parser/SourceProviderCache.cpp:
        * profiler/ProfileGenerator.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/Operations.h:
        * runtime/VM.cpp:

2014-02-09 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, don't mark isHostFunction() inline in the header file because that really confuses EFL.

        * runtime/JSFunction.h:

2014-02-09 Anders Carlsson <andersca@apple.com>

        Add WTF_MAKE_FAST_ALLOCATED to more classes
        https://bugs.webkit.org/show_bug.cgi?id=128506

        Reviewed by Andreas Kling.

        * bytecode/UnlinkedInstructionStream.h:
        * runtime/SymbolTable.h:
        * runtime/WriteBarrier.h:

2014-02-09 Mark Hahnenberg <mhahnenberg@apple.com>

        Objective-C API NSDate conversion is off by 1000x (ms vs s)
        https://bugs.webkit.org/show_bug.cgi?id=128386

        Reviewed by Michael Saboff.

        * API/JSValue.mm:
        (valueToObjectWithoutCopy):
        (valueToDate):
        (objectToValueWithoutCopy):
        * API/tests/DateTests.h: Added.
        * API/tests/DateTests.mm: Added.
        (+[DateTests NSDateToJSDateTest]):
        (+[DateTests JSDateToNSDateTest]):
        (+[DateTests roundTripThroughJSDateTest]):
        (+[DateTests roundTripThroughObjCDateTest]):
        * API/tests/testapi.mm:
        (checkResult):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-09 Andreas Kling <akling@apple.com>

        Pass VM instead of ExecState to JSCell::fastGetOwnProperty().
        <https://webkit.org/b/128497>

        Knocks off a couple of instructions.

        Reviewed by Anders Carlsson.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-02-09 Anders Carlsson <andersca@apple.com>

        Convert some JSC code over to std::mutex
        https://bugs.webkit.org/show_bug.cgi?id=128500

        Reviewed by Dan Bernstein.

        * API/JSVirtualMachine.mm:
        (wrapperCacheMutex):
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
        * heap/GCThreadSharedData.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::mergeOpaqueRoots):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::containsOpaqueRootTriState):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::registerDebuggable):
        (Inspector::RemoteInspector::unregisterDebuggable):
        (Inspector::RemoteInspector::updateDebuggable):
        (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::stop):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::pushListingSoon):
        (Inspector::RemoteInspector::receivedIndicateMessage):
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::close):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
        (JSC::DemandExecutableAllocator::allocatorsMutex):

2014-02-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r163737.
        http://trac.webkit.org/changeset/163737
        https://bugs.webkit.org/show_bug.cgi?id=128491

        Caused 8+ tests to fail on Mavericks and Mountain Lion bots
        (Requested by rniwa on #webkit).

        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring8):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        (JSC::SmallStrings::SmallStrings):

2014-02-08  Anders Carlsson  <andersca@apple.com>

        Simplify single character substrings in JSC
        https://bugs.webkit.org/show_bug.cgi?id=128483

        Reviewed by Andreas Kling.

        With the recent work to make StringImpl occupy less space, it is actually more
        efficient to allocate a single character string than it is to use createSubstringSharingImpl!

        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring8):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        (JSC::SmallStrings::SmallStrings):

2014-02-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Baseline JIT uses the wrong version of checkMarkWord in emitWriteBarrier
        https://bugs.webkit.org/show_bug.cgi?id=128474

        Reviewed by Michael Saboff.
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2014-02-08  Mark Lam  <mark.lam@apple.com>

        Rename a field and some variables in JSLock to better describe what they contain.
        <https://webkit.org/b/128475>

        Reviewed by Oliver Hunt.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:

2014-02-08  Anders Carlsson  <andersca@apple.com>

        Stop using getCharactersWithUpconvert in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=128457

        Reviewed by Andreas Kling.

        Change substituteBackreferencesSlow to take StringViews and use a StringBuilder instead of upconverting
        if the source or replacement strings are 16-bit.

        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):
        (JSC::substituteBackreferences):

2014-02-08  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/128452> Don't duplicate the list of input files for postprocess-headers.sh

        Reviewed by Dan Bernstein.

        * postprocess-headers.sh: Pull the list of headers to process out of the environment.

2014-02-08  Mark Rowe  <mrowe@apple.com>

        Fix the iOS build.

        * API/WebKitAvailability.h: Skip the workarounds specific to OS X when we're building for iOS.

2014-02-07  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/128448> Fix use of availability macros on recently-added APIs

        Reviewed by Dan Bernstein.

        * API/JSContext.h: Remove some #ifs.
        * API/JSManagedValue.h: Ditto.
        * API/WebKitAvailability.h: #define the macros that availability macros mentioning
        newer OS X versions would expand to when building on older OS versions.
        * JavaScriptCore.xcodeproj/project.pbxproj: Call the new postprocess-headers.sh.
        * postprocess-headers.sh: Extracted from the Xcode project. Updated to remove content
        from headers based on the __MAC_OS_X_VERSION_MIN_REQUIRED macro, and to
        process WebKitAvailability.h.

2014-02-07  Mark Lam  <mark.lam@apple.com>

        JSLock should not "restore" VM stack values if it did not re-grab locks.
        <https://webkit.org/b/128447>

        Reviewed by Geoffrey Garen.

        In the existing code, if DropAllLocks is instantiated with DontAlwaysDropLocks
        in a thread that does not own the JSLock, then a bug will manifest where:

        1. The DropAllLocks constructor will save the VM's stackPointerAtEntry,
           lastStackTop, and reservedZoneSize even though it will not drop the JSLock.
        2. The DropAllLocks destructor will restore those 3 values to the VM even
           though the JSLock will not grab its internal lock.

        The former only causes busy work but does not impact correctness. The latter,
        however, will corrupt those 3 VM values which belong to the thread that
        actually owns the JSLock.

        The fix is to only save the values when the JSLock will actually drop its
        internal lock, and only restore the values if it did re-grab the internal lock.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        - Moved the saving of VM stack values to dropAllLocks() and
          dropAllLocksUnconditionally().
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        - Moved the restoring of VM stack values to grabAllLocks().

2014-02-07  Filip Pizlo  <fpizlo@apple.com>

        Don't throw away code if there is code on the worklists
        https://bugs.webkit.org/show_bug.cgi?id=128443

        Reviewed by Joseph Pecoraro.
        If we throw away compiled code and there is code currently being JITed then the JIT
        will get confused after it resumes: it will see a code block that had claimed to belong
        to an executable except that it doesn't belong to any executables anymore.

        * dfg/DFGWorklist.h:
        (JSC::DFG::Worklist::isActive):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-02-07  Filip Pizlo  <fpizlo@apple.com>

        GC should safepoint the DFG worklist in a smarter way rather than just waiting for everything to complete
        https://bugs.webkit.org/show_bug.cgi?id=128297

        Reviewed by Oliver Hunt.

        This makes DFG worklist threads have a rightToRun lock that gives them the ability to
        be safepointed by the GC in much the same way as you'd expect from a fully
        multithreaded VM.

        The idea is that the worklist threads' roots are the DFG::Plan. They only touch those
        roots when holding the rightToRun lock. They currently grab that lock to run the
        compiler, but relinquish it when accessing - and waiting on - the worklist.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlockSet::mark):
        * dfg/DFGCompilationKey.cpp:
        (JSC::DFG::CompilationKey::visitChildren):
        * dfg/DFGCompilationKey.h:
        * dfg/DFGDesiredStructureChains.cpp:
        (JSC::DFG::DesiredStructureChains::visitChildren):
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredTransitions.cpp:
        (JSC::DFG::DesiredTransition::visitChildren):
        (JSC::DFG::DesiredTransitions::visitChildren):
        * dfg/DFGDesiredTransitions.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::visitChildren):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::visitChildren):
        (JSC::DFG::DesiredWriteBarriers::visitChildren):
        * dfg/DFGDesiredWriteBarriers.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::visitChildren):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::suspendAllThreads):
        (JSC::DFG::Worklist::resumeAllThreads):
        (JSC::DFG::Worklist::visitChildren):
        (JSC::DFG::Worklist::runThread):
        (JSC::DFG::Worklist::threadFunction):
        * dfg/DFGWorklist.h:
        (JSC::DFG::numberOfWorklists):
        (JSC::DFG::worklistForIndexOrNull):
        * heap/CodeBlockSet.h:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::visitChildren):
        * runtime/IntendedStructureChain.h:
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::prepareToDiscardCode):

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Unify JSLock implementation for iOS and non-iOS ports.
        <https://webkit.org/b/128409>

        Reviewed by Michael Saboff.

        The iOS and non-iOS implementations of dropAllLocks(),
        dropAllLocksUnconditionally(), and grabAllLocks() effectively do the
        same work.
        The main difference is that the iOS implementation acquires
        the JSLock spin lock in the DropAllLocks class while the other ports
        acquire it when it calls JSLock::lock() and unlock().

        The other difference is that the iOS implementation will only increment
        m_locksDropDepth if it actually drops locks, whereas other ports will
        increment it unconditionally. Analogously, iOS decrements the depth only
        when needed while other ports will decrement it unconditionally when
        re-grabbing locks.

        We can unify the 2 implementations by having both use the iOS
        implementation for a start.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):

2014-02-06  Filip Pizlo  <fpizlo@apple.com>

        More FTL build scaffolding
        https://bugs.webkit.org/show_bug.cgi?id=128330

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:
        * llvm/library/LLVMAnchor.cpp:

2014-02-07  Mark Lam  <mark.lam@apple.com>

        iOS port needs to clear VM::stackPointerAtVMEntry when it drops locks.
        <https://webkit.org/b/128424>

        Reviewed by Geoffrey Garen.

        The iOS code path for dropping locks differs from the non-iOS code path
        in that it (iOS) does not clear m_vm->stackPointerAtVMEntry nor reset the
        VM stack limit. This is now fixed by copying that snippet from
        JSLock::unlock().

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Removed superfluous JSLock::entryStackPointer field.
        <https://webkit.org/b/128413>

        Reviewed by Geoffrey Garen.
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        * runtime/JSLock.h:

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Revert workaround committed in http://trac.webkit.org/r163595.
        <https://webkit.org/b/128408>

        Reviewed by Geoffrey Garen.

        Now that we have fixed the bugs in JSLock's stack limit adjustments
        in https://bugs.webkit.org/show_bug.cgi?id=128406, we can revert the
        workaround in r163595.

        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSGlobalContextCreateInGroup):
        * API/tests/testapi.js:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimitWithReservedZoneSize):
        * runtime/VM.h:

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Fix bug in stack limit adjustments in JSLock.
        <https://webkit.org/b/128406>

        Reviewed by Geoffrey Garen.

        1. JSLock::unlock() was only clearing the VM::stackPointerAtEntry when
           m_vm->stackPointerAtVMEntry == entryStackPointer. FYI,
           entryStackPointer is a field in JSLock.

           When DropAllLocks::~DropAllLocks() calls JSLock::grabAllLocks()
           to relock the JSLock, JSLock::grabAllLocks() will set a new
           entryStackPointer value. Thereafter, DropAllLocks::~DropAllLocks() will
           restore the saved VM::stackPointerAtEntry, which will now differ from
           the JSLock's entryStackPointer value.

           It turns out that when m_vm->stackPointerAtVMEntry was initialized,
           it was set to whatever value entryStackPointer is set to. At no time
           do we ever expect the 2 values to differ. The only time it differs is
           when this bug manifests.

           The fix is to remove the entryStackPointer field in JSLock and its uses
           altogether.

        2. DropAllLocks was unconditionally clearing VM::stackPointerAtEntry in
           its constructor instead of letting JSLock::unlock() do the clearing.
           However, DropAllLocks will not actually drop locks if it isn't required
           to (e.g. when alwaysDropLocks is DontAlwaysDropLocks), and when we've
           already dropped locks once (i.e. JSLock::m_lockDropDepth is not 0).

           We should not have cleared VM::stackPointerAtEntry here if we don't
           actually drop the locks.

        * runtime/JSLock.cpp:
        (JSC::JSLock::unlock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):

2014-02-07  Joseph Pecoraro  <pecoraro@apple.com>

        [iOS] Eliminate race between XPC connection queue and Notification queue
        https://bugs.webkit.org/show_bug.cgi?id=128384

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        Create the queue to use for RemoteInspector xpc connection
        management and the connection itself.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        Use the passed in queue instead of creating one for itself.

2014-02-07  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r160628): LLint does not appear to handle impure get own property properly
        https://bugs.webkit.org/show_bug.cgi?id=127943

        Reviewed by Filip Pizlo.

        Make sure the LLINT doesn't attempt to cache property
        access on structures with impureGetOwnPropertySlot set.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-02-06  Michael Saboff  <msaboff@apple.com>

        Workaround REGRESSION(r163195-r163227): Crash beneath NSErrorUserInfoFromJSException when installing AppleInternal.mpkg
        https://bugs.webkit.org/show_bug.cgi?id=128347

        Reviewed by Geoffrey Garen.

        Added a flag to VM class called m_ignoreStackLimit that disables stack limit checks.
        We set this flag in JSContextGroupCreate() and JSGlobalContextCreateInGroup().

        Disabled stack overflow tests in testapi.js since it uses these paths.

        This patch will be reverted as part of a comprehensive solution to the problem.

        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSGlobalContextCreateInGroup):
        * API/tests/testapi.js:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimitWithReservedZoneSize):
        * runtime/VM.h:
        (JSC::VM::ignoreStackLimit):

2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        +[JSContext currentCallee] should return the currently executing JS function
        https://bugs.webkit.org/show_bug.cgi?id=122621

        Reviewed by Geoffrey Garen.

        It would be useful if there was a +[JSContext currentObject] API which was
        callable from ObjC API callbacks. Its purpose would be to allow convenient
        access to the JSValue wrapper for the currently-executing block callback.
        * API/JSContext.h:
        * API/JSContext.mm:
        (+[JSContext currentCallee]):
        (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
        * API/JSContextInternal.h:
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsFunction):
        (JSC::objCCallbackFunctionCallAsConstructor):
        * API/tests/testapi.mm:

2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix iOS builds after r163574

        * API/JSManagedValue.h:

2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap::writeBarrier shouldn't be static
        https://bugs.webkit.org/show_bug.cgi?id=127807

        Reviewed by Geoffrey Garen.

        Currently it looks up the Heap in which to fire the write barrier by using
        the cell passed to it. Almost every call site already has a reference to the
        VM or the Heap itself. It seems wasteful to look it up all over again.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyWriteBarrier.h:
        (JSC::CopyWriteBarrier::set):
        * heap/Heap.cpp:
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * jit/JITOperations.cpp:
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::set):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * runtime/Arguments.h:
        * runtime/JSWeakMap.cpp:
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.h:
        * runtime/WriteBarrier.h:
        * runtime/WriteBarrierInlines.h: Added.
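
As an added illustration of the DropAllLocks bug described in the Mark Lam JSLock entries above (<https://webkit.org/b/128447> and <https://webkit.org/b/128406>), and not code from JavaScriptCore: a hypothetical stand-in for JSLock with the pre-fix guard next to the fixed one, where saving and restoring happen only on a real drop and a real re-grab. The thread ids, stack addresses and VM stack values are constructed.

```cpp
#include <cstddef>
#include <cstdint>
using ThreadId = int; // constructed stand-in for a real thread identity

// The three per-VM values the JSLock entries say DropAllLocks saved and restored.
struct VMStackValues {
    uintptr_t stackPointerAtVMEntry = 0;
    uintptr_t lastStackTop = 0;
    size_t reservedZoneSize = 0;
};

// Hypothetical JSLock model: one owner thread and a lock-drop depth. As in the fix, the
// saving/restoring lives in dropAllLocks()/grabAllLocks(), so it happens only when they really act.
class JSLock {
public:
    explicit JSLock(VMStackValues& vm) : m_vm(vm) {}
    VMStackValues& vm() { return m_vm; }
    void lock(ThreadId tid, uintptr_t sp) { m_ownerThread = tid; m_held = true; m_vm.stackPointerAtVMEntry = sp; }
    void unlock() { m_held = false; m_vm.stackPointerAtVMEntry = 0; } // JSLock::unlock() clears this too
    bool currentThreadIsHoldingLock(ThreadId tid) const { return m_held && m_ownerThread == tid; }

    // DontAlwaysDropLocks semantics: drop only if the caller owns the lock.
    bool dropAllLocks(ThreadId tid, VMStackValues* saved) {
        if (!currentThreadIsHoldingLock(tid)) return false;
        if (saved) *saved = m_vm; // snapshot taken only on a real drop
        ++m_lockDropDepth;
        unlock();
        return true;
    }
    // Re-grab only if a matching drop happened on this lock.
    bool grabAllLocks(ThreadId tid, uintptr_t sp, const VMStackValues* saved) {
        if (!m_lockDropDepth) return false;
        --m_lockDropDepth;
        lock(tid, sp);
        if (saved) m_vm = *saved; // restored only on a real re-grab
        return true;
    }
private:
    VMStackValues& m_vm;
    ThreadId m_ownerThread = -1;
    bool m_held = false;
    unsigned m_lockDropDepth = 0;
};

// Pre-fix behaviour: the constructor snapshots the VM values and the destructor writes
// them back, whether or not this thread ever held (and therefore dropped) the lock.
class BuggyDropAllLocks {
public:
    BuggyDropAllLocks(JSLock& lock, ThreadId tid, uintptr_t sp)
        : m_lock(lock), m_tid(tid), m_sp(sp), m_saved(lock.vm()) {
        m_lock.dropAllLocks(m_tid, nullptr); // result ignored
    }
    ~BuggyDropAllLocks() {
        m_lock.grabAllLocks(m_tid, m_sp, nullptr); // result ignored
        m_lock.vm() = m_saved; // clobbers the values of whichever thread really owns the lock
    }
private:
    JSLock& m_lock; ThreadId m_tid; uintptr_t m_sp; VMStackValues m_saved;
};

// Fixed behaviour: the lock decides whether anything is saved or restored.
class FixedDropAllLocks {
public:
    FixedDropAllLocks(JSLock& lock, ThreadId tid, uintptr_t sp)
        : m_lock(lock), m_tid(tid), m_sp(sp) { m_lock.dropAllLocks(m_tid, &m_saved); }
    ~FixedDropAllLocks() { m_lock.grabAllLocks(m_tid, m_sp, &m_saved); }
private:
    JSLock& m_lock; ThreadId m_tid; uintptr_t m_sp; VMStackValues m_saved;
};

// The ChangeLog scenario: thread A owns the JSLock while thread B, which does not,
// instantiates DropAllLocks. Returns the owner's lastStackTop afterwards.
template<typename Guard>
uintptr_t lastStackTopAfterForeignGuard() {
    VMStackValues vm;
    JSLock lock(vm);
    const ThreadId threadA = 1, threadB = 2;
    lock.lock(threadA, 0x7000);
    vm.lastStackTop = 0x1000;
    {
        Guard guard(lock, threadB, 0x9000); // thread B: must be a no-op
        vm.lastStackTop = 0x2000;           // thread A, still the owner, updates its values
    }
    return vm.lastStackTop; // 0x1000 (stale) with the bug, 0x2000 with the fix
}

// The fixed guard still works for the real owner: released inside the scope,
// held again with the saved values restored afterwards.
bool ownerRoundTripRestoresValues() {
    VMStackValues vm;
    JSLock lock(vm);
    lock.lock(1, 0x7000);
    vm.lastStackTop = 0x1000;
    bool releasedInside = false;
    {
        FixedDropAllLocks guard(lock, 1, 0x7000);
        releasedInside = !lock.currentThreadIsHoldingLock(1) && vm.stackPointerAtVMEntry == 0;
    }
    return releasedInside && lock.currentThreadIsHoldingLock(1)
        && vm.stackPointerAtVMEntry == 0x7000 && vm.lastStackTop == 0x1000;
}
```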

2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSManagedValue should automatically call removeManagedReference:withOwner: upon dealloc
        https://bugs.webkit.org/show_bug.cgi?id=124053

        Reviewed by Geoffrey Garen.

        * API/JSManagedValue.h:
        * API/JSManagedValue.mm:
        (+[JSManagedValue managedValueWithValue:andOwner:]):
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue dealloc]):
        (-[JSManagedValue didAddOwner:]):
        (-[JSManagedValue didRemoveOwner:]):
        * API/JSManagedValueInternal.h: Added.
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        * API/WebKitAvailability.h:
        * API/tests/testapi.mm:
        (-[TextXYZ click]):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add Console support to JSContext Inspection
        https://bugs.webkit.org/show_bug.cgi?id=127941

        Reviewed by Geoffrey Garen.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new files.

        * inspector/agents/InspectorConsoleAgent.cpp: Renamed from Source/WebCore/inspector/InspectorConsoleAgent.cpp.
        * inspector/agents/InspectorConsoleAgent.h: Added.
        New agent moved from WebCore. Rename a method to work in JS only context.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        Instantiate ConsoleAgent.

        * inspector/agents/JSGlobalObjectConsoleAgent.h: Copied from Source/WebCore/inspector/PageInjectedScriptHost.h.
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Copied from Source/WebCore/inspector/PageInjectedScriptHost.h.
        (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
        (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
        (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
        (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject):
        JSGlobalObject implementation.

        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::JSGlobalObjectDebuggerAgent):
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        Use ConsoleAgent to report logs.

        * inspector/ConsoleMessage.cpp: Renamed from Source/WebCore/inspector/ConsoleMessage.cpp.
        * inspector/ConsoleMessage.h: Renamed from Source/WebCore/inspector/ConsoleMessage.h.
        * inspector/ConsoleTypes.h: Copied from Source/WebCore/inspector/ConsoleAPITypes.h.
        * inspector/IdentifiersFactory.cpp: Renamed from Source/WebCore/inspector/IdentifiersFactory.cpp.
        * inspector/IdentifiersFactory.h: Renamed from Source/WebCore/inspector/IdentifiersFactory.h.
        * inspector/ScriptArguments.cpp: Renamed from Source/WebCore/inspector/ScriptArguments.cpp.
        * inspector/ScriptArguments.h: Renamed from Source/WebCore/inspector/ScriptArguments.h.
        * inspector/ScriptCallFrame.cpp: Renamed from Source/WebCore/inspector/ScriptCallFrame.cpp.
        * inspector/ScriptCallFrame.h: Renamed from Source/WebCore/inspector/ScriptCallFrame.h.
        * inspector/ScriptCallStack.cpp: Renamed from Source/WebCore/inspector/ScriptCallStack.cpp.
        * inspector/ScriptCallStack.h: Renamed from Source/WebCore/inspector/ScriptCallStack.h.
        * inspector/ScriptCallStackFactory.cpp: Renamed from Source/WebCore/bindings/js/ScriptCallStackFactory.cpp.
        * inspector/ScriptCallStackFactory.h: Renamed from Source/WebCore/bindings/js/ScriptCallStackFactory.h.
        * inspector/protocol/Console.json: Renamed from Source/WebCore/inspector/protocol/Console.json.
        * inspector/scripts/generate-combined-inspector-json.py:

2014-02-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r163542.
        http://trac.webkit.org/changeset/163542
        https://bugs.webkit.org/show_bug.cgi?id=128324

        Caused many assertion failures (Requested by ap on #webkit).

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyWriteBarrier.h:
        (JSC::CopyWriteBarrier::set):
        * heap/Heap.cpp:
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * jit/JITOperations.cpp:
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::set):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * runtime/Arguments.h:
        * runtime/JSWeakMap.cpp:
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.h:
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrierBase::setMayBeNull):
        (JSC::WriteBarrierBase::setEarlyValue):
        (JSC::WriteBarrierBase<Unknown>::set):
        * runtime/WriteBarrierInlines.h: Removed.

2014-02-06  Oliver Hunt  <oliver@apple.com>

        Make 32bit pass the correct this value to custom getters
        https://bugs.webkit.org/show_bug.cgi?id=128313

        Reviewed by Mark Lam.

        Now that the custom getter calling convention uses a single register
        for the slot base we can easily pass the correct |thisValue| instead
        of simply relying on the thisValue not being relevant to existing
        custom getters. This also means that 32bit can call custom getters
        directly.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryBuildGetByIDList):

2014-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap::writeBarrier shouldn't be static
        https://bugs.webkit.org/show_bug.cgi?id=127807

        Reviewed by Geoffrey Garen.

        Currently it looks up the Heap in which to fire the write barrier by using
        the cell passed to it. Almost every call site already has a reference to the
        VM or the Heap itself. It seems wasteful to look it up all over again.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyWriteBarrier.h:
        (JSC::CopyWriteBarrier::set):
        * heap/Heap.cpp:
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * jit/JITOperations.cpp:
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::set):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * runtime/Arguments.h:
        * runtime/JSWeakMap.cpp:
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.h:
        * runtime/WriteBarrier.h:
        * runtime/WriteBarrierInlines.h: Added.

2014-02-04  Filip Pizlo  <fpizlo@apple.com>

        Make FTL OSR entry something we only try after we've already compiled the function with the FTL and it still got stuck in a loop after that without ever returning like a sensible function oughta have
        https://bugs.webkit.org/show_bug.cgi?id=128234

        Reviewed by Geoffrey Garen.

        Use DFG::JITCode::osrEntryRetry as a counter to decide when to invoke OSR entry. That
        comes into play only after we've done a replacement compile.
        This appears to still give us a speed-up on the kinds of things that OSR entry is good
        for, while also eliminating pointless OSR entry compilations on other things.

        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::JITCode):
        * dfg/DFGJITCode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        * runtime/Options.h:

2014-02-04  Filip Pizlo  <fpizlo@apple.com>

        Don't speculate on ToThis if we already know that arg0 has a questionable record with structure checks
        https://bugs.webkit.org/show_bug.cgi?id=128229

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2014-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Handling of opaque roots is wrong in EdenCollections
        https://bugs.webkit.org/show_bug.cgi?id=128210

        Reviewed by Oliver Hunt.

        The set of opaque roots is always cleared during each collection. We should instead persist
        the set of opaque roots across EdenCollections and only clear it at the beginning of FullCollections.

        Also added a couple of custom objects to the jsc shell that allow us to test this.
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::reset):
        (JSC::GCThreadSharedData::didStartMarking):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        (JSC::Heap::setShouldDoFullCollection):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        * heap/SlotVisitor.h:
        * jsc.cpp:
        (WTF::Element::Element):
        (WTF::Element::root):
        (WTF::Element::setRoot):
        (WTF::Element::create):
        (WTF::Element::createStructure):
        (WTF::ElementHandleOwner::isReachableFromOpaqueRoots):
        (WTF::Root::Root):
        (WTF::Root::element):
        (WTF::Root::setElement):
        (WTF::Root::create):
        (WTF::Root::createStructure):
        (WTF::Root::visitChildren):
        (WTF::Element::handleOwner):
        (WTF::Element::finishCreation):
        (GlobalObject::finishCreation):
        (functionCreateRoot):
        (functionCreateElement):
        (functionGetElement):
        (functionSetElementRoot):
        (functionGCAndSweep):
        (functionFullGC):
        (functionEdenGC):

2014-02-05  Anders Carlsson  <andersca@apple.com>

        Remove unused functions.

        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpObject.cpp:

2014-02-05  Oliver Hunt  <oliver@apple.com>

        Change custom getter signature to make the base reference an object pointer
        https://bugs.webkit.org/show_bug.cgi?id=128279

        Reviewed by Geoffrey Garen.

        Make custom getters take a JSObject* instead of EncodedJSValue as the base
        reference. This allows us to drop one pointer from the JSVALUE32_64 calling
        convention.
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryBuildGetByIDList):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        (JSC::JSFunction::nameGetter):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorNaNValue):
        (JSC::numberConstructorNegInfinity):
        (JSC::numberConstructorPosInfinity):
        (JSC::numberConstructorMaxValue):
        (JSC::numberConstructorMinValue):
        * runtime/PropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectGlobal):
        (JSC::regExpObjectIgnoreCase):
        (JSC::regExpObjectMultiline):
        (JSC::regExpObjectSource):

2014-02-05  Andreas Kling  <akling@apple.com>

        Remove ENABLE(DIRECTORY_UPLOAD).
        <https://webkit.org/b/128275>

        Rubber-stamped by Ryosuke Niwa.
        * Configurations/FeatureDefines.xcconfig:

2014-02-05  Filip Pizlo  <fpizlo@apple.com>

        Rename useExperimentalFTL to useFTLJIT.

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * runtime/Options.h:

2014-02-05  Brian Burg  <bburg@apple.com>

        Web Inspector: add probe manager and model objects to the frontend
        https://bugs.webkit.org/show_bug.cgi?id=127117

        Reviewed by Timothy Hatcher.

        The inspector frontend now assigns breakpoint action identifiers,
        rather than the backend. Remove return values containing breakpoint
        identifiers, and remove tracking and assignment of action identifiers.

        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::evaluateBreakpointAction):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
        Pass BreakpointAction by reference rather than just the action identifier.

        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction):
        (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/protocol/Debugger.json: Revert change to setBreakpoint return values. Add optional identifier to breakpoint actions.
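
As an added illustration of the "Handling of opaque roots is wrong in EdenCollections" entry above (bug 128210), and not JavaScriptCore's own heap code: a simplified generational heap that can either clear the opaque root set on every collection (the pre-fix behaviour) or clear it only when a Full collection starts. Root, Element and the weak handle are constructed stand-ins for the jsc shell test objects the entry describes, and "Eden visits only roots allocated since the last collection" is a deliberate simplification.

```cpp
#include <algorithm>
#include <set>
#include <vector>

// Constructed stand-ins: a Root holds its Element strongly, the Element only
// remembers which Root it belongs to.
struct Root;
struct Element { Root* root = nullptr; };
struct Root { Element* element = nullptr; bool isOld = false; };

// Weak handle to an Element. Its owner (ElementHandleOwner in the entry) keeps
// it alive exactly while the Element's Root is in the set of opaque roots.
struct WeakHandle { Element* element; bool alive = true; };

bool elementIsReachableFromOpaqueRoots(const std::set<const void*>& opaqueRoots, const Element& e) {
    return e.root && opaqueRoots.count(e.root) != 0;
}

// Simplified generational heap: a Full collection visits every Root, an Eden
// collection only the Roots allocated since the previous collection.
class Heap {
public:
    enum class Collection { Eden, Full };
    explicit Heap(bool persistOpaqueRootsAcrossEden) : m_persistAcrossEden(persistOpaqueRootsAcrossEden) {}

    void addRoot(Root* r) { m_roots.push_back(r); }
    void removeRoot(Root* r) { m_roots.erase(std::remove(m_roots.begin(), m_roots.end(), r), m_roots.end()); }
    void addWeakHandle(WeakHandle* h) { m_weakHandles.push_back(h); }

    void collect(Collection kind) {
        // Pre-fix: cleared on every collection. Fixed: cleared only when a Full collection starts.
        if (kind == Collection::Full || !m_persistAcrossEden)
            m_opaqueRoots.clear();
        for (Root* r : m_roots) {
            if (kind == Collection::Full || !r->isOld) {
                m_opaqueRoots.insert(r); // Root::visitChildren adds the Root itself as an opaque root
                r->isOld = true;         // survived a collection: now in the old generation
            }
        }
        // Weak handle finalization at the end of the collection.
        for (WeakHandle* h : m_weakHandles) {
            if (h->alive && !elementIsReachableFromOpaqueRoots(m_opaqueRoots, *h->element))
                h->alive = false;
        }
    }
private:
    bool m_persistAcrossEden;
    std::vector<Root*> m_roots;
    std::vector<WeakHandle*> m_weakHandles;
    std::set<const void*> m_opaqueRoots;
};

// A Full collection followed by an Eden collection while the Root is still alive.
// The Root is old by then, so the Eden collection never re-visits it; the handle
// should survive because the Element is still reachable through its Root.
bool elementSurvivesEdenAfterFull(bool persistOpaqueRootsAcrossEden) {
    Heap heap(persistOpaqueRootsAcrossEden);
    Root root;
    Element element;
    root.element = &element;
    element.root = &root;
    WeakHandle handle{&element};
    heap.addRoot(&root);
    heap.addWeakHandle(&handle);
    heap.collect(Heap::Collection::Full);
    heap.collect(Heap::Collection::Eden);
    return handle.alive; // false with the pre-fix behaviour, true with the fix
}

// The fix must not keep garbage alive: once the Root is gone, the next Full
// collection rebuilds the opaque root set from scratch and the handle dies.
bool elementDiesOnceRootIsGone() {
    Heap heap(true);
    Root root;
    Element element;
    root.element = &element;
    element.root = &root;
    WeakHandle handle{&element};
    heap.addRoot(&root);
    heap.addWeakHandle(&handle);
    heap.collect(Heap::Collection::Full);
    bool aliveBefore = handle.alive;
    heap.removeRoot(&root);
    heap.collect(Heap::Collection::Full);
    return aliveBefore && !handle.alive;
}
```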

2014-02-05 Filip Pizlo <fpizlo@apple.com>

        JSC on Mac should pull LLVM from prefix=/usr/local/LLVMForJavaScriptCore and not /usr/local
        https://bugs.webkit.org/show_bug.cgi?id=128269

        Reviewed by Mark Hahnenberg.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-02-05 Mark Hahnenberg <mhahnenberg@apple.com>

        Fix 32-bit builds after r163471

        * dfg/DFGOSRExitCompilerCommon.cpp:

2014-02-05 Mark Hahnenberg <mhahnenberg@apple.com>

        Can no longer run OctaneV2 in browser, crashes in speculationFromCell
        https://bugs.webkit.org/show_bug.cgi?id=128266

        Reviewed by Filip Pizlo.

        Move the OSR exit write barriers into OSRExitCompilerCommon. Also reorganize some
        of the code to be in more appropriate places.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::genericWriteBarrier):

2014-02-05 Mark Hahnenberg <mhahnenberg@apple.com>

        Malloc called beneath MachineThreads::gatherFromOtherThread(), while forbidden
        https://bugs.webkit.org/show_bug.cgi?id=128202

        Reviewed by Geoffrey Garen.

        This patch uses the new GCSegmentedArray to replace the Vector that was used
        to record the set of currently executing CodeBlocks during the conservative
        stack scan. This is primarily to avoid the possibility of the Vector resizing
        while FastMalloc is forbidden.

        * heap/BlockAllocator.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::CodeBlockSet):
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        * heap/CodeBlockSet.h:
        * heap/GCSegmentedArray.h:
        (JSC::GCSegmentedArray::begin):
        (JSC::GCSegmentedArray::end):
        (JSC::GCSegmentedArrayIterator::GCSegmentedArrayIterator):
        (JSC::GCSegmentedArrayIterator::get):
        (JSC::GCSegmentedArrayIterator::operator*):
        (JSC::GCSegmentedArrayIterator::operator->):
        (JSC::GCSegmentedArrayIterator::operator==):
        (JSC::GCSegmentedArrayIterator::operator!=):
        (JSC::GCSegmentedArrayIterator::operator++):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):

2014-02-05 Wojciech Bielawski <w.bielawski@samsung.com>

        XMLHttpRequest performs too many copies for ArrayBuffer results
        https://bugs.webkit.org/show_bug.cgi?id=117458

        Reviewed by Alexey Proskuryakov.

        Based on blink change: https://chromium.googlesource.com/chromium/blink/+/bed266aa5a43f7c080c87e527bd35e2b80ecc7b7

        Add SharedBuffer::createArrayBuffer() and use it to create XMLHttpRequest's response in ArrayBuffer
        This cuts
        - two memsets (in ArrayBuffer::create and SharedBuffer::m_buffer::resize)
        - one copy (SharedBuffer::m_buffer to ArrayBufferContents::m_data)
        - one allocation (SharedBuffer::m_buffer)

        * runtime/ArrayBuffer.h:

2014-02-05 Csaba Osztrogonác <ossy@webkit.org>

        Remove ENABLE(SVG) guards
        https://bugs.webkit.org/show_bug.cgi?id=127991

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2014-02-05 Zan Dobersek <zdobersek@igalia.com>

        Remove CLASS_IF_GCC workarounds
        https://bugs.webkit.org/show_bug.cgi?id=128207

        Reviewed by Anders Carlsson.

        Remove the CLASS_IF_GCC macro that was defined to 'class' when using the GCC compiler.
        The macro was then used in class friendship declarations for templated classes to avoid
        corner-case compiler failures on both GCC pre-4.7 and MSVC pre-2013. The problematic
        versions of both compilers are no longer supported, so this macro is good to go.

        * heap/HeapBlock.h:
        * heap/Region.h:

2014-02-04 Mark Lam <mark.lam@apple.com>

        The stack limit computation does not work for Windows.
        <https://webkit.org/b/128226>

        Reviewed by Geoffrey Garen.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoopRegister::CLoopRegister):
        (JSC::CLoop::execute):
        - Suppressed some compiler warnings for the C loop build.
        * runtime/VM.cpp:
        (JSC::VM::updateStackLimitWithReservedZoneSize):
        - Use the new StackBounds::recursionLimit() to compute the stack limit
          the right way.

2014-02-04 Andreas Kling <akling@apple.com>

        Remove <iframe seamless> support.
        <https://webkit.org/b/128213>

        Rubber-stamped by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2014-02-04 Mark Lam <mark.lam@apple.com>

        DFG::operationTypeOf() needs to set the VM::topCallFrame.
        <https://webkit.org/b/128228>

        Reviewed by Mark Hahnenberg.

        * dfg/DFGOperations.cpp:
        - operationTypeOf() can end up calling into WebCore which may in turn
          call back to JSC, and need a valid VM::topCallFrame. So, we need to
          set the value of VM::topCallFrame at the top of operationTypeOf().

2014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>

        Fix !ENABLE(JIT) builds after r163418

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::reoptimizationRetryCounter): Return 0 if there's no way for us to reoptimize.

2014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>

        Reduce boilerplate in BlockAllocator.h
        https://bugs.webkit.org/show_bug.cgi?id=128222

        Reviewed by Filip Pizlo.

        There are a lot of template specializations for the various types of HeapBlocks
        in BlockAllocator.h. We could reduce the spew by using a macro.

        * heap/BlockAllocator.h:

2014-02-04 Filip Pizlo <fpizlo@apple.com>

        DFG PutByVal on typed arrays should detect OutOfBounds sooner
        https://bugs.webkit.org/show_bug.cgi?id=128162

        Reviewed by Mark Hahnenberg.

        Just wire the m_outOfBounds flag in ArrayProfile into the OutOfBounds speculation in
        DFG::ArrayMode for typed arrays.

        Also make it possible to have tests for convergence.

        Also turn one of the LayoutTests/js/dfg- tests into a stress test because it
        was relying on a specific number of recompiles. Stress tests instead take
        the approach of just running for a while. That's more robust.

        * bytecode/CodeBlock.h:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withSpeculationFromProfile):
        (JSC::DFG::ArrayMode::withProfile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionReoptimizationRetryCount):
        * runtime/TestRunnerUtils.cpp:
        (JSC::getExecutableForFunction):
        (JSC::getSomeBaselineCodeBlockForFunction):
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):
        * runtime/TestRunnerUtils.h:
        * tests/stress/float32-repeat-out-of-bounds.js: Added.
        (foo):
        * tests/stress/int8-repeat-out-of-bounds.js: Added.
        (foo):
        * tests/stress/string-out-of-bounds-negative-proto-value.js: Added.
        (foo):

2014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>

        Refactor MarkStackArray to allow more than JSCells to be stored
        https://bugs.webkit.org/show_bug.cgi?id=128203

        Reviewed by Geoffrey Garen.

        This patch refactors MarkStackArray into a separate template class named GCSegmentedArray.
        This class allows subclassing to add functionality that only MarkStackArray wants.
        Since it uses the JSC BlockAllocator instead of FastMalloc, this class can be used during
        conservative stack scanning, which disallows using FastMalloc.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/BlockAllocator.h:
        * heap/GCSegmentedArray.h: Added.
        (JSC::GCArraySegment::GCArraySegment):
        (JSC::GCArraySegment::data):
        * heap/GCSegmentedArrayInlines.h: Added.
        (JSC::GCSegmentedArray<T>::GCSegmentedArray):
        (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
        (JSC::GCSegmentedArray<T>::clear):
        (JSC::GCSegmentedArray<T>::expand):
        (JSC::GCSegmentedArray<T>::refill):
        (JSC::GCSegmentedArray<T>::fillVector):
        (JSC::GCArraySegment<T>::create):
        (JSC::GCSegmentedArray<T>::postIncTop):
        (JSC::GCSegmentedArray<T>::preDecTop):
        (JSC::GCSegmentedArray<T>::setTopForFullSegment):
        (JSC::GCSegmentedArray<T>::setTopForEmptySegment):
        (JSC::GCSegmentedArray<T>::top):
        (JSC::GCSegmentedArray<T>::validatePrevious):
        (JSC::GCSegmentedArray<T>::append):
        (JSC::GCSegmentedArray<T>::canRemoveLast):
        (JSC::GCSegmentedArray<T>::removeLast):
        (JSC::GCSegmentedArray<T>::isEmpty):
        (JSC::GCSegmentedArray<T>::size):
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackArray::~MarkStackArray):
        (JSC::MarkStackArray::donateSomeCellsTo):
        (JSC::MarkStackArray::stealSomeCellsFrom):
        * heap/MarkStack.h:
        * heap/MarkStackInlines.h:

2014-02-04 Anders Carlsson <andersca@apple.com>

        Rename the substring sharing StringImpl::create variants to better indicate what they do
        https://bugs.webkit.org/show_bug.cgi?id=128214

        Reviewed by Geoffrey Garen.

        * runtime/JSString.h:
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsSubstring8):
        (JSC::jsSubstring):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::replaceUsingStringSearch):

2014-02-04 Anders Carlsson <andersca@apple.com>

        Rename StringImpl::getCharacters to StringImpl::characters
        https://bugs.webkit.org/show_bug.cgi?id=128205

        Reviewed by Antti Koivisto.

        Update for WTF changes.

        * runtime/JSStringJoiner.cpp:
        (JSC::joinStrings):
        * runtime/StringPrototype.cpp:
        (JSC::splitStringByOneCharacterImpl):

2014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>

        Fix a mismatch of uint64_t and size_t on 32-bit platforms.

        * ftl/FTLDWARFDebugLineInfo.h:

2014-01-21 Mark Hahnenberg <mhahnenberg@apple.com>

        JSC needs to be able to parse DWARF debug_line info
        https://bugs.webkit.org/show_bug.cgi?id=127394

        Reviewed by Geoffrey Garen.

        If we want to encode IR maps in the DWARF debug line info metadata generated by LLVM,
        we'll need to know how to decode the .debug_line DWARF section. This patch implements
        an interpreter for the .debug_line DWARF section in accordance with the version 3 spec
        published at http://www.dwarfstd.org.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLDWARFDebugLineInfo.cpp: Added.
        (JSC::FTL::DebugLineInterpreter::DebugLineInterpreter):
        (JSC::FTL::read):
        (JSC::FTL::DebugLineInterpreter::parseULEB128):
        (JSC::FTL::DebugLineInterpreter::parseSLEB128):
        (JSC::FTL::DebugLineInterpreter::run):
        (JSC::FTL::DebugLineInterpreter::parsePrologue):
        (JSC::FTL::DebugLineInterpreter::parseIncludeDirectories):
        (JSC::FTL::DebugLineInterpreter::parseFileEntries):
        (JSC::FTL::DebugLineInterpreter::parseFileEntry):
        (JSC::FTL::DebugLineInterpreter::interpretStatementProgram):
        (JSC::FTL::DebugLineInterpreter::interpretOpcode):
        (JSC::FTL::DebugLineInterpreter::printLineInfo):
        (JSC::FTL::DebugLineInterpreter::resetInterpreterState):
        * ftl/FTLDWARFDebugLineInfo.h: Added.
        (JSC::FTL::DebugLineInterpreter::Prologue::Prologue):
        * ftl/FTLValueRange.cpp: Random build fix for !ENABLE(FTL_JIT).

2014-02-04 Anders Carlsson <andersca@apple.com>

        Rename String::getCharacters to String::characters
        https://bugs.webkit.org/show_bug.cgi?id=128196

        Reviewed by Andreas Kling.

        Update for WTF::String changes.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::Parser):

2014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>

        JSC needs to be able to parse DWARF debug_line info
        https://bugs.webkit.org/show_bug.cgi?id=127394

        Reviewed by Geoffrey Garen.

        If we want to encode IR maps in the DWARF debug line info metadata generated by LLVM,
        we'll need to know how to decode the .debug_line DWARF section. This patch implements
        an interpreter for the .debug_line DWARF section in accordance with the version 3 spec
        published at http://www.dwarfstd.org.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLDWARFDebugLineInfo.cpp: Added.
        (JSC::FTL::DebugLineInterpreter::DebugLineInterpreter):
        (JSC::FTL::read):
        (JSC::FTL::DebugLineInterpreter::parseULEB128):
        (JSC::FTL::DebugLineInterpreter::parseSLEB128):
        (JSC::FTL::DebugLineInterpreter::run):
        (JSC::FTL::DebugLineInterpreter::parsePrologue):
        (JSC::FTL::DebugLineInterpreter::parseIncludeDirectories):
        (JSC::FTL::DebugLineInterpreter::parseFileEntries):
        (JSC::FTL::DebugLineInterpreter::parseFileEntry):
        (JSC::FTL::DebugLineInterpreter::interpretStatementProgram):
        (JSC::FTL::DebugLineInterpreter::interpretOpcode):
        (JSC::FTL::DebugLineInterpreter::printLineInfo):
        (JSC::FTL::DebugLineInterpreter::resetInterpreterState):
        * ftl/FTLDWARFDebugLineInfo.h: Added.
        (JSC::FTL::DebugLineInterpreter::Prologue::Prologue):

2014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>

        ASSERT in speculateMachineInt on 32-bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=128155

        Reviewed by Filip Pizlo.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>

        GC timer should always do a FullCollection
        https://bugs.webkit.org/show_bug.cgi?id=128186

        Reviewed by Michael Saboff.

        Right now the GC timer does whatever type of collection the next collection
        would have been, which is almost always an EdenCollection. It then thinks
        that it has done all of the work it was supposed to do and never schedules
        another GC. Ideally we'd like to have some heuristics for the timer that
        would schedule both EdenCollections and FullCollections, but the easiest
        fix for now is to always do FullCollections since that will at least be
        a non-regression.

        * heap/Heap.h:
        (JSC::Heap::gcTimerDidFire):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2014-02-03 Filip Pizlo <fpizlo@apple.com>

        Lift the FTL tier-up threshold from 25000 to 100000
        https://bugs.webkit.org/show_bug.cgi?id=128158

        Rubber stamped by Michael Saboff.

        * runtime/Options.h:

2014-02-03 Mark Hahnenberg <mhahnenberg@apple.com>

        LLInt: Regex for pseudo-instructions is too big
        https://bugs.webkit.org/show_bug.cgi?id=128148

        Reviewed by Mark Lam.

        * offlineasm/instructions.rb:
        * offlineasm/parser.rb:

2014-02-03 Brian Burg <bburg@apple.com>

        Web Replay: upstream base input classes and the input cursor interface
        https://bugs.webkit.org/show_bug.cgi?id=128110

        Reviewed by Joseph Pecoraro.

        Add the base class for all replay inputs. Add InputTraits, a trait that
        provides an input's queue, type, and encode/decode methods statically so
        that they can be used within templated helper functions in InputCursor and
        EncodedValue.

        Add the InputCursor base class which mediates the saving and fetching of
        replay inputs from a replay recording by instrumented nondeterministic code.

        Add a dummy cursor implementation. This allows us to return a cursor reference
        to clients even if no capturing or replaying is happening.

        Add the ability to set an InputCursor instance on a JSGlobalObject. This
        is the means for connecting a replay recording to a script context.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * replay/EmptyInputCursor.h: Added.
        (JSC::EmptyInputCursor::~EmptyInputCursor):
        (JSC::EmptyInputCursor::create):
        (JSC::EmptyInputCursor::EmptyInputCursor):
        * replay/InputCursor.h: Added.
        (JSC::InputCursor::InputCursor):
        (JSC::InputCursor::~InputCursor):
        (JSC::InputCursor::appendInput):
        (JSC::InputCursor::fetchInput):
        * replay/NondeterministicInput.h: Added.
        (JSC::NondeterministicInputBase::NondeterministicInputBase):
        (JSC::NondeterministicInputBase::~NondeterministicInputBase):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::setInputCursor):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inputCursor):

2014-02-03 Mark Hahnenberg <mhahnenberg@apple.com>

        Fix the cloop due to GenGC
        https://bugs.webkit.org/show_bug.cgi?id=128137

        Reviewed by Geoffrey Garen.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoopRegister::operator JSCell*):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:

2014-02-03 Michael Saboff <msaboff@apple.com>

        REGRESSION (r163011-r163031): Web Inspector: Latest nightly crashes when showing the Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=127901

        Reviewed by Geoffrey Garen.

        Set VM::topCallFrame before making calls to possible C++ code in
        generateProtoChainAccessStub() and tryBuildGetByIDList().

        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryBuildGetByIDList):

2014-02-03 Andreas Kling <akling@apple.com>

        Keep only captured symbols in CodeBlock symbol tables.
        <https://webkit.org/b/128050>

        Discard all uncaptured symbols at the end of codegen since only
        the captured ones will be used after that point.

        ~2MB progression on Membuster OSUS.

        Reviewed by Geoffrey Garen.

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::setSymbolTable):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):

2014-02-03 Mark Hahnenberg <mhahnenberg@apple.com>

        Fix the LLInt C loop

        Rubber stamped by Mark Lam.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * llint/LLIntSlowPaths.h:

2014-02-03 Dean Jackson <dino@apple.com>

        Feature flag for shape-inside
        https://bugs.webkit.org/show_bug.cgi?id=128001

        Reviewed by Simon Fraser.

        Add CSS_SHAPE_INSIDE flag.

        * Configurations/FeatureDefines.xcconfig:

2014-02-03 Oliver Hunt <oliver@apple.com>

        Deconstructed parameters aren't being placed in the correct scope
        https://bugs.webkit.org/show_bug.cgi?id=128126

        Reviewed by Antti Koivisto.

        Make sure we declare the bound parameter names as variables when
        we reparse. In the BytecodeGenerator we now also directly ensure
        that bound parameters are placed in the symbol table of the function
        we're currently compiling. We then delay binding until just before
        we start codegen for the body of the function so that we can ensure
        the function has completely initialised all scope details.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::createBindingPattern):

2014-02-03 Alexey Proskuryakov <ap@apple.com>

        Update JS whitespace definition for changes in Unicode 6.3
        https://bugs.webkit.org/show_bug.cgi?id=127450

        Reviewed by Oliver Hunt.

        * parser/Lexer.h: (JSC::Lexer<UChar>::isWhiteSpace): Part 2 of the fix, update lexer too.

2014-02-03 Matthew Mirman <mmirman@apple.com>

        Added GetTypedArrayByteOffset to FTL
        https://bugs.webkit.org/show_bug.cgi?id=127589

        Reviewed by Filip Pizlo.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
        * tests/stress/ftl-gettypedarrayoffset-simple.js: Added.
        (foo):
        * tests/stress/ftl-gettypedarrayoffset-wasteful.js: Added.
        (foo):

2014-02-03 Mark Lam <mark.lam@apple.com>

        Debugger created JSActivations should account for CodeBlock::framePointerOffsetToGetActivationRegisters().
        <https://webkit.org/b/128112>

        Reviewed by Geoffrey Garen.

        Currently, when the DebuggerCallFrame creates the JSActivation object
        for a frame, it does not account for the framePointerOffsetToGetActivationRegisters()
        offset that needs to be added for DFG frames.

        Instead of special casing the fix in DebuggerCallFrame::scope(), we fix
        this by adding CodeBlock::framePointerOffsetToGetActivationRegisters() to
        callFrame->registers() in the JSActivation::create() method that does not
        explicitly take a Register*. This ensures that JSActivation::create() will
        always do the right thing instead of only being a special case for the
        LLINT and baselineJIT.

        Apart from the DebuggerCallFrame, this create() function is only called by
        slow paths in the LLINT and baselineJIT. Hence, it is not performance
        critical.

        * runtime/JSActivation.h:
        (JSC::JSActivation::create):

2014-01-31 Geoffrey Garen <ggaren@apple.com>

        Simplified name scope creation for function expressions
        https://bugs.webkit.org/show_bug.cgi?id=128031

        Reviewed by Mark Lam.

        3X speedup on js/regress/script-tests/function-with-eval.js.

        We used to emit bytecode to push a name into local scope every
        time a function that needed such a name executed. Now, we push the name
        into scope once on the function object, and leave it there.

        This is faster, and it also reduces the number of variable resolution
        modes you have to worry about when thinking about bytecode and the
        debugger.

        This patch is slightly complicated by the fact that we don't know if
        a function needs a name scope until we parse its body. So, there's some
        glue code in here to delay filling in a function's scope until we parse
        its body for the first time.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::functionMode): Renamed
        functionNameIsInScopeToggle to functionMode.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator): No need to emit convert_this
        when debugging. The debugger will perform the conversion as needed.

        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::addCallee): Simplified this code by removing
        the "my function needs a name scope, but didn't allocate one" mode.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall): Pass a scope slot through to
        CodeBlock generation, so we can add a function name scope if the parsed
        function body requires one.

        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall): Ditto.

        * parser/NodeConstructors.h:
        (JSC::FuncExprNode::FuncExprNode):
        (JSC::FuncDeclNode::FuncDeclNode):
        * parser/Nodes.cpp:
        (JSC::FunctionBodyNode::finishParsing):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::functionMode): Updated for rename.

        * parser/ParserModes.h:
        (JSC::functionNameIsInScope):
        (JSC::functionNameScopeIsDynamic): Helper functions for reasoning about
        how crazy JavaScript language semantics are.

        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        (JSC::attemptFastSort): Updated for interface changes above.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::functionMode):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::addNameScopeIfNeeded):
        * runtime/JSFunction.h:
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::create):
        (JSC::JSNameScope::JSNameScope): Added machinery for pushing a function
        name scope onto a function when we first discover that it's needed.

2014-01-25 Darin Adler <darin@apple.com>

        Stop using Unicode.h
        https://bugs.webkit.org/show_bug.cgi?id=127633

        Reviewed by Anders Carlsson.

        * parser/Lexer.h:
        * runtime/JSGlobalObjectFunctions.h:
        * yarr/YarrCanonicalizeUCS2.h:
        * yarr/YarrInterpreter.h:
        * yarr/YarrParser.h:
        * yarr/YarrPattern.h:
        Removed includes of <wtf/unicode/Unicode.h>, adding includes of
        ICU headers and <wtf/text/LChar.h> as needed to replace it.

2014-02-03 Dan Bernstein <mitz@apple.com>

        Correctly address Darin’s review comment on the last change.

        * runtime/Watchdog.h: Changed an OS(DARWIN) guard around formerly PLATFORM(MAC)-only member
        variables to the equivalent OS(DARWIN) && !PLATFORM(EFL) && !PLATFORM(GTK).

2014-02-03 Dan Bernstein <mitz@apple.com>

        Stop using PLATFORM(MAC) in JavaScriptCore except where it means “OS X but not iOS”
        https://bugs.webkit.org/show_bug.cgi?id=128098

        Reviewed by Darin Adler.

        * API/JSValueRef.cpp:
        (JSValueUnprotect): Added an explicit !PLATFORM(IOS) in guards for the Evernote workaround,
        which is only needed on OS X.

        * API/tests/testapi.c:
        (main): Changed PLATFORM(MAC) || PLATFORM(IOS) guards to OS(DARWIN), because they were
        surrounding tests for code that is itself guarded by OS(DARWIN).

        * runtime/Watchdog.h: Changed PLATFORM(MAC) to OS(DARWIN).

        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::begin): Changed PLATFORM(MAC) to
        OS(DARWIN) && !PLATFORM(EFL) && !PLATFORM(GTK).
        (JSC::CodeProfiling::end): Ditto.

2014-02-02 Mark Lam <mark.lam@apple.com>

        Repatch code is passing the wrong args to lookupExceptionHandler.
        <https://webkit.org/b/128085>

        Reviewed by Oliver Hunt.

        lookupExceptionHandler() is expecting 2 args: VM*, ExecState*.
        The repatch code was only passing an ExecState*. A crash ensues.
        This is now fixed.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):

2014-02-01 Filip Pizlo <fpizlo@apple.com>

        JSC profiler's stub info profiling support should work again
        https://bugs.webkit.org/show_bug.cgi?id=128057

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus): We want to know if the cache was ever reset by GC, since the DFG uses this information.
        (JSC::CodeBlock::printLocationAndOp): This shouldn't have been inline.
        (JSC::CodeBlock::printLocationOpAndRegisterOperand): Ditto.
        (JSC::CodeBlock::dumpBytecode): Dump the profiling field, and make sure that the caller can pass a StubInfoMap, which is necessary for dumping StructureStubInfo profiling.
        * bytecode/CodeBlock.h: Out-of-line some methods and add the StubInfoMap parameter.
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence): Create a StubInfoMap before dumping bytecodes.

2014-02-01 Filip Pizlo <fpizlo@apple.com>

        JSC profiler should show reasons for jettison
        https://bugs.webkit.org/show_bug.cgi?id=128047

        Reviewed by Geoffrey Garen.

        Henceforth if you want to jettison a CodeBlock, you gotta tell the Profiler why you did
        it. This makes figuring out convergence issues - where some code seems to take a long
        time to get into the top tier compiler - a lot easier.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::addBreakpoint):
        (JSC::CodeBlock::setSteppingMode):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::Compilation):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h:
        (JSC::Profiler::Compilation::setJettisonReason):
        * profiler/ProfilerJettisonReason.cpp: Added.
        (WTF::printInternal):
        * profiler/ProfilerJettisonReason.h: Added.
5825 * runtime/CommonIdentifiers.h: 5826 * runtime/VM.cpp: 5827 (JSC::SetEnabledProfilerFunctor::operator()): 5828 58292014-02-01 Mark Lam <mark.lam@apple.com> 5830 5831 Saying "jitType() == JITCode::DFGJIT" is almost never correct. 5832 <http://webkit.org/b/128045> 5833 5834 Reviewed by Filip Pizlo. 5835 5836 JITCode::isOptimizingJIT(jitType()) is the right way to say it. 5837 5838 * bytecode/CodeBlock.cpp: 5839 (JSC::CodeBlock::addBreakpoint): 5840 (JSC::CodeBlock::setSteppingMode): 5841 * runtime/VM.cpp: 5842 (JSC::SetEnabledProfilerFunctor::operator()): 5843 58442014-02-01 Michael Saboff <msaboff@apple.com> 5845 5846 REGRESSION (r163027?): CrashTracer: [USER] com.apple.WebKit.WebContent.Development at com.apple.JavaScriptCore: JSC::ArrayProfile::computeUpdatedPrediction + 4 5847 https://bugs.webkit.org/show_bug.cgi?id=128037 5848 5849 Reviewed by Mark Lam. 5850 5851 op_call_varargs ops now needs an ArrayProfile since DFG inlines these since 5852 change set r162739. 5853 5854 * bytecode/CodeBlock.cpp: 5855 (JSC::CodeBlock::CodeBlock): 5856 * bytecompiler/BytecodeGenerator.cpp: 5857 (JSC::BytecodeGenerator::emitCallVarargs): 5858 58592014-01-31 Mark Lam <mark.lam@apple.com> 5860 5861 Gardening: fix build breakage. 5862 5863 Not reviewed. 5864 5865 * interpreter/CallFrame.h: 5866 58672014-01-31 Mark Lam <mark.lam@apple.com> 5868 5869 Gardening: Fix a merge problem to unbreak bots. 5870 5871 Not reviewed. 
5872 5873 * bytecompiler/BytecodeGenerator.cpp: 5874 (JSC::BytecodeGenerator::BytecodeGenerator): 5875 58762014-01-31 Oliver Hunt <oliver@apple.com> 5877 5878 Rollout r163195 and related patches 5879 5880 * API/JSCallbackObjectFunctions.h: 5881 (JSC::JSCallbackObject<Parent>::getOwnPropertySlot): 5882 (JSC::JSCallbackObject<Parent>::put): 5883 (JSC::JSCallbackObject<Parent>::deleteProperty): 5884 (JSC::JSCallbackObject<Parent>::getStaticValue): 5885 (JSC::JSCallbackObject<Parent>::staticFunctionGetter): 5886 (JSC::JSCallbackObject<Parent>::callbackGetter): 5887 * CMakeLists.txt: 5888 * DerivedSources.make: 5889 * GNUmakefile.am: 5890 * GNUmakefile.list.am: 5891 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 5892 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 5893 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: 5894 * JavaScriptCore.vcxproj/copy-files.cmd: 5895 * JavaScriptCore.xcodeproj/project.pbxproj: 5896 * builtins/Array.prototype.js: Removed. 5897 * builtins/BuiltinExecutables.cpp: Removed. 5898 * builtins/BuiltinExecutables.h: Removed. 
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::UnlinkedFunctionExecutable::create):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * create_hash_table:
        * dfg/DFGDominators.cpp:
        * dfg/DFGJITCode.cpp:
        * dfg/DFGOperations.cpp:
        * generate-js-builtins: Removed.
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/Interpreter.cpp:
        * interpreter/ProtoCallFrame.cpp:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jsc.cpp:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::Lexer<T>::lexExpectIdentifier):
        * parser/Nodes.cpp:
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        * runtime/Arguments.h:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncEvery):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/Executable.h:
        (JSC::EvalExecutable::executableInfo):
        (JSC::ProgramExecutable::executableInfo):
        (JSC::isHostFunction):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSCJSValue.cpp:
        * runtime/JSCellInlines.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::calculatedDisplayName):
        (JSC::JSFunction::sourceCode):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::nativeFunction):
        (JSC::JSFunction::nativeConstructor):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::symbolTableHasProperty):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromiseReaction.h:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        (JSC::inlineJSValueNotStringtoString):
        (JSC::JSValue::toWTFStringInline):
        * runtime/JSStringInlines.h: Removed.
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashEntry::propertyGetter):
        (JSC::HashEntry::propertyPutter):
        (JSC::HashTable::entry):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/PropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/SetConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/Structure.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2014-01-31 Filip Pizlo <fpizlo@apple.com>

        DFG->FTL tier-up shouldn't assume that LoopHints stay at the tops of loops
        https://bugs.webkit.org/show_bug.cgi?id=128030

        Reviewed by Oliver Hunt.

        Remove a bogus assertion. The only thing that matters is that the LoopHint had at one
        point in time been at the top of a loop header, and that it is now at the top of a
        basic block. But the basic block that it's at the top of now doesn't have to be the
        same as the loop header that it once was the top of.

        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * tests/stress/tier-up-in-loop-with-cfg-simplification.js: Added.
        (foo):

2014-01-31 Mark Lam <mark.lam@apple.com>

        Avoid eagerly creating the JSActivation when the debugger is attached.
        <https://webkit.org/b/127910>

        Reviewed by Oliver Hunt.

        Octane scores for this patch:
            baseline w/o WebInspector: 11621
            patched w/o WebInspector: 11801
            baseline w/ WebInspector: 3295
            patched w/ WebInspector: 7070    2.1x improvement

        1. Because the debugger can potentially create a closure from any call frame,
           we need every function to allocate an activation register and check for
           the need to tear off the activation (if needed) on return.

           However, we do not need to eagerly create the activation object.
           This patch implements the optimization to defer creation of the
           activation object until we actually need it, i.e. when:

           1. We encounter an "eval", "with", or "catch" statement.
           2. We've paused in the debugger, and called DebuggerCallFrame::scope().

        2. The UnlinkedCodeBlock provides a needsFullScopeChain flag that is used
           to indicate whether the linked CodeBlock will need an activation
           object or not. Under normal circumstances, needsFullScopeChain and
           needsActivation are synonymous. However, with a debugger attached, we
           want the CodeBlock to always allocate an activationRegister even if
           it does not need a "full scope chain".

           Hence, we apply the following definitions to the "flags":

           1. UnlinkedCodeBlock::needsFullScopeChain() - this flag indicates that
              the parser discovered JS artifacts (e.g. use of "eval", "with", etc.)
              that require an activation.

              BytecodeGenerator's destinationForAssignResult() and leftHandSideNeedsCopy()
              check needsFullScopeChain().

           2. UnlinkedCodeBlock::hasActivationRegister() - this flag indicates that
              an activation register was created for the UnlinkedCodeBlock either
              because it needsFullScopeChain() or because the debugger is attached.

           3. CodeBlock::needsActivation() reflects UnlinkedCodeBlock's
              hasActivationRegister().

        3. Introduced BytecodeGenerator::emitPushFunctionNameScope() and
           BytecodeGenerator::emitPushCatchScope() because the JSNameScope
           pushed for a function name cannot be popped, unlike the JSNameScope
           pushed for a "catch". Hence, we have 2 functions to handle the 2 cases
           differently.

        4. Removed DebuggerCallFrame::evaluateWithCallFrame() and require that all
           debugger evaluations go through DebuggerCallFrame::evaluate(). This
           ensures that debugger evaluations require a DebuggerCallFrame.

           DebuggerCallFrame::evaluateWithCallFrame() was used previously because
           we didn't want to instantiate a DebuggerCallFrame on every debug hook
           callback. However, we now only call the debug hooks when needed, and
           this no longer poses a performance problem.

           In addition, when the debug hook does an eval to test a breakpoint
           condition, it is incorrect to evaluate it without a DebuggerCallFrame
           anyway.

        5. Added some utility functions to the CallFrame to make it easier to work
           with the activation register in the frame (if present). These utility
           functions should only be called if CodeBlock::needsActivation() is
           true (which indicates the presence of the activation register). The
           utility functions are:

           1. CallFrame::hasActivation()
              - checks if the frame's activation object has been created.

           2. CallFrame::activation()
              - returns the frame's activation object.

           3. CallFrame::uncheckedActivation()
              - returns the JSValue in the frame's activation register. May be null.

           4. CallFrame::setActivation()
              - sets the frame's activation object.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        - added symbolic dumping of ResolveMode and ResolveType values for some
          bytecodes.
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::activationRegister):
        (JSC::CodeBlock::uncheckedActivationRegister):
        (JSC::CodeBlock::needsActivation):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::needsFullScopeChain):
        (JSC::UnlinkedCodeBlock::hasActivationRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::createActivationIfNecessary):
        (JSC::BytecodeGenerator::emitCallEval):
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::emitPushWithScope):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * debugger/Debugger.cpp:
        (JSC::Debugger::hasBreakpoint):
        (JSC::Debugger::pauseIfNeeded):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::evaluate):
        * debugger/DebuggerCallFrame.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGGraph.h:
        - Removed an unused function DFGGraph::needsActivation().
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::activation):
        (JSC::CallFrame::setActivation):
        * interpreter/CallFrame.h:
        (JSC::ExecState::hasActivation):
        (JSC::ExecState::registers):
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::uncheckedActivation):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

        * runtime/JSScope.cpp:
        * runtime/JSScope.h:
        (JSC::resolveModeName):
        (JSC::resolveTypeName):
        - utility functions for decoding names of the ResolveMode and ResolveType.
          These are used in CodeBlock::dumpBytecode().

2014-01-31 Michael Saboff <msaboff@apple.com>

        REGRESSION: Crash in sanitizeStackForVMImpl when scrolling @ lifehacker.com.au
        https://bugs.webkit.org/show_bug.cgi?id=128017

        Reviewed by Filip Pizlo.

        Moved the setting and saving of VM::stackPointerAtVMEntry and the corresponding stack limit
        to JSLock and JSLock::DropAllLocks. The saved data is now stored per-thread in
        WTFThreadData.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        * runtime/VMEntryScope.h:

2014-01-31 Mark Lam <mark.lam@apple.com>

        Don't need a JSNameScope for the callee name just for the debugger.
        <https://webkit.org/b/128024>

        Reviewed by Geoffrey Garen.

        Currently, in the bytecode for a function, we push a JSNamedScope for
        the name of the function when a debugger is attached. The name scope for
        the function name is only needed for evals which can redefine the name
        to resolve to something else, and can later delete the redefined name
        which should revert the resolution of the name to the original function.
        The debugger does not need this feature because it declares all new vars
        in a temporary nested scope. Hence, we can remove the presence of the
        debugger as a criterion for pushing the JSNameScope.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::addCallee):

2014-01-31 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, build fix.

        * ftl/FTLOSREntry.cpp:

2014-01-31 Oliver Hunt <oliver@apple.com>

        Fix windows

        * generate-js-builtins:

2014-01-31 Oliver Hunt <oliver@apple.com>

        Fix 32bit.

        * jit/JITPropertyAccess32_64.cpp:

2014-01-31 Mark Lam <mark.lam@apple.com>

        Add options to force debugger / profiler bytecode generation.
        <https://webkit.org/b/128014>

        Reviewed by Oliver Hunt.

        Add Options::forceDebuggerBytecodeGeneration() and
        Options::forceProfilerBytecodeGeneration(). These options make it more
        convenient to do correctness testing when debugger / profiler bytecodes
        are generated.

        These options are disabled by default.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * runtime/Options.h:

2014-01-29 Oliver Hunt <oliver@apple.com>

        Make it possible to implement JS builtins in JS
        https://bugs.webkit.org/show_bug.cgi?id=127887

        Reviewed by Michael Saboff.

        This patch makes it possible to write builtin functions in JS.
        The bindings, generators, and definitions are all created automatically
        based on js files in the builtins/ directory. This patch includes one
        such case: Array.prototype.js with an implementation of every().

        There's a lot of refactoring to make it possible for CommonIdentifiers
        to include the output of the generated files (DerivedSources/JSCBuiltins.{h,cpp})
        without breaking the offset extractor. The result of this refactoring
        is that CommonIdentifiers, and a few other miscellaneous headers now
        need to be included directly as they were formerly captured through other
        paths.

        In addition this adds a flag to the Lookup table's hashentry to indicate
        that a static function is actually backed by JS. There is then a lot of
        logic to thread the special nature of the function to where it matters.
        This allows toString(), .caller, etc to mimic the behaviour of a host
        function.

        Notes on writing builtins:
          - Each function is compiled independently of the others, and those
            implementations cannot currently capture all global properties (as
            that could be potentially unsafe). If a function does capture a
            global we will deliberately crash.
          - For those "global" properties that we do want access to, we use
            the @ prefix, e.g. Object(this) becomes @Object(this). The @ identifiers
            are private names, and behave just like regular properties, only
            without the risk of adulteration. Again, in the @Object case, we
            explicitly duplicate the ObjectConstructor reference on the GlobalObject
            so that we have guaranteed access to the original version of the
            constructor.
          - call, apply, eval, and Function are all rejected identifiers, again
            to prevent anything from accidentally using an adulterated object.
            Instead @call and @apply are available, and happily they completely
            drop the neq_ptr instruction as they're defined as always being the
            original call/apply functions.

        These restrictions are just intended to make it harder to accidentally
        make changes that are incorrect (for instance calling whatever has been
        assigned to global.Object, instead of the original constructor function).
        However, making a mistake like this should result in a purely semantic
        error as fundamentally these functions are treated as though they were
        regular JS code in the host global, and have no more privileges than
        any other JS.

        The initial proof of concept is Array.prototype.every, this shows a 65%
        performance improvement, and that improvement is significantly hurt by
        our poor optimisation of op_in.

        As this is such a limited function, we have not yet exported all symbols
        that we could possibly need, but as we implement more, the likelihood
        of encountering missing features will reduce.

        This did require breaking out a JSStringInlines header, and required
        fixing a few objects that were trying to use PropertyName::publicName
        rather than PropertyName::uid.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Array.prototype.js:
        (every):
        * builtins/BuiltinExecutables.cpp: Added.
        (JSC::BuiltinExecutables::BuiltinExecutables):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/BuiltinExecutables.h:
        (JSC::BuiltinExecutables::create):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::toStrictness):
        (JSC::UnlinkedFunctionExecutable::isBuiltinFunction):
        (JSC::UnlinkedCodeBlock::isBuiltinFunction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isBuiltinFunction):
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * create_hash_table:
        * dfg/DFGOperations.cpp:
        * generate-js-builtins: Added.
        (getCopyright):
        (getFunctions):
        (generateCode):
        (mangleName):
        (FunctionExecutable):
        (Identifier):
        (JSGlobalObject):
        (SourceCode):
        (UnlinkedFunctionExecutable):
        (VM):
        * interpreter/Interpreter.cpp:
        * interpreter/ProtoCallFrame.cpp:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::isSafeIdentifier):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::isSafeIdentifier):
        (JSC::Lexer<T>::lexExpectIdentifier):
        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables):
        * parser/Nodes.h:
        (JSC::ScopeNode::capturedVariables):
        (JSC::ScopeNode::setClosedVariables):
        (JSC::ProgramNode::closedVariables):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/Parser.h:
        (JSC::Scope::getUsedVariables):
        (JSC::Parser::closedVariables):
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        * runtime/ArgList.cpp:
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        (JSC::CommonIdentifiers::getPrivateName):
        (JSC::CommonIdentifiers::getPublicName):
        * runtime/CommonIdentifiers.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/Executable.h:
        (JSC::EvalExecutable::executableInfo):
        (JSC::ProgramExecutable::executableInfo):
        (JSC::FunctionExecutable::isBuiltinFunction):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSCJSValue.cpp:
        * runtime/JSCellInlines.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createBuiltinFunction):
        (JSC::JSFunction::calculatedDisplayName):
        (JSC::JSFunction::sourceCode):
        (JSC::JSFunction::isHostOrBuiltinFunction):
        (JSC::JSFunction::isBuiltinFunction):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectConstructor):
        (JSC::JSGlobalObject::symbolTableHasProperty):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::putDirectBuiltinFunction):
        * runtime/JSObject.h:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSString.h:
        * runtime/JSStringInlines.h: Added.
        (JSC::JSString::getStringPropertySlot):
        (JSC::inlineJSValueNotStringtoString):
        (JSC::JSValue::toWTFStringInline):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        Don't report private names.
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashEntry::builtinGenerator):
        (JSC::HashEntry::propertyGetter):
        (JSC::HashEntry::propertyPutter):
        (JSC::HashTable::entry):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorConstructor.h:
        * runtime/PropertySlot.h:
        * runtime/RegExpPrototype.cpp:
        * runtime/SetConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/Structure.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::builtinExecutables):

2014-01-31 Gabor Rapcsanyi <rgabor@webkit.org>

        Fix the ARM Thumb2 build after jsCStack branch merge
        https://bugs.webkit.org/show_bug.cgi?id=127903

        Reviewed by Michael Saboff.

        SP register cannot be used as a destination register of SUB or ADD in Thumb mode.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:

2014-01-31 Julien Brianceau <jbriance@cisco.com>

        [arm] Add missing pushPair/popPair implementations in MacroAssemblerARM.h
        https://bugs.webkit.org/show_bug.cgi?id=127904

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::popPair):
        (JSC::MacroAssemblerARM::pushPair):

2014-01-30 Martin Robinson <mrobinson@igalia.com>

        [GTK] [CMake] Add support for building against GTK+ 2
        https://bugs.webkit.org/show_bug.cgi?id=127959

        Reviewed by Anders Carlsson.

        * PlatformGTK.cmake: Use the new API version variable and don't use GTK3 directly.

2014-01-30 Andreas Kling <akling@apple.com>

        CodeBlock's cloned SymbolTables only need the captured names.
        <https://webkit.org/b/127978>

        Renamed SymbolTable::clone() to SymbolTable::cloneCapturedNames()
        and made it skip over any symbols that aren't captured, since those
        won't be needed after codegen.

        This is a first step towards getting rid of redundant symbol tables.

        Reviewed by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::cloneCapturedNames):
        * runtime/SymbolTable.h:

2014-01-28 Timothy Hatcher <timothy@apple.com>

        Add column number and call timing support to LegacyProfiler.

        https://bugs.webkit.org/show_bug.cgi?id=127764

        Reviewed by Joseph Pecoraro.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * profiler/CallIdentifier.h:
        (JSC::CallIdentifier::CallIdentifier):
        (JSC::CallIdentifier::functionName):
        (JSC::CallIdentifier::url):
        (JSC::CallIdentifier::lineNumber):
        (JSC::CallIdentifier::columnNumber):
        (JSC::CallIdentifier::operator==):
        (JSC::CallIdentifier::operator!=):
        (JSC::CallIdentifier::Hash::hash):
        (WTF::HashTraits<JSC::CallIdentifier>::constructDeletedValue):
        (WTF::HashTraits<JSC::CallIdentifier>::isDeletedValue):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::willExecute):
        (JSC::LegacyProfiler::didExecute):
        (JSC::LegacyProfiler::exceptionUnwind):
        (JSC::LegacyProfiler::createCallIdentifier):
        (JSC::createCallIdentifierFromFunctionImp):
        * profiler/LegacyProfiler.h:
        * profiler/Profile.cpp:
        (JSC::Profile::Profile):
        * profiler/Profile.h:
        (JSC::Profile::uid):
        (JSC::Profile::idleTime):
        (JSC::Profile::setIdleTime):
        * profiler/ProfileGenerator.cpp:
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::addParentForConsoleStart):
        (JSC::ProfileGenerator::willExecute):
        (JSC::ProfileGenerator::didExecute):
        (JSC::ProfileGenerator::stopProfiling):
        (JSC::ProfileGenerator::removeProfileStart):
        (JSC::ProfileGenerator::removeProfileEnd):
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::stopProfiling):
        (JSC::ProfileNode::endAndRecordCall):
        (JSC::ProfileNode::startTimer):
        (JSC::ProfileNode::debugPrintData):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::Call::Call):
        (JSC::ProfileNode::Call::startTime):
        (JSC::ProfileNode::Call::setStartTime):
        (JSC::ProfileNode::Call::totalTime):
        (JSC::ProfileNode::Call::setTotalTime):
        (JSC::ProfileNode::id):
        (JSC::ProfileNode::functionName):
        (JSC::ProfileNode::url):
        (JSC::ProfileNode::lineNumber):
        (JSC::ProfileNode::columnNumber):
        (JSC::ProfileNode::calls):
        (JSC::ProfileNode::lastCall):
        (JSC::ProfileNode::numberOfCalls):

2014-01-26 Timothy Hatcher <timothy@apple.com>

        Include profile with FunctionCall and EvaluateScript Timeline records.

        https://bugs.webkit.org/show_bug.cgi?id=127663

        Reviewed by Joseph Pecoraro.

        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
        * inspector/InspectorEnvironment.h:
        * inspector/JSGlobalObjectInspectorController.h:

2014-01-29 Filip Pizlo <fpizlo@apple.com>

        FTL should support GetById(Untyped:)
        https://bugs.webkit.org/show_bug.cgi?id=127750

        Reviewed by Oliver Hunt.

        This was supposed to be easy. Indeed, the actual GetById UntypedUse case was easy. But
        then it expanded coverage by a lot and I got to deal with three bugs. So, this has
        some additional changes:

        Also make it safe for LLVM to duplicate calls to patchpoints and stackmaps. Previously
        we incorrectly assumed that if we emitted a patchpoint, then there would only be one
        copy of that patchpoint (with that ID) in the resulting machine code and in the
        stackmaps section. That's obviously a bad assumption - LLVM is allowed to do anything
        it wants so long as the outcome of executing the code has a semantically equivalent
        meaning to the IR we gave it, and duplicating code is trivially OK under this rule. We
        should be OK with it, too. The solution is to add Vectors in a bunch of places that
        previously just thought they only had one value. For example, an InlineCacheDescriptor
        now has a Vector of generators - one generator for each copy that LLVM stamped out.
        Normally there will only be one copy, of course - since duplication is usually
        unprofitable. But, if LLVM decides that copying would be groovy then we will no longer
        barf.

        Also fix SSA conversion. It turns out that we mishandled the case where a block had
        multiple Phi functions for the same local. If any of those CPS Phis fail to trivialize
        in the Aycock-Horspool fixpoint, we need to insert an SSA Phi. Previously, it was
        assuming that so long as the head CPS Phi was trivial, we could forego SSA Phi
        insertion. That's wrong if the head CPS Phi trivialized but ended up pointing to a
        non-trivial CPS Phi in the same block. This madness with trees of Phis occurs because
        we try to save on compile times: no Phi ever has more than three children even if the
        block has more than three predecessors; we just build out a tree of Phis to satisfy
        all predecessors. So weird.

        And finally, fix DFG->FTL OSR entry's reconstruction of 'this' in a constructor. That
        reconstruction code, JITCode::reconstruct(), had a work-around for the case where we
        were entering into a constructor at the prologue. In that case, 'this' is definitely
        unavailable. But the OSR code does reconstructions at LoopHints, which aren't at the
        prologue, and so 'this' should totally be available.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::tryGetVariableAccessData):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::generateICFastPath):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheDescriptor.h:
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::codeSize):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        * ftl/FTLJSCall.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::getById):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::getRecordMap):
        * ftl/FTLStackMaps.h:
        * tests/stress/get-by-id-untyped.js: Added.
        (foo):

2014-01-30  Geoffrey Garen  <ggaren@apple.com>

        Part 2: REGRESSION: JavascriptCore crash during OS Installation (due to
        Heap::m_operationInProgress ASSERT vs DelayedReleaseScope)
        https://bugs.webkit.org/show_bug.cgi?id=127950

        Reviewed by Mark Hahnenberg.

        Scope the APICallbackShim to make sure that we re-acquire the lock
        before putting the heap back into the "unsafe to allocate" state.
        Otherwise, the heap will seem to be in the "unsafe to allocate" state
        during any GC that happens before we re-acquire the lock.

        No regression test because threads.

        * heap/DelayedReleaseScope.h:
        (JSC::DelayedReleaseScope::~DelayedReleaseScope):

2014-01-30  Filip Pizlo  <fpizlo@apple.com>

        Update FTL StackMaps parser to stackSize change
        https://bugs.webkit.org/show_bug.cgi?id=127933

        Reviewed by Oliver Hunt.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::parse):

2014-01-30  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Only disable -ftree-dce optimization when compiling with GCC
        https://bugs.webkit.org/show_bug.cgi?id=127911

        Reviewed by Carlos Garcia Campos.

        * GNUmakefile.am: Only disable the -ftree-dce optimization when using the GCC compiler.
        Some Clang versions/configurations don't support the flag.

2014-01-30  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Disable optimizations for JSC that turned out malignant after jsCStack branch merge
        https://bugs.webkit.org/show_bug.cgi?id=127909

        Reviewed by Carlos Garcia Campos.

        * GNUmakefile.am: Disable the -fomit-frame-pointer optimization to achieve proper register usage
        in operationCallEval. Disable the -ftree-dce optimization since it is causing additional failures
        when using GCC 4.8, possibly due to a bug in the compiler itself.

2014-01-29  Csaba Osztrogonác  <ossy@webkit.org>

        Remove ENABLE(JAVASCRIPT_DEBUGGER) leftovers
        https://bugs.webkit.org/show_bug.cgi?id=127845

        Reviewed by Joseph Pecoraro.

        * Configurations/FeatureDefines.xcconfig:

2014-01-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Play Breakpoint Sound in Frontend
        https://bugs.webkit.org/show_bug.cgi?id=127885

        Reviewed by Timothy Hatcher.

        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::evaluateBreakpointAction):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
        * inspector/ScriptDebugServer.h:
        Pass the breakpoint action identifier through when the
        sound breakpoint action is triggered.

        * inspector/protocol/Debugger.json:
        New "playBreakpointActionSound" event when a "sound" breakpoint action triggers.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionSound):
        Send the new event so the frontend can handle it.

2014-01-29  Filip Pizlo  <fpizlo@apple.com>

        Merge final changesets from the jsCStack branch (r162969, r162975, r162992, r163004, r163069).

    2014-01-29  Filip Pizlo  <fpizlo@apple.com>

            DFG ArrayPop double array mishandles the NaN hole installation
            https://bugs.webkit.org/show_bug.cgi?id=127813

            Reviewed by Mark Rowe.

            Our object model for arrays inferred double dictates that we use quiet NaN (QNaN) to
            mark holes. Holes, in this context, are any entries in the allocated array buffer
            (i.e. from index 0 up to the vectorLength) that don't currently hold a value. Popping
            creates a hole, since it deletes the value at publicLength - 1.

            But, because of some sloppy copy-and-paste, we were storing (int64_t)0 when creating
            the hole, instead of storing QNaN. That's likely because for other kinds of arrays,
            64-bit zero is the hole marker, instead of QNaN.

            The attached test case illustrates the problem. In the LLInt and Baseline JIT, the
            result returned from foo() is "1.5,2.5,,4.5", since array.pop() removes 3.5 and
            replaces it with a hole and then the assignment "array[3] = 4.5" creates an element
            just beyond that hole. But, once we tier-up to the DFG, the result previously became
            "1.5,2.5,0,4.5", which is wrong. The 0 appeared because the IEEE double
            interpretation of 64-bit zero is simply zero.

            This patch fixes that problem. Now the DFG agrees with the other engines.

            This patch also fixes style. For some reason that copy-pasted code wasn't even
            indented correctly.

            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * tests/stress/array-pop-double-hole.js: Added.
            (foo):

    2014-01-28  Filip Pizlo  <fpizlo@apple.com>

            FTL should support ArrayPush
            https://bugs.webkit.org/show_bug.cgi?id=127748

            Not reviewed, remove some debug code.

            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileArrayPush):

    2014-01-27  Filip Pizlo  <fpizlo@apple.com>

            FTL should support ArrayPush
            https://bugs.webkit.org/show_bug.cgi?id=127748

            Reviewed by Oliver Hunt.

            * ftl/FTLAbstractHeapRepository.h:
            (JSC::FTL::AbstractHeapRepository::forArrayType):
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
            * tests/stress/array-push-contiguous.js: Added.
            (foo):
            * tests/stress/array-push-double.js: Added.
            (foo):

    2014-01-28  Filip Pizlo  <fpizlo@apple.com>

            FTL should support ArrayPop
            https://bugs.webkit.org/show_bug.cgi?id=127749

            Reviewed by Geoffrey Garen.

            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
            * tests/stress/array-pop-contiguous.js: Added.
            (foo):
            * tests/stress/array-pop-double.js: Added.
            (foo):
            * tests/stress/array-pop-int32.js: Added.
            (foo):

2014-01-29  Filip Pizlo  <fpizlo@apple.com>

        DFG::ByteCodeParser::m_dfgCodeBlock is sometimes uninitialized
        <rdar://problem/15939032>

        Reviewed by Dan Bernstein.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2014-01-29  Geoffrey Garen  <ggaren@apple.com>

        50% time on Dromaeo Selector * benchmark spent allocating oversized backing stores (but not in Chrome)
        https://bugs.webkit.org/show_bug.cgi?id=127879

        Reviewed by Gavin Barraclough.

        Let's not dynamically resize an array whose size is statically known,
        mmmkay?

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat): Use nullptr to disambiguate vs the numeric
        argument.

        (JSC::arrayProtoFuncSlice): The fix.

        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap): Use nullptr.

2014-01-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Run JSC Inspector EventLoop in a custom run loop mode to prevent default observers from running
        https://bugs.webkit.org/show_bug.cgi?id=127865

        Reviewed by Geoffrey Garen.

        When hitting a breakpoint in a JSContext Inspector we want to entirely
        pause the process and all access to the JSContext and only move forward
        based on debugger commands. Having the nested run loop run in a default
        mode allowed NSTimers scheduled on the thread to regularly run and
        evaluate code in the JSContext. Using a custom run loop mode gets us
        a bit closer to locking down the context. This doesn't handle scenarios
        where background threads also access the JSContext, but it handles the
        most common scenario.

        * inspector/EventLoop.cpp:
        (Inspector::EventLoop::cycle):

2014-01-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Deadlock hitting breakpoint while inspecting JSContext
        https://bugs.webkit.org/show_bug.cgi?id=127864

        Reviewed by Geoffrey Garen.

        Temporarily drop the lock while we run the nested runloop.

        * inspector/JSGlobalObjectScriptDebugServer.cpp:
        (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):

2014-01-28  Oliver Hunt  <oliver@apple.com>

        Make DOM attributes appear to be faux accessor properties
        https://bugs.webkit.org/show_bug.cgi?id=127797

        Reviewed by Michael Saboff.

        Add flag so we can identify which properties should have the old
        custom property semantics vs. the new faux accessors. Update the
        inspector protocol accordingly.

        These faux accessors produce descriptors with "get" and "set"
        properties, but both values are undefined so can't be used
        directly. A few custom properties actually require their
        existing magical behaviour, so we now have a flag to
        distinguish the expected output.

        * inspector/InjectedScriptSource.js:
        (.):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setCustomDescriptor):
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:

2014-01-29  Beth Dakin  <bdakin@apple.com>

        Build fix.

        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        * llint/LowLevelInterpreter.cpp:

2014-01-29  Dan Bernstein  <mitz@apple.com>

        Build fix.

        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added a newline at the end of the
        file.

2014-01-28  Michael Saboff  <msaboff@apple.com>

        Merge the jsCStack branch
        https://bugs.webkit.org/show_bug.cgi?id=127763

        Reviewed by Mark Hahnenberg.

        Changes from http://svn.webkit.org/repository/webkit/branches/jsCStack
        up to changeset 162958.

2014-01-29  Csaba Osztrogonác  <ossy@webkit.org>

        Remove ENABLE(JAVASCRIPT_DEBUGGER) guards
        https://bugs.webkit.org/show_bug.cgi?id=127840

        Reviewed by Mark Lam.

        * inspector/scripts/CodeGeneratorInspector.py:

2014-01-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r162987.
        http://trac.webkit.org/changeset/162987
        https://bugs.webkit.org/show_bug.cgi?id=127825

        Broke Mountain Lion build (Requested by andersca on #webkit).

        * inspector/InjectedScriptSource.js:
        (.):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/PropertyDescriptor.cpp:
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:

2014-01-28  Oliver Hunt  <oliver@apple.com>

        Make DOM attributes appear to be faux accessor properties
        https://bugs.webkit.org/show_bug.cgi?id=127797

        Reviewed by Michael Saboff.

        Add flag so we can identify which properties should have the old
        custom property semantics vs. the new faux accessors. Update the
        inspector protocol accordingly.

        These faux accessors produce descriptors with "get" and "set"
        properties, but both values are undefined so can't be used
        directly. A few custom properties actually require their
        existing magical behaviour, so we now have a flag to
        distinguish the expected output.

        * inspector/InjectedScriptSource.js:
        (.):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setCustomDescriptor):
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:

2014-01-28  Mark Lam  <mark.lam@apple.com>

        Remove some unneeded debugger code.
        https://bugs.webkit.org/show_bug.cgi?id=127805.

        Reviewed by Oliver Hunt.

        JSC will now always support the debugger. Hence, the #if ENABLE(JAVASCRIPT_DEBUGGER)
        checks can be removed.

        DebuggerCallFrame::callFrame() is also unused and will be removed.

        * debugger/Breakpoint.h:
        * debugger/Debugger.cpp:
        * debugger/DebuggerCallFrame.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::wrapCallFrames):
        * inspector/InjectedScript.h:
        * inspector/JSGlobalObjectScriptDebugServer.cpp:
        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/JSJavaScriptCallFramePrototype.h:
        * inspector/JavaScriptCallFrame.cpp:
        * inspector/JavaScriptCallFrame.h:
        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
        (Inspector::setPauseOnExceptionsState):
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getProperties):
        * inspector/agents/InspectorRuntimeAgent.h:

2014-01-28  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION: JavascriptCore crash during OS Installation (due to
        Heap::m_operationInProgress ASSERT vs DelayedReleaseScope)
        https://bugs.webkit.org/show_bug.cgi?id=127793

        Reviewed by Mark Hahnenberg.

        This was a mistaken ASSERT.

        * API/tests/testapi.mm:
        (-[EvilAllocationObject doEvilThingsWithContext:]): Added a test to verify
        that GC from a DelayedReleaseScope doesn't crash.

        * heap/DelayedReleaseScope.h:
        (JSC::DelayedReleaseScope::~DelayedReleaseScope): Our contract is that
        it is valid to do anything while running a DelayedReleaseScope -dealloc
        method, so the Heap must be ready for new allocations and collections.

        Change the Heap's operationInProgress value to NoOperation while running
        -dealloc methods, so that it doesn't ASSERT in the face of new allocations
        and collections.

        * heap/Heap.h: Made DelayedReleaseScope a friend because exposing a setter
        for m_operationInProgress seemed like the worse of the two options for
        encapsulation: we don't really want arbitrary clients to set the Heap's
        m_operationInProgress.

2014-01-28  Mark Lam  <mark.lam@apple.com>

        Jettison DFG code when neither breakpoints or the profiler are active.
        <https://webkit.org/b/127766>

        Reviewed by Geoffrey Garen.

        We need to jettison the DFG CodeBlocks under the following circumstances:
        1. When adding breakpoints to a CodeBlock, jettison it if it is a DFG CodeBlock.
        2. When enabling stepping mode in a CodeBlock, jettison it if it is a DFG CodeBlock.
        3. When setting the enabled profiler in the VM, we need to jettison all DFG
           CodeBlocks.

        Instead of emitting speculation checks, the DFG code will now treat Breakpoint,
        ProfileWillCall, and ProfileDidCall as no-ops similar to a Phantom node. We
        still need to track these nodes so that they match the corresponding opcodes
        in the baseline JIT when we jettison and OSR exit. Without them, we would OSR
        exit to the wrong location in the baseline JIT code.

        In DFGDriver's compileImpl() and DFGPlan's finalizeWithoutNotifyingCallback()
        we fail the compilation effort with a CompilationInvalidated result. This allows
        the DFG compiler to re-attempt the compilation of the function after some time
        if it is hot. The CompilationInvalidated result is supposed to cause the DFG
        to exercise an exponential back off before re-attempting compilation again
        (see runtime/CompilationResult.h).

        This patch improves the Octane score from ~2950 to ~3067.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addBreakpoint):
        (JSC::CodeBlock::setSteppingMode):
        * bytecode/CodeBlock.h:
        * debugger/Debugger.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::startProfiling):
        (JSC::LegacyProfiler::stopProfiling):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::SetEnabledProfilerFunctor::operator()):
        (JSC::VM::setEnabledProfiler):
        * runtime/VM.h:
        (JSC::VM::enabledProfiler):

2014-01-27  Joseph Pecoraro  <pecoraro@apple.com>

        -[JSContext evaluteScript:] calls JSEvaluteScript with startingLineNumber 0, later interpreted as a oneBasedInt
        https://bugs.webkit.org/show_bug.cgi?id=127648

        Reviewed by Geoffrey Garen.

        The actual bug being fixed here is that the line number for
        scripts evaluated via the JSC APIs is now sane. However,
        there is no good infrastructure in place right now to test that.

        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):
        Add tests for exception line numbers and handling of bad
        startingLineNumbers in public APIs. These tests were already
        passing, I just add them to make sure they are not regressed
        in the future.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSBase.h:
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * API/JSObjectRef.h:
        * API/JSScriptRef.cpp:
        * API/JSScriptRefPrivate.h:
        * API/JSStringRef.h:
        - Clarify documentation that startingLineNumber is 1 based and clamped.
        - Add clamping in the implementation to put sane values into JSC::SourceProvider.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::didParseSource):
        Remove the FIXME now that the SourceProvider is giving us expected values.

2014-01-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH when debugger closes remote inspecting JSContext
        https://bugs.webkit.org/show_bug.cgi?id=127738

        Reviewed by Timothy Hatcher.

        RemoteInspectorXPCConnection could be accessed in a background dispatch
        queue, while being deallocated on the main thread when a connection
        was suddenly terminated.

        Make RemoteInspectorXPCConnection a ThreadSafeRefCounted object. Always
        keep the connection object ref'd until the main thread calls close()
        and removes its reference. At that point we can close the connection,
        queue, and deref safely on the background queue.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        For simplicity RemoteInspectorXPCConnections don't have any threading
        primitives to prevent client callbacks after they are closed. RemoteInspector
        does, so it just ignores possible callbacks from connections it no longer
        cares about.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::~RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::close):
        Keep the connection alive as long as the queue it can be used on
        is alive. Clean up everything on the queue when close() is called.

        (Inspector::RemoteInspectorXPCConnection::handleEvent):
        Checking if closed here is not thread safe so it is meaningless.
        Remove the check.

        (Inspector::RemoteInspectorXPCConnection::sendMessage):
        Bail based on the m_closed state.

2014-01-27  Joseph Pecoraro  <pecoraro@apple.com>

        JavaScriptCore: Enable -Wimplicit-fallthrough and add FALLTHROUGH annotation where needed
        https://bugs.webkit.org/show_bug.cgi?id=127647

        Reviewed by Anders Carlsson.

        Explicitly annotate switch case fallthroughs in JavaScriptCore and
        enable warnings for unannotated fallthroughs.

        * dfg/DFGArithMode.h:
        (doesOverflow):
        Only insert FALLTHROUGH in release builds. In debug builds, the
        FALLTHROUGH would be unreachable (due to the ASSERT_NOT_REACHED)
        and would throw a warning.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        Due to the templatized nature of this function, a fallthrough
        in one of the template expansions would be unreachable. Disable
        the warning for this function.

        * Configurations/Base.xcconfig:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseProperty):
        * runtime/JSArray.cpp:
        (JSC::JSArray::push):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        * runtime/JSObject.h:
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::backtrackParenthesesOnceBegin):
        (JSC::Yarr::Interpreter::backtrackParenthesesOnceEnd):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBuiltInCharacterClass):
        (JSC::Yarr::Parser::parseEscape):
        (JSC::Yarr::Parser::parseTokens):

2014-01-27  Andy Estes  <aestes@apple.com>

        Scrub WebKit API headers of WTF macros
        https://bugs.webkit.org/show_bug.cgi?id=127706

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_INSPECTOR.

2014-01-27  Mark Lam  <mark.lam@apple.com>

        Remove unused CodeBlock::createActivation().
        <https://webkit.org/b/127686>

        Reviewed by Filip Pizlo.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:

2014-01-26  Andreas Kling  <akling@apple.com>

        JSC: Pack unlinked instructions harder.
        <https://webkit.org/b/127660>

        Store UnlinkedCodeBlock's instructions in a variable-length stream
        to reduce memory usage. Compression rate ends up around 60-61%.

        The format is very simple. Every instruction starts with a 1 byte
        opcode. It's followed by an opcode-dependent number of argument
        values, each encoded separately for maximum packing. There are
        7 packed value formats:

            5-bit positive integer
            5-bit negative integer
            13-bit positive integer
            13-bit positive integer
            5-bit constant register index
            13-bit constant register index
            32-bit value (fallback)

        27.5 MB progression on Membuster3. (~2% of total memory.)

        Reviewed by Filip Pizlo.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/UnlinkedInstructionStream.h: Added.
        (JSC::UnlinkedInstructionStream::count):
        (JSC::UnlinkedInstructionStream::Reader::atEnd):
        * bytecode/UnlinkedInstructionStream.cpp: Added.
        (JSC::UnlinkedInstructionStream::Reader::Reader):
        (JSC::UnlinkedInstructionStream::Reader::read8):
        (JSC::UnlinkedInstructionStream::Reader::read32):
        (JSC::UnlinkedInstructionStream::Reader::next):
        (JSC::append8):
        (JSC::append32):
        (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream):
        (JSC::UnlinkedInstructionStream::unpackForDebugging):
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
        (JSC::dumpLineColumnEntry):
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::setInstructions):
        (JSC::UnlinkedCodeBlock::instructions):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::BytecodeGenerator::generate):

2014-01-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Move InspectorDebuggerAgent into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=127629

        Rubber-stamped by Sam Weinig.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Add new files to the build.
        - Also, since non REMOTE_INSPECTOR ports cannot yet connect to a
          JSGlobalObject for inspection remove those files as they don't
          need to be built.

        * inspector/EventLoop.cpp: Added.
        (Inspector::EventLoop::cycle):
        * inspector/EventLoop.h: Added.
        (Inspector::EventLoop::EventLoop):
        (Inspector::EventLoop::ended):
        Add a JavaScriptCore version of EventLoop. This is currently only
        used by the Mac port for JSGlobalObject remote inspection. Keep
        the WebCore/platform version alive because for the Mac port it does
        slightly different things involving AppKit.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        Create DebuggerAgent and hook up ScriptDebugServer where needed.

        * inspector/JSGlobalObjectScriptDebugServer.cpp: Added.
        (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
        (Inspector::JSGlobalObjectScriptDebugServer::addListener):
        (Inspector::JSGlobalObjectScriptDebugServer::removeListener):
        (Inspector::JSGlobalObjectScriptDebugServer::recompileAllJSFunctions):
        (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
        * inspector/JSGlobalObjectScriptDebugServer.h: Added.
        Simple implementation of ScriptDebugServer with a JSGlobalObject.

        * inspector/agents/InspectorDebuggerAgent.cpp: Renamed from Source/WebCore/inspector/InspectorDebuggerAgent.cpp.
        * inspector/agents/InspectorDebuggerAgent.h: Renamed from Source/WebCore/inspector/InspectorDebuggerAgent.h.
        Copied from WebCore. A few methods need to be made virtual so that Web implementations
        can override and extend the functionality. E.g. sourceMapURLForScript and enable/disable.

        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: Added.
        * inspector/agents/JSGlobalObjectDebuggerAgent.h: Added.
        (Inspector::JSGlobalObjectDebuggerAgent::JSGlobalObjectDebuggerAgent):
        (Inspector::JSGlobalObjectDebuggerAgent::startListeningScriptDebugServer):
        (Inspector::JSGlobalObjectDebuggerAgent::stopListeningScriptDebugServer):
        (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
        Simple implementation of DebuggerAgent with a JSGlobalObject.

2014-01-25  Mark Lam  <mark.lam@apple.com>

        Gardening: fix build breakage from previous commit.

        Not reviewed.

        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::debugPrintData):
        - Removed obsolete references to "visible" timers.
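The packed operand formats described in the "JSC: Pack unlinked instructions harder" entry above, as an added example that is not WebKit's UnlinkedInstructionStream code: a narrowest-fit encoder plus a bounds-checked reader, so that a truncated or corrupted stream is rejected rather than read past its buffer. The 3-bit-tag-in-the-top-bits byte layout, the opcode-to-operand-count table and the sample program are assumptions made for this example; FirstConstantRegisterIndex is JSC's actual constant-register base.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Added example, not WebKit's UnlinkedInstructionStream. Assumed tag layout: the top
// 3 bits of a value's first byte select one of the seven formats from the ChangeLog
// entry, its low 5 bits carry payload; 13-bit formats add one byte, the fallback four.
enum PackedValueType : uint8_t { Positive5Bit, Negative5Bit, Positive13Bit, Negative13Bit,
                                 ConstantRegister5Bit, ConstantRegister13Bit, Full32Bit };
static const uint32_t kFirstConstantRegisterIndex = 0x40000000u; // JSC's constant register base
struct PackedInstruction { uint8_t opcode; std::vector<uint32_t> operands; };
// Emit one operand in the narrowest format that represents it losslessly.
void append32(std::vector<uint8_t>& out, uint32_t value)
{
    uint32_t high27 = value & 0xffffffe0u, high19 = value & 0xffffe000u;
    if (!high27)                                    // 0..31
        out.push_back(uint8_t((Positive5Bit << 5) | (value & 0x1f)));
    else if (high27 == 0xffffffe0u)                 // -32..-1 (two's complement)
        out.push_back(uint8_t((Negative5Bit << 5) | (value & 0x1f)));
    else if (high27 == kFirstConstantRegisterIndex) // constant register 0..31
        out.push_back(uint8_t((ConstantRegister5Bit << 5) | (value & 0x1f)));
    else if (!high19 || high19 == 0xffffe000u || high19 == kFirstConstantRegisterIndex) {
        PackedValueType type = !high19 ? Positive13Bit : high19 == 0xffffe000u ? Negative13Bit : ConstantRegister13Bit;
        out.push_back(uint8_t((type << 5) | ((value >> 8) & 0x1f))); // tag + high 5 payload bits
        out.push_back(uint8_t(value & 0xff));                        // low 8 payload bits
    } else {                                        // 32-bit fallback, little-endian
        out.push_back(uint8_t(Full32Bit << 5));
        for (int shift = 0; shift < 32; shift += 8)
            out.push_back(uint8_t((value >> shift) & 0xff));
    }
}

// Bounds-checked reader: truncated or corrupted input throws instead of reading past the buffer.
class Reader {
public:
    explicit Reader(const std::vector<uint8_t>& data) : m_data(data) { }
    bool atEnd() const { return m_pos >= m_data.size(); }
    uint8_t read8()
    {
        if (atEnd()) throw std::out_of_range("packed instruction stream is truncated");
        return m_data[m_pos++];
    }
    uint32_t read32()
    {
        uint8_t first = read8();
        uint32_t low5 = first & 0x1f, value = 0;
        switch (first >> 5) {
        case Positive5Bit:          return low5;
        case Negative5Bit:          return 0xffffffe0u | low5;
        case ConstantRegister5Bit:  return kFirstConstantRegisterIndex | low5;
        case Positive13Bit:         return (low5 << 8) | read8();
        case Negative13Bit:         return 0xffffe000u | (low5 << 8) | read8();
        case ConstantRegister13Bit: return kFirstConstantRegisterIndex | (low5 << 8) | read8();
        case Full32Bit:
            for (int shift = 0; shift < 32; shift += 8)
                value |= uint32_t(read8()) << shift;
            return value;
        default: throw std::invalid_argument("unknown packed value type");
        }
    }
private:
    const std::vector<uint8_t>& m_data;
    size_t m_pos = 0;
};

// Pack instructions as a 1-byte opcode followed by each operand, packed separately.
std::vector<uint8_t> pack(const std::vector<PackedInstruction>& instructions)
{
    std::vector<uint8_t> out;
    for (const PackedInstruction& insn : instructions) {
        out.push_back(insn.opcode);
        for (uint32_t operand : insn.operands) append32(out, operand);
    }
    return out;
}

// Unpack with an opcode -> operand-count table (constructed for the example; JSC
// derives the real one from its opcode definitions).
std::vector<PackedInstruction> unpack(const std::vector<uint8_t>& data, const std::vector<unsigned>& operandCounts)
{
    std::vector<PackedInstruction> result;
    Reader reader(data);
    while (!reader.atEnd()) {
        PackedInstruction insn { reader.read8(), {} };
        if (size_t(insn.opcode) >= operandCounts.size()) throw std::invalid_argument("unknown opcode");
        for (unsigned i = 0; i < operandCounts[insn.opcode]; ++i)
            insn.operands.push_back(reader.read32());
        result.push_back(insn);
    }
    return result;
}

// True when a damaged stream is rejected rather than silently mis-decoded.
bool rejectsStream(const std::vector<uint8_t>& data, const std::vector<unsigned>& counts)
{
    try { unpack(data, counts); } catch (const std::exception&) { return true; }
    return false;
}
```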

2014-01-25  Timothy Hatcher  <timothy@apple.com>

        Remove dead code from the JSC profiler.

        https://bugs.webkit.org/show_bug.cgi?id=127643

        Reviewed by Mark Lam.

        * profiler/Profile.cpp:
        * profiler/Profile.h:
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::stopProfiling):
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::stopProfiling):
        (JSC::ProfileNode::endAndRecordCall):
        (JSC::ProfileNode::debugPrintData):
        (JSC::ProfileNode::debugPrintDataSampleStyle):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::totalTime):
        (JSC::ProfileNode::setTotalTime):
        (JSC::ProfileNode::selfTime):
        (JSC::ProfileNode::setSelfTime):
        (JSC::ProfileNode::totalPercent):
        (JSC::ProfileNode::selfPercent):
        Remove support for things like focus and exclude. The Inspector does those in JS now.

2014-01-25  Sam Weinig  <sam@webkit.org>

        Remove unused support for DRAGGABLE_REGION
        https://bugs.webkit.org/show_bug.cgi?id=127642

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-01-25  Darin Adler  <darin@apple.com>

        Try to fix Mac build.

        * runtime/DatePrototype.cpp: Put the include of <unicode/udat.h> inside
        a conditional since we don't have that header in our Mac build configuration.

2014-01-25  Darin Adler  <darin@apple.com>

        Call deprecatedCharacters instead of characters at more call sites
        https://bugs.webkit.org/show_bug.cgi?id=127631

        Reviewed by Sam Weinig.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::~OpaqueJSString):
        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::createSearchRegexSource):
        * inspector/InspectorValues.cpp:
        * runtime/Identifier.h:
        (JSC::Identifier::deprecatedCharacters):
        * runtime/JSStringBuilder.h:
        (JSC::JSStringBuilder::append):
        Use the new name.

2014-01-25  Darin Adler  <darin@apple.com>

        Get rid of ICU_UNICODE and WCHAR_UNICODE remnants
        https://bugs.webkit.org/show_bug.cgi?id=127623

        Reviewed by Anders Carlsson.

        * runtime/DatePrototype.cpp: Removed USE(ICU_UNICODE) checks, since that's always true now.

2014-01-25  Darin Adler  <darin@apple.com>

        [Mac] Rewrite locale-specific date formatting code to remove strange string creation
        https://bugs.webkit.org/show_bug.cgi?id=127624

        Reviewed by Anders Carlsson.

        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate): Use some smart pointers and conversion operators we already
        have to do the formatting in a more straightforward way.

2014-01-25  Anders Carlsson  <andersca@apple.com>

        Remove atomicIncrement/atomicDecrement
        https://bugs.webkit.org/show_bug.cgi?id=127625

        Reviewed by Andreas Kling.

        Replace atomicIncrement/atomicDecrement with std::atomic.

        * bytecode/Watchpoint.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::Database):
        (JSC::Profiler::Database::addDatabaseToAtExit):

2014-01-24  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Move InspectorRuntimeAgent into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=127605

        Reviewed by Timothy Hatcher.
7560 7561 * CMakeLists.txt: 7562 * GNUmakefile.list.am: 7563 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 7564 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 7565 * JavaScriptCore.xcodeproj/project.pbxproj: 7566 Add new files to the build. 7567 7568 * inspector/agents/InspectorRuntimeAgent.h: Renamed from Source/WebCore/inspector/InspectorRuntimeAgent.h. 7569 * inspector/agents/InspectorRuntimeAgent.cpp: Renamed from Source/WebCore/inspector/InspectorRuntimeAgent.cpp. 7570 (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent): 7571 (Inspector::InspectorRuntimeAgent::parse): 7572 (Inspector::InspectorRuntimeAgent::evaluate): 7573 (Inspector::InspectorRuntimeAgent::callFunctionOn): 7574 (Inspector::InspectorRuntimeAgent::getProperties): 7575 - Move the agent into JavaScriptCore. 7576 - Modernize and cleanup. 7577 - Make globalVM a pure virtual function for subclasses to implement. 7578 7579 * inspector/agents/JSGlobalObjectRuntimeAgent.h: Added. 7580 * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: Added. 7581 (Inspector::JSGlobalObjectRuntimeAgent::JSGlobalObjectRuntimeAgent): 7582 (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend): 7583 (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend): 7584 (Inspector::JSGlobalObjectRuntimeAgent::globalVM): 7585 (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval): 7586 Straightforward JSGlobalObject implementation. 7587 7588 * inspector/JSGlobalObjectInspectorController.cpp: 7589 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): 7590 Add a runtime agent when inspecting a JSContext! 7591 75922014-01-23 Joseph Pecoraro <pecoraro@apple.com> 7593 7594 Move JavaScriptCallFrame and ScriptDebugServer into JavaScriptCore for inspector 7595 https://bugs.webkit.org/show_bug.cgi?id=127543 7596 7597 Reviewed by Geoffrey Garen. 
7598 7599 * CMakeLists.txt: 7600 * GNUmakefile.list.am: 7601 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 7602 * JavaScriptCore.xcodeproj/project.pbxproj: 7603 Add new files. 7604 7605 * inspector/ScriptDebugListener.h: 7606 Extract WebCore knowledge from ScriptDebugServer. This will 7607 eventually be made to work outside of WebCore. 7608 7609 * inspector/ScriptDebugServer.h: Renamed from Source/WebCore/bindings/js/ScriptDebugServer.h. 7610 * inspector/ScriptDebugServer.cpp: Renamed from Source/WebCore/bindings/js/ScriptDebugServer.cpp. 7611 (Inspector::ScriptDebugServer::evaluateBreakpointAction): 7612 (Inspector::ScriptDebugServer::dispatchDidPause): 7613 (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): 7614 (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): 7615 (Inspector::ScriptDebugServer::sourceParsed): 7616 (Inspector::ScriptDebugServer::dispatchFunctionToListeners): 7617 (Inspector::ScriptDebugServer::handlePause): 7618 Modernize code, and call the new ScriptDebugListener callbacks where appropriate. 7619 7620 * inspector/JSJavaScriptCallFrame.cpp: Renamed from Source/WebCore/bindings/js/JSJavaScriptCallFrameCustom.cpp. 
7621 (Inspector::JSJavaScriptCallFrame::JSJavaScriptCallFrame): 7622 (Inspector::JSJavaScriptCallFrame::finishCreation): 7623 (Inspector::JSJavaScriptCallFrame::createPrototype): 7624 (Inspector::JSJavaScriptCallFrame::destroy): 7625 (Inspector::JSJavaScriptCallFrame::releaseImpl): 7626 (Inspector::JSJavaScriptCallFrame::~JSJavaScriptCallFrame): 7627 (Inspector::JSJavaScriptCallFrame::evaluate): 7628 (Inspector::JSJavaScriptCallFrame::scopeType): 7629 (Inspector::JSJavaScriptCallFrame::caller): 7630 (Inspector::JSJavaScriptCallFrame::sourceID): 7631 (Inspector::JSJavaScriptCallFrame::line): 7632 (Inspector::JSJavaScriptCallFrame::column): 7633 (Inspector::JSJavaScriptCallFrame::functionName): 7634 (Inspector::JSJavaScriptCallFrame::scopeChain): 7635 (Inspector::JSJavaScriptCallFrame::thisObject): 7636 (Inspector::JSJavaScriptCallFrame::type): 7637 (Inspector::toJS): 7638 (Inspector::toJSJavaScriptCallFrame): 7639 * inspector/JSJavaScriptCallFrame.h: Added. 7640 (Inspector::JSJavaScriptCallFrame::createStructure): 7641 (Inspector::JSJavaScriptCallFrame::create): 7642 (Inspector::JSJavaScriptCallFrame::impl): 7643 * inspector/JSJavaScriptCallFramePrototype.cpp: Added. 
7644 (Inspector::JSJavaScriptCallFramePrototype::finishCreation): 7645 (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate): 7646 (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType): 7647 (Inspector::jsJavaScriptCallFrameAttributeCaller): 7648 (Inspector::jsJavaScriptCallFrameAttributeSourceID): 7649 (Inspector::jsJavaScriptCallFrameAttributeLine): 7650 (Inspector::jsJavaScriptCallFrameAttributeColumn): 7651 (Inspector::jsJavaScriptCallFrameAttributeFunctionName): 7652 (Inspector::jsJavaScriptCallFrameAttributeScopeChain): 7653 (Inspector::jsJavaScriptCallFrameAttributeThisObject): 7654 (Inspector::jsJavaScriptCallFrameAttributeType): 7655 (Inspector::jsJavaScriptCallFrameConstantGLOBAL_SCOPE): 7656 (Inspector::jsJavaScriptCallFrameConstantLOCAL_SCOPE): 7657 (Inspector::jsJavaScriptCallFrameConstantWITH_SCOPE): 7658 (Inspector::jsJavaScriptCallFrameConstantCLOSURE_SCOPE): 7659 (Inspector::jsJavaScriptCallFrameConstantCATCH_SCOPE): 7660 * inspector/JSJavaScriptCallFramePrototype.h: Added. 7661 (Inspector::JSJavaScriptCallFramePrototype::create): 7662 (Inspector::JSJavaScriptCallFramePrototype::createStructure): 7663 (Inspector::JSJavaScriptCallFramePrototype::JSJavaScriptCallFramePrototype): 7664 * inspector/JavaScriptCallFrame.cpp: Renamed from Source/WebCore/bindings/js/JavaScriptCallFrame.cpp. 7665 (Inspector::JavaScriptCallFrame::caller): 7666 * inspector/JavaScriptCallFrame.h: Renamed from Source/WebCore/bindings/js/JavaScriptCallFrame.h. 7667 Port of JavaScriptCallFrame.idl to a set of native JS classes. 7668 76692014-01-24 Mark Lam <mark.lam@apple.com> 7670 7671 DebuggerCallFrame::evaluateWithCallFrame() should not execute a null executable. 7672 <https://webkit.org/b/127600> 7673 7674 Reviewed by Oliver Hunt. 7675 7676 In DebuggerCallFrame::evaluateWithCallFrame(), if the script string that 7677 is passed in is bad, it will fail to create an Executable i.e. 7678 EvalExecutable::create() returns a null pointer. 
        However, DebuggerCallFrame::evaluateWithCallFrame() was just clearing the
        exception and proceeded to execute the null pointer as an Executable.
        A crash ensues.

        Now, if an exception is detected while creating the Executable, we
        abort instead.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithCallFrame):

2014-01-24  Oliver Hunt  <oliver@apple.com>

        Put functions need to take a base object and a this value, and perform type checks on |this|
        https://bugs.webkit.org/show_bug.cgi?id=127594

        Reviewed by Geoffrey Garen.

        Change the signature for static setter functions, and update uses.

        * create_hash_table:
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::setRegExpConstructorInput):
        (JSC::setRegExpConstructorMultiline):

2014-01-24  Oliver Hunt  <oliver@apple.com>

        Generic JSObject::put should handle static properties in the classinfo hierarchy
        https://bugs.webkit.org/show_bug.cgi?id=127523

        Reviewed by Geoffrey Garen.

        This patch makes JSObject::put correctly call static setters
        defined by the ClassInfo.

        To make this not clobber performance, the ClassInfo HashTable
        now includes a flag to indicate that it contains setters. This
        required updating the lut generator so that it tracked (and emitted)
        this.

        The rest of the change was making a number of the methods take
        a VM rather than an ExecState*, so that Structure could set the
        getter/setter flags during construction (if necessary).

        This also means most objects do not need to perform a lookupPut
        manually anymore, so most custom ::put's are no longer needed.
        DOMWindow is the only exception as it has interesting security
        related semantics.

        * create_hash_table:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dataViewTable):
        (JSC::ExecState::dateTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::jsonTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectConstructorTable):
        (JSC::ExecState::privateNamePrototypeTable):
        (JSC::ExecState::regExpTable):
        (JSC::ExecState::regExpConstructorTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable):
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::propHashTable):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/Lookup.h:
        (JSC::HashTable::copy):
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::put):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
        (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):

2014-01-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r162713.
        http://trac.webkit.org/changeset/162713
        https://bugs.webkit.org/show_bug.cgi?id=127593

        broke media/network-no-source-const-shadow (Requested by
        thorton on #webkit).

        * create_hash_table:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dataViewTable):
        (JSC::ExecState::dateTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::jsonTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectConstructorTable):
        (JSC::ExecState::privateNamePrototypeTable):
        (JSC::ExecState::regExpTable):
        (JSC::ExecState::regExpConstructorTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable):
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::propHashTable):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/Lookup.h:
        (JSC::HashTable::copy):
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        (JSC::NumberConstructor::put):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        (JSC::RegExpConstructor::put):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::put):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):

2014-01-24  Mark Lam  <mark.lam@apple.com>

        ASSERT(!m_markedSpace.m_currentDelayedReleaseScope) reloading page in inspector.
        <https://webkit.org/b/127582>

        Reviewed by Mark Hahnenberg.

        1. We should not enter a HeapIterationScope when we iterate the CodeBlocks.
           Apparently, iterating the CodeBlocks does not count as heap iteration.

        2. If we're detaching the debugger due to the JSGlobalObject destructing,
           then we don't need to clear the debugger requests in the associated
           CodeBlocks. The JSGlobalObject destructing would mean that those
           CodeBlocks would be destructing too, and it may not be safe to access
           them anyway at this point.

        The assertion failure is because we had entered a HeapIterationScope
        while the JSGlobalObject is destructing, which in turn means that GC
        sweeping is in progress. It's not legal to iterate the heap while the GC
        is sweeping. Once we fixed the above 2 issues, we will no longer have
        the conditions that manifest this assertion failure.

        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::toggleBreakpoint):
        (JSC::Debugger::clearBreakpoints):
        (JSC::Debugger::clearDebuggerRequests):
        * debugger/Debugger.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):

2014-01-24  Brent Fulgham  <bfulgham@apple.com>

        [Win] Convert some NMake files to MSBuild project files
        https://bugs.webkit.org/show_bug.cgi?id=127579

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/JavaScriptCore.make: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Added.

2014-01-24  Mark Lam  <mark.lam@apple.com>

        Fixed a bad assertion in CodeBlock::removeBreakpoint().
        <https://webkit.org/b/127581>

        Reviewed by Joseph Pecoraro.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::removeBreakpoint):

2014-01-24  Joseph Pecoraro  <pecoraro@apple.com>

        fast/profiler tests ASSERTing after moving recompileAllJSFunctions off a timer
        https://bugs.webkit.org/show_bug.cgi?id=127566

        Reviewed by Oliver Hunt.

        Make the VM handle recompilation as soon as possible after it is requested.

        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        When in a JavaScript stack, mark for recompilation when possible.

        * runtime/VMEntryScope.h:
        (JSC::VMEntryScope::setRecompilationNeeded):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        Handle recompilation when the top VMEntryScope is popped.
        Pass the needs-recompilation flag up the stack if needed.
2014-01-24  Oliver Hunt  <oliver@apple.com>

        Generic JSObject::put should handle static properties in the classinfo hierarchy
        https://bugs.webkit.org/show_bug.cgi?id=127523

        Reviewed by Geoffrey Garen.

        This patch makes JSObject::put correctly call static setters
        defined by the ClassInfo.

        To make this not clobber performance, the ClassInfo HashTable
        now includes a flag to indicate that it contains setters. This
        required updating the lut generator so that it tracked (and emitted)
        this.

        The rest of the change was making a number of the methods take
        a VM rather than an ExecState*, so that Structure could set the
        getter/setter flags during construction (if necessary).

        This also means most objects do not need to perform a lookupPut
        manually anymore, so most custom ::put's are no longer needed.
        DOMWindow is the only exception as it has interesting security
        related semantics.

        * create_hash_table:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dataViewTable):
        (JSC::ExecState::dateTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::jsonTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectConstructorTable):
        (JSC::ExecState::privateNamePrototypeTable):
        (JSC::ExecState::regExpTable):
        (JSC::ExecState::regExpConstructorTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable):
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::propHashTable):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/Lookup.h:
        (JSC::HashTable::copy):
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::put):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
        (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):

2014-01-24  Mark Lam  <mark.lam@apple.com>

        Skip op_profiler callbacks if !VM::m_enabledProfiler.
        https://bugs.webkit.org/show_bug.cgi?id=127567

        Reviewed by Geoffrey Garen.

        The profiler may not be always active (recording). When it's not active
        (as in VM::m_enabledProfiler is null), then we might as well skip the
        op_profiler callbacks. The callbacks themselves were already previously
        gated by a VM::enabledProfiler() check. So, this change does not change
        any profiler behavior.

        For the DFG, we'll turn the op_profiler handling into speculation checks
        and OSR exit to the baseline JIT if the profiler becomes active.

        This brings the Octane score up to ~3000 from ~2840.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNodeType.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * llint/LowLevelInterpreter.asm:
        * runtime/VM.h:
        (JSC::VM::enabledProfilerAddress):

2014-01-24  Mark Lam  <mark.lam@apple.com>

        Removing the need for Debugger* and m_shouldPause op_debug check.
        <https://webkit.org/b/127532>

        Reviewed by Geoffrey Garen.

        This patch replaces the checking of the Debugger::m_shouldPause flag
        with a procedure to set a SteppingMode flag on all CodeBlocks under
        the management of the debugger. This simplifies the op_debug checking
        logic in all the execution engines.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasDebuggerRequests):
        (JSC::CodeBlock::debuggerRequestsAddress):
        (JSC::CodeBlock::setSteppingMode):
        (JSC::CodeBlock::clearDebuggerRequests):
        - CodeBlock::m_debuggerRequests is a union of m_numBreakpoints and the
          new m_steppingMode. The debugger can add/remove breakpoints to the
          CodeBlock as well as set the stepping mode. By having
          m_debuggerRequests as a union of the 2 bit fields, the op_debug code
          can now check if any of the 2 requests made on the CodeBlock is still
          in effect just by testing a single int.

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::detach):
        - This was a bug from before where I forgot to clear the CodeBlock
          breakpoints before detaching. We now take care of it by clearing all
          debugger requests made to the CodeBlock.

        (JSC::Debugger::SetSteppingModeFunctor::SetSteppingModeFunctor):
        (JSC::Debugger::SetSteppingModeFunctor::operator()):
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::ClearCodeBlockDebuggerRequestsFunctor):
        (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator()):
        (JSC::Debugger::clearBreakpoints):

        (JSC::Debugger::ClearDebuggerRequestsFunctor::ClearDebuggerRequestsFunctor):
        (JSC::Debugger::ClearDebuggerRequestsFunctor::operator()):
        (JSC::Debugger::clearDebuggerRequests):
        - We need a distinct clearDebuggerRequests() from clearBreakpoints()
          because:
          1. When we detach a globalObject, we only want to clear the debugger
             requests in CodeBlocks from that global.
          2. Clearing the debugger requests in the CodeBlocks is not the same
             as clearing the breakpoints. The breakpoints are still in effect
             for the next time a globalObject is attached, or for other
             globalObjects that are still attached.

        (JSC::Debugger::setPauseOnNextStatement):
        (JSC::Debugger::breakProgram):
        (JSC::Debugger::stepIntoStatement):
        (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::exception):
        (JSC::Debugger::willExecuteProgram):
        (JSC::Debugger::didReachBreakpoint):
        * debugger/Debugger.h:
        - We're always going to support the debugger. So, there's no longer
          a need to check ENABLE(JAVASCRIPT_DEBUGGER). Removed the unneeded code.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::debug):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_debug):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_debug):
        * llint/LowLevelInterpreter.asm:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setDebugger):

2014-01-24  Michael Saboff  <msaboff@apple.com>

        ARM Offline assembler temporary register allocator has duplicate register when building fat binaries
        https://bugs.webkit.org/show_bug.cgi?id=127545

        Reviewed by Mark Lam.

        Eliminate the conditional addition of r11/r7 from getModifiedListARMCommon as the
        .concat will add the new register to ARM_EXTRA_GPRS. If getModifiedListARMCommon is
        invoked a second time, there will be a second r11 or r7, which messes things up.
        Instead, r6 was added to ARM_EXTRA_GPRS. r6 is currently an unused register.

        * offlineasm/arm.rb:

2014-01-23  Joseph Pecoraro  <pecoraro@apple.com>

        Move ContentSearchUtils, ScriptBreakpoint, and ScriptDebugListener into JavaScriptCore for inspector
        https://bugs.webkit.org/show_bug.cgi?id=127537

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/ContentSearchUtilities.cpp: Renamed from Source/WebCore/inspector/ContentSearchUtils.cpp.
        (Inspector::ContentSearchUtilities::createSearchRegexSource):
        (Inspector::ContentSearchUtilities::sizetExtractor):
        (Inspector::ContentSearchUtilities::textPositionFromOffset):
        (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines):
        (Inspector::ContentSearchUtilities::lineEndings):
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
        (Inspector::ContentSearchUtilities::createSearchRegex):
        (Inspector::ContentSearchUtilities::countRegularExpressionMatches):
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        (Inspector::ContentSearchUtilities::scriptCommentPattern):
        (Inspector::ContentSearchUtilities::stylesheetCommentPattern):
        (Inspector::ContentSearchUtilities::findMagicComment):
        (Inspector::ContentSearchUtilities::findScriptSourceURL):
        (Inspector::ContentSearchUtilities::findScriptSourceMapURL):
        (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
        * inspector/ContentSearchUtilities.h: Renamed from Source/WebCore/inspector/ContentSearchUtils.h.
        * inspector/ScriptBreakpoint.h: Renamed from Source/WebCore/inspector/ScriptBreakpoint.h.
        (Inspector::ScriptBreakpointAction::ScriptBreakpointAction):
        (Inspector::ScriptBreakpoint::ScriptBreakpoint):
        * inspector/ScriptDebugListener.h: Renamed from Source/WebCore/inspector/ScriptDebugListener.h.
        (Inspector::ScriptDebugListener::Script::Script):
        (Inspector::ScriptDebugListener::~ScriptDebugListener):
        * runtime/RegExp.cpp:
        (JSC::RegExp::match):

2014-01-23  Joseph Pecoraro  <pecoraro@apple.com>

        Move RegularExpression into JavaScriptCore for inspector
        https://bugs.webkit.org/show_bug.cgi?id=127526

        Reviewed by Geoffrey Garen.

        Move RegularExpression into JavaScriptCore/yarr so it can
        be used later on by JavaScriptCore/inspector. Convert to
        the JSC::Yarr namespace.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * yarr/RegularExpression.cpp: Renamed from Source/WebCore/platform/text/RegularExpression.cpp.
        (JSC::Yarr::RegularExpression::Private::create):
        (JSC::Yarr::RegularExpression::Private::Private):
        (JSC::Yarr::RegularExpression::Private::compile):
        (JSC::Yarr::RegularExpression::RegularExpression):
        (JSC::Yarr::RegularExpression::~RegularExpression):
        (JSC::Yarr::RegularExpression::operator=):
        (JSC::Yarr::RegularExpression::match):
        (JSC::Yarr::RegularExpression::searchRev):
        (JSC::Yarr::RegularExpression::matchedLength):
        (JSC::Yarr::replace):
        (JSC::Yarr::RegularExpression::isValid):
        * yarr/RegularExpression.h: Renamed from Source/WebCore/platform/text/RegularExpression.h.

2014-01-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove recompileAllJSFunctions timer in ScriptDebugServer
        https://bugs.webkit.org/show_bug.cgi?id=127409

        Reviewed by Geoffrey Garen.

        * inspector/InspectorAgentBase.h:
        When disconnecting agents, provide an InspectorDisconnectReason for
        the disconnection. It could be that an inspector frontend is just
        disconnecting or that the inspected object is going away entirely
        and we can avoid doing some work.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::~JSGlobalObjectDebuggable):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::disconnectInternal):
        Pass different reasons for the different disconnects.

        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend):
        * inspector/InspectorAgentRegistry.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorAgent.h:
        Pass InspectorDisconnectReason around where needed.

2014-01-23  Mark Lam  <mark.lam@apple.com>

        Enable DFG for the Debugger and Profiler.
        <https://webkit.org/b/122847>

        Reviewed by Geoffrey Garen.

        In this patch, we implement DFG op_debug as a series of 3 checks:
        1. Check if the debugger pointer is non-null. This is needed in case
           the debugger has been detached but the DFG code is still running
           on the stack.
        2. Check if Debugger::m_shouldPause is true.
        3. Check if CodeBlock::m_numBreakpoints is non-zero.

        These are the same 3 checks done in the LLINT and baselineJIT. But unlike
        the LLINT and baselineJIT, these DFG checks are implemented as
        speculationChecks. If the check fails, we OSR exit to the baselineJIT and
        let it do the work of servicing the op_debug callback.

        Stepping through code in the debugger would work the same way. The top
        function being debugged has to be a LLINT or baselineJIT function because
        we would have OSR exited if there is a breakpoint in that function. When
        we step out of that function to its caller, we expect that the caller will
        call back to the debugger at the next op_debug. If the caller function is
        a DFG function, the op_debug site will fail its speculation check on
        Debugger::m_shouldPause and deopt into a baselineJIT function. Execution
        continues from there as usual, and the debugger gets its callback.

        For the profiler, op_profile_will_call and op_profile_did_call are
        implemented as simple runtime calls to service the profiler.

        With this patch, Octane performance with the WebInspector open jumps from
        ~2000 to ~2500 (25% progression).

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numBreakpointsAddress):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * debugger/Debugger.cpp:
        (JSC::Debugger::toggleBreakpoint):
        - removed an obsolete assertion. The debugger can now handle DFG
          CodeBlocks too.
        * debugger/Debugger.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::debuggerAddress):

2014-01-23  Max Vujovic  <mvujovic@adobe.com>

        Remove CSS Custom Filters code and tests
        https://bugs.webkit.org/show_bug.cgi?id=127382

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-01-22  Brent Fulgham  <bfulgham@apple.com>

        [Win] Update project and solution files for 64-bit builds.
        https://bugs.webkit.org/show_bug.cgi?id=127457

        Reviewed by Eric Carlson.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Add 64-bit target.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Update for VS2013.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Add missing
        file from project view.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Update for VS2013.
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto.

2014-01-22  Mark Lam  <mark.lam@apple.com>

        Poor man's fast breakpoints for a 2.3x debugger speedup.
        <https://webkit.org/b/122836>

        Reviewed by Geoffrey Garen.

        Previously we gained back some performance (run at baseline JIT speeds)
        when the WebInspector is opened provided no breakpoints are set. This
        was achieved by simply skipping all op_debug callbacks to the debugger
        if no breakpoints are set. If any breakpoints are set, the debugger will
        set a m_needsOpDebugCallbacks flag which causes the callbacks to be
        called, and we don't get the baseline JIT speeds anymore.

        With this patch, we will now track the number of breakpoints set in the
        CodeBlock that they are set in. The LLINT and baseline JIT code will
        check CodeBlock::m_numBreakpoints to determine if the op_debug callbacks
        need to be called. With this, we will only enable op_debug callbacks for
        CodeBlocks that need it, i.e. those with breakpoints set in them.

        Debugger::m_needsOpDebugCallbacks is now obsoleted. The LLINT and baseline
        JIT code still needs to check Debugger::m_shouldPause to determine if the
        debugger is in stepping mode and hence, needs op_debug callbacks enabled
        for everything until the debugger "continues" the run and exits stepping
        mode.

        Also in this patch, I fixed a regression in DOM breakpoints which relies on
        Debugger::breakProgram() to pause the debugger.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        - Missed accounting for op_debug's new hasBreakpointFlag operand here when
          it was added.
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::hasOpDebugForLineAndColumn):
        - This is needed in Debugger::toggleBreakpoint() to determine if a
          breakpoint falls within a CodeBlock or not. Simply checking the bounds
          of the CodeBlock is insufficient. For example, let's say we have the
          following JS code:

          // begin global scope
          function f1() {
              function f2() {
                  ... // set breakpoint here.
              }
          }
          // end global scope

          Using the CodeBlock bounds alone, the breakpoint above will appear
          to be in the global program CodeBlock, and the CodeBlocks for function
          f1() and f2(). With CodeBlock::hasOpDebugForLineAndColumn() we can
          rule out the global program CodeBlock and f1(), and only apply the
          breakpoint to f2() where it belongs.

          CodeBlock::hasOpDebugForLineAndColumn() works by iterating over all
          the opcodes in the CodeBlock to look for op_debug's. For each op_debug,
          it calls CodeBlock::expressionRangeForBytecodeOffset() to do a binary
          search to get the line and column info for that op_debug. This is a
          N * log(N) algorithm. However, a quick hands-on test using the
          WebInspector (with this patch applied) to exercise setting, breaking
          on, and clearing breakpoints, as well as stepping through some code
          shows no noticeable degradation of the user experience compared to the
          baseline without this patch.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numBreakpoints):
        (JSC::CodeBlock::numBreakpointsOffset):
        (JSC::CodeBlock::addBreakpoint):
        (JSC::CodeBlock::removeBreakpoint):
        (JSC::CodeBlock::clearAllBreakpoints):
        * debugger/Breakpoint.h:
        - defined Breakpoint::unspecifiedColumn so that we can explicitly indicate
          when the WebInspector was setting a line breakpoint and did not provide
          a column value. CodeBlock::hasOpDebugForLineAndColumn() needs this
          information in order to loosen its matching criteria for op_debug
          bytecodes for the specified breakpoint line and column values provided
          by the debugger.

          Previously, we just hijacked a 0 value column as an unspecified column.
          However, the WebInspector operates on 0-based ints for column values.
          Hence, 0 should be a valid column value and should not be hijacked to
          mean an unspecified column.

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        - added tracking of the VM that the debugger is used with. This is
          needed by Debugger::breakProgram().

          The VM pointer is attained from the first JSGlobalObject that the debugger
          attaches to. When the debugger detaches from the last JSGlobalObject, it
          will nullify its VM pointer to allow a new one to be set on the next
          attach.

          We were always only using each debugger instance with one VM. This change
          makes it explicit with an assert to ensure that all globalObjects that
          the debugger attaches to belong to the same VM.

        (JSC::Debugger::attach):
        (JSC::Debugger::detach):
        (JSC::Debugger::setShouldPause):

        (JSC::Debugger::registerCodeBlock):
        (JSC::Debugger::unregisterCodeBlock):
        - registerCodeBlock() is responsible for applying pre-existing breakpoints
          to new CodeBlocks being installed. Similarly, unregisterCodeBlock()
          clears the breakpoints.

        (JSC::Debugger::toggleBreakpoint):
        - This is the workhorse function that checks if a breakpoint falls within
          a CodeBlock or not. If it does, then it can either enable or disable
          said breakpoint in the CodeBlock. In the current implementation,
          enabling/disabling the breakpoint simply means incrementing/decrementing
          the CodeBlock's m_numBreakpoints.

        (JSC::Debugger::applyBreakpoints):

        (JSC::Debugger::ToggleBreakpointFunctor::ToggleBreakpointFunctor):
        (JSC::Debugger::ToggleBreakpointFunctor::operator()):
        (JSC::Debugger::toggleBreakpoint):
        - Iterates all relevant CodeBlocks and applies the specified breakpoint
          if appropriate. This is called when a new breakpoint is being defined
          by the WebInspector and needs to be applied to an already installed
          CodeBlock.

        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::hasBreakpoint):
        (JSC::Debugger::ClearBreakpointsFunctor::ClearBreakpointsFunctor):
        (JSC::Debugger::ClearBreakpointsFunctor::operator()):
        (JSC::Debugger::clearBreakpoints):

        (JSC::Debugger::breakProgram):
        - Fixed a regression that broke DOM breakpoints. The issue is that with
          the skipping of op_debug callbacks, we don't always have an updated
          m_currentCallFrame. Normally, m_currentCallFrame is provided as an arg
          in the op_debug callback. In this case, we can get the CallFrame* from
          m_vm->topCallFrame.

        (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::willExecuteProgram):
        * debugger/Debugger.h:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::shouldPause):

        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::iterate):
        * heap/Heap.h:
        (JSC::Heap::forEachCodeBlock):
        - Added utility to iterate all CodeBlocks in the heap / VM.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::debug):

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_debug):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_debug):
        * llint/LowLevelInterpreter.asm:
        - These now check CodeBlock::m_numBreakpoints and Debugger::m_shouldPause
          instead of Debugger::m_needsOpDebugCallbacks.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):

2014-01-22  Myles C. Maxfield  <mmaxfield@apple.com>

        Remove CSS3_TEXT_DECORATION define
        https://bugs.webkit.org/show_bug.cgi?id=127333

        This is required for unprefixing the text-decoration-* CSS properties.

        Reviewed by Simon Fraser.
        * Configurations/FeatureDefines.xcconfig:

2014-01-22  Alexey Proskuryakov  <ap@apple.com>

        Update JS whitespace definition for changes in Unicode 6.3
        https://bugs.webkit.org/show_bug.cgi?id=127450
        <rdar://15863457>

        Reviewed by Oliver Hunt.

        Covered by existing tests when running against a Unicode back-end that supports
        Unicode 6.3 or higher.

        * runtime/JSGlobalObjectFunctions.cpp: (JSC::isStrWhiteSpace): Explicitly allow
        U+180E MONGOLIAN VOWEL SEPARATOR, because we need to keep recognizing all characters
        that used to be whitespace.

2014-01-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Registers used in writeBarrierOnOperand can cause clobbering on some platforms
        https://bugs.webkit.org/show_bug.cgi?id=127357

        Reviewed by Filip Pizlo.

        Some platforms use t0 and t1 for their first two arguments, so using those to load the
        cell for the write barrier is a bad idea because it will get clobbered.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-01-21  Mark Rowe  <mrowe@apple.com>

        Mac production build fix.

        Move the shell script build phase to copy jsc into JavaScriptCore.framework
        out of the jsc target and into the All target so that it's not run during
        production builds. Xcode appears to the parent directories of paths referenced
        in the Output Files of the build phase, which leads to problems when the
        SYMROOT for the JavaScriptCore framework and the jsc executables are later merged.

        I've also fixed the path to the Resources folder in the script while I'm here.
        On iOS the framework bundle is shallow so the correct destination is Resources/
        rather than Versions/A/Resources. This is handled by tweaking the
        JAVASCRIPTCORE_RESOURCES_DIR configuration setting to be relative rather than
        a complete path so we can reuse it in the script. The references in JSC.xcconfig
        and ToolExecutable.xcconfig are updated to prepend JAVASCRIPTCORE_FRAMEWORKS_DIR
        to preserve their former values.

        * Configurations/Base.xcconfig:
        * Configurations/JSC.xcconfig:
        * Configurations/ToolExecutable.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-01-19  Andreas Kling  <akling@apple.com>

        JSC Parser: Shrink BindingNode.
        <https://webkit.org/b/127253>

        The "divot" and "end" source locations are always identical for
        BindingNodes, so store only "start" and "end" instead.

        1.19 MB progression on Membuster3.

        Reviewed by Geoff Garen.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BindingNode::bindValue):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createBindingLocation):
        * parser/NodeConstructors.h:
        (JSC::BindingNode::create):
        (JSC::BindingNode::BindingNode):
        * parser/Nodes.h:
        (JSC::BindingNode::divotStart):
        (JSC::BindingNode::divotEnd):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::createBindingPattern):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):

2014-01-20  Filip Pizlo  <fpizlo@apple.com>

        op_captured_mov and op_new_captured_func in UnlinkedCodeBlocks should use the IdentifierMap instead of the strings directly
        https://bugs.webkit.org/show_bug.cgi?id=127311
        <rdar://problem/15853958>

        Reviewed by Andreas Kling.

        This makes UnlinkedCodeBlocks use 32-bit instruction streams again.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedInstruction::UnlinkedInstruction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::emitInitLazyRegister):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::watchableVariable):
        (JSC::BytecodeGenerator::hasWatchableVariable):

2014-01-20  Mark Lam  <mark.lam@apple.com>

        Removing CodeBlock::opDebugBytecodeOffsetForLineAndColumn() and friends.
        <https://webkit.org/b/127321>

        Reviewed by Geoffrey Garen.

        We're changing plans and will be going with CodeBlock level breakpoints
        instead of bytecode level breakpoints. As a result, we no longer need
        the services of CodeBlock::opDebugBytecodeOffsetForLineAndColumn() (and
        friends). This patch will remove that unused code.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/LineColumnInfo.h: Removed.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo):
        * bytecode/UnlinkedCodeBlock.h:

2014-01-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        CodeBlockSet::traceMarked doesn't need to visit the ownerExecutable
        https://bugs.webkit.org/show_bug.cgi?id=127301

        Reviewed by Oliver Hunt.

        We used to just call CodeBlock::visitAggregate, but now we call visitChildren
        on the ownerExecutable, which is unnecessary.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::traceMarked):

2014-01-20  Anders Carlsson  <andersca@apple.com>

        Fix build.

        * heap/BlockAllocator.h:

2014-01-20  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in BlockAllocator
        https://bugs.webkit.org/show_bug.cgi?id=126313

        Reviewed by Sam Weinig.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForDuration):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2014-01-19  Anders Carlsson  <andersca@apple.com>

        Convert GCThreadSharedData over to STL threading primitives
        https://bugs.webkit.org/show_bug.cgi?id=127256

        Reviewed by Andreas Kling.

        * heap/GCThread.cpp:
        (JSC::GCThread::waitForNextPhase):
        (JSC::GCThread::gcThreadMain):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):
        (JSC::GCThreadSharedData::~GCThreadSharedData):
        (JSC::GCThreadSharedData::startNextPhase):
        (JSC::GCThreadSharedData::endCurrentPhase):
        (JSC::GCThreadSharedData::didStartMarking):
        (JSC::GCThreadSharedData::didFinishMarking):
        * heap/GCThreadSharedData.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::donateKnownParallel):
        (JSC::SlotVisitor::drainFromShared):

2014-01-18  Andreas Kling  <akling@apple.com>

        CodeBlock: Size m_callLinkInfos and m_byValInfos to fit earlier.
        <https://webkit.org/b/127239>

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setNumberOfByValInfos):
        (JSC::CodeBlock::setNumberOfCallLinkInfos):

        Use resizeToFit() instead of grow() for these vectors, since
        we know the final size here.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shrinkToFit):

        No need to shrink here anymore. We were not even shrinking
        m_byValInfo before!

2014-01-18  Andreas Kling  <akling@apple.com>

        CodeBlock: Size m_function{Exprs,Decls} to fit from creation.
        <https://webkit.org/b/127238>

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

        Use resizeToFit() instead of grow() for m_functionExprs and
        m_functionDecls since we know they will never change size.

        (JSC::CodeBlock::shrinkToFit):

        No need to shrink them here anymore.

2014-01-18  Andreas Kling  <akling@apple.com>

        Remove unused CodeBlock::m_additionalIdentifiers member.
        <https://webkit.org/b/127237>

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlock.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):

        Remove m_additionalIdentifiers, nothing uses it.

2014-01-18  Andreas Kling  <akling@apple.com>

        Remove two unused CodeBlock functions.
        <https://webkit.org/b/127235>

        Kill copyPostParseDataFrom() and copyPostParseDataFromAlternative()
        since they are not used.

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:

2014-01-18  Andreas Kling  <akling@apple.com>

        CodeBlock: Size m_exceptionHandlers to fit from creation.
        <https://webkit.org/b/127234>

        Avoid allocation churn for CodeBlock::m_exceptionHandlers.

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlock.h:

        Removed unused CodeBlock::allocateHandlers() function.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

        Use resizeToFit() instead of grow() for m_exceptionHandlers
        since we know it's never going to change size.

        (JSC::CodeBlock::shrinkToFit):

        No need to shrink m_exceptionHandlers here since it's already
        the perfect size.
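The CodeBlock-level breakpoint bookkeeping described in the "Poor man's fast breakpoints for a 2.3x debugger speedup" entry and the three-check op_debug fast path from the "Enable DFG for the Debugger and Profiler" entry above, as an added C++ model that is not WebKit code. The names m_numBreakpoints, m_shouldPause, hasOpDebugForLineAndColumn and unspecifiedColumn come from the ChangeLog; the OpDebugSite struct, the simplified line/column matching and the needsOpDebugCallback helper are assumptions made for this example.

```cpp
// Added example (not WebKit/JSC code): a model of CodeBlock-level breakpoint
// counting. Only the CodeBlock whose op_debug sites match the breakpoint's
// position gets its counter bumped, so enclosing CodeBlocks keep running at
// full speed. OpDebugSite and needsOpDebugCallback are assumptions.
#include <utility>
#include <vector>

namespace Model {

// Stand-in for the line/column that expressionRangeForBytecodeOffset() yields
// for each op_debug bytecode in a CodeBlock (constructed data in the tests).
struct OpDebugSite {
    unsigned line;
    unsigned column; // 0-based, as the WebInspector reports columns
};

struct Breakpoint {
    // Explicit sentinel for "line breakpoint, no column given". Column 0 is a
    // valid 0-based column and must not be hijacked to mean "unspecified".
    static constexpr unsigned unspecifiedColumn = 0xFFFFFFFFu;
    unsigned line;
    unsigned column;
};

class CodeBlock {
public:
    explicit CodeBlock(std::vector<OpDebugSite> sites)
        : m_opDebugSites(std::move(sites)), m_numBreakpoints(0) { }

    // Scan every op_debug in the block and compare its source position with
    // the requested line/column. With an unspecified column, match on line only.
    bool hasOpDebugForLineAndColumn(unsigned line, unsigned column) const
    {
        for (const OpDebugSite& site : m_opDebugSites) {
            if (site.line != line)
                continue;
            if (column == Breakpoint::unspecifiedColumn || site.column == column)
                return true;
        }
        return false;
    }

    unsigned numBreakpoints() const { return m_numBreakpoints; }
    void addBreakpoint() { m_numBreakpoints++; }
    void removeBreakpoint() { if (m_numBreakpoints) m_numBreakpoints--; }
    void clearAllBreakpoints() { m_numBreakpoints = 0; }

private:
    std::vector<OpDebugSite> m_opDebugSites;
    unsigned m_numBreakpoints;
};

class Debugger {
public:
    Debugger() : m_shouldPause(false) { }
    bool shouldPause() const { return m_shouldPause; }
    void setShouldPause(bool shouldPause) { m_shouldPause = shouldPause; }

    // Workhorse: returns true when the breakpoint falls inside this CodeBlock
    // and was enabled/disabled by adjusting its m_numBreakpoints.
    bool toggleBreakpoint(CodeBlock& codeBlock, const Breakpoint& breakpoint, bool enable) const
    {
        if (!codeBlock.hasOpDebugForLineAndColumn(breakpoint.line, breakpoint.column))
            return false;
        if (enable)
            codeBlock.addBreakpoint();
        else
            codeBlock.removeBreakpoint();
        return true;
    }

private:
    bool m_shouldPause;
};

// The three checks an op_debug site performs before calling the debugger
// (the DFG turns the same checks into speculation checks that OSR exit).
inline bool needsOpDebugCallback(const Debugger* debugger, const CodeBlock& codeBlock)
{
    if (!debugger)                 // 1. debugger pointer is null: detached
        return false;
    if (debugger->shouldPause())   // 2. stepping mode: callbacks everywhere
        return true;
    return codeBlock.numBreakpoints() != 0; // 3. per-CodeBlock breakpoint count
}

} // namespace Model
```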

2014-01-18  Mark Lam  <mark.lam@apple.com>

        Add a hasBreakpointFlag arg to the op_debug bytecode.
        https://bugs.webkit.org/show_bug.cgi?id=127230.

        Reviewed by Geoffrey Garen.

        This is in anticipation of upcoming changes to support bytecode level
        breakpoints. This patch adds the flag to the op_debug bytecode and
        initializes it, but does not use it yet.

        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDebugHook):
        * llint/LowLevelInterpreter.asm:

2014-01-18  Alberto Garcia  <berto@igalia.com>

        JavaScriptCore uses PLATFORM(MAC) when it means OS(DARWIN)
        https://bugs.webkit.org/show_bug.cgi?id=99683

        Reviewed by Anders Carlsson.

        * jit/ThunkGenerators.cpp:
        * tools/CodeProfile.cpp:
        (JSC::symbolName):
        (JSC::CodeProfile::sample):

2014-01-18  Anders Carlsson  <andersca@apple.com>

        Remove ENABLE_THREADED_HTML_PARSER defines everywhere
        https://bugs.webkit.org/show_bug.cgi?id=127225

        Reviewed by Andreas Kling.

        This concludes the removal of over 8.8 million lines of threaded parser code.

        * Configurations/FeatureDefines.xcconfig:

2014-01-18  Mark Lam  <mark.lam@apple.com>

        Adding UnlinkedCodeBlock::opDebugBytecodeOffsetForLineAndColumn().
        https://bugs.webkit.org/show_bug.cgi?id=127127.

        Reviewed by Geoffrey Garen.

        In order to implement bytecode level breakpoints, we need a mechanism
        for computing the best fit op_debug bytecode offset for any valid given
        line and column value in the source. The "best fit" op_debug bytecode
        in this case is defined below in the comment for
        UnlinkedCodeBlock::opDebugBytecodeOffsetForLineAndColumn().

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::opDebugBytecodeOffsetForLineAndColumn):
        - Convert the line and column to unlinked line and column values and
          pass them to UnlinkedCodeBlock::opDebugBytecodeOffsetForLineAndColumn()
          to do the real work.

        * bytecode/CodeBlock.h:
        * bytecode/LineColumnInfo.h: Added.
        (JSC::LineColumnInfo::operator <):
        (JSC::LineColumnInfo::LineColumnPair::LineColumnPair):
        (JSC::LineColumnInfo::operator ==):
        (JSC::LineColumnInfo::operator !=):
        (JSC::LineColumnInfo::operator <=):
        (JSC::LineColumnInfo::operator >):
        (JSC::LineColumnInfo::operator >=):
        * bytecode/LineInfo.h: Removed.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::decodeExpressionRangeLineAndColumn):
        - Factored this out of expressionRangeForBytecodeOffset() so that it can
          be called from multiple places.
        (JSC::dumpLineColumnEntry):
        (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo):
        (JSC::UnlinkedCodeBlock::dumpOpDebugLineColumnInfoList):
        - Some dumpers for debugging use only.
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::opDebugBytecodeOffsetForLineAndColumn):
        - Finds the earliest op_debug bytecode whose line and column matches the
          specified line and column values. If an exact match is not found, then
          finds the nearest op_debug bytecode that precedes the specified line
          and column values. If there is more than one op_debug at that preceding
          line and column value, then the earliest of those op_debug bytecodes will
          be selected. The offset of the selected bytecode will be returned.

          We want the earliest one because when we have multiple op_debug bytecodes
          that map to a given line and column, a debugger user would expect to break
          on the first one and step through the rest thereafter if needed.

        (JSC::compareLineColumnInfo):
        (JSC::UnlinkedCodeBlock::opDebugLineColumnInfoList):
        - Creates the sorted opDebugLineColumnInfoList on demand. This list is
          stored in the UnlinkedCodeBlock's rareData.
        * bytecode/UnlinkedCodeBlock.h:

2014-01-18  Zan Dobersek  <zdobersek@igalia.com>

        Inspector scripts are not compatible with Python v3
        https://bugs.webkit.org/show_bug.cgi?id=127128

        Reviewed by Benjamin Poulain.

        * inspector/scripts/generate-combined-inspector-json.py: Turn print statements into print function calls.
        * inspector/scripts/jsmin.py: Try importing the StringIO class from the StringIO module (which will work for
        Python v2) or, on import error, import the class from the io module (which will work for Python v3).

2014-01-17  Anders Carlsson  <andersca@apple.com>

        String::is8Bit() crashes if m_impl is null, handle this.

        * API/OpaqueJSString.h:
        (OpaqueJSString::OpaqueJSString):

2014-01-17  Anders Carlsson  <andersca@apple.com>

        Try to fix the Windows build.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::~OpaqueJSString):
        (OpaqueJSString::characters):
        * API/OpaqueJSString.h:
        (OpaqueJSString::OpaqueJSString):

2014-01-17  Anders Carlsson  <andersca@apple.com>

        Get rid of OpaqueJSString::deprecatedCharacters()
        https://bugs.webkit.org/show_bug.cgi?id=127161

        Reviewed by Sam Weinig.

        Handle OpaqueJSString::m_string being either 8-bit or 16-bit and add extra
        code paths for the 8-bit cases.

        Unfortunately, JSStringGetCharactersPtr is still expected to return a 16-bit character pointer.
        Handle this by storing a separate 16-bit string and initializing it on demand when JSStringGetCharactersPtr
        is called and the backing string is 8-bit.

        This has the nice side effect of making JSStringGetCharactersPtr thread-safe when it wasn't before.
        (In theory, someone could have a JSStringRef backed by an 8-bit string and call JSStringGetCharactersPtr on it
        causing an unsafe upconversion to a 16-bit string).

        * API/JSStringRef.cpp:
        (JSStringGetCharactersPtr):
        Call OpaqueJSString::characters.

        (JSStringGetUTF8CString):
        Add a code path that handles 8-bit strings.

        (JSStringIsEqual):
        Call OpaqueJSString::equal.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):
        Reformat the code to use an early return instead of putting most of the code inside the body of an if statement.

        (JSStringCopyCFString):
        Create an 8-bit CFStringRef if possible.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create):
        Use nullptr.

        (OpaqueJSString::~OpaqueJSString):
        Free m_characters.

        (OpaqueJSString::characters):
        Do the up-conversion and store the result in m_characters.

        (OpaqueJSString::equal):
        New helper function.

        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit):
        New function that returns whether a string is 8-bit or not.

        (OpaqueJSString::characters8):
        (OpaqueJSString::characters16):
        Add getters.

2014-01-17  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        Remove workaround for compilers not supporting deleted functions
        https://bugs.webkit.org/show_bug.cgi?id=127166

        Reviewed by Andreas Kling.

        * inspector/InspectorAgentRegistry.h:

2014-01-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r162185, r162186, and r162187.
        http://trac.webkit.org/changeset/162185
        http://trac.webkit.org/changeset/162186
        http://trac.webkit.org/changeset/162187
        https://bugs.webkit.org/show_bug.cgi?id=127164

        Broke JSStringCreateWithCharactersNoCopy, as evidenced by a
        JSC API test (Requested by ap on #webkit).

        * API/JSStringRef.cpp:
        (JSStringGetCharactersPtr):
        (JSStringGetUTF8CString):
        (JSStringIsEqual):
        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):
        (JSStringCopyCFString):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create):
        (OpaqueJSString::identifier):
        * API/OpaqueJSString.h:
        (OpaqueJSString::create):
        (OpaqueJSString::characters):
        (OpaqueJSString::deprecatedCharacters):
        (OpaqueJSString::OpaqueJSString):

2014-01-16  Anders Carlsson  <andersca@apple.com>

        Export OpaqueJSString destructor.

        * API/OpaqueJSString.h:

2014-01-16  Anders Carlsson  <andersca@apple.com>

        Build fix.

        * API/OpaqueJSString.h:

2014-01-16  Anders Carlsson  <andersca@apple.com>

        Get rid of OpaqueJSString::deprecatedCharacters()
        https://bugs.webkit.org/show_bug.cgi?id=127161

        Reviewed by Sam Weinig.

        Handle OpaqueJSString::m_string being either 8-bit or 16-bit and add extra
        code paths for the 8-bit cases.

        Unfortunately, JSStringGetCharactersPtr is still expected to return a 16-bit character pointer.
        Handle this by storing a separate 16-bit string and initializing it on demand when JSStringGetCharactersPtr
        is called. This has the nice side effect of making JSStringGetCharactersPtr thread-safe when it wasn't before.
        (In theory, someone could have a JSStringRef backed by an 8-bit string and call JSStringGetCharactersPtr on it
        causing an unsafe upconversion to a 16-bit string).

        * API/JSStringRef.cpp:
        (JSStringGetCharactersPtr):
        Call OpaqueJSString::characters.

        (JSStringGetUTF8CString):
        Add a code path that handles 8-bit strings.

        (JSStringIsEqual):
        Call OpaqueJSString::equal.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):
        Reformat the code to use an early return instead of putting most of the code inside the body of an if statement.

        (JSStringCopyCFString):
        Create an 8-bit CFStringRef if possible.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create):
        Use nullptr.

        (OpaqueJSString::~OpaqueJSString):
        Free m_characters.

        (OpaqueJSString::characters):
        Do the up-conversion and store the result in m_characters.

        (OpaqueJSString::equal):
        New helper function.

        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit):
        New function that returns whether a string is 8-bit or not.

        (OpaqueJSString::characters8):
        (OpaqueJSString::characters16):
        Add getters.

2014-01-16  Anders Carlsson  <andersca@apple.com>

        Change all uses of FINAL to final now that all our compilers support it
        https://bugs.webkit.org/show_bug.cgi?id=127142

        Reviewed by Benjamin Poulain.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorAgent.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/scripts/CodeGeneratorInspector.py:
        (Generator.go):
        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSPromiseReaction.cpp:

2014-01-16  Oliver Hunt  <oliver@apple.com>

        throwing an objc object (or general binding object) triggers an assertion
        https://bugs.webkit.org/show_bug.cgi?id=127146

        Reviewed by Alexey Proskuryakov.

        This is simply a bogus assertion as we can't guarantee a bindings object
        won't intercept assignment to .stack.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):

2014-01-16  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        Remove workaround for compilers not supporting explicit override control
        https://bugs.webkit.org/show_bug.cgi?id=127111

        Reviewed by Anders Carlsson.

        Now that all compilers support explicit override control, this workaround can be removed.

        * API/JSAPIWrapperObject.mm:
        * API/JSCallbackObject.h:
        * API/JSManagedValue.mm:
        * API/JSScriptRef.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h:
        * bytecode/StructureStubClearingWatchpoint.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        * heap/Heap.h:
        * heap/IncrementalSweeper.h:
        * heap/SuperRegion.h:
        * inspector/InspectorValues.h:
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorAgent.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/scripts/CodeGeneratorInspector.py:
        (Generator.go):
        * jit/ClosureCallStubRoutine.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/GCAwareJITStubRoutine.h:
        * jit/JITCode.h:
        * jit/JITToDFGDeferredCompilationCallback.h:
        * parser/Nodes.h:
        * parser/SourceProvider.h:
        * runtime/DataView.h:
        * runtime/GCActivityCallback.h:
        * runtime/GenericTypedArrayView.h:
        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSPromiseReaction.cpp:
        * runtime/RegExpCache.h:
        * runtime/SimpleTypedArrayController.h:
        * runtime/SymbolTable.h:
        * runtime/WeakMapData.h:

2014-01-15  Joseph Pecoraro  <pecoraro@apple.com>

        [iOS] Clean up REMOTE_INSPECTOR code in OpenSource after the iOS merge
        https://bugs.webkit.org/show_bug.cgi?id=127069

        Reviewed by Timothy Hatcher.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Export XPCConnection because it is needed by RemoteInspector.h.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::startDisabled):
        (Inspector::RemoteInspector::shared):
        Allow RemoteInspector singleton to start disabled.

2014-01-15  Brian Burg  <bburg@apple.com>

        Web Inspector: capture probe samples on the backend
        https://bugs.webkit.org/show_bug.cgi?id=126668

        Reviewed by Joseph Pecoraro.

        Add the 'probe' breakpoint action to the protocol. Change the setBreakpoint
        commands to return a list of assigned breakpoint action identifiers.
        Add a type for breakpoint action identifiers. Add an event for sending
        captured probe samples to the inspector frontend.

        * inspector/protocol/Debugger.json:

2014-01-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Copying should be generational
        https://bugs.webkit.org/show_bug.cgi?id=126555

        Reviewed by Geoffrey Garen.

        This patch adds support for copying to our generational collector. Eden collections
        always trigger copying. Full collections use our normal fragmentation-based heuristics.

        The way this works is that the CopiedSpace now has the notion of an old generation set of CopiedBlocks
        and a new generation of CopiedBlocks. During each mutator cycle new CopiedSpace allocations reside
        in the new generation. When a collection occurs, those blocks are moved to the old generation.

        One key thing to remember is that both new and old generation objects in the MarkedSpace can
        refer to old or new generation allocations in CopiedSpace. This is why we must fire write barriers
        when assigning to an old (MarkedSpace) object's Butterfly.

        * heap/CopiedAllocator.h:
        (JSC::CopiedAllocator::tryAllocateDuringCopying):
        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::CopiedBlock):
        (JSC::CopiedBlock::didEvacuateBytes):
        (JSC::CopiedBlock::isOld):
        (JSC::CopiedBlock::didPromote):
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        (JSC::CopiedBlock::reportLiveBytesDuringCopying):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::CopiedSpace):
        (JSC::CopiedSpace::~CopiedSpace):
        (JSC::CopiedSpace::init):
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::tryReallocateOversize):
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::didStartFullCollection):
        (JSC::CopiedSpace::doneCopying):
        (JSC::CopiedSpace::size):
        (JSC::CopiedSpace::capacity):
        (JSC::CopiedSpace::isPagedOut):
        * heap/CopiedSpace.h:
        (JSC::CopiedSpace::CopiedGeneration::CopiedGeneration):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::contains):
        (JSC::CopiedSpace::recycleEvacuatedBlock):
        (JSC::CopiedSpace::allocateBlock):
        (JSC::CopiedSpace::startedCopying):
        * heap/CopyVisitor.cpp:
        (JSC::CopyVisitor::copyFromShared):
        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::allocateNewSpace):
        (JSC::CopyVisitor::allocateNewSpaceSlow):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::didStartCopying):
        * heap/Heap.cpp:
        (JSC::Heap::copyBackingStores):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * heap/TinyBloomFilter.h:
        (JSC::TinyBloomFilter::add):

2014-01-14  Mark Lam
<mark.lam@apple.com> 9289 9290 ASSERTION FAILED: !hasError() in JSC::Parser<LexerType>::createSavePoint(). 9291 https://bugs.webkit.org/show_bug.cgi?id=126990. 9292 9293 Reviewed by Geoffrey Garen. 9294 9295 * parser/Parser.cpp: 9296 (JSC::Parser<LexerType>::parseConstDeclarationList): 9297 - We were missing an error check after attempting to parse an initializer 9298 expression. This is now fixed. 9299 93002014-01-14 Joseph Pecoraro <pecoraro@apple.com> 9301 9302 Web Inspector: For Remote Inspection link WebProcess's to their parent UIProcess 9303 https://bugs.webkit.org/show_bug.cgi?id=126995 9304 9305 Reviewed by Timothy Hatcher. 9306 9307 * inspector/remote/RemoteInspector.mm: 9308 (Inspector::RemoteInspector::listingForDebuggable): 9309 For each WebView, list the parent process. Listing the parent per WebView 9310 is already supported back when we supported processes that could host WebViews 9311 for multiple applications. 9312 9313 * inspector/remote/RemoteInspectorConstants.h: 9314 Add a separate key for the bundle identifier, separate from application identifier. 9315 9316 * inspector/remote/RemoteInspectorDebuggable.cpp: 9317 (Inspector::RemoteInspectorDebuggable::info): 9318 * inspector/remote/RemoteInspectorDebuggable.h: 9319 (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo): 9320 (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): 9321 If a RemoteInspectorDebuggable has a non-zero parent process identifier 9322 it is a proxy for the parent process. 9323 93242014-01-14 Brian J. Burg <burg@cs.washington.edu> 9325 9326 Add ENABLE(WEB_REPLAY) feature flag to the build system 9327 https://bugs.webkit.org/show_bug.cgi?id=126949 9328 9329 Reviewed by Joseph Pecoraro. 
9330 9331 * Configurations/FeatureDefines.xcconfig: 9332 93332014-01-14 Peter Molnar <pmolnar.u-szeged@partner.samsung.com> 9334 9335 [EFL] FTL buildfix, add missing includes 9336 https://bugs.webkit.org/show_bug.cgi?id=126641 9337 9338 Reviewed by Csaba Osztrogonác. 9339 9340 * ftl/FTLOSREntry.cpp: 9341 * ftl/FTLOSRExitCompiler.cpp: 9342 93432014-01-14 Joseph Pecoraro <pecoraro@apple.com> 9344 9345 Web Inspector: RemoteInspector::updateDebuggable may miss a push 9346 https://bugs.webkit.org/show_bug.cgi?id=126965 9347 9348 Reviewed by Timothy Hatcher. 9349 9350 * inspector/remote/RemoteInspector.mm: 9351 (Inspector::RemoteInspector::updateDebuggable): 9352 Always push an update. If a debuggable went from allowed to 9353 not allowed, we would have missed pushing an update. 9354 93552014-01-13 Mark Hahnenberg <mhahnenberg@apple.com> 9356 9357 Performance regression on dromaeo due to generational marking 9358 https://bugs.webkit.org/show_bug.cgi?id=126901 9359 9360 Reviewed by Oliver Hunt. 9361 9362 We were seeing some performance regression with ENABLE_GGC == 0, so this patch 9363 ifdefs out more things to get rid of the additional overhead. 9364 9365 * heap/Heap.cpp: 9366 (JSC::Heap::markRoots): 9367 (JSC::Heap::writeBarrier): 9368 * heap/MarkedBlock.cpp: 9369 (JSC::MarkedBlock::clearMarks): 9370 (JSC::MarkedBlock::clearMarksWithCollectionType): 9371 * heap/MarkedSpace.cpp: 9372 (JSC::MarkedSpace::resetAllocators): 9373 * heap/MarkedSpace.h: 9374 (JSC::MarkedSpace::didAllocateInBlock): 9375 * heap/SlotVisitorInlines.h: 9376 (JSC::SlotVisitor::internalAppend): 9377 (JSC::SlotVisitor::reportExtraMemoryUsage): 9378 93792014-01-13 Brian Burg <bburg@apple.com> 9380 9381 Web Inspector: protocol generator should support integer-typed declarations 9382 https://bugs.webkit.org/show_bug.cgi?id=126828 9383 9384 Reviewed by Joseph Pecoraro. 9385 9386 Add new binding classes for parameter/ad-hoc and normal integer type declarations. 
9387 9388 * inspector/scripts/CodeGeneratorInspector.py: 9389 (TypeBindings.create_type_declaration_): 9390 (TypeBindings.create_type_declaration_.PlainInteger): 9391 (TypeBindings.create_type_declaration_.PlainInteger.resolve_inner): 9392 (TypeBindings.create_type_declaration_.PlainInteger.request_user_runtime_cast): 9393 (TypeBindings.create_type_declaration_.PlainInteger.request_internal_runtime_cast): 9394 (TypeBindings.create_type_declaration_.PlainInteger.get_code_generator): 9395 (TypeBindings.create_type_declaration_.PlainInteger.get_validator_call_text): 9396 (TypeBindings.create_type_declaration_.PlainInteger.reduce_to_raw_type): 9397 (TypeBindings.create_type_declaration_.PlainInteger.get_type_model): 9398 (TypeBindings.create_type_declaration_.PlainInteger.get_setter_value_expression_pattern): 9399 (TypeBindings.create_type_declaration_.PlainInteger.get_array_item_c_type_text): 9400 (TypeBindings.create_type_declaration_.TypedefInteger): 9401 (TypeBindings.create_type_declaration_.TypedefInteger.resolve_inner): 9402 (TypeBindings.create_type_declaration_.TypedefInteger.request_user_runtime_cast): 9403 (TypeBindings.create_type_declaration_.TypedefInteger.request_internal_runtime_cast): 9404 (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator): 9405 (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator): 9406 (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator.generate_type_builder): 9407 (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator.generate_type_builder.int): 9408 (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator.register_use): 9409 (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator.get_generate_pass_id): 9410 (TypeBindings.create_type_declaration_.TypedefInteger.get_validator_call_text): 9411 
(TypeBindings.create_type_declaration_.TypedefInteger.reduce_to_raw_type): 9412 (TypeBindings.create_type_declaration_.TypedefInteger.get_type_model): 9413 (TypeBindings.create_type_declaration_.TypedefInteger.get_setter_value_expression_pattern): 9414 (TypeBindings.create_type_declaration_.TypedefInteger.get_array_item_c_type_text): 9415 94162014-01-13 Zalan Bujtas <zalan@apple.com> 9417 9418 Enable SUBPIXEL_LAYOUT on Mac 9419 <https://webkit.org/b/126283> 9420 9421 Reviewed by Simon Fraser. 9422 9423 * Configurations/FeatureDefines.xcconfig: 9424 94252014-01-13 Zan Dobersek <zdobersek@igalia.com> 9426 9427 Unreviewed. Changes in r161686 are exposing a bug in GCC where the global .cfi_startproc directive 9428 is not inserted early enough into the generated assembler code when building in debug mode, causing 9429 compilation failures on ports using the GCC compilers. To work around the problem, only utilize the 9430 OFFLINE_ASM_* macros that use .cfi_ directives when compiling with Clang. 9431 9432 * llint/LowLevelInterpreter.cpp: 9433 94342014-01-12 Commit Queue <commit-queue@webkit.org> 9435 9436 Unreviewed, rolling out r161840. 9437 http://trac.webkit.org/changeset/161840 9438 https://bugs.webkit.org/show_bug.cgi?id=126870 9439 9440 Caused jsscore and layout test failures (Requested by smfr on 9441 #webkit). 9442 9443 * API/JSValueRef.cpp: 9444 (JSValueMakeFromJSONString): 9445 * bindings/ScriptValue.cpp: 9446 (Deprecated::jsToInspectorValue): 9447 * inspector/InspectorValues.cpp: 9448 * runtime/DatePrototype.cpp: 9449 (JSC::formatLocaleDate): 9450 * runtime/Identifier.h: 9451 (JSC::Identifier::characters): 9452 * runtime/JSStringBuilder.h: 9453 (JSC::JSStringBuilder::append): 9454 94552014-01-12 Darin Adler <darin@apple.com> 9456 9457 Add deprecatedCharacters as a synonym for characters and convert most call sites 9458 https://bugs.webkit.org/show_bug.cgi?id=126858 9459 9460 Reviewed by Anders Carlsson. 
9461 9462 * API/JSStringRef.cpp: 9463 (JSStringGetCharactersPtr): 9464 (JSStringGetUTF8CString): 9465 (JSStringIsEqual): 9466 * API/JSStringRefCF.cpp: 9467 (JSStringCopyCFString): 9468 * API/OpaqueJSString.h: 9469 (OpaqueJSString::characters): 9470 (OpaqueJSString::deprecatedCharacters): 9471 (OpaqueJSString::length): 9472 (OpaqueJSString::OpaqueJSString): 9473 * inspector/InspectorValues.cpp: 9474 (Inspector::InspectorValue::parseJSON): 9475 * runtime/JSGlobalObjectFunctions.cpp: 9476 (JSC::parseInt): 9477 * runtime/StringPrototype.cpp: 9478 (JSC::localeCompare): 9479 (JSC::stringProtoFuncFontsize): 9480 (JSC::stringProtoFuncLink): 9481 Use deprecatedCharacters instead of characters. 9482 94832014-01-12 Darin Adler <darin@apple.com> 9484 9485 Reduce use of String::characters 9486 https://bugs.webkit.org/show_bug.cgi?id=126854 9487 9488 Reviewed by Sam Weinig. 9489 9490 * API/JSValueRef.cpp: 9491 (JSValueMakeFromJSONString): Use characters16 instead of characters for 16-bit case. 9492 Had to remove length check because an empty string could be either 8 bit or 16 bit. 9493 Don't need a null string check before calling is8Bit because JSStringRef can't hold 9494 a null string. 9495 9496 * bindings/ScriptValue.cpp: 9497 (Deprecated::jsToInspectorValue): Use the existing string here instead of creating 9498 a new one by calling characters and length on the old string. I think this may be 9499 left over from when string types were not the same in JavaScriptCore and WebCore. 9500 Also rewrite the property names loop to use modern for syntax and fewer locals. 9501 9502 * inspector/InspectorValues.cpp: 9503 (Inspector::escapeChar): Changed to use appendLiteral instead of hard-coding string 9504 lengths. Moved handling of "<" and ">" in here instead of at the call site. 9505 (Inspector::doubleQuoteString): Simplify the code so there is no use of characters 9506 and length. This is still an inefficient way of doing this job and could use a rethink. 
9507 9508 * runtime/DatePrototype.cpp: 9509 (JSC::formatLocaleDate): Use RetainPtr, createCFString, and the conversion from 9510 CFStringRef to WTF::String to remove a lot of unneeded code. 9511 9512 * runtime/Identifier.h: Removed unneeded Identifier::characters function. 9513 9514 * runtime/JSStringBuilder.h: 9515 (JSC::JSStringBuilder::append): Use characters16 instead of characters function here, 9516 since we have already checked is8Bit above. 9517 95182014-01-12 Andy Estes <aestes@apple.com> 9519 9520 [iOS] Enable the JSC Objective-C API 9521 9522 Rubber-stamped by Simon Fraser. 9523 9524 * API/JSBase.h: 9525 95262014-01-12 Carlos Garcia Campos <cgarcia@igalia.com> 9527 9528 Unreviewed. Fix make distcheck. 9529 9530 * GNUmakefile.am: Add inline-and-minify-stylesheets-and-scripts.py 9531 to EXTRA_DIST and fix InjectedScriptSource.h generation rule. 9532 * GNUmakefile.list.am: Move InjectedScriptSource.h to 9533 built_nosources to make sure it's not disted. 9534 95352014-01-11 Anders Carlsson <andersca@apple.com> 9536 9537 Try again to fix the build. 9538 9539 * inspector/InspectorAgentRegistry.cpp: 9540 * inspector/InspectorAgentRegistry.h: 9541 95422014-01-11 Anders Carlsson <andersca@apple.com> 9543 9544 Try to prevent the Vector copy constructor from being instantiated. 9545 9546 * inspector/InspectorAgentRegistry.cpp: 9547 (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): 9548 * inspector/InspectorAgentRegistry.h: 9549 95502014-01-11 Anders Carlsson <andersca@apple.com> 9551 9552 Try something else. 9553 9554 * inspector/InspectorAgentRegistry.cpp: 9555 (Inspector::InspectorAgentRegistry::~InspectorAgentRegistry): 9556 * inspector/InspectorAgentRegistry.h: 9557 95582014-01-11 Dean Jackson <dino@apple.com> 9559 9560 [JSC] Revise typed array implementations to match ECMAScript and WebGL Specification 9561 https://bugs.webkit.org/show_bug.cgi?id=126754 9562 9563 Reviewed by Filip Pizlo. 
9564 9565 The ECMAScript specification forbids calling the typed array 9566 constructors without using "new". Change the call data to return 9567 none so we throw and exception in these cases. 9568 9569 * runtime/JSGenericTypedArrayViewConstructorInlines.h: 9570 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): 9571 95722014-01-11 Anders Carlsson <andersca@apple.com> 9573 9574 Try to fix the build by introducing a constructor. 9575 9576 * inspector/InspectorAgentRegistry.cpp: 9577 (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): 9578 * inspector/InspectorAgentRegistry.h: 9579 95802014-01-11 Anders Carlsson <andersca@apple.com> 9581 9582 * inspector/InspectorAgentRegistry.h: 9583 9584 Remove an unused function. 9585 95862014-01-11 Anders Carlsson <andersca@apple.com> 9587 9588 InspectorAgentRegistry should use std::unique_ptr 9589 https://bugs.webkit.org/show_bug.cgi?id=126826 9590 9591 Reviewed by Sam Weinig. 9592 9593 * inspector/InspectorAgentRegistry.cpp: 9594 (Inspector::InspectorAgentRegistry::append): 9595 * inspector/InspectorAgentRegistry.h: 9596 * inspector/JSGlobalObjectInspectorController.cpp: 9597 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): 9598 * inspector/agents/InspectorAgent.h: 9599 96002014-01-10 Joseph Pecoraro <pecoraro@apple.com> 9601 9602 Web Inspector: Push InspectorAgent down into JSC, give JSC an InspectorController 9603 https://bugs.webkit.org/show_bug.cgi?id=126763 9604 9605 Reviewed by Timothy Hatcher. 9606 9607 Introduce JSGlobalObjectInspectorController. This is the InspectorController 9608 for a JSContext. It is created by the JSGlobalObject Remote Inspector Debuggable 9609 when a remote frontend connects, and is destroyed when the remote frontend 9610 disconnects of the JSGlobalObject is destroyed. 9611 9612 * inspector/JSGlobalObjectInspectorController.h: Added. 9613 * inspector/JSGlobalObjectInspectorController.cpp: Added. 
9614 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): 9615 (Inspector::JSGlobalObjectInspectorController::~JSGlobalObjectInspectorController): 9616 (Inspector::JSGlobalObjectInspectorController::connectFrontend): 9617 (Inspector::JSGlobalObjectInspectorController::disconnectFrontend): 9618 (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend): 9619 (Inspector::JSGlobalObjectInspectorController::functionCallHandler): 9620 (Inspector::JSGlobalObjectInspectorController::evaluateHandler): 9621 Create/destory agents, create/destroy dispatches, implement InspectorEnvironment. 9622 9623 * runtime/JSGlobalObjectDebuggable.h: 9624 * runtime/JSGlobalObjectDebuggable.cpp: 9625 (JSC::JSGlobalObjectDebuggable::~JSGlobalObjectDebuggable): 9626 (JSC::JSGlobalObjectDebuggable::connect): 9627 (JSC::JSGlobalObjectDebuggable::disconnect): 9628 (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend): 9629 Forward actions to the InspectorController object. 9630 9631 * inspector/agents/InspectorAgent.h: Renamed from Source/WebCore/inspector/InspectorAgent.h. 9632 * inspector/agents/InspectorAgent.cpp: Renamed from Source/WebCore/inspector/InspectorAgent.cpp. 9633 (Inspector::InspectorAgent::InspectorAgent): 9634 (Inspector::InspectorAgent::~InspectorAgent): 9635 (Inspector::InspectorAgent::didCreateFrontendAndBackend): 9636 (Inspector::InspectorAgent::inspect): 9637 (Inspector::InspectorAgent::evaluateForTestInFrontend): 9638 Implement InspectorAgent in JavaScriptCore in namespace Inspector. 9639 9640 * JavaScriptCore.xcodeproj/project.pbxproj: 9641 * CMakeLists.txt: 9642 * ChangeLog: 9643 * GNUmakefile.am: 9644 * GNUmakefile.list.am: 9645 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 9646 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 9647 * JavaScriptCore.vcxproj/copy-files.cmd: 9648 Add files and new inspector/agents subdirectory. 
9649 96502014-01-10 Commit Queue <commit-queue@webkit.org> 9651 9652 Unreviewed, rolling out r161702. 9653 http://trac.webkit.org/changeset/161702 9654 https://bugs.webkit.org/show_bug.cgi?id=126803 9655 9656 Broke multiple tests (Requested by ap on #webkit). 9657 9658 * runtime/JSGenericTypedArrayViewConstructorInlines.h: 9659 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): 9660 96612014-01-10 David Kilzer <ddkilzer@apple.com> 9662 9663 Clean up architectures in xcconfig files 9664 <http://webkit.org/b/126794> 9665 9666 Reviewed by Andy Estes. 9667 9668 * Configurations/Base.xcconfig: 9669 * Configurations/JavaScriptCore.xcconfig: Remove armv6, ppc. 9670 * Configurations/ToolExecutable.xcconfig: Sort. 9671 - Add new arch. 9672 96732014-01-10 Dean Jackson <dino@apple.com> 9674 9675 [JSC] Revise typed array implementations to match ECMAScript and WebGL Specification 9676 https://bugs.webkit.org/show_bug.cgi?id=126754 9677 9678 Reviewed by Filip Pizlo. 9679 9680 The ECMAScript specification forbids calling the typed array 9681 constructors without using "new". Change the call data to return 9682 none so we throw and exception in these cases. 9683 9684 * runtime/JSGenericTypedArrayViewConstructorInlines.h: 9685 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): 9686 96872014-01-10 Benjamin Poulain <bpoulain@apple.com> 9688 9689 Remove the BlackBerry port from trunk 9690 https://bugs.webkit.org/show_bug.cgi?id=126715 9691 9692 Reviewed by Anders Carlsson. 
9693 9694 * assembler/ARMAssembler.h: 9695 (JSC::ARMAssembler::cacheFlush): 9696 * assembler/ARMv7Assembler.h: 9697 (JSC::ARMv7Assembler::replaceWithJump): 9698 (JSC::ARMv7Assembler::maxJumpReplacementSize): 9699 (JSC::ARMv7Assembler::cacheFlush): 9700 * assembler/MacroAssemblerARMv7.h: 9701 (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch): 9702 * heap/MachineStackMarker.cpp: 9703 (JSC::getPlatformThreadRegisters): 9704 (JSC::otherThreadStackPointer): 9705 (JSC::freePlatformThreadRegisters): 9706 * jit/ExecutableAllocator.h: 9707 97082014-01-10 Joseph Pecoraro <pecoraro@apple.com> 9709 9710 Web Inspector: Remove unimplemented or static ScriptDebugServer features 9711 https://bugs.webkit.org/show_bug.cgi?id=126784 9712 9713 Reviewed by Timothy Hatcher. 9714 9715 * inspector/protocol/Debugger.json: 9716 97172014-01-10 Michael Saboff <msaboff@apple.com> 9718 9719 REGRESSION(C stack work): stack traces no longer work in CrashTracer, lldb, and other tools 9720 https://bugs.webkit.org/show_bug.cgi?id=126764 9721 9722 Reviewed by Geoffrey Garen. 9723 9724 Updated callToJavaScript and cllToNativeFunction to properly replicate the caller's 9725 return PC and frame pointer in the sentinel frame. For X86-64, added .cfi_ 9726 directives to create eh_frame info for all LLInt symbols so that the various 9727 unwinding code understands that we are using a separate JS stack referenced 9728 by BP and at what offsets in that frame the prior PC (register 16) and prior 9729 BP (register 6) can be found. These two changes are sufficient for stack tracing 9730 to work for Mac OSX. 9731 9732 * llint/LowLevelInterpreter.cpp: 9733 * llint/LowLevelInterpreter64.asm: 9734 97352014-01-10 Tamas Gergely <tgergely.u-szeged@partner.samsung.com> 9736 9737 [EFL][JSC] Enable udis86 disassembler on efl. 9738 https://bugs.webkit.org/show_bug.cgi?id=125502 9739 9740 Reviewed by Michael Saboff. 9741 9742 Enable udis86 disassembler on efl and fix build warnings. 
9743 9744 * CMakeLists.txt: 9745 Add udis86 disassembler source files. 9746 * disassembler/udis86/udis86_decode.c: 9747 (decode_modrm_rm): 9748 Build warning fixes. 9749 * disassembler/udis86/udis86_syn-att.c: 9750 (gen_operand): 9751 Build warning fixes. 9752 * disassembler/udis86/udis86_syn-intel.c: 9753 (gen_operand): 9754 Build warning fixes. 9755 * disassembler/udis86/udis86_types.h: 9756 Correct FMT64 for uint64_t. 9757 97582014-01-09 Benjamin Poulain <bpoulain@apple.com> 9759 9760 Remove the BlackBerry files outside WebCore 9761 https://bugs.webkit.org/show_bug.cgi?id=126715 9762 9763 Reviewed by Anders Carlsson. 9764 9765 * PlatformBlackBerry.cmake: Removed. 9766 * runtime/GCActivityCallbackBlackBerry.cpp: Removed. 9767 * shell/PlatformBlackBerry.cmake: Removed. 9768 97692014-01-10 Geoffrey Garen <ggaren@apple.com> 9770 9771 Removed Blackberry #ifdefs and platform code from JavaScriptCore 9772 https://bugs.webkit.org/show_bug.cgi?id=126757 9773 9774 Reviewed by Sam Weinig. 9775 9776 * PlatformBlackBerry.cmake: Removed. 9777 * heap/HeapTimer.cpp: 9778 * heap/HeapTimer.h: 9779 * heap/IncrementalSweeper.cpp: 9780 * heap/IncrementalSweeper.h: 9781 * jsc.cpp: 9782 (main): 9783 * runtime/GCActivityCallbackBlackBerry.cpp: Removed. 9784 * runtime/MemoryStatistics.cpp: 9785 (JSC::globalMemoryStatistics): 9786 97872014-01-07 Mark Hahnenberg <mhahnenberg@apple.com> 9788 9789 Marking should be generational 9790 https://bugs.webkit.org/show_bug.cgi?id=126552 9791 9792 Reviewed by Geoffrey Garen. 9793 9794 Re-marking the same objects over and over is a waste of effort. This patch implements 9795 the sticky mark bit algorithm (along with our already-present write barriers) to reduce 9796 overhead during garbage collection caused by rescanning objects. 9797 9798 There are now two collection modes, EdenCollection and FullCollection. EdenCollections 9799 only visit new objects or objects that were added to the remembered set by a write barrier. 
9800 FullCollections are normal collections that visit all objects regardless of their 9801 generation. 9802 9803 In this patch EdenCollections do not do anything in CopiedSpace. This will be fixed in 9804 https://bugs.webkit.org/show_bug.cgi?id=126555. 9805 9806 * bytecode/CodeBlock.cpp: 9807 (JSC::CodeBlock::visitAggregate): 9808 * bytecode/CodeBlock.h: 9809 (JSC::CodeBlockSet::mark): 9810 * dfg/DFGOperations.cpp: 9811 * heap/CodeBlockSet.cpp: 9812 (JSC::CodeBlockSet::add): 9813 (JSC::CodeBlockSet::traceMarked): 9814 (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): 9815 * heap/CodeBlockSet.h: 9816 * heap/CopiedBlockInlines.h: 9817 (JSC::CopiedBlock::reportLiveBytes): 9818 * heap/CopiedSpace.cpp: 9819 (JSC::CopiedSpace::didStartFullCollection): 9820 * heap/CopiedSpace.h: 9821 (JSC::CopiedSpace::heap): 9822 * heap/Heap.cpp: 9823 (JSC::Heap::Heap): 9824 (JSC::Heap::didAbandon): 9825 (JSC::Heap::markRoots): 9826 (JSC::Heap::copyBackingStores): 9827 (JSC::Heap::addToRememberedSet): 9828 (JSC::Heap::collectAllGarbage): 9829 (JSC::Heap::collect): 9830 (JSC::Heap::didAllocate): 9831 (JSC::Heap::writeBarrier): 9832 * heap/Heap.h: 9833 (JSC::Heap::isInRememberedSet): 9834 (JSC::Heap::operationInProgress): 9835 (JSC::Heap::shouldCollect): 9836 (JSC::Heap::isCollecting): 9837 (JSC::Heap::isWriteBarrierEnabled): 9838 (JSC::Heap::writeBarrier): 9839 * heap/HeapOperation.h: 9840 * heap/MarkStack.cpp: 9841 (JSC::MarkStackArray::~MarkStackArray): 9842 (JSC::MarkStackArray::clear): 9843 (JSC::MarkStackArray::fillVector): 9844 * heap/MarkStack.h: 9845 * heap/MarkedAllocator.cpp: 9846 (JSC::isListPagedOut): 9847 (JSC::MarkedAllocator::isPagedOut): 9848 (JSC::MarkedAllocator::tryAllocateHelper): 9849 (JSC::MarkedAllocator::addBlock): 9850 (JSC::MarkedAllocator::removeBlock): 9851 (JSC::MarkedAllocator::reset): 9852 * heap/MarkedAllocator.h: 9853 (JSC::MarkedAllocator::MarkedAllocator): 9854 * heap/MarkedBlock.cpp: 9855 (JSC::MarkedBlock::clearMarks): 9856 
(JSC::MarkedBlock::clearRememberedSet): 9857 (JSC::MarkedBlock::clearMarksWithCollectionType): 9858 (JSC::MarkedBlock::lastChanceToFinalize): 9859 * heap/MarkedBlock.h: Changed atomSize to 16 bytes because we have no objects smaller 9860 than 16 bytes. This is also to pay for the additional Bitmap for the remembered set. 9861 (JSC::MarkedBlock::didConsumeEmptyFreeList): 9862 (JSC::MarkedBlock::setRemembered): 9863 (JSC::MarkedBlock::clearRemembered): 9864 (JSC::MarkedBlock::atomicClearRemembered): 9865 (JSC::MarkedBlock::isRemembered): 9866 * heap/MarkedSpace.cpp: 9867 (JSC::MarkedSpace::~MarkedSpace): 9868 (JSC::MarkedSpace::resetAllocators): 9869 (JSC::MarkedSpace::visitWeakSets): 9870 (JSC::MarkedSpace::reapWeakSets): 9871 (JSC::VerifyMarked::operator()): 9872 (JSC::MarkedSpace::clearMarks): 9873 * heap/MarkedSpace.h: 9874 (JSC::ClearMarks::operator()): 9875 (JSC::ClearRememberedSet::operator()): 9876 (JSC::MarkedSpace::didAllocateInBlock): 9877 (JSC::MarkedSpace::clearRememberedSet): 9878 * heap/SlotVisitor.cpp: 9879 (JSC::SlotVisitor::~SlotVisitor): 9880 (JSC::SlotVisitor::clearMarkStack): 9881 * heap/SlotVisitor.h: 9882 (JSC::SlotVisitor::markStack): 9883 (JSC::SlotVisitor::sharedData): 9884 * heap/SlotVisitorInlines.h: 9885 (JSC::SlotVisitor::internalAppend): 9886 (JSC::SlotVisitor::unconditionallyAppend): 9887 (JSC::SlotVisitor::copyLater): 9888 (JSC::SlotVisitor::reportExtraMemoryUsage): 9889 (JSC::SlotVisitor::heap): 9890 * jit/Repatch.cpp: 9891 * runtime/JSGenericTypedArrayViewInlines.h: 9892 (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): 9893 * runtime/JSPropertyNameIterator.h: 9894 (JSC::StructureRareData::setEnumerationCache): 9895 * runtime/JSString.cpp: 9896 (JSC::JSString::visitChildren): 9897 * runtime/StructureRareDataInlines.h: 9898 (JSC::StructureRareData::setPreviousID): 9899 (JSC::StructureRareData::setObjectToStringValue): 9900 * runtime/WeakMapData.cpp: 9901 (JSC::WeakMapData::visitChildren): 9902 99032014-01-09 Joseph Pecoraro 
<pecoraro@apple.com> 9904 9905 Unreviewed Windows build fix for r161563. 9906 9907 Copy all scripts, some may not be .py. 9908 9909 * JavaScriptCore.vcxproj/copy-files.cmd: 9910 99112014-01-09 Filip Pizlo <fpizlo@apple.com> 9912 9913 AI for CreateArguments should pass through non-SpecEmpty input values 9914 https://bugs.webkit.org/show_bug.cgi?id=126709 9915 9916 Reviewed by Mark Hahnenberg. 9917 9918 * dfg/DFGAbstractInterpreterInlines.h: 9919 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 9920 * tests/stress/use-arguments-as-object-pointer.js: Added. 9921 (foo): 9922 99232014-01-09 Mark Hahnenberg <mhahnenberg@apple.com> 9924 9925 Constructors for Objective-C classes do not work properly with instanceof 9926 https://bugs.webkit.org/show_bug.cgi?id=126670 9927 9928 Reviewed by Oliver Hunt. 9929 9930 This bug is due to the fact that the JS constructors created for Objective-C classes via the JSC 9931 API inherit from JSCallbackObject, which overrides hasInstance with its own customHasInstance. 9932 JSCallbackObject::customHasInstance only checks the JSClassRefs for hasInstance callbacks. 9933 If it doesn't find any callbacks, it returns false. 9934 9935 This patch adds a hasInstance callback to constructors created for Objective-C wrapper classes. 9936 9937 * API/JSWrapperMap.mm: 9938 (constructorHasInstance): 9939 (constructorWithCustomBrand): 9940 (allocateConstructorForCustomClass): 9941 * API/tests/testapi.mm: 9942 99432014-01-09 Joseph Pecoraro <pecoraro@apple.com> 9944 9945 Web Inspector: Move InjectedScript classes into JavaScriptCore 9946 https://bugs.webkit.org/show_bug.cgi?id=126598 9947 9948 Reviewed by Timothy Hatcher. 9949 9950 Part 5: Move InjectedScript classes into JavaScriptCore 9951 9952 There are pieces of logic that WebCore wants to hook into in the InjectedScript 9953 execution (e.g. for CommandLineAPIModule and InspectorInstrumentation). Create 9954 hooks for those in a base class called InspectorEnvironment. 
For now, the 9955 InspectorControllers (Page, JSGlobalObject, Worker) will be the InspectorEnvironments 9956 and provide answers to its hooks. 9957 9958 * inspector/InspectorEnvironment.h: Added. 9959 New hooks needed by WebCore in various places. Mostly stubbed in JavaScriptCore. 9960 9961 * inspector/InjectedScript.cpp: Renamed from Source/WebCore/inspector/InjectedScript.cpp. 9962 * inspector/InjectedScript.h: Added. 9963 * inspector/InjectedScriptBase.cpp: Renamed from Source/WebCore/inspector/InjectedScriptBase.cpp. 9964 * inspector/InjectedScriptBase.h: Renamed from Source/WebCore/inspector/InjectedScriptBase.h. 9965 * inspector/InjectedScriptModule.cpp: Renamed from Source/WebCore/inspector/InjectedScriptModule.cpp. 9966 * inspector/InjectedScriptModule.h: Renamed from Source/WebCore/inspector/InjectedScriptModule.h. 9967 Cleanup the style of these files (nullptr, formatting, whitespace, etc). 9968 Use the InspectorEnvironments call/evaluate function for ScriptFunctionCalls and checking access 9969 9970 * inspector/InjectedScriptManager.cpp: Renamed from Source/WebCore/inspector/InjectedScriptManager.cpp. 9971 * inspector/InjectedScriptManager.h: Renamed from Source/WebCore/inspector/InjectedScriptManager.h. 9972 Take an InspectorEnvironment with multiple hooks, instead of a single hook function. 9973 9974 * inspector/InjectedScriptHost.cpp: Added. 9975 * inspector/InjectedScriptHost.h: Added. 9976 * inspector/JSInjectedScriptHost.cpp: Renamed from Source/WebCore/bindings/js/JSInjectedScriptHostCustom.cpp. 9977 * inspector/JSInjectedScriptHost.h: Added. 9978 * inspector/JSInjectedScriptHostPrototype.cpp: Added. 9979 * inspector/JSInjectedScriptHostPrototype.h: Added. 9980 Implementation of InjectedScriptHost which is passed into the script (InjectedScriptSource.js) 9981 that we inject into the page. This is mostly copied from the original autogenerated code, 9982 then simplified and cleaned up. 
        InjectedScriptHost can be subclassed to provide specialized
        implementations of isHTMLAllCollection and type for Web/DOM types unknown to a pure JS context.


        Part 4: Move all inspector scripts into JavaScriptCore and update generators.

        For OS X be sure to export the scripts as if they are private headers.

        * GNUmakefile.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/scripts/cssmin.py: Renamed from Source/WebCore/inspector/Scripts/cssmin.py.
        * inspector/scripts/inline-and-minify-stylesheets-and-scripts.py: Renamed from Source/WebCore/inspector/Scripts/inline-and-minify-stylesheets-and-scripts.py.
        * inspector/scripts/jsmin.py: Renamed from Source/WebCore/inspector/Scripts/jsmin.py.
        * inspector/scripts/xxd.pl: Renamed from Source/WebCore/inspector/xxd.pl.


        Part 3: Update CodeGeneratorInspector to avoid inlining virtual destructors.

        This avoids build errors about duplicate exported virtual inlined methods that
        are included from multiple places. Just put empty destructors in the
        implementation file instead of inlined.

        * inspector/scripts/CodeGeneratorInspector.py:
        (Generator):
        (Generator.go):
        * inspector/scripts/CodeGeneratorInspectorStrings.py:


        Part 2: Move InjectedScriptSource and generation into JavaScriptCore.

        Move InjectedScriptSource.js and derived sources generation.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/InjectedScriptSource.js: Renamed from Source/WebCore/inspector/InjectedScriptSource.js.

2014-01-09  Balazs Kilvady  <kilvadyb@homejinni.com>

        Regression: failing RegExp tests on 32 bit architectures.
        https://bugs.webkit.org/show_bug.cgi?id=126699

        Reviewed by Michael Saboff.

        Fix setRegExpConstructor functions for 32 bit architectures.

        * runtime/RegExpConstructor.cpp:
        (JSC::setRegExpConstructorInput):
        (JSC::setRegExpConstructorMultiline):

2014-01-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161540.
        http://trac.webkit.org/changeset/161540
        https://bugs.webkit.org/show_bug.cgi?id=126704

        Caused assertion failures on multiple tests (Requested by ap
        on #webkit).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlockSet::mark):
        * dfg/DFGOperations.cpp:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::traceMarked):
        * heap/CodeBlockSet.h:
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/CopiedSpace.cpp:
        * heap/CopiedSpace.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::didAbandon):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::didAllocate):
        * heap/Heap.h:
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isCollecting):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC::Heap::writeBarrier):
        * heap/HeapOperation.h:
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::~MarkStackArray):
        * heap/MarkStack.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::isPagedOut):
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::reset):
        * heap/MarkedBlock.cpp:
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::lastChanceToFinalize):
        (JSC::MarkedBlock::didConsumeEmptyFreeList):
        (JSC::MarkedBlock::clearMarks):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::~MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::visitWeakSets):
        (JSC::MarkedSpace::reapWeakSets):
        * heap/MarkedSpace.h:
        (JSC::ClearMarks::operator()):
        (JSC::MarkedSpace::clearMarks):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::~SlotVisitor):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::sharedData):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        (JSC::SlotVisitor::copyLater):
        (JSC::SlotVisitor::reportExtraMemoryUsage):
        * jit/Repatch.cpp:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::StructureRareData::setEnumerationCache):
        * runtime/JSString.cpp:
        (JSC::JSString::visitChildren):
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::setObjectToStringValue):
        * runtime/WeakMapData.cpp:
        (JSC::WeakMapData::visitChildren):

2014-01-09  Andreas Kling  <akling@apple.com>

        Shrink WatchpointSet.
        <https://webkit.org/b/126694>

        Reorder the members of WatchpointSet, shrinking it by 8 bytes.
        767 kB progression on Membuster3.

        Reviewed by Antti Koivisto.

        * bytecode/Watchpoint.h:

2014-01-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Reverting accidental GC logging

        * heap/Heap.cpp:

2014-01-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Marking should be generational
        https://bugs.webkit.org/show_bug.cgi?id=126552

        Reviewed by Geoffrey Garen.

        Re-marking the same objects over and over is a waste of effort.
        This patch implements
        the sticky mark bit algorithm (along with our already-present write barriers) to reduce
        overhead during garbage collection caused by rescanning objects.

        There are now two collection modes, EdenCollection and FullCollection. EdenCollections
        only visit new objects or objects that were added to the remembered set by a write barrier.
        FullCollections are normal collections that visit all objects regardless of their
        generation.

        In this patch EdenCollections do not do anything in CopiedSpace. This will be fixed in
        https://bugs.webkit.org/show_bug.cgi?id=126555.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlockSet::mark):
        * dfg/DFGOperations.cpp:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::traceMarked):
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        * heap/CodeBlockSet.h:
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::didStartFullCollection):
        * heap/CopiedSpace.h:
        (JSC::CopiedSpace::heap):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::didAbandon):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::didAllocate):
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::isInRememberedSet):
        (JSC::Heap::operationInProgress):
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isCollecting):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC::Heap::writeBarrier):
        * heap/HeapOperation.h:
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::~MarkStackArray):
        (JSC::MarkStackArray::clear):
        (JSC::MarkStackArray::fillVector):
        * heap/MarkStack.h:
        * heap/MarkedAllocator.cpp:
        (JSC::isListPagedOut):
        (JSC::MarkedAllocator::isPagedOut):
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        (JSC::MarkedAllocator::reset):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::MarkedAllocator):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::clearMarks):
        (JSC::MarkedBlock::clearRememberedSet):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        (JSC::MarkedBlock::lastChanceToFinalize):
        * heap/MarkedBlock.h: Changed atomSize to 16 bytes because we have no objects smaller
        than 16 bytes. This is also to pay for the additional Bitmap for the remembered set.
        (JSC::MarkedBlock::didConsumeEmptyFreeList):
        (JSC::MarkedBlock::setRemembered):
        (JSC::MarkedBlock::clearRemembered):
        (JSC::MarkedBlock::atomicClearRemembered):
        (JSC::MarkedBlock::isRemembered):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::~MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::visitWeakSets):
        (JSC::MarkedSpace::reapWeakSets):
        (JSC::VerifyMarked::operator()):
        (JSC::MarkedSpace::clearMarks):
        * heap/MarkedSpace.h:
        (JSC::ClearMarks::operator()):
        (JSC::ClearRememberedSet::operator()):
        (JSC::MarkedSpace::didAllocateInBlock):
        (JSC::MarkedSpace::clearRememberedSet):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::~SlotVisitor):
        (JSC::SlotVisitor::clearMarkStack):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::markStack):
        (JSC::SlotVisitor::sharedData):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        (JSC::SlotVisitor::unconditionallyAppend):
        (JSC::SlotVisitor::copyLater):
        (JSC::SlotVisitor::reportExtraMemoryUsage):
        (JSC::SlotVisitor::heap):
        * jit/Repatch.cpp:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::StructureRareData::setEnumerationCache):
        * runtime/JSString.cpp:
        (JSC::JSString::visitChildren):
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::setObjectToStringValue):
        * runtime/WeakMapData.cpp:
        (JSC::WeakMapData::visitChildren):

2014-01-08  Sam Weinig  <sam@webkit.org>

        [JS] Should be able to create a promise by calling the Promise constructor as a function
        https://bugs.webkit.org/show_bug.cgi?id=126561

        Reviewed by Geoffrey Garen.

        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getCallData):
        Add support for calling the Promise constructor as a function (e.g. var p = Promise(...), note
        the missing "new").

2014-01-08  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [EFL] Make FTL buildable
        https://bugs.webkit.org/show_bug.cgi?id=125777

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:
        * ftl/FTLOSREntry.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        * llvm/library/config_llvm.h:

2014-01-08  Zan Dobersek  <zdobersek@igalia.com>

        [Automake] Scripts for generated build targets do not necessarily produce their output
        https://bugs.webkit.org/show_bug.cgi?id=126378

        Reviewed by Carlos Garcia Campos.

        * GNUmakefile.am: Touch the build targets that are generated through helper scripts that don't
        assure the output is generated every time the script is invoked, most commonly due to unchanged
        input. This assures the build targets are up-to-date and can't be older than their dependencies,
        which would result in constant regeneration at every build.
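The sticky mark bit scheme described in the "Marking should be generational" entry above (bug 126552), as an added example that is not JavaScriptCore code: a toy mark-sweep heap in which marks survive EdenCollections, a write barrier records old objects that gain new children in a remembered set, and an EdenCollection rescans only the roots and the remembered objects. Every name in it (ToyHeap, Cell, storeChild, collect, the scenario functions) is an assumption of this example, not a JSC identifier. The second scenario deliberately skips the barrier to show the failure mode a missing barrier produces: a still-referenced young object is reclaimed, leaving a dangling pointer in the old object.

```cpp
// Added example, not JavaScriptCore code: a toy generational mark-sweep heap with
// sticky mark bits, a remembered set and a write barrier. All names are assumed.
#include <cassert>
#include <cstddef>
#include <memory>
#include <vector>

enum class CollectionType { Eden, Full };

struct Cell {
    bool marked = false;          // sticky: survives EdenCollections, cleared only by a FullCollection
    bool remembered = false;      // set by the write barrier, consumed by the next EdenCollection
    std::vector<Cell*> children;  // outgoing references
};

class ToyHeap {
public:
    Cell* allocate()
    {
        m_cells.push_back(std::make_unique<Cell>());
        return m_cells.back().get();
    }
    void addRoot(Cell* cell) { m_roots.push_back(cell); }
    void clearRoots() { m_roots.clear(); }

    // Store owner -> child. The barrier records an already-marked (old) owner so the
    // next EdenCollection rescans its fields. fireBarrier=false models a store site
    // that forgot the barrier.
    void storeChild(Cell* owner, Cell* child, bool fireBarrier = true)
    {
        owner->children.push_back(child);
        if (fireBarrier && owner->marked && !owner->remembered) {
            owner->remembered = true;
            m_rememberedSet.push_back(owner);
        }
    }

    // Mark from the roots, then sweep. Returns the number of cells freed.
    size_t collect(CollectionType type)
    {
        std::vector<Cell*> markStack(m_roots.begin(), m_roots.end());
        if (type == CollectionType::Full) {
            // FullCollection: clear every mark; all reachable objects get revisited.
            for (auto& cell : m_cells)
                cell->marked = false;
        } else {
            // EdenCollection: existing marks are trusted, so old objects are only
            // re-examined through the remembered set.
            for (Cell* owner : m_rememberedSet)
                for (Cell* child : owner->children)
                    markStack.push_back(child);
        }
        for (Cell* owner : m_rememberedSet)
            owner->remembered = false;
        m_rememberedSet.clear();

        while (!markStack.empty()) {
            Cell* cell = markStack.back();
            markStack.pop_back();
            if (cell->marked)
                continue; // already visited, or old and trusted in Eden mode
            cell->marked = true;
            for (Cell* child : cell->children)
                markStack.push_back(child);
        }

        size_t freed = 0;
        std::vector<std::unique_ptr<Cell>> survivors;
        for (auto& cell : m_cells) {
            if (cell->marked)
                survivors.push_back(std::move(cell));
            else
                ++freed;
        }
        m_cells = std::move(survivors);
        return freed;
    }

    // Address comparison only; never dereferences the candidate.
    bool isLive(const Cell* candidate) const
    {
        for (const auto& cell : m_cells)
            if (cell.get() == candidate)
                return true;
        return false;
    }

private:
    std::vector<std::unique_ptr<Cell>> m_cells;
    std::vector<Cell*> m_roots;
    std::vector<Cell*> m_rememberedSet;
};

// An old (marked) object gains a young child with the barrier fired: the
// EdenCollection rescans the remembered owner and the child survives.
bool youngChildSurvivesWithBarrier()
{
    ToyHeap heap;
    Cell* old = heap.allocate();
    heap.addRoot(old);
    heap.collect(CollectionType::Full); // old is now marked, and stays marked
    Cell* young = heap.allocate();
    heap.storeChild(old, young);
    return heap.collect(CollectionType::Eden) == 0 && heap.isLive(young);
}

// Same store without the barrier: the EdenCollection never looks inside the old
// object, so the young child is freed while old->children still points at it.
bool youngChildFreedWithoutBarrier()
{
    ToyHeap heap;
    Cell* old = heap.allocate();
    heap.addRoot(old);
    heap.collect(CollectionType::Full);
    Cell* young = heap.allocate();
    heap.storeChild(old, young, /* fireBarrier */ false);
    return heap.collect(CollectionType::Eden) == 1 && !heap.isLive(young);
}

// Sticky marks: an old object that became unreachable is reclaimed only once a
// FullCollection clears the marks; an EdenCollection leaves it alone.
size_t oldGarbageFreedBy(CollectionType type)
{
    ToyHeap heap;
    Cell* old = heap.allocate();
    heap.addRoot(old);
    heap.collect(CollectionType::Full);
    heap.clearRoots();
    return heap.collect(type);
}
```

The two barrier scenarios are the point: with sticky marks, an EdenCollection has no way to discover a new edge out of an old object unless the mutator reports it, so every store of a pointer into an already-marked object must fire the barrier, exactly the invariant the later LLInt and CopiedSpace write-barrier entries on this page are enforcing.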
2014-01-07  Filip Pizlo  <fpizlo@apple.com>

        DFG fixup phase should be responsible for inserting ValueToInt32's as needed and it should use Phantom to keep the original values alive in case of OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=126600

        Reviewed by Michael Saboff.

        This fixes an embarrassing OSR exit liveness bug. It also simplifies the code. We were
        already using FixupPhase as the place where conversion nodes get inserted. ValueToInt32
        was the only exception to that rule, and that was one of the reasons why we had this bug.

        Henceforth ValueToInt32 is only inserted by FixupPhase, and only when it is necessary:
        we have a BitOp that will want a ToInt32 conversion and the operand is not predicted to
        already be an int32. If FixupPhase inserts any ValueToInt32's then the BitOp will no
        longer appear to use the original operand, which will make OSR exit think that the
        original operand is dead. We work around this the way we always do: insert a Phantom on
        the original operands right after the BitOp. This ensures that any OSR exit in any of the
        ValueToInt32's or in the BitOp itself will have values for the original inputs.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::fixBinaryIntEdges):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * tests/stress/bit-op-value-to-int32-input-liveness.js: Added.
        (foo):

2014-01-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Repatch write barrier slow path call doesn't align the stack in the presence of saved registers
        https://bugs.webkit.org/show_bug.cgi?id=126093

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp: Reworked the stack alignment code for calling out to C code on the write barrier slow path.
        We need to properly account for the number of reused registers that were saved to the stack, so we have to
        pass the ScratchRegisterAllocator around.
        (JSC::storeToWriteBarrierBuffer):
        (JSC::writeBarrier):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        * jit/ScratchRegisterAllocator.h: Previously the ScratchRegisterAllocator only knew whether or not it had
        reused registers, but not how many. In order to correctly align the stack for calls to C slow paths for
        the write barriers in inline caches we need to know how the stack is aligned. So now ScratchRegisterAllocator
        tracks how many registers it has reused.
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::allocateScratch):
        (JSC::ScratchRegisterAllocator::didReuseRegisters):
        (JSC::ScratchRegisterAllocator::numberOfReusedRegisters):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        * llint/LowLevelInterpreter64.asm: Random typo fix.

2014-01-07  Mark Lam  <mark.lam@apple.com>

        r161364 caused JSC tests regression on non-DFG builds (e.g. C Loop and Windows).
        https://bugs.webkit.org/show_bug.cgi?id=126589.

        Reviewed by Filip Pizlo.

        After the removal of ENABLE(VALUE_PROFILER), the LLINT is now expecting the
        relevant opcode operands to point to ValueProfiler data structures and will
        write profiling data into them.
        Hence, we need to allocate these data
        structures even though the profiling data won't be used in non-DFG builds.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2014-01-07  Filip Pizlo  <fpizlo@apple.com>

        ASSERT in compileArithNegate on pdfjs
        https://bugs.webkit.org/show_bug.cgi?id=126584

        Reviewed by Mark Hahnenberg.

        Check negative zero when we should check it, not when we shouldn't check it. :-/

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithNegate):

2014-01-07  Gabor Rapcsanyi  <rgabor@webkit.org>

        pushFinallyContext saves wrong m_labelScopes size
        https://bugs.webkit.org/show_bug.cgi?id=124529

        Remove free label scopes before saving finally context.

        Reviewed by Geoffrey Garen.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushFinallyContext):

2014-01-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap::collect shouldn't be responsible for sweeping
        https://bugs.webkit.org/show_bug.cgi?id=126556

        Reviewed by Geoffrey Garen.

        Sweeping happens at an awkward time during collection due to the fact that destructors can
        cause arbitrary reentry into the VM. This patch separates collecting and sweeping, and delays
        sweeping until after collection has completely finished.

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::collectIfNecessaryOrDefer):
        * heap/Heap.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweep):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2014-01-07  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/126567> Remove the legacy WebKit availability macros

        They're no longer used.

        Reviewed by Ryosuke Niwa.
        * API/WebKitAvailability.h:

2014-01-07  Filip Pizlo  <fpizlo@apple.com>

        SetLocal for a FlushedArguments should not claim that the dataFormat is DataFormatJS
        https://bugs.webkit.org/show_bug.cgi?id=126563

        Reviewed by Gavin Barraclough.

        This was a rookie arguments simplification mistake: the SetLocal needs to record the fact
        that although it set JSValue(), OSR should think it set Arguments. DataFormatArguments
        conveys this, and dataFormatFor(FlushFormat) will do the right thing.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * tests/stress/phantom-arguments-set-local-then-exit-in-same-block.js: Added.
        (foo):

2014-01-06  Filip Pizlo  <fpizlo@apple.com>

        Make the different flavors of integer arithmetic more explicit, and don't rely on (possibly stale) results of the backwards propagator to decide integer arithmetic semantics
        https://bugs.webkit.org/show_bug.cgi?id=125519

        Reviewed by Geoffrey Garen.

        Adds the Arith::Mode enum to arithmetic nodes, which makes it explicit what sorts of
        checks and overflows the node should do. Previously this would be deduced from
        backwards analysis results.

        This also makes "unchecked" variants really mean that you want the int32 wrapped
        result, so ArithIMul is now done in terms of ArithMul(Unchecked). That means that the
        constant folder needs to compute exactly the result implied by ArithMode, instead of
        just folding the double result.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArithMode.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGArithMode.h: Added.
        (JSC::DFG::doesOverflow):
        (JSC::DFG::shouldCheckOverflow):
        (JSC::DFG::shouldCheckNegativeZero):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasArithMode):
        (JSC::DFG::Node::arithMode):
        (JSC::DFG::Node::setArithMode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileAddSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDivMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):

2014-01-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add write barriers to the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=126527

        Reviewed by Filip Pizlo.

        This patch takes a similar approach to how write barriers work in the baseline JIT.
        We execute the write barrier at the beginning of the opcode so we don't have to
        worry about saving and restoring live registers across write barrier slow path calls
        to C code.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2014-01-05  Sam Weinig  <sam@webkit.org>

        [JS] Implement Promise.all()
        https://bugs.webkit.org/show_bug.cgi?id=126510

        Reviewed by Gavin Barraclough.

        Add Promise.all() implementation and factor out performing resolves and rejects
        on deferreds to share a bit of code. Also moves the abruptRejection helper to
        JSPromiseDeferred so it can be used in JSPromiseFunctions.

        * runtime/CommonIdentifiers.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructorFuncCast):
        (JSC::JSPromiseConstructorFuncResolve):
        (JSC::JSPromiseConstructorFuncReject):
        (JSC::JSPromiseConstructorFuncAll):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::updateDeferredFromPotentialThenable):
        (JSC::performDeferredResolve):
        (JSC::performDeferredReject):
        (JSC::abruptRejection):
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseFunctions.cpp:
        (JSC::promiseAllCountdownFunction):
        (JSC::createPromiseAllCountdownFunction):
        * runtime/JSPromiseFunctions.h:
        * runtime/JSPromiseReaction.cpp:
        (JSC::ExecutePromiseReactionMicrotask::run):

2014-01-06  Filip Pizlo  <fpizlo@apple.com>

        Get rid of ENABLE(VALUE_PROFILER). It's on all the time now.

        Rubber stamped by Mark Hahnenberg.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpValueProfiling):
        (JSC::CodeBlock::dumpArrayProfiling):
        (JSC::CodeBlock::dumpRareCaseProfile):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::setNumParameters):
        (JSC::CodeBlock::shrinkToFit):
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/LazyOperandValueProfile.cpp:
        * bytecode/LazyOperandValueProfile.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/ValueProfile.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newArrayProfile):
        (JSC::BytecodeGenerator::newArrayAllocationProfile):
        (JSC::BytecodeGenerator::emitProfiledOpcode):
        * jit/GPRInfo.h:
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::compileBinaryArithOp):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emit_op_div):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitBinaryDoubleOp):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emit_op_div):
        * jit/JITCall.cpp:
        (JSC::JIT::emitPutCallResult):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitPutCallResult):
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
        (JSC::JIT::emitValueProfilingSite):
        (JSC::JIT::emitArrayProfilingSiteForBytecodeIndex):
        (JSC::JIT::emitArrayProfileStoreToHoleSpecialCase):
        (JSC::JIT::emitArrayProfileOutOfBoundsSpecialCase):
        (JSC::arrayProfileSaw):
        (JSC::JIT::chooseArrayMode):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_from_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_from_scope):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        * runtime/CommonSlowPaths.cpp:

2014-01-06  Filip Pizlo  <fpizlo@apple.com>

        LLInt shouldn't check for ENABLE(JIT).

        Rubber stamped by Mark Hahnenberg.

        * llint/LLIntCommon.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:

2014-01-06  Filip Pizlo  <fpizlo@apple.com>

        LLInt shouldn't check for ENABLE(JAVASCRIPT_DEBUGGER).

        Rubber stamped by Mark Hahnenberg.

        * debugger/Debugger.h:
        (JSC::Debugger::Debugger):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:

2014-01-05  Sam Weinig  <sam@webkit.org>

        [JS] Implement Promise.race()
        https://bugs.webkit.org/show_bug.cgi?id=126506

        Reviewed by Oliver Hunt.

        * runtime/CommonIdentifiers.h:
        Add identifier for "cast".

        * runtime/JSPromiseConstructor.cpp:
        (JSC::abruptRejection):
        Helper for the RejectIfAbrupt abstract operation.

        (JSC::JSPromiseConstructorFuncRace):
        Add implementation of Promise.race().

2014-01-05  Martin Robinson  <mrobinson@igalia.com>

        [GTK] [CMake] Ensure that the autotools build and the CMake install the same files
        https://bugs.webkit.org/show_bug.cgi?id=116379

        Reviewed by Gustavo Noronha Silva.

        * PlatformGTK.cmake: Install API headers, gir files, and the pkg-config file.

2014-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use Compiler macros instead of raw "final" and "override"
        https://bugs.webkit.org/show_bug.cgi?id=126490

        Reviewed by Sam Weinig.

        * runtime/JSPromiseReaction.cpp:

2014-01-04  Martin Robinson  <mrobinson@igalia.com>

        [GTK] [CMake] Improve the way we locate gobject-introspection
        https://bugs.webkit.org/show_bug.cgi?id=126452

        Reviewed by Philippe Normand.

        * PlatformGTK.cmake: Use the new introspection variables.

2014-01-04  Zan Dobersek  <zdobersek@igalia.com>

        Explicitly use the std:: nested name specifier when using std::pair, std::make_pair
        https://bugs.webkit.org/show_bug.cgi?id=126439

        Reviewed by Andreas Kling.

        Instead of relying on std::pair and std::make_pair symbols being present in the current scope
        through the pair and make_pair symbols, the std:: specifier should be used explicitly.

        * bytecode/Opcode.cpp:
        (JSC::compareOpcodePairIndices):
        (JSC::OpcodeStats::~OpcodeStats):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeBinaryNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseIfStatement):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::contains):
        (JSC::StructureTransitionTable::get):
        (JSC::StructureTransitionTable::add):

2014-01-03  David Farler  <dfarler@apple.com>

        [super dealloc] missing in Source/JavaScriptCore/API/tests/testapi.mm, fails to build with -Werror,-Wobjc-missing-super-calls
        https://bugs.webkit.org/show_bug.cgi?id=126454

        Reviewed by Geoffrey Garen.

        * API/tests/testapi.mm:
        (-[TextXYZ dealloc]):
        add [super dealloc]
        (-[EvilAllocationObject dealloc]):
        add [super dealloc]

2014-01-02  Carlos Garcia Campos  <cgarcia@igalia.com>

        REGRESSION(r160304): [GTK] Disable libtool fast install
        https://bugs.webkit.org/show_bug.cgi?id=126381

        Reviewed by Martin Robinson.

        Remove -no-fast-install ld flag since fast install is now disabled
        globally.

        * GNUmakefile.am:

2014-01-02  Sam Weinig  <sam@webkit.org>

        Update Promises to the https://github.com/domenic/promises-unwrapping spec
        https://bugs.webkit.org/show_bug.cgi?id=120954

        Reviewed by Filip Pizlo.

        Update Promises to the revised spec. Notable changes:
        - JSPromiseResolver is gone.
        - TaskContext has been renamed Microtask and now has a virtual run() function.
        - Instead of using custom InternalFunction subclasses, JSFunctions are used
          with PrivateName properties for internal slots.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        (JSC::ExecState::promiseConstructorTable):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::queueMicrotask):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::promiseConstructor):
        (JSC::JSGlobalObject::promisePrototype):
        (JSC::JSGlobalObject::promiseStructure):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::create):
        (JSC::JSPromise::JSPromise):
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::visitChildren):
        (JSC::JSPromise::reject):
        (JSC::JSPromise::resolve):
        (JSC::JSPromise::appendResolveReaction):
        (JSC::JSPromise::appendRejectReaction):
        (JSC::triggerPromiseReactions):
        * runtime/JSPromise.h:
        (JSC::JSPromise::status):
        (JSC::JSPromise::result):
        (JSC::JSPromise::constructor):
        * runtime/JSPromiseCallback.cpp: Removed.
        * runtime/JSPromiseCallback.h: Removed.
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::JSPromiseConstructor::getCallData):
        (JSC::JSPromiseConstructorFuncCast):
        (JSC::JSPromiseConstructorFuncResolve):
        (JSC::JSPromiseConstructorFuncReject):
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromiseDeferred.cpp: Added.
        (JSC::JSPromiseDeferred::create):
        (JSC::JSPromiseDeferred::JSPromiseDeferred):
        (JSC::JSPromiseDeferred::finishCreation):
        (JSC::JSPromiseDeferred::visitChildren):
        (JSC::createJSPromiseDeferredFromConstructor):
        (JSC::updateDeferredFromPotentialThenable):
        * runtime/JSPromiseDeferred.h: Added.
        (JSC::JSPromiseDeferred::createStructure):
        (JSC::JSPromiseDeferred::promise):
        (JSC::JSPromiseDeferred::resolve):
        (JSC::JSPromiseDeferred::reject):
        * runtime/JSPromiseFunctions.cpp: Added.
        (JSC::deferredConstructionFunction):
        (JSC::createDeferredConstructionFunction):
        (JSC::identifyFunction):
        (JSC::createIdentifyFunction):
        (JSC::promiseAllCountdownFunction):
        (JSC::createPromiseAllCountdownFunction):
        (JSC::promiseResolutionHandlerFunction):
        (JSC::createPromiseResolutionHandlerFunction):
        (JSC::rejectPromiseFunction):
        (JSC::createRejectPromiseFunction):
        (JSC::resolvePromiseFunction):
        (JSC::createResolvePromiseFunction):
        (JSC::throwerFunction):
        (JSC::createThrowerFunction):
        * runtime/JSPromiseFunctions.h: Added.
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototypeFuncThen):
        (JSC::JSPromisePrototypeFuncCatch):
        * runtime/JSPromiseReaction.cpp: Added.
        (JSC::createExecutePromiseReactionMicroTask):
        (JSC::ExecutePromiseReactionMicroTask::run):
        (JSC::JSPromiseReaction::create):
        (JSC::JSPromiseReaction::JSPromiseReaction):
        (JSC::JSPromiseReaction::finishCreation):
        (JSC::JSPromiseReaction::visitChildren):
        * runtime/JSPromiseReaction.h: Added.
        (JSC::JSPromiseReaction::createStructure):
        (JSC::JSPromiseReaction::deferred):
        (JSC::JSPromiseReaction::handler):
        * runtime/JSPromiseResolver.cpp: Removed.
        * runtime/JSPromiseResolver.h: Removed.
        * runtime/JSPromiseResolverConstructor.cpp: Removed.
        * runtime/JSPromiseResolverConstructor.h: Removed.
        * runtime/JSPromiseResolverPrototype.cpp: Removed.
        * runtime/JSPromiseResolverPrototype.h: Removed.
        * runtime/Microtask.h: Added.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add support for StoreBarrier and friends to the FTL
        https://bugs.webkit.org/show_bug.cgi?id=126040

        Reviewed by Filip Pizlo.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileConditionalStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * heap/Heap.h:
        (JSC::Heap::writeBarrierBuffer):

2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Storing new CopiedSpace memory into a JSObject should fire a write barrier
        https://bugs.webkit.org/show_bug.cgi?id=126025

        Reviewed by Filip Pizlo.

        Technically this is creating a pointer between a (potentially) old generation object and a young
        generation chunk of memory, thus there needs to be a barrier.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * heap/CopyWriteBarrier.h: Added. This class functions similarly to the WriteBarrier class. It
        acts as a proxy for pointers to CopiedSpace. Assignments to the field cause a write barrier to
        fire for the object that is the owner of the CopiedSpace memory. This is to ensure during nursery
        collections that objects with new backing stores are visited, even if they are old generation objects.
        (JSC::CopyWriteBarrier::CopyWriteBarrier):
        (JSC::CopyWriteBarrier::operator!):
        (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*):
        (JSC::CopyWriteBarrier::get):
        (JSC::CopyWriteBarrier::operator*):
        (JSC::CopyWriteBarrier::operator->):
        (JSC::CopyWriteBarrier::set):
        (JSC::CopyWriteBarrier::setWithoutWriteBarrier):
        (JSC::CopyWriteBarrier::clear):
        * heap/Heap.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSCell.h:
        (JSC::JSCell::unvalidatedStructure):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::countElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::butterfly):
        (JSC::JSObject::setStructureAndButterfly):
        (JSC::JSObject::setButterflyWithoutChangingStructure):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):

2013-12-23  Oliver Hunt  <oliver@apple.com>

        Refactor PutPropertySlot to be aware of custom properties
        https://bugs.webkit.org/show_bug.cgi?id=126187

        Reviewed by Antti Koivisto.

        Refactor PutPropertySlot, making the constructor take the thisValue
        used as a target. This results in a wide range of boilerplate changes
        to pass the new parameter.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setCustomProperty):
        (JSC::PutPropertySlot::thisValue):
        (JSC::PutPropertySlot::isCacheable):

2014-01-01  Filip Pizlo  <fpizlo@apple.com>

        Rationalize DFG DCE
        https://bugs.webkit.org/show_bug.cgi?id=125523

        Reviewed by Mark Hahnenberg.

        Adds the ability to DCE more things. It's now the case that if a node is completely
        pure, we clear NodeMustGenerate and the node becomes a DCE candidate.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNodeType.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueAdd):

2014-01-02  Benjamin Poulain  <benjamin@webkit.org>

        Attempt to fix the build of WebCore's code generator on CMake based system
        https://bugs.webkit.org/show_bug.cgi?id=126271

        Reviewed by Sam Weinig.

        * CMakeLists.txt:

2013-12-30  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161157, r161158, r161160, r161161,
        r161163, and r161165.
        http://trac.webkit.org/changeset/161157
        http://trac.webkit.org/changeset/161158
        http://trac.webkit.org/changeset/161160
        http://trac.webkit.org/changeset/161161
        http://trac.webkit.org/changeset/161163
        http://trac.webkit.org/changeset/161165
        https://bugs.webkit.org/show_bug.cgi?id=126332

        Broke WebKit2 on Mountain Lion (Requested by ap on #webkit).

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
        (JSC::BlockAllocator::waitForRelativeTime):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Fix build.

        * heap/BlockAllocator.h:

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in BlockAllocator
        https://bugs.webkit.org/show_bug.cgi?id=126313

        Reviewed by Sam Weinig.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForDuration):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in jsc.cpp
        https://bugs.webkit.org/show_bug.cgi?id=126311

        Reviewed by Sam Weinig.

        * jsc.cpp:
        (timeoutThreadMain):
        (main):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Replace WTF::ThreadingOnce with std::call_once
        https://bugs.webkit.org/show_bug.cgi?id=126215

        Reviewed by Sam Weinig.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):

2013-12-30  Martin Robinson  <mrobinson@igalia.com>

        [CMake] [GTK] Add support for GObject introspection
        https://bugs.webkit.org/show_bug.cgi?id=126162

        Reviewed by Daniel Bates.

        * PlatformGTK.cmake: Add the GIR targets.

2013-12-28  Filip Pizlo  <fpizlo@apple.com>

        Get rid of DFG forward exiting
        https://bugs.webkit.org/show_bug.cgi?id=125531

        Reviewed by Oliver Hunt.

        This finally gets rid of forward exiting. Forward exiting was always a fragile concept
        since it involved the compiler trying to figure out how to "roll forward" the
        execution from some DFG node to the next bytecode index. It was always easy to find
        counterexamples where it broke, and it has always served as an obstacle to adding
        compiler improvements - the latest being http://webkit.org/b/125523, which tried to
        make DCE work for more things.

        This change finishes the work of removing forward exiting. A lot of forward exiting
        was already removed in some other bugs, but SetLocal still did forward exits. SetLocal
        is in many ways the hardest to remove, since the forward exiting of SetLocal also
        implied that any conversion nodes inserted before the SetLocal would then also be
        marked as forward-exiting. Hence SetLocal's forward-exiting made a bunch of other
        things also forward-exiting, and this was always a source of weirdo bugs.

        SetLocal must be able to exit in case it performs a hoisted type speculation. Nodes
        inserted just before SetLocal must also be able to exit - for example type check
        hoisting may insert a CheckStructure, or fixup phase may insert something like
        Int32ToDouble.
        But if any of those nodes tried to backward exit, then this could lead
        to the reexecution of a side-effecting operation, for example:

            a: Call(...)
            b: SetLocal(@a, r1)

        For a long time it seemed like SetLocal *had* to exit forward because of this. But
        this change side-steps the problem by changing the ByteCodeParser to always emit a
        kind of "two-phase commit" for stores to local variables. Now when the ByteCodeParser
        wishes to store to a local, it first emits a MovHint and then enqueues a SetLocal.
        The SetLocal isn't actually emitted until the beginning of the next bytecode
        instruction (with the exception of op_enter and op_ret, which emit theirs immediately
        since it's always safe to reexecute those bytecode instructions and since deferring
        SetLocals would be weird there - op_enter has many SetLocals and op_ret is a set
        followed by a jump in case of inlining, so we'd have to emit the SetLocal "after" the
        jump and that would be awkward). This means that the above IR snippet would look
        something like:

            a: Call(..., bc#42)
            b: MovHint(@a, r1, bc#42)
            c: SetLocal(@a, r1, bc#47)

        Where the SetLocal exits "backwards" but appears at the beginning of the next bytecode
        instruction. This means that by the time we get to that SetLocal, the OSR exit
        analysis already knows that r1 is associated with @a, and it means that the SetLocal
        or anything hoisted above it can exit backwards as normal.

        This change also means that the "forward rewiring" can be killed. Previously, we might
        have inserted a conversion node on SetLocal and then the SetLocal died (i.e. turned
        into a MovHint) and the conversion node either died completely or had its lifetime
        truncated to be less than the actual value's bytecode lifetime. This no longer happens
        since conversion nodes are only inserted at SetLocals.

        More precisely, this change introduces two laws that we were basically already
        following anyway:

        1) A MovHint's child should never be changed except if all other uses of that child
           are also replaced. Specifically, this prohibits insertion of conversion nodes at
           MovHints.

        2) Anytime any child is replaced with something else, and all other uses aren't also
           replaced, we must insert a Phantom use of the original child.

        This is a slight compile-time regression but has no effect on code-gen. It unlocks a
        bunch of optimization opportunities so I think it's worth it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::instructionCount):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArrayifySlowPathGenerator.h:
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::eliminate):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::fixupBlock):
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::constantNumber):
        (JSC::DFG::MinifiedNode::weakConstant):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantom):
        (JSC::DFG::Node::convertToPhantomUnchecked):
        (JSC::DFG::Node::convertToIdentity):
        (JSC::DFG::Node::containsMovHint):
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::typeCheck):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileMovHint):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::typeCheck):
        (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        * ftl/FTLOSRExit.cpp:
        * ftl/FTLOSRExit.h:
        * tests/stress/dead-int32-to-double.js: Added.
        (foo):
        * tests/stress/dead-uint32-to-number.js: Added.
        (foo):

2013-12-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161033 and r161074.
        http://trac.webkit.org/changeset/161033
        http://trac.webkit.org/changeset/161074
        https://bugs.webkit.org/show_bug.cgi?id=126240

        Oliver says that a rollout would be better (Requested by ap on
        #webkit).

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setNewProperty):
        (JSC::PutPropertySlot::isCacheable):

2013-12-25  Filip Pizlo  <fpizlo@apple.com>

        DFG PhantomArguments shouldn't rely on a dead Phi graph
        https://bugs.webkit.org/show_bug.cgi?id=126218

        Reviewed by Oliver Hunt.

        This change dramatically rationalizes our handling of PhantomArguments (i.e.
        speculative elision of arguments object allocation).

        It's now the case that if we decide that we can elide arguments allocation, we just
        turn the arguments-creating node into a PhantomArguments and mark all locals that
        it's stored to as being arguments aliases. Being an arguments alias and being a
        PhantomArguments means basically the same thing: in DFG execution you have the empty
        value, on OSR exit an arguments object is allocated in your place, and all operations
        that use the value now just refer directly to the actual arguments in the call frame
        header (or the arguments we know that we passed to the call, in case of inlining).

        This means that we no longer have arguments simplification creating a dead Phi graph
        that then has to be interpreted by the OSR exit logic. That sort of never made any
        sense.

        This means that PhantomArguments now has a clear story in SSA: basically SSA just
        gets rid of the "locals" but everything else is the same.

        Finally, this means that we can more easily get rid of forward exiting. As I was
        working on the code to get rid of forward exiting, I realized that I'd have to
        carefully preserve the special meanings of MovHint and SetLocal in the case of
        PhantomArguments. It was really bizarre: even the semantics of MovHint were tied to
        our specific treatment of PhantomArguments. After this change this is no longer the
        case.

        One of the really cool things about this change is that arguments reification now
        just becomes a special kind of FlushFormat. This further unifies things: it means
        that a MovHint(PhantomArguments) and a SetLocal(PhantomArguments) both have the same
        meaning, since both of them dictate that the way we recover the local on exit is by
        reifying arguments. Previously, the SetLocal(PhantomArguments) case needed some
        special handling to accomplish this.

        A downside of this approach is that we will now emit code to store the empty value
        into aliased arguments variables, and we will even emit code to load that empty value
        as well. As far as I can tell this doesn't cost anything, since PhantomArguments are
        most profitable in cases where it allows us to simplify control flow and kill the
        arguments locals entirely. Of course, this isn't an issue in SSA form since SSA form
        also eliminates the locals.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::detypeArgumentsReferencingPhantomChild):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forFlushFormat):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::flushFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):

2013-12-23  Oliver Hunt  <oliver@apple.com>

        Refactor PutPropertySlot to be aware of custom properties
        https://bugs.webkit.org/show_bug.cgi?id=126187

        Reviewed by msaboff.

        Refactor PutPropertySlot, making the constructor take the thisValue
        used as a target. This results in a wide range of boilerplate changes
        to pass the new parameter.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setCustomProperty):
        (JSC::PutPropertySlot::thisValue):
        (JSC::PutPropertySlot::isCacheable):

2013-12-23  Benjamin Poulain  <benjamin@webkit.org>

        Add class matching to the Selector Code Generator
        https://bugs.webkit.org/show_bug.cgi?id=126176

        Reviewed by Antti Koivisto and Oliver Hunt.

        Add test and branch based on BaseIndex addressing for x86_64.
        Fast loops are needed to compete with clang on tight loops.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branch64):
        (JSC::MacroAssemblerX86_64::branchPtr):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cmpq_rm):

2013-12-23  Oliver Hunt  <oliver@apple.com>

        Update custom setter implementations to perform type checks
        https://bugs.webkit.org/show_bug.cgi?id=126171

        Reviewed by Daniel Bates.

        Modify the setter function signature to take encoded values
        as we're changing the setter usage everywhere anyway.

        * runtime/Lookup.h:
        (JSC::putEntry):

2013-12-23  Lucas Forschler  <lforschler@apple.com>

        <rdar://problem/15682948> Update copyright strings

        Reviewed by Dan Bernstein.

        * Info.plist:
        * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist:

2013-12-23  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Clean up compiler optimization flags for libWTF, libJSC
        https://bugs.webkit.org/show_bug.cgi?id=126157

        Reviewed by Gustavo Noronha Silva.

        * GNUmakefile.am: Remove the -fstrict-aliasing and -O3 compiler flags for libWTF.la. -O3 gets
        overridden by -O2 that's listed in CXXFLAGS (or -O0 in case of debug builds) and -fstrict-aliasing
        is enabled when -O2 is used (and shouldn't be enabled in debug builds anyway).

2013-12-22  Martin Robinson  <mrobinson@igalia.com>

        [CMake] Fix typo from r160812
        https://bugs.webkit.org/show_bug.cgi?id=126145

        Reviewed by Gustavo Noronha Silva.

        * CMakeLists.txt: Fix typo when detecting the type of library.

2013-12-22  Martin Robinson  <mrobinson@igalia.com>

        [GTK][CMake] libtool-compatible soversion calculation
        https://bugs.webkit.org/show_bug.cgi?id=125511

        Reviewed by Gustavo Noronha Silva.

        * CMakeLists.txt: Use the POPULATE_LIBRARY_VERSION macro and the
        library-specific version information.

2013-12-23  Gustavo Noronha Silva  <gns@gnome.org>

        [GTK] [CMake] Generate pkg-config files
        https://bugs.webkit.org/show_bug.cgi?id=125685

        Reviewed by Martin Robinson.

        * PlatformGTK.cmake: Added. Generate javascriptcoregtk-3.0.pc.

2013-12-22  Benjamin Poulain  <benjamin@webkit.org>

        Create a skeleton for CSS Selector code generation
        https://bugs.webkit.org/show_bug.cgi?id=126044

        Reviewed by Antti Koivisto and Gavin Barraclough.

        * assembler/LinkBuffer.h:
        Add a new owner UID for code compiled for CSS.
        Export the symbols needed to link code from WebCore.

2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clean up DFG write barriers
        https://bugs.webkit.org/show_bug.cgi?id=126047

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Use the register allocator to
        determine which registers need saving instead of saving every single one of them.
        (JSC::DFG::SpeculativeJIT::osrWriteBarrier): We don't need to save live register state
        because the write barriers during OSR execute when there are no live registers. Also we
        don't need to use pushes to pad the stack pointer for pokes on x86; we can just use an add.
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * jit/Repatch.cpp:
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        * runtime/VM.h: Get rid of writeBarrierRegisterBuffer since it's no longer used.

2013-12-20  Balazs Kilvady  <kilvadyb@homejinni.com>

        [MIPS] Missing MacroAssemblerMIPS::branchTest8(ResultCondition, BaseIndex, TrustedImm32)
        https://bugs.webkit.org/show_bug.cgi?id=126062

        Reviewed by Mark Hahnenberg.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchTest8):

2013-12-20  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add missing implementation in MacroAssembler to fix build.
        https://bugs.webkit.org/show_bug.cgi?id=126063

        Reviewed by Mark Hahnenberg.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchTest8):

2013-12-20  Julien Brianceau  <jbriance@cisco.com>

        [arm] Add missing implementation in MacroAssembler to fix CPU(ARM_TRADITIONAL) build.
        https://bugs.webkit.org/show_bug.cgi?id=126064

        Reviewed by Mark Hahnenberg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchTest8):

2013-12-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add InspectorFrontendHost.debuggableType to let the frontend know its backend is JavaScript or Web
        https://bugs.webkit.org/show_bug.cgi?id=126016

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::listingForDebuggable):
        * inspector/remote/RemoteInspectorConstants.h:
        Include a debuggable type identifier in the debuggable listing,
        so the remote frontend can know if it is debugging a Web Page
        or JS Context.

2013-12-19  Benjamin Poulain  <benjamin@webkit.org>

        Add a utility class to simplify generating function calls
        https://bugs.webkit.org/show_bug.cgi?id=125972

        Reviewed by Geoffrey Garen.

        Split branchTest32 in two functions: test32AndSetFlags and branchOnFlags.
        This is done to allow code where the flags are set, multiple operations that
        do not modify the flags occur, then the flags are used.

        This is used for function calls to test the return value while discarding the
        return register.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::test32AndSetFlags):
        (JSC::MacroAssemblerX86Common::branchOnFlags):
        (JSC::MacroAssemblerX86Common::branchTest32):

2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Put write barriers in the right places in the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=125975

        Reviewed by Filip Pizlo.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::emitArrayProfilingSite):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        (JSC::JIT::emitSlow_op_enter):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):
        (JSC::JIT::emitSlow_op_enter):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitPutGlobalProperty):
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::checkMarkWord):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::emitPutGlobalProperty):
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_init_global_const):
        * jit/Repatch.cpp:
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::repatchPutByID):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2013-12-19  Brent Fulgham  <bfulgham@apple.com>

        Implement ArrayBuffer.isView
        https://bugs.webkit.org/show_bug.cgi?id=126004

        Reviewed by Filip Pizlo.

        Test coverage in webgl/1.0.2/resources/webgl_test_files/conformance/typedarrays/array-unit-tests.html

        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation): Add 'isView' to object constructor.
        (JSC::arrayBufferFuncIsView): New method.

2013-12-19  Mark Lam  <mark.lam@apple.com>

        Fix broken C loop LLINT build.
        https://bugs.webkit.org/show_bug.cgi?id=126024.

        Reviewed by Oliver Hunt.

        * runtime/VM.h:

2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        DelayedReleaseScope is in the wrong place
        https://bugs.webkit.org/show_bug.cgi?id=125876

        Reviewed by Geoffrey Garen.

        The DelayedReleaseScope needs to be around the free list sweeping in MarkedAllocator::tryAllocateHelper.
        This location gives us a good safe point between getting ready to allocate (i.e. identifying a non-empty
        free list) and doing the actual allocation (popping the free list).

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::addBlock):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):

2013-12-18  Gustavo Noronha Silva  <gns@gnome.org>

        [GTK][CMake] make libjavascriptcoregtk a public shared library again
        https://bugs.webkit.org/show_bug.cgi?id=125512

        Reviewed by Martin Robinson.

        * CMakeLists.txt: use target type instead of SHARED_CORE to decide whether
        JavaScriptCore is a shared library, since it's always shared for GTK+ regardless
        of SHARED_CORE.

2013-12-18  Benjamin Poulain  <benjamin@webkit.org>

        Add a simple stack abstraction for x86_64
        https://bugs.webkit.org/show_bug.cgi?id=125908

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::addPtrNoFlags):
        Add an explicit abstraction for the "lea" instruction. This is needed
        by the experimental JIT to have add and subtract without changing the flags.

        This is useful for function calls to test the return value, restore the registers,
        then branch on the flags from the return value.

2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        DFG should have a separate StoreBarrier node
        https://bugs.webkit.org/show_bug.cgi?id=125530

        Reviewed by Filip Pizlo.

        This is in preparation for GenGC. We use a separate StoreBarrier node instead of making them implicitly
        part of other nodes so that it's easier to run analyses on them, e.g. for the StoreBarrierElisionPhase.
        They are inserted during the fixup phase. Initially they do not generate any code.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::isKnownNotCell):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberizeForAllocation):
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants): Whenever we insert new nodes that require StoreBarriers,
        we have to add those new StoreBarriers too. It's important to note that AllocatePropertyStorage and
        ReallocatePropertyStorage nodes require their StoreBarriers to come after them since they allocate first,
        which could cause a GC, and then store the resulting buffer into their JSCell, which requires the barrier.
        If we ever require that write barriers occur before stores, we'll have to split these nodes into
        AllocatePropertyStorage + StoreBarrier + PutPropertyStorage.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStoreBarrier):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        (JSC::DFG::SpeculativeJIT::genericWriteBarrier): The fast path write barrier check. It loads the
        byte that contains the mark bit of the object.
        (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): If the fast path check fails we try to store the
        cell in the WriteBarrierBuffer so as to avoid frequently flushing all registers in order to make a C call.
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::osrWriteBarrier): More barebones version of the write barrier to be executed
        during an OSR exit into baseline code. We must do this so that the baseline JIT object and array profiles
        are properly cleared during GC.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGStoreBarrierElisionPhase.cpp: Added. New DFG phase that does block-local elision of redundant
        StoreBarriers. Every time a StoreBarrier on a particular object is executed, a bit is set indicating that
        that object doesn't need any more StoreBarriers.
        (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
        (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Nodes that could cause a GC reset the bits for all of the
        objects known in the current block.
        (JSC::DFG::StoreBarrierElisionPhase::allocatesFreshObject): A node that creates a new object automatically
        sets the bit for that object since if a GC occurred as the result of that object's allocation then that
        object would not need a barrier since it would be guaranteed to be a young generation object until the
        next GC point.
        (JSC::DFG::StoreBarrierElisionPhase::noticeFreshObject):
        (JSC::DFG::StoreBarrierElisionPhase::getBaseOfStore):
        (JSC::DFG::StoreBarrierElisionPhase::shouldBeElided):
        (JSC::DFG::StoreBarrierElisionPhase::elideBarrier):
        (JSC::DFG::StoreBarrierElisionPhase::handleNode):
        (JSC::DFG::StoreBarrierElisionPhase::handleBlock):
        (JSC::DFG::StoreBarrierElisionPhase::run):
        (JSC::DFG::performStoreBarrierElision):
        * dfg/DFGStoreBarrierElisionPhase.h: Added.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::flushWriteBarrierBuffer):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::offsetOfMarks):
        * heap/WriteBarrierBuffer.cpp: Added. The WriteBarrierBuffer buffers a set of JSCells that are awaiting
        a pending WriteBarrier. This buffer is used by the DFG to avoid the overhead of calling out to C repeatedly
        to invoke a write barrier on a single JSCell. Instead the DFG has inline code to fill the WriteBarrier buffer
        until it's full, and then to call out to C to flush it. The WriteBarrierBuffer will also be flushed prior to
        each EdenCollection.
        (JSC::WriteBarrierBuffer::WriteBarrierBuffer):
        (JSC::WriteBarrierBuffer::~WriteBarrierBuffer):
        (JSC::WriteBarrierBuffer::flush):
        (JSC::WriteBarrierBuffer::reset):
        (JSC::WriteBarrierBuffer::add):
        * heap/WriteBarrierBuffer.h: Added.
        (JSC::WriteBarrierBuffer::currentIndexOffset):
        (JSC::WriteBarrierBuffer::capacityOffset):
        (JSC::WriteBarrierBuffer::bufferOffset):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * runtime/VM.h:

2013-12-18  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.am:

2013-12-17  Julien Brianceau  <jbriance@cisco.com>

        Fix armv7 and sh4 builds.
        https://bugs.webkit.org/show_bug.cgi?id=125848

        Reviewed by Csaba Osztrogonác.

        * assembler/ARMv7Assembler.h: Include limits.h for INT_MIN.
        * assembler/SH4Assembler.h: Include limits.h for INT_MIN.

2013-12-16  Oliver Hunt  <oliver@apple.com>

        Avoid indirect function calls for custom getters
        https://bugs.webkit.org/show_bug.cgi?id=125821

        Reviewed by Mark Hahnenberg.

        Rather than invoking a helper function to perform an indirect call
        through a function pointer, just have the JIT call the function directly.

        Unfortunately this only works in JSVALUE64 at the moment as there
        is not an obvious way to pass two EncodedJSValues uniformly over
        the various affected JITs.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryBuildGetByIDList):

2013-12-16  Joseph Pecoraro  <pecoraro@apple.com>

        Fix some whitespace issues in inspector code
        https://bugs.webkit.org/show_bug.cgi?id=125814

        Reviewed by Darin Adler.

        * inspector/protocol/Debugger.json:
        * inspector/protocol/Runtime.json:
        * inspector/scripts/CodeGeneratorInspector.py:
        (Generator.process_command):

2013-12-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add some missing functions to MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=125809

        Reviewed by Oliver Hunt.

        * assembler/AbstractMacroAssembler.h:
        * assembler/AssemblerBuffer.h:
        * assembler/LinkBuffer.cpp:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::andPtr):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::and64):
        (JSC::MacroAssemblerARM64::branchTest8):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchTest8):
        * assembler/X86Assembler.h:

2013-12-16  Brent Fulgham  <bfulgham@apple.com>

        [Win] Remove dead code after conversion to VS2013
        https://bugs.webkit.org/show_bug.cgi?id=125795

        Reviewed by Darin Adler.

        * API/tests/testapi.c: Remove local nan implementation

2013-12-16  Oliver Hunt  <oliver@apple.com>

        Cache getters and custom accessors on the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=125602

        Reviewed by Michael Saboff.

        Support caching of custom getters and accessors on the prototype chain.
        This is relatively trivial and just requires a little work compared to
        the direct access mode as we're under more register pressure.

        * bytecode/StructureStubInfo.h:
        Removed the unused initGetByIdProto as it was confusing to still have it present.
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):

2013-12-16  Mark Lam  <mark.lam@apple.com>

        Change slow path result to take a void* instead of an ExecState*.
        https://bugs.webkit.org/show_bug.cgi?id=125802.

        Reviewed by Filip Pizlo.

        This is in preparation for C Stack OSR entry work that is coming soon.
        In the OSR entry case, we'll be returning a topOfFrame pointer value
        instead of the ExecState*.

        * offlineasm/cloop.rb:
        * runtime/CommonSlowPaths.h:
        (JSC::encodeResult):
        (JSC::decodeResult):

2013-12-16  Alex Christensen  <achristensen@webkit.org>

        Fixed Win64 build on VS2013.
        https://bugs.webkit.org/show_bug.cgi?id=125753

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
        Added correct PlatformToolset for 64-bit builds.

2013-12-16  Peter Szanka  <h868064@stud.u-szeged.hu>

        Delete RVCT related code parts.
        https://bugs.webkit.org/show_bug.cgi?id=125626

        Reviewed by Darin Adler.

        * assembler/ARMAssembler.cpp:
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::cacheFlush):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::isVFPPresent):
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:

2013-12-15  Ryosuke Niwa  <rniwa@webkit.org>

        REGRESSION: 2x regression on Dromaeo DOM query tests
        https://bugs.webkit.org/show_bug.cgi?id=125377

        Reviewed by Filip Pizlo.

        The bug was caused by JSC not JIT'ing property access on "document" due to its type info having
        the HasImpureGetOwnPropertySlot flag.

        Fixed the bug by a new type info flag, NewImpurePropertyFiresWatchpoints, which allows the baseline
        JIT to generate byte code for accessing properties on an object with named properties (a.k.a.
        custom name getter) in DOM. When a new named property appears on the object, the VM is notified via
        VM::addImpureProperty and fires the StructureStubClearingWatchpoint added during the repatch.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt): Take the slow path if we have any object with impure
        properties in the prototype chain.
        (JSC::GetByIdStatus::computeForChain): Ditto.

        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess): Throw away the byte code when a new impure property is added on any
        object in the prototype chain via StructureStubClearingWatchpoint.
        (JSC::generateProtoChainAccessStub): Ditto.
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::tryRepatchIn): Ditto.

        * runtime/JSTypeInfo.h: Added NewImpurePropertyFiresWatchpoints.
        (JSC::TypeInfo::newImpurePropertyFiresWatchpoints): Added.

        * runtime/Operations.h:
        (JSC::normalizePrototypeChainForChainAccess): Don't exit early if the VM will be notified of a new
        impure property even if the object had impure properties.

        * runtime/Structure.h:
        (JSC::Structure::takesSlowPathInDFGForImpureProperty): Added. Wraps hasImpureGetOwnPropertySlot and
        asserts that newImpurePropertyFiresWatchpoints is true whenever hasImpureGetOwnPropertySlot is true.

        * runtime/VM.cpp:
        (JSC::VM::registerWatchpointForImpureProperty): Added.
        (JSC::VM::addImpureProperty): Added. HTMLDocument calls it to notify JSC of a new impure property.

        * runtime/VM.h:

2013-12-15  Andy Estes  <aestes@apple.com>

        [iOS] Upstream changes to FeatureDefines.xcconfig
        https://bugs.webkit.org/show_bug.cgi?id=125742

        Reviewed by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig:

2013-12-14  Filip Pizlo  <fpizlo@apple.com>

        FTL should *really* know when things are flushed
        https://bugs.webkit.org/show_bug.cgi?id=125747

        Reviewed by Sam Weinig.

        Fix more codegen badness. This makes V8v7's crypto am3() function run faster in the FTL
        than in DFG. This means that even if we just compile those functions in V8v7 that don't
        make calls, the FTL gives us a 2% speed-up over the DFG.
That's pretty good considering 12070 that we have still more optimizations to fix and we can make calls work. 12071 12072 * dfg/DFGSSAConversionPhase.cpp: 12073 (JSC::DFG::SSAConversionPhase::run): 12074 * ftl/FTLCompile.cpp: 12075 (JSC::FTL::fixFunctionBasedOnStackMaps): 12076 120772013-12-14 Andy Estes <aestes@apple.com> 12078 12079 Unify FeatureDefines.xcconfig 12080 https://bugs.webkit.org/show_bug.cgi?id=125741 12081 12082 Rubber-stamped by Dan Bernstein. 12083 12084 * Configurations/FeatureDefines.xcconfig: Enable ENABLE_MEDIA_SOURCE. 12085 120862013-12-14 Mark Rowe <mrowe@apple.com> 12087 12088 Build fix after r160557. 12089 12090 r160557 added the first generated header to JavaScriptCore that needs to be installed in to 12091 the framework wrapper. Sadly JavaScriptCore's Derived Sources target was not set to generate 12092 headers when invoked as part of the installhdrs action. This resulted in the build failing 12093 due to Xcode being unable to find the header file to install. The fix for this is to configure 12094 the Derived Sources target to use JavaScriptCore.xcconfig, which sets INSTALLHDRS_SCRIPT_PHASE 12095 to YES and allows Xcode to generate derived sources during the installhdrs action. 12096 12097 Enabling INSTALLHDRS_SCRIPT_PHASE required tweaking the Generate Derived Sources script build 12098 phase to skip running code related to offlineasm that depends on JSCLLIntOffsetExtractor 12099 having been compiled, which isn't the case at installhdrs time. 12100 12101 * JavaScriptCore.xcodeproj/project.pbxproj: 12102 121032013-12-13 Joseph Pecoraro <pecoraro@apple.com> 12104 12105 Some Set and Map prototype functions have incorrect function lengths 12106 https://bugs.webkit.org/show_bug.cgi?id=125732 12107 12108 Reviewed by Oliver Hunt. 

        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Move Inspector and Debugger protocol domains into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=125707

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * inspector/protocol/Debugger.json: Renamed from Source/WebCore/inspector/protocol/Debugger.json.
        * inspector/protocol/GenericTypes.json: Added.
        * inspector/protocol/InspectorDomain.json: Renamed from Source/WebCore/inspector/protocol/InspectorDomain.json.
        Add new files to inspector generation.

        * inspector/scripts/CodeGeneratorInspector.py:
        (Generator.go):
        Only build TypeBuilder output if the domain only has types. Avoid
        backend/frontend dispatchers and backend commands.

        (TypeBindings.create_type_declaration_.EnumBinding.get_setter_value_expression_pattern):
        (format_setter_value_expression):
        (Generator.process_command):
        (Generator.generate_send_method):
        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        Export and name the get{JS,Web}EnumConstant function.

2013-12-11  Filip Pizlo  <fpizlo@apple.com>

        Get rid of forward exit on UInt32ToNumber by adding an op_unsigned bytecode instruction
        https://bugs.webkit.org/show_bug.cgi?id=125553

        Reviewed by Oliver Hunt.

        UInt32ToNumber was a super complicated node because it had to do a speculation, but it
        would do it after we already had computed the urshift. It couldn't just jump back to the
        beginning of the urshift because the inputs to the urshift weren't necessarily live
        anymore.
        We couldn't jump forward to the beginning of the next instruction because the
        result of the urshift was not yet unsigned-converted.

        For a while we solved this by forward-exiting in UInt32ToNumber. But that's really
        gross and I want to get rid of all forward exits. They cause a lot of bugs.

        We could also have turned UInt32ToNumber into a backwards exit by forcing the inputs to
        the urshift to be live. I figure that this might be a bit too extreme.

        So, I just created a new place that we can exit to: I split op_urshift into op_urshift
        followed by op_unsigned. op_unsigned is an "unsigned cast" along the lines of what
        UInt32ToNumber does. This allows me to get rid of all of the nastiness in the DFG for
        forward exiting in UInt32ToNumber.

        This patch enables massive code carnage in the DFG and FTL, and brings us closer to
        eliminating one of the DFG's most confusing concepts. On the flipside, it does make the
        bytecode slightly more complex (one new instruction). This is a profitable trade. We
        want the DFG and FTL to trend towards simplicity, since they are both currently too
        complicated.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/ValueRecovery.cpp:
        (JSC::ValueRecovery::dumpInContext):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::gpr):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        (JSC::emitReadModifyAssignment):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
        (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild1):
        (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild2):
        * ftl/FTLFormattedValue.h:
        (JSC::FTL::int32Value):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        (WTF::printInternal):
        * ftl/FTLValueFormat.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_urshift):
        (JSC::JIT::emitSlow_op_urshift):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emitSlow_op_unsigned):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emitRightShiftSlowCase):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emitSlow_op_unsigned):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2013-12-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        LLInt should not conditionally branch to labels outside of its function
        https://bugs.webkit.org/show_bug.cgi?id=125713

        Reviewed by Geoffrey Garen.

        Conditional branches are insufficient for jumping to out-of-function labels.
        The fix is to use an unconditional jmp to the label combined with a conditional branch around the jmp.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        [GTK] Remove Warnings in building about duplicate INSPECTOR variables
        https://bugs.webkit.org/show_bug.cgi?id=125710

        Reviewed by Tim Horton.

        * GNUmakefile.am:

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        Cleanup CodeGeneratorInspectorStrings a bit
        https://bugs.webkit.org/show_bug.cgi?id=125705

        Reviewed by Timothy Hatcher.

        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        Use ${foo} variable syntax and add an ASCIILiteral.

2013-12-13  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix after r160563

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Missed the Debug
        target in my last patch.

2013-12-13  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix after r160548

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Specify
        that we are using the vs12_xp target for Makefile-based projects.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Ditto.

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        Make inspector folder groups smarter in JavaScriptCore.xcodeproj
        https://bugs.webkit.org/show_bug.cgi?id=125663

        Reviewed by Darin Adler.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add Inspector Code Generation to JavaScriptCore for Runtime Domain
        https://bugs.webkit.org/show_bug.cgi?id=125595

        Reviewed by Timothy Hatcher.

        - Move CodeGeneration scripts from WebCore into JavaScriptCore/inspector/scripts
        - For ports that build WebKit frameworks separately, export the scripts as PrivateHeaders
        - Update CodeGeneratorInspector.py in a few ways:
          - output dynamic filenames, so JavaScriptCore generates InspectorJSFoo.* and WebCore generates InspectorWebFoo.*
          - take in more than one protocol JSON file. The first contains domains to generate, the others are dependencies
            that are generated elsewhere that we can depend on for Types.
        - Add DerivedSources build step to generate the Inspector Interfaces

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add scripts and code generation.

        * inspector/protocol/Runtime.json: Renamed from Source/WebCore/inspector/protocol/Runtime.json.
        Move protocol file into JavaScriptCore so its types will be generated in JavaScriptCore.

        * inspector/scripts/CodeGeneratorInspector.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspector.py.
        Updates to the script as listed above.

        * inspector/scripts/CodeGeneratorInspectorStrings.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspectorStrings.py.
        * inspector/scripts/generate-combined-inspector-json.py: Renamed from Source/WebCore/inspector/Scripts/generate-combined-inspector-json.py.
        Moved from WebCore into JavaScriptCore for code generation.

2013-12-13  Peter Szanka  <h868064@stud.u-szeged.hu>

        Delete INTEL C compiler related code parts.
        https://bugs.webkit.org/show_bug.cgi?id=125625

        Reviewed by Darin Adler.

        * jsc.cpp:
        * testRegExp.cpp:

2013-12-13  Brent Fulgham  <bfulgham@apple.com>

        [Win] Switch WebKit solution to Visual Studio 2013
        https://bugs.webkit.org/show_bug.cgi?id=125192

        Reviewed by Anders Carlsson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Update for VS2013
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        Ditto
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto

2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>

        Add a few more ASCIILiterals
        https://bugs.webkit.org/show_bug.cgi?id=125662

        Reviewed by Darin Adler.
12357 12358 * inspector/InspectorBackendDispatcher.cpp: 12359 (Inspector::InspectorBackendDispatcher::dispatch): 12360 123612013-12-12 Joseph Pecoraro <pecoraro@apple.com> 12362 12363 Test new JSContext name APIs 12364 https://bugs.webkit.org/show_bug.cgi?id=125607 12365 12366 Reviewed by Darin Adler. 12367 12368 * API/JSContext.h: 12369 * API/JSContextRef.h: 12370 Fix whitespace issues. 12371 12372 * API/tests/testapi.c: 12373 (globalContextNameTest): 12374 (main): 12375 * API/tests/testapi.mm: 12376 Add tests for JSContext set/get name APIs. 12377 123782013-12-11 Filip Pizlo <fpizlo@apple.com> 12379 12380 ARM64: Hang running pdfjs test, suspect DFG generated code for "in" 12381 https://bugs.webkit.org/show_bug.cgi?id=124727 12382 <rdar://problem/15566923> 12383 12384 Reviewed by Michael Saboff. 12385 12386 Get rid of In's hackish use of StructureStubInfo. Previously it was using hotPathBegin, 12387 and it was the only IC that used that field, which was wasteful. Moreover, it used it 12388 to store two separate locations: the label for patching the jump and the label right 12389 after the jump. The code was relying on those two being the same label, which is true 12390 on X86 and some other platforms, but it isn't true on ARM64. 12391 12392 This gets rid of hotPathBegin and makes In express those two locations as offsets from 12393 the callReturnLocation, which is analogous to what the other IC's do. 12394 12395 This fixes a bug where any successful In patching would result in a trivially infinite 12396 loop - and hence a hang - on ARM64. 
12397 12398 * bytecode/StructureStubInfo.h: 12399 * dfg/DFGJITCompiler.cpp: 12400 (JSC::DFG::JITCompiler::link): 12401 * dfg/DFGJITCompiler.h: 12402 (JSC::DFG::InRecord::InRecord): 12403 * dfg/DFGSpeculativeJIT.cpp: 12404 (JSC::DFG::SpeculativeJIT::compileIn): 12405 * jit/JITInlineCacheGenerator.cpp: 12406 (JSC::JITByIdGenerator::finalize): 12407 * jit/Repatch.cpp: 12408 (JSC::replaceWithJump): 12409 (JSC::patchJumpToGetByIdStub): 12410 (JSC::tryCachePutByID): 12411 (JSC::tryBuildPutByIdList): 12412 (JSC::tryRepatchIn): 12413 (JSC::resetGetByID): 12414 (JSC::resetPutByID): 12415 (JSC::resetIn): 12416 124172013-12-11 Joseph Pecoraro <pecoraro@apple.com> 12418 12419 Web Inspector: Push More Inspector Required Classes Down into JavaScriptCore 12420 https://bugs.webkit.org/show_bug.cgi?id=125324 12421 12422 Reviewed by Timothy Hatcher. 12423 12424 * CMakeLists.txt: 12425 * GNUmakefile.am: 12426 * GNUmakefile.list.am: 12427 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 12428 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 12429 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: 12430 * JavaScriptCore.vcxproj/copy-files.cmd: 12431 * JavaScriptCore.xcodeproj/project.pbxproj: 12432 * bindings/ScriptFunctionCall.cpp: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.cpp. 12433 * bindings/ScriptFunctionCall.h: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.h. 12434 * bindings/ScriptObject.cpp: Copied from Source/WebCore/inspector/WorkerConsoleAgent.cpp. 12435 * bindings/ScriptObject.h: Renamed from Source/WebCore/inspector/InspectorBaseAgent.h. 12436 * bindings/ScriptValue.cpp: Renamed from Source/WebCore/bindings/js/ScriptValue.cpp. 12437 * bindings/ScriptValue.h: Renamed from Source/WebCore/bindings/js/ScriptValue.h. 12438 * inspector/InspectorAgentBase.h: Copied from Source/WebCore/inspector/InspectorAgentRegistry.h. 12439 * inspector/InspectorAgentRegistry.cpp: Renamed from Source/WebCore/inspector/InspectorAgentRegistry.cpp. 
12440 * inspector/InspectorBackendDispatcher.h: Renamed from Source/WebCore/inspector/InspectorBackendDispatcher.h. 12441 (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): 12442 (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): 12443 * inspector/InspectorValues.cpp: Renamed from Source/WebCore/inspector/InspectorValues.cpp. 12444 * inspector/InspectorValues.h: Renamed from Source/WebCore/inspector/InspectorValues.h. 12445 124462013-12-11 Laszlo Vidacs <lac@inf.u-szeged.hu> 12447 12448 Store SHA1 hash in std::array 12449 https://bugs.webkit.org/show_bug.cgi?id=125446 12450 12451 Reviewed by Darin Adler. 12452 12453 Change Vector to std::array and use typedef. 12454 12455 * bytecode/CodeBlockHash.cpp: 12456 (JSC::CodeBlockHash::CodeBlockHash): 12457 124582013-12-11 Mark Rowe <mrowe@apple.com> 12459 12460 <https://webkit.org/b/125141> Modernize the JavaScriptCore API headers 12461 <rdar://problem/15540121> 12462 12463 This consists of three main changes: 12464 1) Converting the return type of initializer methods to instancetype. 12465 2) Declaring properties rather than getters and setters. 12466 3) Tagging C API methods with information about their memory management semantics. 12467 12468 Changing the declarations from getters and setters to properties also required 12469 updating the headerdoc in a number of places. 12470 12471 Reviewed by Anders Carlsson. 
12472 12473 * API/JSContext.h: 12474 * API/JSContext.mm: 12475 * API/JSManagedValue.h: 12476 * API/JSManagedValue.mm: 12477 * API/JSStringRefCF.h: 12478 * API/JSValue.h: 12479 * API/JSVirtualMachine.h: 12480 * API/JSVirtualMachine.mm: 12481 124822013-12-11 Mark Rowe <mrowe@apple.com> 12483 12484 <https://webkit.org/b/125559> Move JavaScriptCore off the legacy WebKit availability macros 12485 12486 The legacy WebKit availability macros are verbose, confusing, and provide no benefit over 12487 using the system availability macros directly. The original vision was that they'd serve 12488 a cross-platform purpose but that never came to be. 12489 12490 Map from WebKit version to OS X version based on the mapping in WebKitAvailability.h. 12491 All iOS versions are specified as 7.0 as that is when the JavaScriptCore C API was made 12492 public. 12493 12494 Part of <rdar://problem/15512304>. 12495 12496 Reviewed by Anders Carlsson. 12497 12498 * API/JSBasePrivate.h: 12499 * API/JSContextRef.h: 12500 * API/JSContextRefPrivate.h: 12501 * API/JSObjectRef.h: 12502 * API/JSValueRef.h: 12503 125042013-12-10 Filip Pizlo <fpizlo@apple.com> 12505 12506 Get rid of forward exit on DoubleAsInt32 12507 https://bugs.webkit.org/show_bug.cgi?id=125552 12508 12509 Reviewed by Oliver Hunt. 12510 12511 The forward exit was just there so that we wouldn't have to keep the inputs alive up to 12512 the DoubleAsInt32. That's dumb. Forward exits are a complicated piece of machinery and 12513 we shouldn't have it just for a bit of liveness micro-optimization. 12514 12515 Also add a bunch of machinery to test this case on X86. 
12516 12517 * assembler/AbstractMacroAssembler.h: 12518 (JSC::optimizeForARMv7s): 12519 (JSC::optimizeForARM64): 12520 (JSC::optimizeForX86): 12521 * dfg/DFGFixupPhase.cpp: 12522 (JSC::DFG::FixupPhase::fixupNode): 12523 * dfg/DFGNodeType.h: 12524 * dfg/DFGSpeculativeJIT.cpp: 12525 (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32): 12526 * runtime/Options.h: 12527 * tests/stress/double-as-int32.js: Added. 12528 (foo): 12529 (test): 12530 125312013-12-10 Filip Pizlo <fpizlo@apple.com> 12532 12533 Simplify CSE's treatment of NodeRelevantToOSR 12534 https://bugs.webkit.org/show_bug.cgi?id=125538 12535 12536 Reviewed by Oliver Hunt. 12537 12538 Make the NodeRelevantToOSR thing obvious: if there is any MovHint on a node then the 12539 node is relevant to OSR. 12540 12541 * dfg/DFGCSEPhase.cpp: 12542 (JSC::DFG::CSEPhase::run): 12543 (JSC::DFG::CSEPhase::performNodeCSE): 12544 (JSC::DFG::CSEPhase::performBlockCSE): 12545 125462013-12-10 Filip Pizlo <fpizlo@apple.com> 12547 12548 Get rid of forward exit in GetByVal on Uint32Array 12549 https://bugs.webkit.org/show_bug.cgi?id=125543 12550 12551 Reviewed by Oliver Hunt. 12552 12553 * dfg/DFGSpeculativeJIT.cpp: 12554 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): 12555 * ftl/FTLLowerDFGToLLVM.cpp: 12556 (JSC::FTL::LowerDFGToLLVM::compileGetByVal): 12557 125582013-12-10 Balazs Kilvady <kilvadyb@homejinni.com> 12559 12560 [MIPS] Redundant instructions in code generated from offlineasm. 12561 https://bugs.webkit.org/show_bug.cgi?id=125528 12562 12563 Reviewed by Michael Saboff. 12564 12565 Optimize lowering of offlineasm BaseIndex Addresses. 12566 12567 * offlineasm/mips.rb: 12568 125692013-12-10 Oliver Hunt <oliver@apple.com> 12570 12571 Reduce the mass templatizing of the JS parser 12572 https://bugs.webkit.org/show_bug.cgi?id=125535 12573 12574 Reviewed by Michael Saboff. 12575 12576 The various caches we have now have removed the need for many of 12577 the template vs. regular parameters. 
This patch converts those 12578 template parameters to regular parameters and updates the call 12579 sites. This reduces the code size of the parser by around 15%. 12580 12581 * parser/ASTBuilder.h: 12582 (JSC::ASTBuilder::createGetterOrSetterProperty): 12583 (JSC::ASTBuilder::createProperty): 12584 * parser/Parser.cpp: 12585 (JSC::::parseInner): 12586 (JSC::::parseSourceElements): 12587 (JSC::::parseVarDeclarationList): 12588 (JSC::::createBindingPattern): 12589 (JSC::::tryParseDeconstructionPatternExpression): 12590 (JSC::::parseDeconstructionPattern): 12591 (JSC::::parseSwitchClauses): 12592 (JSC::::parseSwitchDefaultClause): 12593 (JSC::::parseBlockStatement): 12594 (JSC::::parseFormalParameters): 12595 (JSC::::parseFunctionInfo): 12596 (JSC::::parseFunctionDeclaration): 12597 (JSC::::parseProperty): 12598 (JSC::::parseObjectLiteral): 12599 (JSC::::parseStrictObjectLiteral): 12600 (JSC::::parseMemberExpression): 12601 * parser/Parser.h: 12602 * parser/SyntaxChecker.h: 12603 (JSC::SyntaxChecker::createProperty): 12604 (JSC::SyntaxChecker::createGetterOrSetterProperty): 12605 126062013-12-10 Mark Hahnenberg <mhahnenberg@apple.com> 12607 12608 ASSERT !heap.vm()->isInitializingObject() when finishing DFG compilation at beginning of GC 12609 https://bugs.webkit.org/show_bug.cgi?id=125472 12610 12611 Reviewed by Geoff Garen. 12612 12613 This patch makes it look like it's okay to allocate so that the DFG plan finalization stuff 12614 can do what it needs to do. We already expected that we might do allocation during plan 12615 finalization and we increased the deferral depth to handle this, but we need to fix this other 12616 ASSERT stuff too. 12617 12618 * GNUmakefile.list.am: 12619 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 12620 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 12621 * JavaScriptCore.xcodeproj/project.pbxproj: 12622 * heap/Heap.cpp: 12623 (JSC::Heap::collect): 12624 * heap/Heap.h: 12625 * heap/RecursiveAllocationScope.h: Added. 
12626 (JSC::RecursiveAllocationScope::RecursiveAllocationScope): 12627 (JSC::RecursiveAllocationScope::~RecursiveAllocationScope): 12628 * runtime/VM.h: 12629 126302013-12-09 Filip Pizlo <fpizlo@apple.com> 12631 12632 Impose and enforce some basic rules of sanity for where Phi functions are allowed to occur and where their (optional) corresponding MovHints can be 12633 https://bugs.webkit.org/show_bug.cgi?id=125480 12634 12635 Reviewed by Geoffrey Garen. 12636 12637 Previously, if you wanted to insert some speculation right after where a value was 12638 produced, you'd get super confused if that value was produced by a Phi node. You can't 12639 necessarily insert speculations after a Phi node because Phi nodes appear in this 12640 special sequence of Phis and MovHints that establish the OSR exit state for a block. 12641 So, you'd probably want to search for the next place where it's safe to insert things. 12642 We already do this "search for beginning of next bytecode instruction" search by 12643 looking at the next node that has a different CodeOrigin. But this would be hard for a 12644 Phi because those Phis and MovHints have basically random CodeOrigins and they can all 12645 have different CodeOrigins. 12646 12647 This change imposes some sanity for this situation: 12648 12649 - Phis must have unset CodeOrigins. 12650 12651 - In each basic block, all nodes that have unset CodeOrigins must come before all nodes 12652 that have set CodeOrigins. 12653 12654 This all ends up working out just great because prior to this change we didn't have a 12655 use for unset CodeOrigins. I think it's appropriate to make "unset CodeOrigin" mean 12656 that we're in the prologue of a basic block. 12657 12658 It's interesting what this means for block merging, which we don't yet do in SSA. 12659 Consider merging the edge A->B. 
One possibility is that the block merger is now 12660 required to clean up Phi/Upsilons, and reascribe the MovHints to have the CodeOrigin of 12661 the A's block terminal. But an answer that might be better is that the originless 12662 nodes at the top of the B are just given the origin of the terminal and we keep the 12663 Phis. That would require changing the above rules. We'll see how it goes, and what we 12664 end up picking... 12665 12666 Overall, this special-things-at-the-top rule is analogous to what other SSA-based 12667 compilers do. For example, LLVM has rules mandating that Phis appear at the top of a 12668 block. 12669 12670 * bytecode/CodeOrigin.cpp: 12671 (JSC::CodeOrigin::dump): 12672 * dfg/DFGOSRExitBase.h: 12673 (JSC::DFG::OSRExitBase::OSRExitBase): 12674 * dfg/DFGSSAConversionPhase.cpp: 12675 (JSC::DFG::SSAConversionPhase::run): 12676 * dfg/DFGValidate.cpp: 12677 (JSC::DFG::Validate::validate): 12678 (JSC::DFG::Validate::validateSSA): 12679 126802013-12-08 Filip Pizlo <fpizlo@apple.com> 12681 12682 Reveal array bounds checks in DFG IR 12683 https://bugs.webkit.org/show_bug.cgi?id=125253 12684 12685 Reviewed by Oliver Hunt and Mark Hahnenberg. 12686 12687 In SSA mode, this reveals array bounds checks and the load of array length in DFG IR, 12688 making this a candidate for LICM. 
12689 12690 This also fixes a long-standing performance bug where the JSObject slow paths would 12691 always create contiguous storage, rather than type-specialized storage, when doing a 12692 "storage creating" storage, like: 12693 12694 var o = {}; 12695 o[0] = 42; 12696 12697 * CMakeLists.txt: 12698 * GNUmakefile.list.am: 12699 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 12700 * JavaScriptCore.xcodeproj/project.pbxproj: 12701 * bytecode/ExitKind.cpp: 12702 (JSC::exitKindToString): 12703 (JSC::exitKindIsCountable): 12704 * bytecode/ExitKind.h: 12705 * dfg/DFGAbstractInterpreterInlines.h: 12706 (JSC::DFG::::executeEffects): 12707 * dfg/DFGArrayMode.cpp: 12708 (JSC::DFG::permitsBoundsCheckLowering): 12709 (JSC::DFG::ArrayMode::permitsBoundsCheckLowering): 12710 * dfg/DFGArrayMode.h: 12711 (JSC::DFG::ArrayMode::lengthNeedsStorage): 12712 * dfg/DFGClobberize.h: 12713 (JSC::DFG::clobberize): 12714 * dfg/DFGConstantFoldingPhase.cpp: 12715 (JSC::DFG::ConstantFoldingPhase::foldConstants): 12716 * dfg/DFGFixupPhase.cpp: 12717 (JSC::DFG::FixupPhase::fixupNode): 12718 * dfg/DFGNodeType.h: 12719 * dfg/DFGPlan.cpp: 12720 (JSC::DFG::Plan::compileInThreadImpl): 12721 * dfg/DFGPredictionPropagationPhase.cpp: 12722 (JSC::DFG::PredictionPropagationPhase::propagate): 12723 * dfg/DFGSSALoweringPhase.cpp: Added. 12724 (JSC::DFG::SSALoweringPhase::SSALoweringPhase): 12725 (JSC::DFG::SSALoweringPhase::run): 12726 (JSC::DFG::SSALoweringPhase::handleNode): 12727 (JSC::DFG::SSALoweringPhase::lowerBoundsCheck): 12728 (JSC::DFG::performSSALowering): 12729 * dfg/DFGSSALoweringPhase.h: Added. 
12730 * dfg/DFGSafeToExecute.h: 12731 (JSC::DFG::safeToExecute): 12732 * dfg/DFGSpeculativeJIT.cpp: 12733 (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): 12734 * dfg/DFGSpeculativeJIT32_64.cpp: 12735 (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal): 12736 (JSC::DFG::SpeculativeJIT::compile): 12737 * dfg/DFGSpeculativeJIT64.cpp: 12738 (JSC::DFG::SpeculativeJIT::compile): 12739 * ftl/FTLCapabilities.cpp: 12740 (JSC::FTL::canCompile): 12741 * ftl/FTLLowerDFGToLLVM.cpp: 12742 (JSC::FTL::LowerDFGToLLVM::compileNode): 12743 (JSC::FTL::LowerDFGToLLVM::compileCheckInBounds): 12744 (JSC::FTL::LowerDFGToLLVM::compileGetByVal): 12745 (JSC::FTL::LowerDFGToLLVM::compilePutByVal): 12746 (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds): 12747 * runtime/JSObject.cpp: 12748 (JSC::JSObject::convertUndecidedForValue): 12749 (JSC::JSObject::createInitialForValueAndSet): 12750 (JSC::JSObject::putByIndexBeyondVectorLength): 12751 (JSC::JSObject::putDirectIndexBeyondVectorLength): 12752 * runtime/JSObject.h: 12753 * tests/stress/float32array-out-of-bounds.js: Added. 12754 (make): 12755 (foo): 12756 (test): 12757 * tests/stress/int32-object-out-of-bounds.js: Added. 12758 (make): 12759 (foo): 12760 (test): 12761 * tests/stress/int32-out-of-bounds.js: Added. 12762 (foo): 12763 (test): 12764 127652013-12-09 Sam Weinig <sam@webkit.org> 12766 12767 Replace use of WTF::FixedArray with std::array 12768 https://bugs.webkit.org/show_bug.cgi?id=125475 12769 12770 Reviewed by Anders Carlsson. 
12771 12772 * bytecode/CodeBlockHash.cpp: 12773 (JSC::CodeBlockHash::dump): 12774 * bytecode/Opcode.cpp: 12775 (JSC::OpcodeStats::~OpcodeStats): 12776 * dfg/DFGCSEPhase.cpp: 12777 * ftl/FTLAbstractHeap.h: 12778 * heap/MarkedSpace.h: 12779 * parser/ParserArena.h: 12780 * runtime/CodeCache.h: 12781 * runtime/DateInstanceCache.h: 12782 * runtime/JSGlobalObject.cpp: 12783 (JSC::JSGlobalObject::reset): 12784 * runtime/JSGlobalObject.h: 12785 * runtime/JSString.h: 12786 * runtime/LiteralParser.h: 12787 * runtime/NumericStrings.h: 12788 * runtime/RegExpCache.h: 12789 * runtime/SmallStrings.h: 12790 127912013-12-09 Joseph Pecoraro <pecoraro@apple.com> 12792 12793 Remove miscellaneous unnecessary build statements 12794 https://bugs.webkit.org/show_bug.cgi?id=125466 12795 12796 Reviewed by Darin Adler. 12797 12798 * DerivedSources.make: 12799 * JavaScriptCore.vcxproj/build-generated-files.sh: 12800 * JavaScriptCore.xcodeproj/project.pbxproj: 12801 * make-generated-sources.sh: 12802 128032013-12-08 Filip Pizlo <fpizlo@apple.com> 12804 12805 CSE should work in SSA 12806 https://bugs.webkit.org/show_bug.cgi?id=125430 12807 12808 Reviewed by Oliver Hunt and Mark Hahnenberg. 12809 12810 * dfg/DFGCSEPhase.cpp: 12811 (JSC::DFG::CSEPhase::run): 12812 (JSC::DFG::CSEPhase::performNodeCSE): 12813 * dfg/DFGPlan.cpp: 12814 (JSC::DFG::Plan::compileInThreadImpl): 12815 128162013-12-09 Joseph Pecoraro <pecoraro@apple.com> 12817 12818 Remove docs/make-bytecode-docs.pl 12819 https://bugs.webkit.org/show_bug.cgi?id=125462 12820 12821 This sript is very old and no longer outputs useful data since the 12822 op code definitions have moved from Interpreter.cpp. 12823 12824 Reviewed by Darin Adler. 12825 12826 * DerivedSources.make: 12827 * docs/make-bytecode-docs.pl: Removed. 12828 128292013-12-09 Julien Brianceau <jbriance@cisco.com> 12830 12831 Fix sh4 LLINT build. 12832 https://bugs.webkit.org/show_bug.cgi?id=125454 12833 12834 Reviewed by Michael Saboff. 
12835 12836 In LLINT, sh4 backend implementation didn't handle properly conditional jumps using 12837 a LabelReference instance. This patch fixes it through sh4LowerMisplacedLabels phase. 12838 Also, to avoid the need of a 4th temporary gpr, this phase is triggered later in 12839 getModifiedListSH4. 12840 12841 * offlineasm/sh4.rb: 12842 128432013-12-08 Filip Pizlo <fpizlo@apple.com> 12844 12845 Add the notion of ConstantStoragePointer to DFG IR 12846 https://bugs.webkit.org/show_bug.cgi?id=125395 12847 12848 Reviewed by Oliver Hunt. 12849 12850 This pushes more typed array folding into StrengthReductionPhase, and enables CSE on 12851 storage pointers. Previously, you might have separate nodes for the same storage 12852 pointer and this would cause some bad register pressure in the DFG. Note that this 12853 was really a theoretical problem and not, to my knowledge a practical one - so this 12854 patch is basically just a clean-up. 12855 12856 * dfg/DFGAbstractInterpreterInlines.h: 12857 (JSC::DFG::::executeEffects): 12858 * dfg/DFGCSEPhase.cpp: 12859 (JSC::DFG::CSEPhase::constantStoragePointerCSE): 12860 (JSC::DFG::CSEPhase::performNodeCSE): 12861 * dfg/DFGClobberize.h: 12862 (JSC::DFG::clobberize): 12863 * dfg/DFGFixupPhase.cpp: 12864 (JSC::DFG::FixupPhase::fixupNode): 12865 * dfg/DFGGraph.cpp: 12866 (JSC::DFG::Graph::dump): 12867 * dfg/DFGNode.h: 12868 (JSC::DFG::Node::convertToConstantStoragePointer): 12869 (JSC::DFG::Node::hasStoragePointer): 12870 (JSC::DFG::Node::storagePointer): 12871 * dfg/DFGNodeType.h: 12872 * dfg/DFGPredictionPropagationPhase.cpp: 12873 (JSC::DFG::PredictionPropagationPhase::propagate): 12874 * dfg/DFGSafeToExecute.h: 12875 (JSC::DFG::safeToExecute): 12876 * dfg/DFGSpeculativeJIT.cpp: 12877 (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer): 12878 (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): 12879 * dfg/DFGSpeculativeJIT.h: 12880 * dfg/DFGSpeculativeJIT32_64.cpp: 12881 (JSC::DFG::SpeculativeJIT::compile): 12882 * 
dfg/DFGSpeculativeJIT64.cpp: 12883 (JSC::DFG::SpeculativeJIT::compile): 12884 * dfg/DFGStrengthReductionPhase.cpp: 12885 (JSC::DFG::StrengthReductionPhase::handleNode): 12886 (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): 12887 (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): 12888 * dfg/DFGWatchpointCollectionPhase.cpp: 12889 (JSC::DFG::WatchpointCollectionPhase::handle): 12890 * ftl/FTLLowerDFGToLLVM.cpp: 12891 (JSC::FTL::LowerDFGToLLVM::compileNode): 12892 (JSC::FTL::LowerDFGToLLVM::compileConstantStoragePointer): 12893 (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage): 12894 128952013-12-08 Filip Pizlo <fpizlo@apple.com> 12896 12897 FTL should support UntypedUse versions of Compare nodes 12898 https://bugs.webkit.org/show_bug.cgi?id=125426 12899 12900 Reviewed by Oliver Hunt. 12901 12902 This adds UntypedUse versions of all comparisons except CompareStrictEq, which is 12903 sufficiently different that I thought I'd do it in another patch. 12904 12905 This also extends our ability to abstract over comparison kind and removes a bunch of 12906 copy-paste code. 
12907 12908 * dfg/DFGSpeculativeJIT64.cpp: 12909 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): 12910 * ftl/FTLCapabilities.cpp: 12911 (JSC::FTL::canCompile): 12912 * ftl/FTLIntrinsicRepository.h: 12913 * ftl/FTLLowerDFGToLLVM.cpp: 12914 (JSC::FTL::LowerDFGToLLVM::compileCompareEq): 12915 (JSC::FTL::LowerDFGToLLVM::compileCompareLess): 12916 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq): 12917 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater): 12918 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq): 12919 (JSC::FTL::LowerDFGToLLVM::compare): 12920 (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare): 12921 * ftl/FTLOutput.h: 12922 (JSC::FTL::Output::icmp): 12923 (JSC::FTL::Output::equal): 12924 (JSC::FTL::Output::notEqual): 12925 (JSC::FTL::Output::above): 12926 (JSC::FTL::Output::aboveOrEqual): 12927 (JSC::FTL::Output::below): 12928 (JSC::FTL::Output::belowOrEqual): 12929 (JSC::FTL::Output::greaterThan): 12930 (JSC::FTL::Output::greaterThanOrEqual): 12931 (JSC::FTL::Output::lessThan): 12932 (JSC::FTL::Output::lessThanOrEqual): 12933 (JSC::FTL::Output::fcmp): 12934 (JSC::FTL::Output::doubleEqual): 12935 (JSC::FTL::Output::doubleNotEqualOrUnordered): 12936 (JSC::FTL::Output::doubleLessThan): 12937 (JSC::FTL::Output::doubleLessThanOrEqual): 12938 (JSC::FTL::Output::doubleGreaterThan): 12939 (JSC::FTL::Output::doubleGreaterThanOrEqual): 12940 (JSC::FTL::Output::doubleEqualOrUnordered): 12941 (JSC::FTL::Output::doubleNotEqual): 12942 (JSC::FTL::Output::doubleLessThanOrUnordered): 12943 (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered): 12944 (JSC::FTL::Output::doubleGreaterThanOrUnordered): 12945 (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered): 12946 * tests/stress/untyped-equality.js: Added. 12947 (foo): 12948 * tests/stress/untyped-less-than.js: Added. 
12949 (foo): 12950 129512013-12-07 Filip Pizlo <fpizlo@apple.com> 12952 12953 Fold typedArray.length if typedArray is constant 12954 https://bugs.webkit.org/show_bug.cgi?id=125252 12955 12956 Reviewed by Sam Weinig. 12957 12958 This was meant to be easy. The problem is that there was no good place for putting 12959 the folding of typedArray.length to a constant. You can't quite do it in the 12960 bytecode parser because at that point you don't yet know if typedArray is really 12961 a typed array. You can't do it as part of constant folding because the folder 12962 assumes that it can opportunistically forward-flow a constant value without changing 12963 the IR; this doesn't work since we need to first change the IR to register a 12964 desired watchpoint and only after that can we introduce that constant. We could have 12965 done it in Fixup but that would have been awkward since Fixup's code for turning a 12966 GetById of "length" into GetArrayLength is already somewhat complex. We could have 12967 done it in CSE but CSE is already fairly gnarly and will probably get rewritten. 12968 12969 So I introduced a new phase, called StrengthReduction. This phase should have any 12970 transformations that don't requite CFA or CSE and that it would be weird to put into 12971 those other phases. 12972 12973 I also took the opportunity to refactor some of the other folding code. 12974 12975 This also adds a test, but the test couldn't quite be a LayoutTests/js/regress so I 12976 introduced the notion of JavaScriptCore/tests/stress. 12977 12978 The goal of this patch isn't really to improve performance or anything like that. 12979 It adds an optimization for completeness, and in doing so it unlocks a bunch of new 12980 possibilities. The one that I'm most excited about is revealing array length checks 12981 in DFG IR, which will allow for array bounds check hoisting and elimination. 
12982 12983 * CMakeLists.txt: 12984 * GNUmakefile.list.am: 12985 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 12986 * JavaScriptCore.xcodeproj/project.pbxproj: 12987 * dfg/DFGAbstractInterpreterInlines.h: 12988 (JSC::DFG::::executeEffects): 12989 * dfg/DFGClobberize.h: 12990 (JSC::DFG::clobberize): 12991 * dfg/DFGFixupPhase.cpp: 12992 (JSC::DFG::FixupPhase::fixupNode): 12993 * dfg/DFGGraph.cpp: 12994 (JSC::DFG::Graph::tryGetFoldableView): 12995 (JSC::DFG::Graph::tryGetFoldableViewForChild1): 12996 * dfg/DFGGraph.h: 12997 * dfg/DFGNode.h: 12998 (JSC::DFG::Node::hasTypedArray): 12999 (JSC::DFG::Node::typedArray): 13000 * dfg/DFGNodeType.h: 13001 * dfg/DFGPlan.cpp: 13002 (JSC::DFG::Plan::compileInThreadImpl): 13003 * dfg/DFGPredictionPropagationPhase.cpp: 13004 (JSC::DFG::PredictionPropagationPhase::propagate): 13005 * dfg/DFGSafeToExecute.h: 13006 (JSC::DFG::safeToExecute): 13007 * dfg/DFGSpeculativeJIT.cpp: 13008 (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds): 13009 (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage): 13010 * dfg/DFGSpeculativeJIT32_64.cpp: 13011 (JSC::DFG::SpeculativeJIT::compile): 13012 * dfg/DFGSpeculativeJIT64.cpp: 13013 (JSC::DFG::SpeculativeJIT::compile): 13014 * dfg/DFGStrengthReductionPhase.cpp: Added. 13015 (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase): 13016 (JSC::DFG::StrengthReductionPhase::run): 13017 (JSC::DFG::StrengthReductionPhase::handleNode): 13018 (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): 13019 (JSC::DFG::performStrengthReduction): 13020 * dfg/DFGStrengthReductionPhase.h: Added. 
13021 * dfg/DFGWatchpointCollectionPhase.cpp: 13022 (JSC::DFG::WatchpointCollectionPhase::handle): 13023 * ftl/FTLCapabilities.cpp: 13024 (JSC::FTL::canCompile): 13025 * ftl/FTLLowerDFGToLLVM.cpp: 13026 (JSC::FTL::LowerDFGToLLVM::compileNode): 13027 (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage): 13028 (JSC::FTL::LowerDFGToLLVM::compilePutByVal): 13029 (JSC::FTL::LowerDFGToLLVM::typedArrayLength): 13030 * jsc.cpp: 13031 (GlobalObject::finishCreation): 13032 (functionTransferArrayBuffer): 13033 * runtime/ArrayBufferView.h: 13034 * tests/stress: Added. 13035 * tests/stress/fold-typed-array-properties.js: Added. 13036 (foo): 13037 130382013-12-07 peavo@outlook.com <peavo@outlook.com> 13039 13040 [Win][64-bit] Hitting breakpoint assembler instruction in callToJavaScript. 13041 https://bugs.webkit.org/show_bug.cgi?id=125382 13042 13043 Reviewed by Michael Saboff. 13044 13045 The WinCairo results from run-javascriptcore-tests are the same as the WinCairo 32-bits results, when removing these breakpoints. 13046 13047 * jit/JITStubsMSVC64.asm: Remove breakpoint instructions. 13048 130492013-12-06 Filip Pizlo <fpizlo@apple.com> 13050 13051 FTL should support all of Branch/LogicalNot 13052 https://bugs.webkit.org/show_bug.cgi?id=125370 13053 13054 Reviewed by Mark Hahnenberg. 13055 13056 * ftl/FTLCapabilities.cpp: 13057 (JSC::FTL::canCompile): 13058 * ftl/FTLIntrinsicRepository.h: 13059 * ftl/FTLLowerDFGToLLVM.cpp: 13060 (JSC::FTL::LowerDFGToLLVM::boolify): 13061 130622013-12-06 Roger Fong <roger_fong@apple.com> and Brent Fulgham <bfulgham@apple.com> 13063 13064 [Win] Support compiling with VS2013 13065 https://bugs.webkit.org/show_bug.cgi?id=125353 13066 13067 Reviewed by Anders Carlsson. 13068 13069 * API/tests/testapi.c: Use C99 defines if available. 13070 * jit/JITOperations.cpp: Don't attempt to define C linkage when 13071 returning a C++ object. 

2013-12-06  Filip Pizlo  <fpizlo@apple.com>

        FTL should support generic ByVal accesses
        https://bugs.webkit.org/show_bug.cgi?id=125368

        Reviewed by Mark Hahnenberg.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isStrictModeFor):
        (JSC::DFG::Graph::ecmaModeFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):

2013-12-06  Filip Pizlo  <fpizlo@apple.com>

        FTL should support hole/OOB array accesses
        https://bugs.webkit.org/show_bug.cgi?id=118077

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::baseIndex):

2013-12-06  Michael Saboff  <msaboff@apple.com>

        Split sizing of VarArgs frames from loading arguments for the frame
        https://bugs.webkit.org/show_bug.cgi?id=125331

        Reviewed by Filip Pizlo.

        Split loadVarargs into sizeAndAllocFrameForVarargs() and loadVarargs() in
        preparation for moving onto the C stack. sizeAndAllocFrameForVarargs() will
        compute the size of the callee frame and allocate it, while loadVarargs()
        actually loads the argument values.

        As part of moving onto the C stack, sizeAndAllocFrameForVarargs() will be
        changed to a function that just computes the size. The caller will use that
        size to allocate the new frame on the stack before calling loadVarargs() and
        actually making the call.

        * interpreter/Interpreter.cpp:
        (JSC::sizeAndAllocFrameForVarargs):
        (JSC::loadVarargs):
        * interpreter/Interpreter.h:
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/VM.h:

2013-12-06  Filip Pizlo  <fpizlo@apple.com>

        FTL should support all of ValueToInt32
        https://bugs.webkit.org/show_bug.cgi?id=125283

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::lowCell):
        (JSC::FTL::LowerDFGToLLVM::isCell):

2013-12-06  Filip Pizlo  <fpizlo@apple.com>

        FTL shouldn't have a doubleToUInt32 path
        https://bugs.webkit.org/show_bug.cgi?id=125360

        Reviewed by Mark Hahnenberg.

        This code existed because I incorrectly thought it was necessary. It's now basically
        dead.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):

2013-12-06  Laszlo Vidacs  <lac@inf.u-szeged.hu>

        Define SHA1 hash size in SHA1.h and use it at various places.
        https://bugs.webkit.org/show_bug.cgi?id=125345

        Reviewed by Darin Adler.

        Use SHA1::hashSize instead of local variables.

        * bytecode/CodeBlockHash.cpp:
        (JSC::CodeBlockHash::CodeBlockHash): use SHA1::hashSize

2013-12-05  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r160213): Crash in js/dom/JSON-parse.html
        https://bugs.webkit.org/show_bug.cgi?id=125335

        Reviewed by Mark Lam.

        Changed _llint_op_catch to materialize the VM via the scope chain instead of
        the CodeBlock. CallFrames always have a scope chain, but may have a null CodeBlock.

        * llint/LowLevelInterpreter32_64.asm:
        (_llint_op_catch):
        * llint/LowLevelInterpreter64.asm:
        (_llint_op_catch):

2013-12-05  Michael Saboff  <msaboff@apple.com>

        JSC: Simplify interface between throw and catch handler
        https://bugs.webkit.org/show_bug.cgi?id=125328

        Reviewed by Geoffrey Garen.

        Simplified the throw - catch interface. The throw side is only responsible for
        jumping to the appropriate op_catch handler or returnFromJavaScript for uncaught
        exceptions. The handler uses the exception values like VM.callFrameForThrow
        as appropriate and no longer relies on the throw side putting anything in
        registers.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        * llint/LowLevelInterpreter32_64.asm:
        (_llint_op_catch):
        (_llint_throw_from_slow_path_trampoline):
        * llint/LowLevelInterpreter64.asm:
        (_llint_op_catch):
        (_llint_throw_from_slow_path_trampoline):

2013-12-04  Oliver Hunt  <oliver@apple.com>

        Refactor static getter function prototype to include thisValue in addition to the base object
        https://bugs.webkit.org/show_bug.cgi?id=124461

        Reviewed by Geoffrey Garen.

        Add thisValue parameter to static getter prototype, and switch
        from JSValue to EncodedJSValue for parameters and return value.

        Currently none of the static getters use the thisValue, but
        separating out the refactoring will prevent future changes
        from getting lost in the noise of refactoring. This means
        that this patch does not result in any change in behaviour.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * jit/JITOperations.cpp:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        (JSC::JSFunction::nameGetter):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorNaNValue):
        (JSC::numberConstructorNegInfinity):
        (JSC::numberConstructorPosInfinity):
        (JSC::numberConstructorMaxValue):
        (JSC::numberConstructorMinValue):
        * runtime/PropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::asRegExpConstructor):
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        * runtime/RegExpObject.cpp:
        (JSC::asRegExpObject):
        (JSC::regExpObjectGlobal):
        (JSC::regExpObjectIgnoreCase):
        (JSC::regExpObjectMultiline):
        (JSC::regExpObjectSource):

2013-12-04  Filip Pizlo  <fpizlo@apple.com>

        FTL should use cvttsd2si directly for double-to-int32 conversions
        https://bugs.webkit.org/show_bug.cgi?id=125275

        Reviewed by Michael Saboff.

        Wow. This was an ordeal. Using cvttsd2si was actually easy, but I learned, and
        sometimes even fixed, some interesting things:

        - The llvm.x86.sse2.cvttsd2si intrinsic can actually result in LLVM emitting a
          vcvttsd2si. I guess the intrinsic doesn't actually imply the instruction.

        - That whole thing about branchTruncateDoubleToUint32? Yeah, we don't need that. It's
          better to use branchTruncateDoubleToInt32 instead. It has the right semantics for
          all of its callers (err, its one-and-only caller), and it's more likely to take
          the fast path. This patch kills branchTruncateDoubleToUint32.

        - "a[i] = v; v = a[i]". Does this change v? OK, assume that 'a[i]' is a pure-ish
          operation - like an array access with 'i' being an integer index and we're not
          having a bad time. Now does this change v? CSE assumes that it doesn't. That's
          wrong. If 'a' is a typed array - the most sensible and pure kind of array - then
          this can be a truncating cast. For example 'v' could be a double and 'a' could be
          an integer array.

        - "v1 = a[i]; v2 = a[i]". Is v1 === v2 assuming that 'a[i]' is pure-ish? The answer
          is no. You could have a different arrayMode in each access. I know this sounds
          weird, but with concurrent JIT that might happen.

        This patch adds tests for all of this stuff, except for the first issue (it's weird
        but probably doesn't matter) and the last issue (it's too much of a freakshow).

        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerX86Common.h:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::vectorType):
        (JSC::FTL::getUndef):
        (JSC::FTL::buildInsertElement):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::doubleToUInt32):
        (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::insertElement):
        (JSC::FTL::Output::hasSensibleDoubleToInt):
        (JSC::FTL::Output::sensibleDoubleToInt):

2013-12-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r160133.
        http://trac.webkit.org/changeset/160133
        https://bugs.webkit.org/show_bug.cgi?id=125325

        broke bindings tests on all the bots (Requested by thorton on
        #webkit).

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * jit/JITOperations.cpp:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        (JSC::JSFunction::nameGetter):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorNaNValue):
        (JSC::numberConstructorNegInfinity):
        (JSC::numberConstructorPosInfinity):
        (JSC::numberConstructorMaxValue):
        (JSC::numberConstructorMinValue):
        * runtime/PropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectGlobal):
        (JSC::regExpObjectIgnoreCase):
        (JSC::regExpObjectMultiline):
        (JSC::regExpObjectSource):

2013-12-05  Mark Lam  <mark.lam@apple.com>

        Make the C Loop LLINT work with callToJavaScript.
        https://bugs.webkit.org/show_bug.cgi?id=125294.

        Reviewed by Michael Saboff.

        1. Changed the C Loop LLINT to dispatch to an Executable via its JITCode
           instance which is consistent with how the ASM LLINT works.
        2. Changed CLoop::execute() to take an Opcode instead of an OpcodeID.
           This makes it play nice with the use of JITCode for dispatching.
        3. Introduce a callToJavaScript and callToNativeFunction for the C Loop
           LLINT. These will call JSStack::pushFrame() and popFrame() to set up
           and tear down the CallFrame.
        4. Also introduced a C Loop returnFromJavaScript which is just a
           replacement for ctiOpThrowNotCaught which had the same function.
        5. Remove a lot of #if ENABLE(LLINT_C_LOOP) code now that the dispatch
           mechanism is consistent.

        This patch has been tested with both configurations of COMPUTED_GOTOs
        on and off.

        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        (JSC::CachedCall::call):
        (JSC::CachedCall::setArgument):
        * interpreter/CallFrameClosure.h:
        (JSC::CallFrameClosure::setThis):
        (JSC::CallFrameClosure::setArgument):
        (JSC::CallFrameClosure::resetCallFrame):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/Interpreter.h:
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::pushFrame):
        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::scope):
        (JSC::ProtoCallFrame::callee):
        (JSC::ProtoCallFrame::thisValue):
        (JSC::ProtoCallFrame::argument):
        (JSC::ProtoCallFrame::setArgument):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITCode.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::CLoop::initialize):
        * llint/LLIntCLoop.h:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        - Inverted the check for vm.canUseJIT(). This allows the JIT case to be
          #if'd out nicely when building the C Loop LLINT.
        * llint/LLIntOpcode.h:
        * llint/LLIntThunks.cpp:
        (JSC::doCallToJavaScript):
        (JSC::executeJS):
        (JSC::callToJavaScript):
        (JSC::executeNative):
        (JSC::callToNativeFunction):
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * runtime/Executable.h:
        (JSC::ExecutableBase::offsetOfNumParametersFor):
        (JSC::ExecutableBase::hostCodeEntryFor):
        (JSC::ExecutableBase::jsCodeEntryFor):
        (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        (JSC::ProgramExecutable::generatedJITCode):
        * runtime/JSArray.cpp:
        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        * runtime/VM.cpp:
        (JSC::VM::getHostFunction):

2013-12-05  Laszlo Vidacs  <lac@inf.u-szeged.hu>

        Fix JavaScriptCore build if cloop is enabled after r160094
        https://bugs.webkit.org/show_bug.cgi?id=125292

        Reviewed by Michael Saboff.

        Move ProtoCallFrame outside the JIT guard.

        * jit/JITCode.h:

2013-12-04  Filip Pizlo  <fpizlo@apple.com>

        Fold constant typed arrays
        https://bugs.webkit.org/show_bug.cgi?id=125205

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        If by some other mechanism we have a typed array access on a compile-time constant
        typed array pointer, then fold:

        - Array bounds checks. Specifically, fold the load of length.

        - Loading the vector.

        This needs to install a watchpoint on the array itself because of the possibility of
        neutering. Neutering is ridiculous. We do this without bloating the size of
        ArrayBuffer or JSArrayBufferView in the common case (i.e. the case where you
        allocated an array that didn't end up becoming a compile-time constant). To install
        the watchpoint, we slowDownAndWasteMemory and then create an incoming reference to
        the ArrayBuffer, where that incoming reference is from a watchpoint object. The
        ArrayBuffer already knows about such incoming references and can fire the
        watchpoints that way.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
        (JSC::DFG::DesiredWatchpoints::addLazily):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::GenericSetAdaptor::add):
        (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
        (JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
        (JSC::DFG::GenericDesiredWatchpoints::isStillValid):
        (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
        (JSC::DFG::DesiredWatchpoints::isStillValid):
        (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState):
        (JSC::DFG::DesiredWatchpoints::isValidOrMixed):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetFoldableView):
        * dfg/DFGGraph.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
        (JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::transfer):
        * runtime/ArrayBufferNeuteringWatchpoint.cpp: Added.
        (JSC::ArrayBufferNeuteringWatchpoint::ArrayBufferNeuteringWatchpoint):
        (JSC::ArrayBufferNeuteringWatchpoint::~ArrayBufferNeuteringWatchpoint):
        (JSC::ArrayBufferNeuteringWatchpoint::finishCreation):
        (JSC::ArrayBufferNeuteringWatchpoint::destroy):
        (JSC::ArrayBufferNeuteringWatchpoint::create):
        (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
        * runtime/ArrayBufferNeuteringWatchpoint.h: Added.
        (JSC::ArrayBufferNeuteringWatchpoint::set):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-12-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r160116.
        http://trac.webkit.org/changeset/160116
        https://bugs.webkit.org/show_bug.cgi?id=125264

        Change doesn't work as intended. See bug comments for details.
        (Requested by bfulgham on #webkit).

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):

2013-12-04  Oliver Hunt  <oliver@apple.com>

        Refactor static getter function prototype to include thisValue in addition to the base object
        https://bugs.webkit.org/show_bug.cgi?id=124461

        Reviewed by Geoffrey Garen.

        Add thisValue parameter to static getter prototype, and switch
        from JSValue to EncodedJSValue for parameters and return value.

        Currently none of the static getters use the thisValue, but
        separating out the refactoring will prevent future changes
        from getting lost in the noise of refactoring. This means
        that this patch does not result in any change in behaviour.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * jit/JITOperations.cpp:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        (JSC::JSFunction::nameGetter):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorNaNValue):
        (JSC::numberConstructorNegInfinity):
        (JSC::numberConstructorPosInfinity):
        (JSC::numberConstructorMaxValue):
        (JSC::numberConstructorMinValue):
        * runtime/PropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::asRegExpConstructor):
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        * runtime/RegExpObject.cpp:
        (JSC::asRegExpObject):
        (JSC::regExpObjectGlobal):
        (JSC::regExpObjectIgnoreCase):
        (JSC::regExpObjectMultiline):
        (JSC::regExpObjectSource):

2013-12-04  Daniel Bates  <dabates@apple.com>

        [iOS] Enable Objective-C ARC when building JSC tools for iOS simulator
        https://bugs.webkit.org/show_bug.cgi?id=125170

        Reviewed by Geoffrey Garen.

        * API/tests/testapi.mm:
        * Configurations/ToolExecutable.xcconfig:

2013-12-04  peavo@outlook.com  <peavo@outlook.com>

        Use ThreadingOnce class to encapsulate pthread_once functionality.
        https://bugs.webkit.org/show_bug.cgi?id=125228

        Reviewed by Brent Fulgham.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):

2013-12-04  Mark Lam  <mark.lam@apple.com>

        Remove unneeded semicolons.
        https://bugs.webkit.org/show_bug.cgi?id=125083.

        Rubber-stamped by Filip Pizlo.

        * debugger/Debugger.h:
        (JSC::Debugger::detach):
        (JSC::Debugger::sourceParsed):
        (JSC::Debugger::exception):
        (JSC::Debugger::atStatement):
        (JSC::Debugger::callEvent):
        (JSC::Debugger::returnEvent):
        (JSC::Debugger::willExecuteProgram):
        (JSC::Debugger::didExecuteProgram):
        (JSC::Debugger::didReachBreakpoint):

2013-12-04  Andy Estes  <aestes@apple.com>

        [iOS] Build projects with $(ARCHS_STANDARD_32_64_BIT)
        https://bugs.webkit.org/show_bug.cgi?id=125236

        Reviewed by Sam Weinig.

        $(ARCHS_STANDARD_32_64_BIT) is what we want for both device and simulator builds.

        * Configurations/DebugRelease.xcconfig:

2013-12-03  Filip Pizlo  <fpizlo@apple.com>

        Infer constant closure variables
        https://bugs.webkit.org/show_bug.cgi?id=124630

        Reviewed by Geoffrey Garen.

        Captured variables that are assigned once (not counting op_enter's Undefined
        initialization) and that are contained within a function that has thus far only been
        entered once are now constant folded. It's pretty awesome.

        This involves a watchpoint on the assignment to variables and a watchpoint on entry
        into the function. The former is reused from global variable constant inference and the
        latter is reused from one-time closure inference.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedInstruction::UnlinkedInstruction):
        * bytecode/VariableWatchpointSet.h:
        (JSC::VariableWatchpointSet::invalidate):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::invalidate):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitInitLazyRegister):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::watchableVariable):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::inferredConstant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetActivation):
        (JSC::DFG::Graph::tryGetRegisters):
        * dfg/DFGGraph.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_captured_mov):
        (JSC::JIT::emit_op_new_captured_func):
        (JSC::JIT::emitSlow_op_captured_mov):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_captured_mov):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/ConstantMode.h: Added.
        * runtime/JSGlobalObject.h:
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):

2013-12-04  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed project file gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Remove deleted files from project.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Put files in proper directory
        folders to match the directory structure of the source code.

2013-12-04  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed Windows Build Fix attempt after r160099.

        * JavaScriptCore.vcxproj/copy-files.cmd:

2013-12-04  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION (r160094): Fix lots of crashes for sh4 architecture.
        https://bugs.webkit.org/show_bug.cgi?id=125227

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter32_64.asm: Do not use t4 and t5 as they match a0 and a1.
        * offlineasm/registers.rb: Add t7, t8 and t9 in register list for sh4 port.
        * offlineasm/sh4.rb: Rearrange RegisterID list and add the missing ones.

2013-12-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Push Remote Inspector debugging connection management into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=124613

        Reviewed by Timothy Hatcher.

        Move the ENABLE(REMOTE_INSPECTOR) remote debugger connection management
        into JavaScriptCore (originally from WebKit/mac). Include enhancements:

          * allow for different types of remote debuggable targets,
            eventually at least a JSContext, WebView, WKView.
          * allow debuggables to be registered and debugged on any thread. Unlike
            WebViews, JSContexts may be run entirely off of the main thread.
          * move the remote connection (XPC connection) itself off of the main thread,
            it doesn't need to be on the main thread.

        Make JSContext @class and JavaScriptCore::JSContextRef
        "JavaScript" Remote Debuggables.

        * inspector/remote/RemoteInspectorDebuggable.h: Added.
        * inspector/remote/RemoteInspectorDebuggable.cpp: Added.
        (Inspector::RemoteInspectorDebuggable::RemoteInspectorDebuggable):
        (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
        (Inspector::RemoteInspectorDebuggable::init):
        (Inspector::RemoteInspectorDebuggable::update):
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        (Inspector::RemoteInspectorDebuggable::info):
        RemoteInspectorDebuggable defines a debuggable target. As long as
        something creates a debuggable and is set to allow remote inspection
        it will be listed in remote debuggers. For the different types of
        debuggables (JavaScript and Web) there is different basic information
        that may be listed.

        * inspector/InspectorFrontendChannel.h: Added.
        (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel):
        The only thing a debuggable needs for remote debugging is an
        InspectorFrontendChannel, a way to send messages to a remote frontend.
        This class provides that method, and is vended to the
        RemoteInspectorDebuggable when a remote connection is set up.

        * inspector/remote/RemoteInspector.h: Added.
        * inspector/remote/RemoteInspector.mm: Added.
        Singleton, created at least when the first Debuggable is created.
        This class manages the list of debuggables, any connection to a
        remote debugger proxy (XPC service "com.apple.webinspector").

        (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable):
        (Inspector::RemoteInspector::shared):
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::nextAvailableIdentifier):
        (Inspector::RemoteInspector::registerDebuggable):
        (Inspector::RemoteInspector::unregisterDebuggable):
        (Inspector::RemoteInspector::updateDebuggable):
        Debuggable management. When debuggables are added, removed, or updated
        we stash a copy of the debuggable information and push an update to
        debuggers. Stashing a copy of the information in the RemoteInspector
        is a thread safe way to avoid walking over all debuggables to gather
        the information when it is needed.

        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::stop):
        Runtime API to enable / disable the feature.

        (Inspector::RemoteInspector::listingForDebuggable):
        (Inspector::RemoteInspector::pushListingNow):
        (Inspector::RemoteInspector::pushListingSoon):
        Pushing a listing to remote debuggers.

        (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::xpcConnectionUnhandledMessage):
        XPC setup, send, and receive handling.

        (Inspector::RemoteInspector::updateHasActiveDebugSession):
        Applications being debugged may want to know when a debug
        session is active. This provides that notification.

        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::receivedDataMessage):
        (Inspector::RemoteInspector::receivedDidCloseMessage):
        (Inspector::RemoteInspector::receivedGetListingMessage):
        (Inspector::RemoteInspector::receivedIndicateMessage):
        (Inspector::RemoteInspector::receivedConnectionDiedMessage):
        Dispatching incoming remote debugging protocol messages.
        These are wrapping above the inspector protocol messages.

        * inspector/remote/RemoteInspectorConstants.h: Added.
        Protocol messages and dictionary keys inside the messages.

        (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
        * inspector/remote/RemoteInspectorDebuggableConnection.h: Added.
        * inspector/remote/RemoteInspectorDebuggableConnection.mm: Added.
        This is a connection between the RemoteInspector singleton and a RemoteInspectorDebuggable.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        Allow for dispatching messages on JavaScript debuggables on a dispatch_queue
        instead of the main queue.

        (Inspector::RemoteInspectorDebuggableConnection::destination):
        (Inspector::RemoteInspectorDebuggableConnection::connectionIdentifier):
        Needed in the remote debugging protocol to identify the remote debugger.

        (Inspector::RemoteInspectorDebuggableConnection::dispatchSyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::close):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
        The connection is a thin channel between the two sides that can be closed
        from either side, so there is some logic around multi-threaded access.

        * inspector/remote/RemoteInspectorXPCConnection.h: Added.
        (Inspector::RemoteInspectorXPCConnection::Client::~Client):
        * inspector/remote/RemoteInspectorXPCConnection.mm: Added.
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::~RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::close):
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):
        (Inspector::RemoteInspectorXPCConnection::sendMessage):
        This is a connection between the RemoteInspector singleton and an XPC service
        named "com.apple.webinspector". This handles serialization of the dictionary
        messages to and from the service. The receiving is done on a non-main queue.

        * API/JSContext.h:
        * API/JSContext.mm:
        (-[JSContext name]):
        (-[JSContext setName:]):
        ObjC API to enable/disable JSContext remote inspection and give a name.

        * API/JSContextRef.h:
        * API/JSContextRef.cpp:
        (JSGlobalContextGetName):
        (JSGlobalContextSetName):
        C API to give a JSContext a name.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setName):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::name):
        Shared handling of the APIs above.

        * runtime/JSGlobalObjectDebuggable.cpp: Added.
        (JSC::JSGlobalObjectDebuggable::JSGlobalObjectDebuggable):
        (JSC::JSGlobalObjectDebuggable::name):
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
        * runtime/JSGlobalObjectDebuggable.h: Added.
        Stub for the actual remote debugging implementation. We will push
        down the appropriate WebCore/inspector pieces suitable for debugging
        just a JavaScript context.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Update build files.

2013-12-04  Michael Saboff  <msaboff@apple.com>

        Move the setting up of callee's callFrame from pushFrame to callToJavaScript thunk
        https://bugs.webkit.org/show_bug.cgi?id=123999

        Reviewed by Filip Pizlo.

        Changed LLInt and/or JIT enabled ports to allocate the stack frame in the
        callToJavaScript stub. Added an additional stub, callToNativeFunction that
        allocates a stack frame in a similar way for calling native entry points
        that take a single ExecState* argument. These stubs are implemented
        using common macros in LowLevelInterpreter{32_64,64}.asm. There are also
        Windows X86 and X86-64 versions in the corresponding JitStubsXX.h.
        The stubs allocate and create a sentinel frame, then create the callee's
        frame, populating the header and arguments from the passed in ProtoCallFrame*.
        It is assumed that the caller of either stub does a check for enough stack space
        via JSStack::entryCheck().

        For ports using the C-Loop interpreter, the prior method for allocating stack
        frame and invoking functions is used, namely with JSStack::pushFrame() and
        ::popFrame().

        Made spelling changes "sentinal" -> "sentinel".

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        (JSC::CachedCall::setThis):
        (JSC::CachedCall::setArgument):
        * interpreter/CallFrameClosure.h:
        (JSC::CallFrameClosure::resetCallFrame):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/Interpreter.h:
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::entryCheck):
        (JSC::JSStack::pushFrame):
        (JSC::JSStack::popFrame):
        * interpreter/ProtoCallFrame.cpp: Added.
        (JSC::ProtoCallFrame::init):
        * interpreter/ProtoCallFrame.h: Added.
        (JSC::ProtoCallFrame::codeBlock):
        (JSC::ProtoCallFrame::setCodeBlock):
        (JSC::ProtoCallFrame::setScope):
        (JSC::ProtoCallFrame::setCallee):
        (JSC::ProtoCallFrame::argumentCountIncludingThis):
        (JSC::ProtoCallFrame::argumentCount):
        (JSC::ProtoCallFrame::setArgumentCountIncludingThis):
        (JSC::ProtoCallFrame::setPaddedArgsCount):
        (JSC::ProtoCallFrame::clearCurrentVPC):
        (JSC::ProtoCallFrame::setThisValue):
        (JSC::ProtoCallFrame::setArgument):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITCode.h:
        * jit/JITOperations.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArgList.h:
        (JSC::ArgList::data):
        * runtime/JSArray.cpp:
        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):

2013-12-04  László Langó  <lango@inf.u-szeged.hu>

        Remove stdio.h from JSC files.
        https://bugs.webkit.org/show_bug.cgi?id=125220

        Reviewed by Michael Saboff.

        * interpreter/VMInspector.cpp:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * runtime/Completion.cpp:
        * runtime/IndexingType.cpp:
        * runtime/Lookup.h:
        * runtime/Operations.cpp:
        * runtime/Options.cpp:
        * runtime/RegExp.cpp:

2013-12-04  László Langó  <lango@inf.u-szeged.hu>

        Avoid adding a zero offset in BaseIndex.
        https://bugs.webkit.org/show_bug.cgi?id=125215

        Reviewed by Michael Saboff.
14062 14063 When using cloop do not generate offsets additions for BaseIndex if the offset is zero. 14064 14065 * offlineasm/cloop.rb: 14066 140672013-12-04 Peter Molnar <pmolnar.u-szeged@partner.samsung.com> 14068 14069 Fix !ENABLE(JAVASCRIPT_DEBUGGER) build. 14070 https://bugs.webkit.org/show_bug.cgi?id=125083 14071 14072 Reviewed by Mark Lam. 14073 14074 * debugger/Debugger.cpp: 14075 * debugger/Debugger.h: 14076 (JSC::Debugger::Debugger): 14077 (JSC::Debugger::needsOpDebugCallbacks): 14078 (JSC::Debugger::needsExceptionCallbacks): 14079 (JSC::Debugger::detach): 14080 (JSC::Debugger::sourceParsed): 14081 (JSC::Debugger::exception): 14082 (JSC::Debugger::atStatement): 14083 (JSC::Debugger::callEvent): 14084 (JSC::Debugger::returnEvent): 14085 (JSC::Debugger::willExecuteProgram): 14086 (JSC::Debugger::didExecuteProgram): 14087 (JSC::Debugger::didReachBreakpoint): 14088 * debugger/DebuggerPrimitives.h: 14089 * jit/JITOpcodes.cpp: 14090 (JSC::JIT::emit_op_debug): 14091 * jit/JITOpcodes32_64.cpp: 14092 (JSC::JIT::emit_op_debug): 14093 * llint/LLIntOfflineAsmConfig.h: 14094 * llint/LowLevelInterpreter.asm: 14095 140962013-12-03 Mark Lam <mark.lam@apple.com> 14097 14098 testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size(). 14099 https://bugs.webkit.org/show_bug.cgi?id=121972. 14100 14101 Reviewed by Brent Fulgham. 14102 14103 * interpreter/JSStack.cpp: 14104 (JSC::JSStack::~JSStack): 14105 - Reverting the change from r160004 since it's better to fix OSAllocatorWin 14106 to be consistent with OSAllocatorPosix. 14107 141082013-12-03 Mark Lam <mark.lam@apple.com> 14109 14110 Fix LLINT_C_LOOP build for Win64. 14111 https://bugs.webkit.org/show_bug.cgi?id=125186. 14112 14113 Reviewed by Michael Saboff. 14114 14115 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 14116 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 14117 * jit/JITOperationsMSVC64.cpp: Added. 
14118 (JSC::getHostCallReturnValueWithExecState): 14119 - Win64 will build JITStubMSVC64.asm even when !ENABLE(JIT). This results 14120 in a linkage error due to a missing getHostCallReturnValueWithExecState(). 14121 So, we add a stub getHostCallReturnValueWithExecState() here to satisfy 14122 that linkage. This function will never be called. 14123 The alternative to providing such a stub is to make the MSVC project 14124 recognize if the JIT is enabled or not, and exclude JITStubMSVC64.asm 14125 if it's not enabled. We don't currently set ENABLE(JIT) via the MSVC 14126 project and the work to do that is too much trouble for what we're trying 14127 to achieve here. So, we're opting for this simpler workaround instead. 14128 14129 * llint/LowLevelInterpreter.asm: 14130 * llint/LowLevelInterpreter.cpp: 14131 (JSC::CLoop::execute): 14132 - Don't build callToJavaScript if we're building the C loop. Otherwise, 14133 the C loop won't build if !ENABLE(COMPUTE_GOTO_OPCODES). 14134 141352013-12-03 Michael Saboff <msaboff@apple.com> 14136 14137 ARM64: Crash in JIT code due to improper reuse of cached memory temp register 14138 https://bugs.webkit.org/show_bug.cgi?id=125181 14139 14140 Reviewed by Geoffrey Garen. 14141 14142 Changed load8() and load() to invalidate the memory temp CachedTempRegister when the 14143 destination of an absolute load is the memory temp register since the source address 14144 is also the memory temp register. Change branch{8,32,64} of an AbsoluteAddress with 14145 a register to use the dataTempRegister as the destinate of the absolute load to 14146 reduce the chance that we need to invalidate the memory temp register cache. 14147 In the process, found and fixed an outright bug in branch8() where we'd load into 14148 the data temp register and then compare and branch on the memory temp register. 
14149 14150 * assembler/MacroAssemblerARM64.h: 14151 (JSC::MacroAssemblerARM64::load8): 14152 (JSC::MacroAssemblerARM64::branch32): 14153 (JSC::MacroAssemblerARM64::branch64): 14154 (JSC::MacroAssemblerARM64::branch8): 14155 (JSC::MacroAssemblerARM64::load): 14156 141572013-12-03 Michael Saboff <msaboff@apple.com> 14158 14159 jit/JITArithmetic.cpp doesn't build for non-X86 ports 14160 https://bugs.webkit.org/show_bug.cgi?id=125185 14161 14162 Rubber stamped by Mark Hahnenberg. 14163 14164 Removed unused declarations and related UNUSED_PARAM(). 14165 14166 * jit/JITArithmetic.cpp: 14167 (JSC::JIT::emit_op_mod): 14168 141692013-12-03 Filip Pizlo <fpizlo@apple.com> 14170 14171 ObjectAllocationProfile is racy and the DFG should be cool with that 14172 https://bugs.webkit.org/show_bug.cgi?id=125172 14173 <rdar://problem/15233487> 14174 14175 Reviewed by Mark Hahnenberg. 14176 14177 We would previously sometimes get a null Structure because checking if the profile is non-null and loading 14178 the structure from it were two separate operations. 14179 14180 * dfg/DFGAbstractInterpreterInlines.h: 14181 (JSC::DFG::::executeEffects): 14182 * dfg/DFGAbstractValue.cpp: 14183 (JSC::DFG::AbstractValue::setFuturePossibleStructure): 14184 * dfg/DFGByteCodeParser.cpp: 14185 (JSC::DFG::ByteCodeParser::parseBlock): 14186 * runtime/JSFunction.h: 14187 (JSC::JSFunction::allocationProfile): 14188 (JSC::JSFunction::allocationStructure): 14189 141902013-12-03 peavo@outlook.com <peavo@outlook.com> 14191 14192 testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size() 14193 https://bugs.webkit.org/show_bug.cgi?id=121972 14194 14195 Reviewed by Michael Saboff. 14196 14197 The reason for the crash is that the wrong memory block is decommitted. 14198 This can happen if no memory has been committed in the reserved block before the JSStack object is destroyed. 
14199 In the JSStack destructor, the pointer to decommit then points to the end of the block (or the start of the next), and the decommit size is zero. 14200 If there is a block just after the block we are trying to decommit, this block will be decommitted, since Windows will decommit the whole block, 14201 if the decommit size is zero (see VirtualFree). When somebody tries to read/write to this block later, we crash. 14202 14203 * interpreter/JSStack.cpp: 14204 (JSC::JSStack::~JSStack): Don't decommit memory if nothing has been committed. 14205 142062013-12-03 László Langó <lango@inf.u-szeged.hu> 14207 14208 Guard JIT include. 14209 https://bugs.webkit.org/show_bug.cgi?id=125063 14210 14211 Reviewed by Filip Pizlo. 14212 14213 * llint/LLIntThunks.cpp: 14214 142152013-12-03 Julien Brianceau <jbriance@cisco.com> 14216 14217 Merge mips and arm/sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions. 14218 https://bugs.webkit.org/show_bug.cgi?id=125067 14219 14220 Reviewed by Michael Saboff. 14221 14222 * jit/JITOpcodes32_64.cpp: 14223 (JSC::JIT::privateCompileCTINativeCall): 14224 * jit/ThunkGenerators.cpp: 14225 (JSC::nativeForGenerator): 14226 142272013-12-02 Mark Lam <mark.lam@apple.com> 14228 14229 Build failure when disabling JIT, YARR_JIT, and ASSEMBLER. 14230 https://bugs.webkit.org/show_bug.cgi?id=123809. 14231 14232 Reviewed by Geoffrey Garen. 14233 14234 Also fixed build when disabling the DISASSEMBLER. 14235 Added some needed #if's and some comments. 
14236 14237 * assembler/LinkBuffer.cpp: 14238 (JSC::LinkBuffer::finalizeCodeWithDisassembly): 14239 * dfg/DFGDisassembler.cpp: 14240 * dfg/DFGDisassembler.h: 14241 (JSC::DFG::Disassembler::Disassembler): 14242 (JSC::DFG::Disassembler::setStartOfCode): 14243 (JSC::DFG::Disassembler::setForBlockIndex): 14244 (JSC::DFG::Disassembler::setForNode): 14245 (JSC::DFG::Disassembler::setEndOfMainPath): 14246 (JSC::DFG::Disassembler::setEndOfCode): 14247 (JSC::DFG::Disassembler::dump): 14248 (JSC::DFG::Disassembler::reportToProfiler): 14249 * disassembler/Disassembler.cpp: 14250 * disassembler/X86Disassembler.cpp: 14251 * jit/FPRInfo.h: 14252 * jit/GPRInfo.h: 14253 * jit/JITDisassembler.cpp: 14254 * jit/JITDisassembler.h: 14255 (JSC::JITDisassembler::JITDisassembler): 14256 (JSC::JITDisassembler::setStartOfCode): 14257 (JSC::JITDisassembler::setForBytecodeMainPath): 14258 (JSC::JITDisassembler::setForBytecodeSlowPath): 14259 (JSC::JITDisassembler::setEndOfSlowPath): 14260 (JSC::JITDisassembler::setEndOfCode): 14261 (JSC::JITDisassembler::dump): 14262 (JSC::JITDisassembler::reportToProfiler): 14263 142642013-12-02 Filip Pizlo <fpizlo@apple.com> 14265 14266 Baseline JIT calls to CommonSlowPaths shouldn't restore the last result 14267 https://bugs.webkit.org/show_bug.cgi?id=125107 14268 14269 Reviewed by Mark Hahnenberg. 14270 14271 Just killing dead code. 
14272 14273 * jit/JITArithmetic.cpp: 14274 (JSC::JIT::emitSlow_op_negate): 14275 (JSC::JIT::emitSlow_op_lshift): 14276 (JSC::JIT::emitSlow_op_rshift): 14277 (JSC::JIT::emitSlow_op_urshift): 14278 (JSC::JIT::emitSlow_op_bitand): 14279 (JSC::JIT::emitSlow_op_inc): 14280 (JSC::JIT::emitSlow_op_dec): 14281 (JSC::JIT::emitSlow_op_mod): 14282 (JSC::JIT::emit_op_mod): 14283 (JSC::JIT::compileBinaryArithOpSlowCase): 14284 (JSC::JIT::emitSlow_op_div): 14285 * jit/JITArithmetic32_64.cpp: 14286 (JSC::JIT::emitSlow_op_negate): 14287 (JSC::JIT::emitSlow_op_lshift): 14288 (JSC::JIT::emitRightShiftSlowCase): 14289 (JSC::JIT::emitSlow_op_bitand): 14290 (JSC::JIT::emitSlow_op_bitor): 14291 (JSC::JIT::emitSlow_op_bitxor): 14292 (JSC::JIT::emitSlow_op_inc): 14293 (JSC::JIT::emitSlow_op_dec): 14294 (JSC::JIT::emitSlow_op_add): 14295 (JSC::JIT::emitSlow_op_sub): 14296 (JSC::JIT::emitSlow_op_mul): 14297 (JSC::JIT::emitSlow_op_div): 14298 * jit/JITOpcodes.cpp: 14299 (JSC::JIT::emit_op_strcat): 14300 (JSC::JIT::emitSlow_op_get_callee): 14301 (JSC::JIT::emitSlow_op_create_this): 14302 (JSC::JIT::emitSlow_op_to_this): 14303 (JSC::JIT::emitSlow_op_to_primitive): 14304 (JSC::JIT::emitSlow_op_not): 14305 (JSC::JIT::emitSlow_op_bitxor): 14306 (JSC::JIT::emitSlow_op_bitor): 14307 (JSC::JIT::emitSlow_op_stricteq): 14308 (JSC::JIT::emitSlow_op_nstricteq): 14309 (JSC::JIT::emitSlow_op_to_number): 14310 * jit/JITOpcodes32_64.cpp: 14311 (JSC::JIT::emitSlow_op_to_primitive): 14312 (JSC::JIT::emitSlow_op_not): 14313 (JSC::JIT::emitSlow_op_stricteq): 14314 (JSC::JIT::emitSlow_op_nstricteq): 14315 (JSC::JIT::emitSlow_op_to_number): 14316 (JSC::JIT::emitSlow_op_get_callee): 14317 (JSC::JIT::emitSlow_op_create_this): 14318 (JSC::JIT::emitSlow_op_to_this): 14319 143202013-12-01 Filip Pizlo <fpizlo@apple.com> 14321 14322 Stores to local captured variables should be intercepted 14323 https://bugs.webkit.org/show_bug.cgi?id=124883 14324 14325 Reviewed by Mark Hahnenberg. 
14326 14327 Previously, in bytecode, you could assign to a captured variable just as you would 14328 assign to any other kind of variable. This complicates closure variable constant 14329 inference because we don't have any place where we can intercept stores to captured 14330 variables in the LLInt. 14331 14332 This patch institutes a policy that only certain instructions can store to captured 14333 variables. If you interpret those instructions and you are required to notifyWrite() 14334 then you need to check if the relevant variable is captured. Those instructions are 14335 tracked in CodeBlock.cpp's VerifyCapturedDef. The main one is simply op_captured_mov. 14336 In the future, we'll probably modify those instructions to have a pointer directly to 14337 the VariableWatchpointSet; but for now we just introduce the captured instructions as 14338 placeholders. 14339 14340 In order to validate that the placeholders are inserted correctly, this patch improves 14341 the CodeBlock validation to be able to inspect every def in the bytecode. To do that, 14342 this patch refactors the liveness analysis' use/def calculator to be reusable; it now 14343 takes a functor for each use or def. 14344 14345 In the process of refactoring the liveness analysis, I noticed that op_enter was 14346 claiming to def all callee registers. That's wrong; it only defs the non-temporary 14347 variables. Making that change revealed preexisting bugs in the liveness analysis, since 14348 now the validator would pick up cases where the bytecode claimed to use a temporary and 14349 the def calculator never noticed the definition (or the converse - where the bytecode 14350 was actually not using a temporary but the liveness analysis thought that it was a 14351 use). This patch fixes a few of those bugs. 
14352 14353 * GNUmakefile.list.am: 14354 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 14355 * JavaScriptCore.xcodeproj/project.pbxproj: 14356 * bytecode/BytecodeLivenessAnalysis.cpp: 14357 (JSC::stepOverInstruction): 14358 * bytecode/BytecodeUseDef.h: Added. 14359 (JSC::computeUsesForBytecodeOffset): 14360 (JSC::computeDefsForBytecodeOffset): 14361 * bytecode/CodeBlock.cpp: 14362 (JSC::CodeBlock::dumpBytecode): 14363 (JSC::CodeBlock::isCaptured): 14364 (JSC::CodeBlock::validate): 14365 * bytecode/CodeBlock.h: 14366 * bytecode/Opcode.h: 14367 (JSC::padOpcodeName): 14368 * bytecompiler/BytecodeGenerator.cpp: 14369 (JSC::BytecodeGenerator::BytecodeGenerator): 14370 (JSC::BytecodeGenerator::resolveCallee): 14371 (JSC::BytecodeGenerator::emitMove): 14372 (JSC::BytecodeGenerator::isCaptured): 14373 (JSC::BytecodeGenerator::local): 14374 (JSC::BytecodeGenerator::constLocal): 14375 (JSC::BytecodeGenerator::emitNewFunction): 14376 (JSC::BytecodeGenerator::emitLazyNewFunction): 14377 (JSC::BytecodeGenerator::emitNewFunctionInternal): 14378 * bytecompiler/BytecodeGenerator.h: 14379 (JSC::Local::Local): 14380 (JSC::Local::isCaptured): 14381 (JSC::Local::captureMode): 14382 (JSC::BytecodeGenerator::captureMode): 14383 (JSC::BytecodeGenerator::emitNode): 14384 (JSC::BytecodeGenerator::pushOptimisedForIn): 14385 * bytecompiler/NodesCodegen.cpp: 14386 (JSC::PostfixNode::emitResolve): 14387 (JSC::PrefixNode::emitResolve): 14388 (JSC::ReadModifyResolveNode::emitBytecode): 14389 (JSC::AssignResolveNode::emitBytecode): 14390 (JSC::ConstDeclNode::emitCodeSingle): 14391 (JSC::ForInNode::emitBytecode): 14392 * dfg/DFGByteCodeParser.cpp: 14393 (JSC::DFG::ByteCodeParser::parseBlock): 14394 * dfg/DFGCapabilities.cpp: 14395 (JSC::DFG::capabilityLevel): 14396 * jit/JIT.cpp: 14397 (JSC::JIT::privateCompileMainPass): 14398 * llint/LowLevelInterpreter32_64.asm: 14399 * llint/LowLevelInterpreter64.asm: 14400 * runtime/SymbolTable.h: 14401 (JSC::SymbolTable::isCaptured): 14402 144032013-12-02 
Filip Pizlo <fpizlo@apple.com> 14404 14405 Instead of watchpointing activation allocation, we should watchpoint entry into functions that have captured variables 14406 https://bugs.webkit.org/show_bug.cgi?id=125052 14407 14408 Reviewed by Mark Hahnenberg. 14409 14410 This makes us watch function entry rather than activation creation. We only incur the 14411 costs of doing so for functions that have captured variables, and only on the first two 14412 entries into the function. This means that closure variable constant inference will 14413 naturally work even for local uses of the captured variable, like: 14414 14415 (function(){ 14416 var blah = 42; 14417 ... // stuff 14418 function () { ... blah /* we can fold this to 42 */ } 14419 ... blah // we can also fold this to 42. 14420 })(); 14421 14422 Previously, only the nested use would have been foldable. 14423 14424 * bytecode/BytecodeLivenessAnalysis.cpp: 14425 (JSC::computeUsesForBytecodeOffset): 14426 (JSC::computeDefsForBytecodeOffset): 14427 * bytecode/CodeBlock.cpp: 14428 (JSC::CodeBlock::dumpBytecode): 14429 * bytecode/Opcode.h: 14430 (JSC::padOpcodeName): 14431 * bytecode/Watchpoint.h: 14432 (JSC::WatchpointSet::touch): 14433 (JSC::InlineWatchpointSet::touch): 14434 * bytecompiler/BytecodeGenerator.cpp: 14435 (JSC::BytecodeGenerator::BytecodeGenerator): 14436 * dfg/DFGAbstractInterpreterInlines.h: 14437 (JSC::DFG::::executeEffects): 14438 * dfg/DFGByteCodeParser.cpp: 14439 (JSC::DFG::ByteCodeParser::parseBlock): 14440 * dfg/DFGCapabilities.cpp: 14441 (JSC::DFG::capabilityLevel): 14442 * dfg/DFGClobberize.h: 14443 (JSC::DFG::clobberize): 14444 * dfg/DFGFixupPhase.cpp: 14445 (JSC::DFG::FixupPhase::fixupNode): 14446 * dfg/DFGNode.h: 14447 (JSC::DFG::Node::hasSymbolTable): 14448 * dfg/DFGNodeType.h: 14449 * dfg/DFGPredictionPropagationPhase.cpp: 14450 (JSC::DFG::PredictionPropagationPhase::propagate): 14451 * dfg/DFGSafeToExecute.h: 14452 (JSC::DFG::safeToExecute): 14453 * dfg/DFGSpeculativeJIT32_64.cpp: 14454 
(JSC::DFG::SpeculativeJIT::compile): 14455 * dfg/DFGSpeculativeJIT64.cpp: 14456 (JSC::DFG::SpeculativeJIT::compile): 14457 * dfg/DFGWatchpointCollectionPhase.cpp: 14458 (JSC::DFG::WatchpointCollectionPhase::handle): 14459 * ftl/FTLCapabilities.cpp: 14460 (JSC::FTL::canCompile): 14461 * ftl/FTLLowerDFGToLLVM.cpp: 14462 (JSC::FTL::LowerDFGToLLVM::compileNode): 14463 * jit/JIT.cpp: 14464 (JSC::JIT::privateCompileMainPass): 14465 * jit/JIT.h: 14466 * jit/JITOpcodes.cpp: 14467 (JSC::JIT::emit_op_touch_entry): 14468 * llint/LowLevelInterpreter.asm: 14469 * runtime/CommonSlowPaths.cpp: 14470 (JSC::SLOW_PATH_DECL): 14471 * runtime/CommonSlowPaths.h: 14472 * runtime/JSActivation.h: 14473 (JSC::JSActivation::create): 14474 * runtime/SymbolTable.cpp: 14475 (JSC::SymbolTable::SymbolTable): 14476 * runtime/SymbolTable.h: 14477 144782013-12-02 Nick Diego Yamane <nick.yamane@openbossa.org> 14479 14480 [JSC] Get rid of some unused parameters in LLIntSlowPaths.cpp macros 14481 https://bugs.webkit.org/show_bug.cgi?id=125075 14482 14483 Reviewed by Michael Saboff. 14484 14485 * llint/LLIntSlowPaths.cpp: 14486 (JSC::LLInt::handleHostCall): added UNUSED_PARAM(pc). 14487 (JSC::LLInt::setUpCall): Doesn't pass 'pc' to LLINT_CALL macros. 14488 (JSC::LLInt::LLINT_SLOW_PATH_DECL): Ditto. 14489 144902013-12-02 László Langó <lango@inf.u-szeged.hu> 14491 14492 Remove stdio.h from JSC files. 14493 https://bugs.webkit.org/show_bug.cgi?id=125066 14494 14495 Reviewed by Michael Saboff. 14496 14497 Remove stdio.h, when it is not necessary to be included. 14498 14499 * bytecode/CodeBlock.cpp: 14500 * bytecode/StructureSet.h: 14501 * profiler/LegacyProfiler.cpp: 14502 * profiler/Profile.cpp: 14503 * profiler/ProfileNode.cpp: 14504 * yarr/YarrInterpreter.cpp: 14505 145062013-12-02 László Langó <lango@inf.u-szeged.hu> 14507 14508 Unused include files when building without JIT. 14509 https://bugs.webkit.org/show_bug.cgi?id=125062 14510 14511 Reviewed by Michael Saboff. 
14512 14513 We should organize the includes, and guard JIT methods 14514 in ValueRecovery. 14515 14516 * bytecode/ValueRecovery.cpp: Guard include files. 14517 * bytecode/ValueRecovery.h: Guard JIT methods. 14518 145192013-12-02 Balazs Kilvady <kilvadyb@homejinni.com> 14520 14521 [MIPS] Small stack frame causes regressions. 14522 https://bugs.webkit.org/show_bug.cgi?id=124945 14523 14524 Reviewed by Michael Saboff. 14525 14526 Fix stack space for LLInt on MIPS. 14527 14528 * llint/LowLevelInterpreter32_64.asm: 14529 145302013-12-02 Brian J. Burg <burg@cs.washington.edu> 14531 14532 jsc: implement a native readFile function 14533 https://bugs.webkit.org/show_bug.cgi?id=125059 14534 14535 Reviewed by Filip Pizlo. 14536 14537 This adds a native readFile() function to jsc, used to slurp 14538 an entire file into a JavaScript string. 14539 14540 * jsc.cpp: 14541 (GlobalObject::finishCreation): Add readFile() to globals. 14542 (functionReadFile): Added. 14543 145442013-12-02 László Langó <lango@inf.u-szeged.hu> 14545 14546 JSC does not build if OPCODE_STATS is enabled. 14547 https://bugs.webkit.org/show_bug.cgi?id=125011 14548 14549 Reviewed by Filip Pizlo. 14550 14551 * bytecode/Opcode.cpp: 14552 145532013-11-29 Filip Pizlo <fpizlo@apple.com> 14554 14555 Finally remove those DFG_ENABLE things 14556 https://bugs.webkit.org/show_bug.cgi?id=125025 14557 14558 Rubber stamped by Sam Weinig. 14559 14560 This removes a bunch of unused and untested insanity. 
14561 14562 * bytecode/CodeBlock.cpp: 14563 (JSC::CodeBlock::tallyFrequentExitSites): 14564 * dfg/DFGArgumentsSimplificationPhase.cpp: 14565 (JSC::DFG::ArgumentsSimplificationPhase::run): 14566 * dfg/DFGByteCodeParser.cpp: 14567 (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation): 14568 (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath): 14569 (JSC::DFG::ByteCodeParser::makeSafe): 14570 (JSC::DFG::ByteCodeParser::makeDivSafe): 14571 (JSC::DFG::ByteCodeParser::handleCall): 14572 (JSC::DFG::ByteCodeParser::handleInlining): 14573 (JSC::DFG::ByteCodeParser::parseBlock): 14574 (JSC::DFG::ByteCodeParser::linkBlock): 14575 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 14576 (JSC::DFG::ByteCodeParser::parseCodeBlock): 14577 (JSC::DFG::ByteCodeParser::parse): 14578 (JSC::DFG::parse): 14579 * dfg/DFGCFGSimplificationPhase.cpp: 14580 (JSC::DFG::CFGSimplificationPhase::run): 14581 (JSC::DFG::CFGSimplificationPhase::convertToJump): 14582 (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors): 14583 * dfg/DFGCSEPhase.cpp: 14584 (JSC::DFG::CSEPhase::endIndexForPureCSE): 14585 (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): 14586 (JSC::DFG::CSEPhase::setReplacement): 14587 (JSC::DFG::CSEPhase::eliminate): 14588 (JSC::DFG::CSEPhase::performNodeCSE): 14589 * dfg/DFGCommon.h: 14590 (JSC::DFG::verboseCompilationEnabled): 14591 (JSC::DFG::logCompilationChanges): 14592 (JSC::DFG::shouldDumpGraphAtEachPhase): 14593 * dfg/DFGConstantFoldingPhase.cpp: 14594 (JSC::DFG::ConstantFoldingPhase::foldConstants): 14595 * dfg/DFGFixupPhase.cpp: 14596 (JSC::DFG::FixupPhase::fixupNode): 14597 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): 14598 * dfg/DFGInPlaceAbstractState.cpp: 14599 (JSC::DFG::InPlaceAbstractState::initialize): 14600 (JSC::DFG::InPlaceAbstractState::endBasicBlock): 14601 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): 14602 (JSC::DFG::InPlaceAbstractState::mergeToSuccessors): 14603 * dfg/DFGJITCompiler.cpp: 14604 
(JSC::DFG::JITCompiler::compileBody): 14605 (JSC::DFG::JITCompiler::link): 14606 * dfg/DFGOSRExitCompiler.cpp: 14607 * dfg/DFGOSRExitCompiler32_64.cpp: 14608 (JSC::DFG::OSRExitCompiler::compileExit): 14609 * dfg/DFGOSRExitCompiler64.cpp: 14610 (JSC::DFG::OSRExitCompiler::compileExit): 14611 * dfg/DFGOSRExitCompilerCommon.cpp: 14612 (JSC::DFG::adjustAndJumpToTarget): 14613 * dfg/DFGPredictionInjectionPhase.cpp: 14614 (JSC::DFG::PredictionInjectionPhase::run): 14615 * dfg/DFGPredictionPropagationPhase.cpp: 14616 (JSC::DFG::PredictionPropagationPhase::run): 14617 (JSC::DFG::PredictionPropagationPhase::propagate): 14618 (JSC::DFG::PredictionPropagationPhase::propagateForward): 14619 (JSC::DFG::PredictionPropagationPhase::propagateBackward): 14620 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): 14621 * dfg/DFGScoreBoard.h: 14622 (JSC::DFG::ScoreBoard::use): 14623 * dfg/DFGSlowPathGenerator.h: 14624 (JSC::DFG::SlowPathGenerator::generate): 14625 * dfg/DFGSpeculativeJIT.cpp: 14626 (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution): 14627 (JSC::DFG::SpeculativeJIT::runSlowPathGenerators): 14628 (JSC::DFG::SpeculativeJIT::dump): 14629 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): 14630 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32): 14631 * dfg/DFGSpeculativeJIT.h: 14632 * dfg/DFGSpeculativeJIT32_64.cpp: 14633 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): 14634 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 14635 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 14636 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 14637 (JSC::DFG::SpeculativeJIT::compile): 14638 * dfg/DFGSpeculativeJIT64.cpp: 14639 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): 14640 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 14641 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 14642 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 14643 (JSC::DFG::SpeculativeJIT::compile): 14644 * dfg/DFGVariableEventStream.cpp: 14645 
(JSC::DFG::VariableEventStream::reconstruct): 14646 * dfg/DFGVariableEventStream.h: 14647 (JSC::DFG::VariableEventStream::appendAndLog): 14648 * dfg/DFGVirtualRegisterAllocationPhase.cpp: 14649 (JSC::DFG::VirtualRegisterAllocationPhase::run): 14650 * jit/JIT.cpp: 14651 (JSC::JIT::privateCompile): 14652 146532013-11-29 Filip Pizlo <fpizlo@apple.com> 14654 14655 FTL IC should nop-fill to make up the difference between the actual IC size and the requested patchpoint size 14656 https://bugs.webkit.org/show_bug.cgi?id=124960 14657 14658 Reviewed by Sam Weinig. 14659 14660 * assembler/LinkBuffer.h: 14661 (JSC::LinkBuffer::size): 14662 * assembler/X86Assembler.h: 14663 (JSC::X86Assembler::fillNops): 14664 * dfg/DFGDisassembler.cpp: 14665 (JSC::DFG::Disassembler::dumpHeader): 14666 * ftl/FTLCompile.cpp: 14667 (JSC::FTL::generateICFastPath): 14668 * jit/JITDisassembler.cpp: 14669 (JSC::JITDisassembler::dumpHeader): 14670 146712013-11-29 Julien Brianceau <jbriance@cisco.com> 14672 14673 Use moveDoubleToInts in SpecializedThunkJIT::returnDouble for non-X86 JSVALUE32_64 ports. 14674 https://bugs.webkit.org/show_bug.cgi?id=124936 14675 14676 Reviewed by Zoltan Herczeg. 14677 14678 The moveDoubleToInts implementations in ARM, MIPS and SH4 macro assemblers do not clobber 14679 src FPRegister and are likely to be more efficient than the current generic implementation 14680 using the stack. 14681 14682 * jit/SpecializedThunkJIT.h: 14683 (JSC::SpecializedThunkJIT::returnDouble): 14684 146852013-11-29 Julien Brianceau <jbriance@cisco.com> 14686 14687 Merge arm and sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions. 14688 https://bugs.webkit.org/show_bug.cgi?id=124892 14689 14690 Reviewed by Zoltan Herczeg. 14691 14692 * assembler/MacroAssemblerSH4.h: 14693 (JSC::MacroAssemblerSH4::call): Pick a scratch register instead of getting it as a 14694 parameter. The sh4 port was the only one to have this call(Address, RegisterID) prototype. 
14695 * jit/JITOpcodes32_64.cpp: 14696 (JSC::JIT::privateCompileCTINativeCall): Use argumentGPRx and merge arm and sh4 paths. 14697 * jit/ThunkGenerators.cpp: 14698 (JSC::nativeForGenerator): Use argumentGPRx and merge arm and sh4 paths. 14699 147002013-11-28 Nadav Rotem <nrotem@apple.com> 14701 14702 Revert the X86 assembler peephole changes 14703 https://bugs.webkit.org/show_bug.cgi?id=124988 14704 14705 Reviewed by Csaba Osztrogonác. 14706 14707 * assembler/MacroAssemblerX86.h: 14708 (JSC::MacroAssemblerX86::add32): 14709 (JSC::MacroAssemblerX86::add64): 14710 (JSC::MacroAssemblerX86::or32): 14711 * assembler/MacroAssemblerX86Common.h: 14712 (JSC::MacroAssemblerX86Common::add32): 14713 (JSC::MacroAssemblerX86Common::or32): 14714 (JSC::MacroAssemblerX86Common::branchAdd32): 14715 * assembler/MacroAssemblerX86_64.h: 14716 (JSC::MacroAssemblerX86_64::add32): 14717 (JSC::MacroAssemblerX86_64::or32): 14718 (JSC::MacroAssemblerX86_64::add64): 14719 (JSC::MacroAssemblerX86_64::or64): 14720 (JSC::MacroAssemblerX86_64::xor64): 14721 147222013-11-28 Antti Koivisto <antti@apple.com> 14723 14724 Remove feature: CSS variables 14725 https://bugs.webkit.org/show_bug.cgi?id=114119 14726 14727 Reviewed by Andreas Kling. 14728 14729 * Configurations/FeatureDefines.xcconfig: 14730 147312013-11-28 Peter Gal <galpeter@inf.u-szeged.hu> 14732 14733 Typo fix after r159834 to fix 32 bit builds. 14734 14735 Reviewed by Csaba Osztrogonác. 14736 14737 * dfg/DFGSpeculativeJIT32_64.cpp: 14738 (JSC::DFG::SpeculativeJIT::compile): 14739 147402013-11-27 Nadav Rotem <nrotem@apple.com> 14741 14742 Add a bunch of early exits and local optimizations to the x86 assembler. 14743 https://bugs.webkit.org/show_bug.cgi?id=124904 14744 14745 Reviewed by Filip Pizlo. 
14746 14747 * assembler/MacroAssemblerX86.h: 14748 (JSC::MacroAssemblerX86::add32): 14749 (JSC::MacroAssemblerX86::add64): 14750 (JSC::MacroAssemblerX86::or32): 14751 * assembler/MacroAssemblerX86Common.h: 14752 (JSC::MacroAssemblerX86Common::add32): 14753 (JSC::MacroAssemblerX86Common::or32): 14754 * assembler/MacroAssemblerX86_64.h: 14755 (JSC::MacroAssemblerX86_64::add32): 14756 (JSC::MacroAssemblerX86_64::or32): 14757 (JSC::MacroAssemblerX86_64::add64): 14758 (JSC::MacroAssemblerX86_64::or64): 14759 (JSC::MacroAssemblerX86_64::xor64): 14760 147612013-11-27 Filip Pizlo <fpizlo@apple.com> 14762 14763 Infer one-time scopes 14764 https://bugs.webkit.org/show_bug.cgi?id=124812 14765 14766 Reviewed by Oliver Hunt. 14767 14768 This detects JSActivations that are created only once. The JSActivation pointer is then 14769 baked into the machine code. 14770 14771 This takes advantage of the one-time scope inference to reduce the number of 14772 indirections needed to get to a closure variable in case where the scope is only 14773 allocated once. This isn't really a speed-up since in the common case the total number 14774 of instruction bytes needed to load the scope from the stack is about equal to the 14775 number of instruction bytes needed to materialize the absolute address of a scoped 14776 variable. But, this is a necessary prerequisite to 14777 https://bugs.webkit.org/show_bug.cgi?id=124630, so it's probably a good idea anyway. 
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/Instruction.h:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::notifyWrite):
        (JSC::InlineWatchpointSet::notifyWrite):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolveScope):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getLocalLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetRegisters):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::varNumber):
        (JSC::DFG::Node::hasSymbolTable):
        (JSC::DFG::Node::symbolTable):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        (JSC::JSScope::abstractResolve):
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::registers):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::SymbolTable):
        * runtime/SymbolTable.h:

2013-11-27  Filip Pizlo  <fpizlo@apple.com>

        Finally fix some obvious Bartlett bugs
        https://bugs.webkit.org/show_bug.cgi?id=124951

        Reviewed by Mark Hahnenberg.

        Sanitize the stack (i.e. zero parts of it known to be dead) at three key points:

        - GC.

        - At beginning of OSR entry.

        - Just as we finish preparing OSR entry. This clears those slots on the stack that
          could have been live in baseline but that are known to be dead in DFG.

        This is as much as a 2x speed-up on splay if you run it in certain modes, and run it
        for a long enough interval. It appears to fix all instances of the dreaded exponential
        heap growth that splay gets into when some stale pointer stays around.

        This doesn't have much of an effect on real-world programs. This bug has only ever
        manifested in splay and for that reason we thus far opted against fixing it. But splay
        is, for what it's worth, the premier GC stress test in JavaScript - so making sure we
        can run it without pathologies - even when you tweak its configuration - is probably
        fairly important.
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::sanitizeStack):
        * interpreter/JSStack.h:

2013-11-26  Filip Pizlo  <fpizlo@apple.com>

        Do bytecode validation as part of testing
        https://bugs.webkit.org/show_bug.cgi?id=124913

        Reviewed by Oliver Hunt.

        Also fix some small bugs in the bytecode liveness analysis that I found by doing
        this validation thingy.

        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::isValidRegisterForLiveness):
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::validate):
        (JSC::CodeBlock::beginValidationDidFail):
        (JSC::CodeBlock::endValidationDidFail):
        * bytecode/CodeBlock.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Options.h:

2013-11-27  Andreas Kling  <akling@apple.com>

        Structure::m_staticFunctionReified should be a single bit.
        <https://webkit.org/b/124912>

        Shave 8 bytes off of JSC::Structure by jamming m_staticFunctionReified
        into the bitfield just above.

        Reviewed by Antti Koivisto.

2013-11-27  Andreas Kling  <akling@apple.com>

        JSActivation constructor should use NotNull placement new.
        <https://webkit.org/b/124909>

        Knock a null check outta the storage initialization loop.

        Reviewed by Antti Koivisto.

2013-11-26  Filip Pizlo  <fpizlo@apple.com>

        Restructure global variable constant inference so that it could work for any kind of symbol table variable
        https://bugs.webkit.org/show_bug.cgi?id=124760

        Reviewed by Oliver Hunt.
        This changes the way global variable constant inference works so that it can be reused
        for closure variable constant inference. Some of the premises that originally motivated
        this patch are somewhat wrong, but it led to some simplifications anyway and I suspect
        that we'll be able to fix those premises in the future. The main point of this patch is
        to make it easy to reuse global variable constant inference for closure variable
        constant inference, and this will be possible provided we can also either (a) infer
        one-shot closures (easy) or (b) infer closure variables that are always assigned prior
        to first use.

        One of the things that this patch is meant to enable is constant inference for closure
        variables that may be part of a multi-shot closure. Closure variables may be
        instantiated multiple times, like:

        function foo() {
            var WIDTH = 45;
            function bar() {
                ... use WIDTH ...
            }
            ...
        }

        Even if foo() is called many times and WIDTH is assigned to multiple times, that
        doesn't change the fact that it's a constant. The goal of closure variable constant
        inference is to catch any case where a closure variable has been assigned at least once
        and its value has never changed. This patch doesn't implement that, but it does change
        global variable constant inference to have most of the powers needed to do that. Note
        that most likely we will use this functionality only to implement constant inference
        for one-shot closures, but the resulting machinery is still simpler than what we had
        before.

        This involves three changes:

        - The watchpoint object now contains the inferred value. This involves creating a
          new kind of watchpoint set, the VariableWatchpointSet. We will reuse this object
          for closure variables.
        - Writing to a variable that is watchpointed still involves these three states that
          we proceed through monotonically (Uninitialized->Initialized->Invalidated) but
          now, the Initialized->Invalidated state transition only happens if we change the
          variable's value, rather than store to the variable. Repeatedly storing the same
          value won't change the variable's state.

        - On 64-bit systems (the only systems on which we do concurrent JIT), you no longer
          need fancy fencing to get a consistent view of the watchpoint in the JIT. The
          state of the VariableWatchpointSet for the purposes of constant folding is
          entirely encapsulated in the VariableWatchpointSet::m_inferredValue. If that is
          JSValue() then you cannot fold (either because the set is uninitialized or
          because it's invalidated - doesn't matter which); on the other hand if the value
          is anything other than JSValue() then you can fold, and that's the value you fold
          to. Simple!

        This also changes the way that DFG IR deals with variable watchpoints. It's now
        oblivious to global variables. You install a watchpoint using VariableWatchpoint and
        you notify write using NotifyWrite. Easy!

        Note that this will require some more tweaks because of the fact that op_enter will
        store Undefined into every captured variable. Hence it won't even work for one-shot
        closures. One-shot closures are easily fixed by introducing another state (so we'll
        have Uninitialized->Undefined->Initialized->Invalidated). Multi-shot closures will
        require static analysis. One-shot closures are clearly a higher priority.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Instruction.h:
        * bytecode/VariableWatchpointSet.h: Added.
        (JSC::VariableWatchpointSet::VariableWatchpointSet):
        (JSC::VariableWatchpointSet::~VariableWatchpointSet):
        (JSC::VariableWatchpointSet::inferredValue):
        (JSC::VariableWatchpointSet::notifyWrite):
        (JSC::VariableWatchpointSet::invalidate):
        (JSC::VariableWatchpointSet::finalizeUnconditionally):
        (JSC::VariableWatchpointSet::addressOfInferredValue):
        * bytecode/Watchpoint.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasRegisterPointer):
        (JSC::DFG::Node::hasVariableWatchpointSet):
        (JSC::DFG::Node::variableWatchpointSet):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        * jit/JIT.h:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::emitPutGlobalVar):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::emitPutGlobalVar):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSGlobalObject.h:
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::inferredValue):
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTableEntry::addWatchpoint):
        (JSC::SymbolTableEntry::notifyWriteSlow):
        (JSC::SymbolTable::visitChildren):
        (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup):
        (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup):
        (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::watchpointSet):
        (JSC::SymbolTableEntry::notifyWrite):

2013-11-24  Filip Pizlo  <fpizlo@apple.com>

        Create a new SymbolTable every time code is loaded so that the watchpoints don't get reused
        https://bugs.webkit.org/show_bug.cgi?id=124824

        Reviewed by Oliver Hunt.

        This helps with one shot closure inference as well as closure variable constant
        inference, since without this, if code was reloaded from the cache then we would
        think that the first run was actually an Nth run. This would cause us to think that
        the watchpoint(s) should all be invalidated.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::symbolTable):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::symbolTable):
        * runtime/Executable.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::clone):
        * runtime/SymbolTable.h:

2013-11-26  Oliver Hunt  <oliver@apple.com>

        Crash in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
        https://bugs.webkit.org/show_bug.cgi?id=124886

        Reviewed by Sam Weinig.

        Make sure the error macros propagate an existing error before
        trying to create a new error message. We need to do this as
        the parser state may not be safe for any specific error message
        if we are already unwinding due to an error.

        * parser/Parser.cpp:

2013-11-26  Nadav Rotem  <nrotem@apple.com>

        Optimize away OR with zero - a common ASM.js pattern.
        https://bugs.webkit.org/show_bug.cgi?id=124869

        Reviewed by Filip Pizlo.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-11-25  Julien Brianceau  <jbriance@cisco.com>

        [arm][mips] Fix crash in dfg-arrayify-elimination layout jsc test.
        https://bugs.webkit.org/show_bug.cgi?id=124839

        Reviewed by Michael Saboff.

        In ARM EABI and MIPS, 64-bit values have to be aligned on stack too.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.

2013-11-23  Filip Pizlo  <fpizlo@apple.com>

        Fix more fallout from failed attempts at div/mod DFG strength reductions
        https://bugs.webkit.org/show_bug.cgi?id=124813

        Reviewed by Geoffrey Garen.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):

2013-11-22  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSC Obj-C API should have real documentation
        https://bugs.webkit.org/show_bug.cgi?id=124805

        Reviewed by Geoffrey Garen.

        Massaging the header comments into proper headerdocs.

        * API/JSContext.h:
        * API/JSExport.h:
        * API/JSManagedValue.h:
        * API/JSValue.h:
        * API/JSVirtualMachine.h:

2013-11-22  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::m_numCalleeRegisters shouldn't also mean frame size, frame size needed for exit, or any other unrelated things
        https://bugs.webkit.org/show_bug.cgi?id=124793

        Reviewed by Mark Hahnenberg.

        Now m_numCalleeRegisters always refers to the number of locals that the attached
        bytecode uses. It never means anything else.

        For frame size, we now have it lazily computed from m_numCalleeRegisters for the
        baseline engines and we have it stored in DFG::CommonData for the optimizing JITs.

        For frame-size-needed-at-exit, we store that in DFG::CommonData, too.

        The code no longer implies that there is any arithmetic relationship between
        m_numCalleeRegisters and frameSize. Previously it implied that the latter is greater
        than the former.

        The code no longer implies that there is any arithmetic relationship between the
        frame size and the frame-size-needed-at-exit. Previously it implied that the latter
        is greater than the former.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::frameRegisterCount):
        (JSC::DFG::Graph::requiredRegisterCountForExit):
        (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::frameExtentInternal):
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::pushFrame):
        * jit/JIT.h:
        (JSC::JIT::frameRegisterCountFor):
        * jit/JITOperations.cpp:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):
        * llint/LLIntEntrypoint.h:

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        Combine SymbolTable and SharedSymbolTable
        https://bugs.webkit.org/show_bug.cgi?id=124761

        Reviewed by Geoffrey Garen.

        SymbolTable was never used directly; we now always use SharedSymbolTable. So, this
        gets rid of SymbolTable and renames SharedSymbolTable to SymbolTable.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::symbolTable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::symbolTable):
        (JSC::UnlinkedCodeBlock::symbolTable):
        (JSC::UnlinkedCodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::symbolTable):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::symbolTableFor):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreation):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::symbolTable):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        (JSC::JSActivation::JSActivation):
        (JSC::JSActivation::registersOffset):
        (JSC::JSActivation::allocationSize):
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::symbolTable):
        (JSC::JSSymbolTableObject::JSSymbolTableObject):
        (JSC::JSSymbolTableObject::finishCreation):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::JSVariableObject):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::destroy):
        (JSC::SymbolTable::SymbolTable):
        * runtime/SymbolTable.h:
        (JSC::SymbolTable::create):
        (JSC::SymbolTable::createStructure):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-11-22  Mark Lam  <mark.lam@apple.com>

        Remove residual references to "dynamicGlobalObject".
        https://bugs.webkit.org/show_bug.cgi?id=124787.

        Reviewed by Filip Pizlo.

        * JavaScriptCore.order:
        * interpreter/CallFrame.h:

2013-11-22  Mark Lam  <mark.lam@apple.com>

        Ensure that arity fixups honor stack alignment requirements.
        https://bugs.webkit.org/show_bug.cgi?id=124756.

        Reviewed by Geoffrey Garen.

        The LLINT and all the JITs rely on CommonSlowPaths::arityCheckFor() to
        compute the arg count adjustment for the arity fixup. We take advantage
        of this choke point and introduce the stack alignment padding there in
        the guise of additional args.

        The only cost of this approach is that the padding will also be
        initialized to undefined values as if they were args. Since arity fixups
        are considered a slow path that is rarely taken, this cost is not a
        concern.

        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        BytecodeGenerator should align the stack according to native conventions
        https://bugs.webkit.org/show_bug.cgi?id=124735

        Reviewed by Mark Lam.

        Rolling this back in because it actually fixed fast/dom/gc-attribute-node.html, but
        our infrastructure misleads people into thinking that fixing a test constitutes
        breaking it.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::registerOffset):
        (JSC::CallArguments::argumentCountIncludingThis):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        Get rid of CodeBlock::dumpStatistics()
        https://bugs.webkit.org/show_bug.cgi?id=124762

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        * bytecode/CodeBlock.h:

2013-11-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r159652.
        http://trac.webkit.org/changeset/159652
        https://bugs.webkit.org/show_bug.cgi?id=124778

        broke fast/dom/gc-attribute-node.html (Requested by ap on
        #webkit).

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::registerOffset):
        (JSC::CallArguments::argumentCountIncludingThis):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        (JSC::CallArguments::newArgument):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        Fix a typo (requriements->requirements).

        * runtime/StackAlignment.h:

2013-11-21  Mark Lam  <mark.lam@apple.com>

        CodeBlock::m_numCalleeRegisters needs to honor native stack alignment.
        https://bugs.webkit.org/show_bug.cgi?id=124754.

        Reviewed by Filip Pizlo.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newRegister):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2013-11-21  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/124702> Stop overriding VALID_ARCHS.

        All modern versions of Xcode set it appropriately for our needs.

        Reviewed by Alexey Proskuryakov.

        * Configurations/Base.xcconfig:

2013-11-21  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/124701> Fix an error in a few Xcode configuration setting files.

        Reviewed by Alexey Proskuryakov.

        * Configurations/Base.xcconfig:

2013-11-21  Michael Saboff  <msaboff@apple.com>

        ARM64: Implement push/pop equivalents in LLInt
        https://bugs.webkit.org/show_bug.cgi?id=124721

        Reviewed by Filip Pizlo.
        Added pushLRAndFP and popLRAndFP that push and pop the link register and frame pointer register.
        These ops emit code just like what the compiler emits in the prologue and epilogue. Also changed
        pushCalleeSaves and popCalleeSaves to use the same store pair and load pair instructions to do
        the actual pushing and popping. Finally changed the implementation of push and pop to raise
        an exception since we don't have (or need) a single register push or pop.

        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/instructions.rb:

2013-11-21  Michael Saboff  <msaboff@apple.com>

        JSC: Removed unused opcodes from offline assembler
        https://bugs.webkit.org/show_bug.cgi?id=124749

        Reviewed by Mark Hahnenberg.

        Removed the unused, X86 only peekq and pokeq.

        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2013-11-21  Michael Saboff  <msaboff@apple.com>

        REGRESSION(159395) Fix branch8(…, AbsoluteAddress, …) in ARM64 MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=124688

        Reviewed by Geoffrey Garen.

        Changed handling of the address for the load8() in the branch8(AbsoluteAddress) to be like
        the rest of the branchXX(AbsoluteAddress) functions.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch8):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        BytecodeGenerator should align the stack according to native conventions
        https://bugs.webkit.org/show_bug.cgi?id=124735

        Reviewed by Mark Lam.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::registerOffset):
        (JSC::CallArguments::argumentCountIncludingThis):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, preemptive build fix.
        * runtime/StackAlignment.h:
        (JSC::stackAlignmentBytes):
        (JSC::stackAlignmentRegisters):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        JSC should know what the stack alignment conventions are
        https://bugs.webkit.org/show_bug.cgi?id=124736

        Reviewed by Mark Lam.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/StackAlignment.h: Added.
        (JSC::stackAlignmentBytes):
        (JSC::stackAlignmentRegisters):

2013-11-21  Balazs Kilvady  <kilvadyb@homejinni.com>

        [MIPS] Build fails since r159545.
        https://bugs.webkit.org/show_bug.cgi?id=124716

        Reviewed by Michael Saboff.

        Add missing implementations in MacroAssembler and LLInt for MIPS.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::sync):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::store8):
        (JSC::MacroAssemblerMIPS::memoryFence):
        * offlineasm/mips.rb:

2013-11-21  Julien Brianceau  <jbriance@cisco.com>

        Fix sh4 build after r159545.
        https://bugs.webkit.org/show_bug.cgi?id=124713

        Reviewed by Michael Saboff.

        Add missing implementations in macro assembler and LLINT for sh4.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::store8):
        (JSC::MacroAssemblerSH4::memoryFence):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::synco):
        * offlineasm/sh4.rb: Handle "memfence" opcode.

2013-11-20  Mark Lam  <mark.lam@apple.com>

        Introducing VMEntryScope to update the VM stack limit.
        https://bugs.webkit.org/show_bug.cgi?id=124634.

        Reviewed by Geoffrey Garen.

        1. Introduced USE(SEPARATE_C_AND_JS_STACK) (defined in Platform.h).
           Currently, it is hardcoded to use separate C and JS stacks. Once we
           switch to using the C stack for JS frames, we'll need to fix this to
           only be enabled when ENABLE(LLINT_C_LOOP).

        2. Stack limits are now tracked in the VM.

           Logically, there are 2 stack limits:
           a. m_stackLimit for the native C stack, and
           b. m_jsStackLimit for the JS stack.

           If USE(SEPARATE_C_AND_JS_STACK), then the 2 limits are the same
           value, and are implemented as 2 fields in a union.

        3. The VM native stackLimit is set as follows:
           a. Initially, the VM sets it to the limit of the stack of the thread that
              instantiated the VM. This allows the parser and bytecode generator to
              run before we enter the VM to execute JS code.

           b. Upon entry into the VM to execute JS code (via one of the
              Interpreter::execute...() functions), we instantiate a VMEntryScope
              that sets the VM's stackLimit to the limit of the current thread's
              stack. The VMEntryScope will automatically restore the previous
              entryScope and stack limit upon destruction.

           If USE(SEPARATE_C_AND_JS_STACK), the JSStack's methods will set the VM's
           jsStackLimit whenever it grows or shrinks.

        4. The VM now provides an isSafeToRecurse() function that compares the
           current stack pointer against its native stackLimit. This subsumes and
           obsoletes the VMStackBounds class.

        5. The VMEntryScope class also subsumes DynamicGlobalObjectScope for
           tracking the JSGlobalObject that we last entered the VM with.

        6. Renamed dynamicGlobalObject() to vmEntryGlobalObject() since that is
           the value that the function retrieves.

        7. Changed JIT and LLINT code to do stack checks against the jsStackLimit
           in the VM class instead of the JSStack.
        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSContextRef.cpp:
        (JSGlobalContextRetain):
        (JSGlobalContextRelease):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::emitNodeInConditionContext):
        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):
        (JSC::Debugger::recompileAllJSFunctions):
        (JSC::Debugger::pauseIfNeeded):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::vmEntryGlobalObject):
        * debugger/DebuggerCallFrame.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSREntry.cpp:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLOSREntry.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::deleteAllCompiledCode):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::vmEntryGlobalObject):
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::debug):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::growSlowCase):
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::shrink):
        (JSC::JSStack::grow):
        - Moved these inlined functions here from JSStack.h. It reduces some
          #include dependencies of JSStack.h which had previously resulted
          in some EWS bots' unhappiness with this patch.
        (JSC::JSStack::updateStackLimit):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.asm:
        * parser/Parser.cpp:
        (JSC::::Parser):
        * parser/Parser.h:
        (JSC::Parser::canRecurse):
        * runtime/CommonSlowPaths.h:
        * runtime/Completion.cpp:
        (JSC::evaluate):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/StringRecursionChecker.h:
        (JSC::StringRecursionChecker::performCheck):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::throwException):
        * runtime/VM.h:
        (JSC::VM::addressOfJSStackLimit):
        (JSC::VM::jsStackLimit):
        (JSC::VM::setJSStackLimit):
        (JSC::VM::stackLimit):
        (JSC::VM::setStackLimit):
        (JSC::VM::isSafeToRecurse):
        * runtime/VMEntryScope.cpp: Added.
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        (JSC::VMEntryScope::requiredCapacity):
        * runtime/VMEntryScope.h: Added.
        (JSC::VMEntryScope::globalObject):
        * runtime/VMStackBounds.h: Removed.

2013-11-20  Michael Saboff  <msaboff@apple.com>

        [Win] JavaScript JIT crash (with DFG enabled).
        https://bugs.webkit.org/show_bug.cgi?id=124675

        Reviewed by Geoffrey Garen.

        Similar to the change in r159427, changed linkClosureCall to use regT0/regT1 (payload/tag) for the callee.
        linkForThunkGenerator already expected the callee in regT0/regT1, but changed the comment to reflect that.

        * jit/Repatch.cpp:
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::linkForThunkGenerator):

2013-11-20  Michael Saboff  <msaboff@apple.com>

        ARMv7: Crash due to use after free of AssemblerBuffer
        https://bugs.webkit.org/show_bug.cgi?id=124611

        Reviewed by Geoffrey Garen.

        Changed JITFinalizer constructor to take a MacroAssemblerCodePtr instead of a Label.
        In finalizeFunction(), we use that value instead of calculating it from the label.

        * assembler/MacroAssembler.cpp:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::JITFinalizer):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:

2013-11-20  Julien Brianceau  <jbriance@cisco.com>

        Fix CPU(ARM_TRADITIONAL) build after r159545.
        https://bugs.webkit.org/show_bug.cgi?id=124649

        Reviewed by Michael Saboff.

        Add missing memoryFence, load8 and store8 implementations in macro assembler.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::dmbSY):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::memoryFence):

2013-11-20  Julien Brianceau  <jbriance@cisco.com>

        [armv7][arm64] Speculative build fix after r159545.
        https://bugs.webkit.org/show_bug.cgi?id=124646

        Reviewed by Filip Pizlo.

        * assembler/ARMv7Assembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::memoryFence):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::memoryFence):

2013-11-19  Ryosuke Niwa  <rniwa@webkit.org>

        Enable HTMLTemplateElement on Mac port
        https://bugs.webkit.org/show_bug.cgi?id=124637

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2013-11-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove completely bogus assertion.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addFunction):

2013-11-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, debug build fix.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addFunction):

2013-11-19  Filip Pizlo  <fpizlo@apple.com>

        Infer constant global variables
        https://bugs.webkit.org/show_bug.cgi?id=124464

        Reviewed by Sam Weinig.

        All global variables that are candidates for watchpoint-based constant inference (i.e.
        not 'const' variables) will now have WatchpointSet's associated with them and those
        are used to drive the inference by tracking three states of each variable:

        Uninitialized: the variable's value is Undefined and the WatchpointSet state is
        ClearWatchpoint.

        Initialized: the variable's value was set to something (could even be explicitly set
        to Undefined) and the WatchpointSet state is IsWatching.

        Invalidated: the variable's value was set to something else (could even be the same
        thing as before but the point is that a put operation did execute again) and the
        WatchpointSet is IsInvalidated.

        If the compiler tries to compile a GetGlobalVar and the WatchpointSet state is
        IsWatching, then the current value of the variable can be folded in place of the get,
        and a watchpoint on the variable can be registered.

        We handle race conditions between the mutator and compiler by mandating that:

        - The mutator changes the WatchpointSet state after executing the put.

        - There is no opportunity to install code or call functions between when the mutator
          executes a put and changes the WatchpointSet state.

        - The compiler checks the WatchpointSet state prior to reading the value.

        The concrete algorithm used by the mutator is:

        1. Store the new value into the variable.
        --- Execute a store-store fence.
        2. Bump the state (ClearWatchpoint becomes IsWatching, IsWatching becomes
           IsInvalidated); the IsWatching->IsInvalidated transition may end up firing
           watchpoints.

        The concrete algorithm that the compiler uses is:

        1. Load the state. If it's *not* IsWatching, then give up on constant inference.
        --- Execute a load-load fence.
        2. Load the value of the variable and use that for folding, while also registering
           a DesiredWatchpoint. The various parts of this step can be done in any order.

        The desired watchpoint registration will fail if the watchpoint set is already
        invalidated. Now consider the following interesting interleavings:

        Uninitialized->M1->M2->C1->C2: Compiler sees IsWatching because of the mutator's store
        operation, and the variable is folded. The fencing ensures that C2 sees the value
        stored in M1 - i.e. we fold on the value that will actually be watchpointed.
        If before the compilation is installed the mutator executes another store then we
        will be sure that it will be a complete sequence of M1+M2 since compilations get
        installed at safepoints and never "in the middle" of a put_to_scope. Hence that
        compilation installation will be invalidated. If the M1+M2 sequence happens after
        the code is installed, then the code will be invalidated by triggering a jettison.

        Uninitialized->M1->C1->C2->M2: Compiler sees Uninitialized and will not fold. This is
        a sensible outcome since if the compiler read the variable's value, it would have
        seen Undefined.

        Uninitialized->C1->C2->M1->M2: Compiler sees Uninitialized and will not fold.
        Uninitialized->C1->M1->C2->M2: Compiler sees Uninitialized and will not fold.
        Uninitialized->C1->M1->M2->C2: Compiler sees Uninitialized and will not fold.
        Uninitialized->M1->C1->M2->C2: Compiler sees Uninitialized and will not fold.

        IsWatched->M1->M2->C1->C2: Compiler sees IsInvalidated and will not fold.

        IsWatched->M1->C1->C2->M2: Compiler will fold, but will also register a desired
        watchpoint, and that watchpoint will get invalidated before the code is installed.

        IsWatched->M1->C1->M2->C2: As above, will fold but the code will get invalidated.
        IsWatched->C1->C2->M1->M2: As above, will fold but the code will get invalidated.
        IsWatched->C1->M1->C2->M2: As above, will fold but the code will get invalidated.
        IsWatched->C1->M1->M2->C2: As above, will fold but the code will get invalidated.

        Note that this kind of reasoning shows why having the mutator first bump the state and
        then store the new value would be wrong.
        If we had done that (M1 = bump state, M2 =
        execute put) then we could have the following deadly interleavings:

        Uninitialized->M1->C1->C2->M2:
        Uninitialized->M1->C1->M2->C2: Mutator bumps the state to IsWatched and then the
        compiler folds Undefined, since M2 hasn't executed yet. Although C2 will set the
        watchpoint, M1 didn't notify it - it merely initiated watching. M2 then stores a
        value other than Undefined, and you're toast.

        You could fix this sort of thing by making the Desired Watchpoints machinery more
        sophisticated, for example having it track the value that was folded; if the global
        variable's value was later found to be different then we could invalidate the
        compilation. You could also fix it by having the compiler also check that the value of
        the variable is not Undefined before folding. While those all sound great, I decided
        to instead just use the right interleaving since that results in less code and feels
        more intuitive.

        This is a 0.5% speed-up on SunSpider, mostly due to a 20% speed-up on math-cordic.
        It's a 0.6% slow-down on LongSpider, mostly due to a 25% slow-down on 3d-cube. This is
        because 3d-cube takes global variable assignment slow paths very often. Note that this
        3d-cube slow-down doesn't manifest as much in SunSpider (only 6% there). This patch is
        also a 1.5% speed-up on V8v7 and a 2.8% speed-up on Octane v1, mostly due to deltablue
        (3.7%), richards (4%), and mandreel (26%). This is a 2% speed-up on Kraken, mostly due
        to a 17.5% speed-up on imaging-gaussian-blur. Something that really illustrates the
        slam-dunk-itude of this patch is the wide range of speed-ups on JSRegress. Casual JS
        programming often leads to global-var-based idioms and those variables tend to be
        assigned once, leading to excellent constant folding opportunities in an optimizing
        JIT.
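The mutator and compiler steps of this entry, replayed over its listed interleavings as an added illustration that is not JSC code; the M1/M2/C1/C2 step names and the three WatchpointSet states come from the entry, while the `run` helper, the stored value 42 and the `Outcome` classification are constructed here. Interleavings are stepped explicitly, so the store-store and load-load fences are implied by the step order rather than emitted.

```cpp
#include <cstdio>
#include <optional>
#include <sstream>
#include <string>

// States as named in the entry.
enum class State { ClearWatchpoint, IsWatching, IsInvalidated };
// Constructed classification of what the compiler ends up with.
enum class Outcome { NotFolded, FoldedValid, FoldedInvalidated, FoldedUnsound };

constexpr int kUndefined = -1;   // stands in for the JS Undefined value

struct GlobalVar {
    int value = kUndefined;
    State state = State::ClearWatchpoint;
    int watchers = 0;            // desired watchpoints registered and not yet fired

    void store(int v) { value = v; }

    // ClearWatchpoint -> IsWatching; IsWatching -> IsInvalidated (fires watchpoints).
    void bump() {
        if (state == State::ClearWatchpoint)
            state = State::IsWatching;
        else if (state == State::IsWatching)
            state = State::IsInvalidated;   // every registered watchpoint fires here
    }

    // Registering a DesiredWatchpoint fails once the set is already invalidated.
    bool addWatchpoint() {
        if (state == State::IsInvalidated)
            return false;
        ++watchers;
        return true;
    }
};

struct Compiler {
    bool gaveUp = false;
    bool registered = false;
    std::optional<int> folded;

    // C1: read the state; anything other than IsWatching means no constant inference.
    void loadState(const GlobalVar& g) { gaveUp = g.state != State::IsWatching; }

    // C2: read the value to fold and register the watchpoint (either order is fine).
    void loadValueAndWatch(GlobalVar& g) {
        if (gaveUp)
            return;
        folded = g.value;
        registered = g.addWatchpoint();
    }
};

// initial: "Uninitialized" (never stored) or "IsWatched" (one earlier put, of 7).
// steps: space-separated tokens M1 M2 C1 C2 in execution order.
// bumpBeforeStore: the rejected protocol (M1 = bump state, M2 = store value).
Outcome run(const std::string& initial, const std::string& steps, bool bumpBeforeStore = false) {
    GlobalVar g;
    Compiler c;
    if (initial == "IsWatched") { g.store(7); g.bump(); }

    std::istringstream in(steps);
    for (std::string tok; in >> tok;) {
        if (tok == "M1") { if (bumpBeforeStore) g.bump(); else g.store(42); }
        else if (tok == "M2") { if (bumpBeforeStore) g.store(42); else g.bump(); }
        else if (tok == "C1") c.loadState(g);
        else if (tok == "C2") c.loadValueAndWatch(g);
    }

    if (c.gaveUp)
        return Outcome::NotFolded;
    // Code installs at a safepoint: if registration failed or the set was invalidated
    // in the meantime, the compilation is thrown away (or jettisoned once installed).
    if (!c.registered || g.state == State::IsInvalidated)
        return Outcome::FoldedInvalidated;
    // Folded with the watchpoint intact: sound only if the constant is the live value.
    return *c.folded == g.value ? Outcome::FoldedValid : Outcome::FoldedUnsound;
}

int main() {
    static const char* const names[] = { "NotFolded", "FoldedValid", "FoldedInvalidated", "FoldedUnsound" };
    std::printf("store-then-bump, Uninitialized M1 M2 C1 C2: %s\n",
                names[static_cast<int>(run("Uninitialized", "M1 M2 C1 C2"))]);
    std::printf("store-then-bump, IsWatched M1 C1 C2 M2:     %s\n",
                names[static_cast<int>(run("IsWatched", "M1 C1 C2 M2"))]);
    std::printf("bump-then-store, Uninitialized M1 C1 C2 M2: %s\n",
                names[static_cast<int>(run("Uninitialized", "M1 C1 C2 M2", true))]);
    return 0;
}
```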
        This is very evident in the speed-ups on JSRegress.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::dmbSY):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::dmbSY):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::memfence):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load8):
        (JSC::MacroAssemblerARMv7::memfence):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::load8):
        (JSC::MacroAssemblerX86::store8):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::getUnusedRegister):
        (JSC::MacroAssemblerX86Common::store8):
        (JSC::MacroAssemblerX86Common::memoryFence):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::load8):
        (JSC::MacroAssemblerX86_64::store8):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_rm):
        (JSC::X86Assembler::movzbl_mr):
        (JSC::X86Assembler::mfence):
        (JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::WatchpointSet):
        (JSC::WatchpointSet::add):
        (JSC::WatchpointSet::notifyWriteSlow):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::state):
        (JSC::WatchpointSet::isStillValid):
        (JSC::WatchpointSet::addressOfSetIsNotEmpty):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStronglyProvedConstantIn):
        (JSC::DFG::Node::hasIdentifierNumberForCheck):
        (JSC::DFG::Node::hasRegisterPointer):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNotifyPutGlobalVar):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildFence):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNotifyPutGlobalVar):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::fence):
        * jit/JIT.h:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * llvm/LLVMAPIFunctions.h:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addVar):
        (JSC::JSGlobalObject::addConst):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::couldBeWatched):
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTableEntry::notifyWriteSlow):
        * runtime/SymbolTable.h:

2013-11-19  Michael Saboff  <msaboff@apple.com>

        REGRESSION(158384) ARMv7 point checks too restrictive for native calls to traditional ARM code
        https://bugs.webkit.org/show_bug.cgi?id=124612

        Reviewed by Geoffrey Garen.

        Removed ASSERT checks (i.e. lower bit set) for ARM Thumb2 destination addresses related to
        calls since we are calling native ARM traditional functions like sin() and cos().

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::linkCall):
        (JSC::ARMv7Assembler::relinkCall):
        * assembler/MacroAssemblerCodeRef.h:

2013-11-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r159459.
        http://trac.webkit.org/changeset/159459
        https://bugs.webkit.org/show_bug.cgi?id=124616

        tons of assertions on launch (Requested by thorton on
        #webkit).

        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSGlobalContextRelease):
        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCopyPropertyNames):
        * API/JSValue.mm:
        (containerValueToObject):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):

2013-11-19  Filip Pizlo  <fpizlo@apple.com>

        WatchpointSet::notifyWrite() should be renamed to WatchpointSet::fireAll()
        https://bugs.webkit.org/show_bug.cgi?id=124609

        Rubber stamped by Mark Lam.

        notifyWrite() is a thing that SymbolTable does. WatchpointSet uses that terminology
        because it was originally designed to match exactly SymbolTable's semantics. But now
        it's a confusing term.

        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::fireAllSlow):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::fireAll):
        (JSC::InlineWatchpointSet::fireAll):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::haveABadTime):
        * runtime/Structure.h:
        (JSC::Structure::notifyTransitionFromThisStructure):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::notifyWriteSlow):

2013-11-18  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r159395): Error compiling for ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=124552

        Reviewed by Geoffrey Garen.

        Fixed the implementation of branch8(RelationalCondition cond, AbsoluteAddress address, TrustedImm32 right)
        to materialize and use address similar to other ARMv7 branchXX() functions.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branch8):

2013-11-19  Mark Lam  <mark.lam@apple.com>

        Add tracking of endColumn for Executables.
        https://bugs.webkit.org/show_bug.cgi?id=124245.

        Reviewed by Geoffrey Garen.

        1. Fixed computation of columns to take into account the startColumn from
           <script> tags. Previously, we were only computing the column relative
           to the char after the <script> tag. Now, the column number that JSC
           computes is always the column number you'll see when viewing the source
           in a text editor (assuming the first column position is 1, not 0).

        2. Previously, unlinkedExecutables kept a base-1 startColumn for
           ProgramExecutables and EvalExecutables, but used base-0 columns for
           FunctionExecutables. This has been fixed so that they all use base-0
           columns. When the executable gets linked, the column is adjusted into
           a base-1 value.

        3. In the UnlinkedFunctionExecutable, renamed m_functionStartOffset to
           m_unlinkedFunctionNameStart because it actually points to the start
           column in the name part of the function declaration.

           Similarly, renamed m_functionStartColumn to m_unlinkedBodyStartColumn
           because it points to the first character in the function body. This is
           usually '{' except for functions created from "global code" which
           excludes its braces. See FunctionExecutable::fromGlobalCode().

           The exclusion of braces for the global code case is needed so that
           computed start and end columns will more readily map to what a JS
           developer would expect them to be.
           Otherwise, the first column of the
           function source will not be 1 (includes prepended characters added in
           constructFunctionSkippingEvalEnabledCheck()).

           Also, similarly, a m_unlinkedBodyEndColumn has been added to track the
           end column of the UnlinkedFunctionExecutable.

        4. For unlinked executables, end column values are either:
           a. Relative to the start of the last line if (last line != first line).
           b. Relative to the start column position if (last line == first line).

           The second case is needed so that we can add an appropriate adjustment
           to the end column value (just like we do for the start column) when we
           link the executable.

        5. This is not new to this patch, but it is worth noting that the lineCount
           values used throughout this patch have the following meaning:
           - a lineCount of 0 means the source for this code block is on 1 line.
           - a lineCount of N means there are N + 1 lines of source.

           This interpretation is janky, but was present before this patch. We can
           clean that up later in another patch.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        - In order to implement WebCore::Internals::parserMetaData(), we need to
          move some seemingly unrelated header files from the Project section to
          the Private section so that they can be #include'd by the forwarding
          CodeBlock.h from WebCore.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::sourceCodeForTools):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        - m_isFromGlobalCode is needed to support the exclusion of the open brace /
          prepended code for functions created from "global code".
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::unlinkedFunctionNameStart):
        (JSC::UnlinkedFunctionExecutable::unlinkedBodyStartColumn):
        (JSC::UnlinkedFunctionExecutable::unlinkedBodyEndColumn):
        (JSC::UnlinkedFunctionExecutable::recordParse):
        (JSC::UnlinkedCodeBlock::recordParse):
        (JSC::UnlinkedCodeBlock::endColumn):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionBodyNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::setFunctionNameStart):
        * parser/Lexer.cpp:
        (JSC::::shiftLineTerminator):
        - Removed an unused SourceCode Lexer<T>::sourceCode() function.
        * parser/Lexer.h:
        (JSC::Lexer::positionBeforeLastNewline):
        (JSC::Lexer::prevTerminator):
        - Added tracking of m_positionBeforeLastNewline in the Lexer to enable us
          to exclude the close brace / appended code for functions created from "global
          code".
        * parser/Nodes.cpp:
        (JSC::ProgramNode::ProgramNode):
        (JSC::ProgramNode::create):
        (JSC::EvalNode::EvalNode):
        (JSC::EvalNode::create):
        (JSC::FunctionBodyNode::FunctionBodyNode):
        (JSC::FunctionBodyNode::create):
        (JSC::FunctionBodyNode::setEndPosition):
        - setEndPosition() is needed to fix up the end position so that we can
          exclude the close brace / appended code for functions created from "global
          code".
        * parser/Nodes.h:
        (JSC::ProgramNode::startColumn):
        (JSC::ProgramNode::endColumn):
        (JSC::EvalNode::startColumn):
        (JSC::EvalNode::endColumn):
        (JSC::FunctionBodyNode::setFunctionNameStart):
        (JSC::FunctionBodyNode::functionNameStart):
        (JSC::FunctionBodyNode::endColumn):
        * parser/Parser.cpp:
        (JSC::::parseFunctionBody):
        (JSC::::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Parser::positionBeforeLastNewline):
        (JSC::::parse):
        - Subtracted 1 from startColumn here to keep the node column values consistently
          base-0. See note 2 above.
        (JSC::parse):
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionBody):
        (JSC::SyntaxChecker::setFunctionNameStart):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ExecutableBase::isEvalExecutable):
        (JSC::ExecutableBase::isProgramExecutable):
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::endColumn):
        (JSC::ScriptExecutable::recordParse):
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::bodyIncludesBraces):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionPrototype.cpp:
        (JSC::insertSemicolonIfNeeded):
        (JSC::functionProtoFuncToString):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):

2013-11-19  Dean Jackson  <dino@apple.com>

        MarkedSpace::resumeAllocating needs to delay release
        https://bugs.webkit.org/show_bug.cgi?id=124596

        Reviewed by Geoffrey Garen.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::resumeAllocating): Add DelayedReleaseScope protection.

2013-11-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        IncrementalSweeper needs to use DelayedReleaseScope too
        https://bugs.webkit.org/show_bug.cgi?id=124558

        Reviewed by Filip Pizlo.

        It does sweeping too, so it needs to use it. Also refactored an
        ASSERT that should have caught this sooner.

        * heap/DelayedReleaseScope.h:
        (JSC::DelayedReleaseScope::isInEffectFor):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::doSweep):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweep):

2013-11-18  Michael Saboff  <msaboff@apple.com>

        ARM64 CRASH: Debug builds crash in emitPointerValidation()
        https://bugs.webkit.org/show_bug.cgi?id=124545

        Reviewed by Filip Pizlo.

        Changed emitPointerValidation() to use pushToSave() and popToRestore() as
        all macro assemblers have an implementation of these functions.

        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):

2013-11-18  Michael Saboff  <msaboff@apple.com>

        ARM64: Update getHostCallReturnValue() to use architected frame pointer register
        https://bugs.webkit.org/show_bug.cgi?id=124520

        Reviewed by Filip Pizlo.

        Changed from using the prior JSC specific x25 callframe register to the ARM64
        architected x29 (fp) register. This change should have been done as part of
        https://bugs.webkit.org/show_bug.cgi?id=123956.

        * jit/JITOperations.cpp:

2013-11-18  Filip Pizlo  <fpizlo@apple.com>

        put_to_scope[5] should not point to the structure if it's a variable access, but it should point to the WatchpointSet
        https://bugs.webkit.org/show_bug.cgi?id=124539

        Reviewed by Mark Hahnenberg.

        This is in preparation for getting put_to_scope to directly invalidate the watchpoint set
        on stores, which will allow us to run constant inference on all globals.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/Instruction.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        (JSC::JSScope::abstractResolve):
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::watchpointSet):

2013-11-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        APIEntryShims need some love
        https://bugs.webkit.org/show_bug.cgi?id=124540

        Reviewed by Filip Pizlo.

        We were missing them in key places which some other hacking revealed. These could have manifested as
        race conditions for VMs being used in multithreaded environments.

        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSGlobalContextRelease):
        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCopyPropertyNames):
        * API/JSValue.mm:
        (containerValueToObject):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):

2013-11-18  Filip Pizlo  <fpizlo@apple.com>

        Allow the FTL debug dumps to include the new size field
        https://bugs.webkit.org/show_bug.cgi?id=124479

        Reviewed by Mark Hahnenberg.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Location::dump):
        * ftl/FTLStackMaps.h:

2013-11-18  peavo@outlook.com  <peavo@outlook.com>

        [Win] Link fails when DFG JIT is enabled.
        https://bugs.webkit.org/show_bug.cgi?id=123614

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added new files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.

2013-11-18  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add missing implementation in MacroAssembler to fix build (broken since r159395).
        https://bugs.webkit.org/show_bug.cgi?id=124484

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::branch8):

2013-11-18  Michael Saboff  <msaboff@apple.com>

        ARM64 CRASH: Improper offset in getHostCallReturnValue() to access callerFrame in CallFrame
        https://bugs.webkit.org/show_bug.cgi?id=124481

        Reviewed by Mark Lam.

        Fixed the offset to access CallerFrame in the ARM64 version of getHostCallReturnValue() to be 0
        to correspond with the change in CallFrame layout done in r158315.

        * jit/JITOperations.cpp:

2013-11-18  Michael Saboff  <msaboff@apple.com>

        Crash in virtualForThunkGenerator generated code on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=124447

        Reviewed by Geoffrey Garen.

        The baseline JIT generates slow path call code with the caller in regT0. The DFG
        generates call code with the caller in nonArgGPR0. The virtualForThunkGenerator
        generates code with the caller in nonArgGPR0. For X86 and X86_64, regT0 and nonArgGPR0
        are the same CPU register, eax. For other platforms this isn't the case. The same
        issue exists for JSVALUE32_64 ports as well, where there also is an issue with the callee
        tag registers being regT1 and nonArgGPR1 in the various locations.

        Changed nonArgGPR0, nonArgGPR1 and nonArgGPR2 for X86 and X86_64 to not match up with
        regT0-2. Changing these registers will cause a crash on all ports should we have a
        similar problem in the future. Changed the DFG call generating code to use regT0 and
        regT1. Now all slow path call code is generated using regT0 and for JSVALUE32_64 regT1.
        Added r12 to X86_64 as a new temp register (regT9) and moved r13 down to regT10.
        The new temp register decreases the likelihood of inadvertent register overlap.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualForThunkGenerator):

2013-11-18  Balazs Kilvady  <kilvadyb@homejinni.com>

        Add missing load8/branch8 with AbsoluteAddress parameter to MIPS port.

        [MIPS] Build fails since r159395.
        https://bugs.webkit.org/show_bug.cgi?id=124491

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8):
        (JSC::MacroAssemblerMIPS::branch8):

2013-11-18  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r159351): It made zillion tests assert on !CF platforms
        https://bugs.webkit.org/show_bug.cgi?id=124490

        Reviewed by Mark Hahnenberg.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweep):

2013-11-18  Julien Brianceau  <jbriance@cisco.com>

        Remove architecture specific code in LowLevelInterpreter.
        https://bugs.webkit.org/show_bug.cgi?id=124501

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm: Use generic path instead of sh4 specific code.
        * llint/LowLevelInterpreter32_64.asm: Merge sh4/mips path with arm path. The
        "move t0, a0" is not needed for arm because t0 == a0 with this architecture.
        * offlineasm/sh4.rb: Handle move opcode with pr register.

2013-11-18  Julien Brianceau  <jbriance@cisco.com>

        [arm] Add missing implementation in MacroAssembler to fix build (broken since r159395).
        https://bugs.webkit.org/show_bug.cgi?id=124488

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch8):

2013-11-17  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix revertJumpReplacementToBranchPtrWithPatch in MacroAssembler.
        https://bugs.webkit.org/show_bug.cgi?id=124468

        Reviewed by Michael Saboff.

        Current implementation of revertJumpReplacementToBranchPtrWithPatch is wrong in
        the sh4 MacroAssembler part, leading to random instabilities. This patch fixes it
        and also renames the badly named revertJumpToMove to revertJumpReplacementToBranchPtrWithPatch
        in the SH4Assembler.
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::replaceWithJump):
        (JSC::SH4Assembler::revertJumpReplacementToBranchPtrWithPatch):

2013-11-16  Filip Pizlo  <fpizlo@apple.com>

        Simplify WatchpointSet state tracking
        https://bugs.webkit.org/show_bug.cgi?id=124465

        Reviewed by Sam Weinig.

        We previously represented the state of watchpoint sets using two booleans. But that
        makes it awkward to case over the state.

        We also previously supported a watchpoint set being both watched and invalidated. We
        never used that capability, and its presence was just purely confusing.

        This turns the whole thing into an enum.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch8):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branch8):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branch8):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branch8):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::WatchpointSet):
        (JSC::WatchpointSet::add):
        (JSC::WatchpointSet::notifyWriteSlow):
        (JSC::InlineWatchpointSet::inflateSlow):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::state):
        (JSC::WatchpointSet::isStillValid):
        (JSC::WatchpointSet::startWatching):
        (JSC::WatchpointSet::notifyWrite):
        (JSC::WatchpointSet::addressOfState):
        (JSC::InlineWatchpointSet::InlineWatchpointSet):
        (JSC::InlineWatchpointSet::hasBeenInvalidated):
        (JSC::InlineWatchpointSet::startWatching):
        (JSC::InlineWatchpointSet::notifyWrite):
        (JSC::InlineWatchpointSet::decodeState):
        (JSC::InlineWatchpointSet::encodeState):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitVarInjectionCheck):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitVarInjectionCheck):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::attemptToWatch):
        * runtime/SymbolTable.h:

2013-11-16  Filip Pizlo  <fpizlo@apple.com>

        FTL should have an explicit notion of bytecode liveness
        https://bugs.webkit.org/show_bug.cgi?id=124181

        Reviewed by Sam Weinig.

        This makes FTL OSR exit use bytecode liveness analysis to determine which variables
        to include values for. The decision of how to get the values of variables is based on
        forward propagation of MovHints and SetLocals.

        This fixes a bunch of bugs (like https://bugs.webkit.org/show_bug.cgi?id=124138 but
        also others that I noticed when I started writing more targeted tests) and allows us
        to remove some sketchy code.
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeBasicBlock.h:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::isValidRegisterForLiveness):
        (JSC::setForOperand):
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        (JSC::stepOverInstruction):
        (JSC::computeLocalLivenessForBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
        (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
        (JSC::getLivenessInfo):
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeLivenessAnalysisInlines.h: Added.
        (JSC::operandIsAlwaysLive):
        (JSC::operandThatIsNotAlwaysLiveIsLive):
        (JSC::operandIsLive):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::captureCount):
        (JSC::CodeBlock::captureStart):
        (JSC::CodeBlock::captureEnd):
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::dumpInContext):
        * bytecode/FullBytecodeLiveness.h: Added.
        (JSC::FullBytecodeLiveness::FullBytecodeLiveness):
        (JSC::FullBytecodeLiveness::getOut):
        (JSC::FullBytecodeLiveness::operandIsLive):
        (JSC::FullBytecodeLiveness::getLiveness):
        * dfg/DFGAvailability.cpp: Added.
        (JSC::DFG::Availability::dump):
        (JSC::DFG::Availability::dumpInContext):
        * dfg/DFGAvailability.h: Added.
        (JSC::DFG::Availability::Availability):
        (JSC::DFG::Availability::unavailable):
        (JSC::DFG::Availability::withFlush):
        (JSC::DFG::Availability::withNode):
        (JSC::DFG::Availability::withUnavailableNode):
        (JSC::DFG::Availability::nodeIsUndecided):
        (JSC::DFG::Availability::nodeIsUnavailable):
        (JSC::DFG::Availability::hasNode):
        (JSC::DFG::Availability::node):
        (JSC::DFG::Availability::flushedAt):
        (JSC::DFG::Availability::operator!):
        (JSC::DFG::Availability::operator==):
        (JSC::DFG::Availability::merge):
        (JSC::DFG::Availability::mergeNodes):
        (JSC::DFG::Availability::unavailableMarker):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::Disassembler):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGFlushedAt.cpp:
        (JSC::DFG::FlushedAt::dump):
        * dfg/DFGFlushedAt.h:
        (JSC::DFG::FlushedAt::FlushedAt):
        (JSC::DFG::FlushedAt::merge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::livenessFor):
        (JSC::DFG::Graph::isLiveInBytecode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::baselineCodeBlockFor):
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGResurrectionForValidationPhase.cpp: Added.
        (JSC::DFG::ResurrectionForValidationPhase::ResurrectionForValidationPhase):
        (JSC::DFG::ResurrectionForValidationPhase::run):
        (JSC::DFG::performResurrectionForValidation):
        * dfg/DFGResurrectionForValidationPhase.h: Added.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::forFlushFormat):
        * dfg/DFGVariableAccessData.h:
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::fpr):
        (JSC::FTL::Location::directGPR):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        (JSC::FTL::LowerDFGToLLVM::observeMovHint):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::alloca):
        * ftl/FTLValueSource.cpp: Removed.
        * ftl/FTLValueSource.h: Removed.
        * llvm/LLVMAPIFunctions.h:
        * runtime/DumpContext.cpp:
        (JSC::DumpContext::DumpContext):
        * runtime/DumpContext.h:
        * runtime/Options.h:
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::captureStart):
        (JSC::SharedSymbolTable::captureEnd):
        (JSC::SharedSymbolTable::captureCount):

2013-11-16  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of JSActivation.h.

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSActivation.h:

2013-11-16  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of JSVariableObject.h.

        Rubber stamped by Mark Hahnenberg.
        I'm about to do some damage to this file. I wanted to give it some sanity first.

        * runtime/JSVariableObject.h:

2013-11-16  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix build (broken since r159346).
        https://bugs.webkit.org/show_bug.cgi?id=124455

        Reviewed by Oliver Hunt.

        Fix LLINT implementation for sh4 architecture to properly handle load and store operations with pr register.

        * offlineasm/sh4.rb:

2013-11-15  Alexey Proskuryakov  <ap@apple.com>

        Support exporting symmetric keys as JWK
        https://bugs.webkit.org/show_bug.cgi?id=124442

        Reviewed by Sam Weinig.

        * runtime/JSONObject.h: Export JSONStringify.

2013-11-15  peavo@outlook.com  <peavo@outlook.com>

        [Win] JavaScript crashes on 64-bit with JIT enabled.
        https://bugs.webkit.org/show_bug.cgi?id=124409

        Reviewed by Michael Saboff.

        These are issues found with JIT on 64-bit:
        - The registers rsi and rdi in callToJavaScript need to be saved and restored. This is required by the Windows 64-bit ABI.
        - The getHostCallReturnValue function needs to be updated according to its GCC counterpart.
        - The poke argument offset needs to be 20h, because Windows 64-bit ABI requires stack space allocated for the 4 argument registers.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Re-added JITStubsMSVC64.asm to project.
        * jit/CCallHelpers.h: Set poke argument offset.
        (JSC::CCallHelpers::setupArguments): Compile fix, added needed method.
        * jit/JITStubsMSVC64.asm: Save and restore registers rsi and rdi.
        Update getHostCallReturnValue according to the GCC version.

2013-11-14  David Farler  <dfarler@apple.com>

        Copy ASAN flag settings to WebCore and JavaScriptCore intermediate build tools
        https://bugs.webkit.org/show_bug.cgi?id=124362

        Reviewed by David Kilzer.
        * Configurations/ToolExecutable.xcconfig:
        Use ASAN_C*FLAGS.

2013-11-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove JSChunk
        https://bugs.webkit.org/show_bug.cgi?id=124435

        Reviewed by Geoffrey Garen.

        It's empty and has been since it was added 3 years ago.

        * CMakeLists.txt:
        * runtime/JSChunk.cpp: Removed.
        * runtime/JSChunk.h: Removed.

2013-11-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove VTableSpectrum
        https://bugs.webkit.org/show_bug.cgi?id=124427

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        * heap/Heap.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * heap/SlotVisitor.cpp:
        (JSC::visitChildren):
        * heap/SlotVisitor.h:
        * heap/VTableSpectrum.cpp: Removed.
        * heap/VTableSpectrum.h: Removed.

2013-11-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        -dealloc callbacks from wrapped Objective-C objects can happen at bad times
        https://bugs.webkit.org/show_bug.cgi?id=123821

        Reviewed by Darin Adler.

        Currently with the JSC Obj-C API, JS wrappers for client Obj-C objects retain their associated Obj-C
        object. When they are swept, they release their Obj-C objects which can trigger a call to that
        object's -dealloc method. These -dealloc methods can then call back into the same VM, which is not
        allowed during sweeping or VM shutdown.

        We can handle this case by creating our own pool of Obj-C objects to be released when it is safe to do so.
        This is accomplished by using DelayedReleaseScope, an RAII-style object that will retain all objects
        that are unsafe to release until the end of the DelayedReleaseScope.

        * API/APIShims.h:
        (JSC::APICallbackShim::APICallbackShim):
        (JSC::APICallbackShim::vmForDropAllLocks):
        (JSC::APICallbackShim::execForDropAllLocks):
        * API/JSAPIWrapperObject.mm:
        (JSAPIWrapperObjectHandleOwner::finalize):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::destroy):
        (JSC::ObjCCallbackFunction::destroy):
        * API/tests/testapi.mm:
        (-[TinyDOMNode initWithVirtualMachine:]):
        (-[TinyDOMNode dealloc]):
        (-[TinyDOMNode appendChild:]):
        (-[TinyDOMNode removeChildAtIndex:]):
        (-[EvilAllocationObject initWithContext:]):
        (-[EvilAllocationObject dealloc]):
        (-[EvilAllocationObject doEvilThingsWithContext:]):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DelayedReleaseScope.h: Added.
        (JSC::DelayedReleaseScope::DelayedReleaseScope):
        (JSC::DelayedReleaseScope::~DelayedReleaseScope):
        (JSC::DelayedReleaseScope::releaseSoon):
        (JSC::MarkedSpace::releaseSoon):
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/Heap.h:
        (JSC::Heap::releaseSoon):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::lastChanceToFinalize):
        (JSC::MarkedSpace::sweep):
        * heap/MarkedSpace.h:

2013-11-15  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r158586): callToJavaScript needs to save return PC to Sentinel frame
        https://bugs.webkit.org/show_bug.cgi?id=124420

        Reviewed by Filip Pizlo.

        Save the return PC into the sentinel frame.
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-11-14  Oliver Hunt  <oliver@apple.com>

        Make CLoop easier to build, and make it work
        https://bugs.webkit.org/show_bug.cgi?id=124359

        Reviewed by Geoffrey Garen.

        Add --cloop to build-jsc, build-webkit and friends.

        Also make CLoop build and work again. This meant adding a
        couple of missing ENABLE(DFG_JIT) blocks, and fixing a few
        other references.

        * Configurations/FeatureDefines.xcconfig:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/DFGExitProfile.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGCompilationKey.cpp:
        * dfg/DFGCompilationMode.cpp:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):

2013-11-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r159276): Fix lots of crashes for arm_traditional architecture.
        https://bugs.webkit.org/show_bug.cgi?id=124365

        Reviewed by Oliver Hunt.

        Crashes were caused by a mixup between regular registers and temporary registers in ARM_EXTRA_GPRS.

        * llint/LowLevelInterpreter32_64.asm: Warning, t3 != a3. It's safer to use an implementation using aX
        registers like the MIPS one for cCallX macros.
        * offlineasm/arm.rb: Rearrange ARM_EXTRA_GPRS according to the new register distribution in LLINT.

2013-11-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r159276): rbp register overwritten in Win 64 version of callToJavascript stub
        https://bugs.webkit.org/show_bug.cgi?id=124361

        Reviewed by Oliver Hunt.
        Swapped operand ordering to: mov rax, rbp

        * jit/JITStubsMSVC64.asm:

2013-11-14  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION (r159276): Fix lots of crashes for sh4 architecture.
        https://bugs.webkit.org/show_bug.cgi?id=124347

        Reviewed by Michael Saboff.

        Since r159276, we have (t4 == a0 == r4) and (t5 == a1 == r5) in LLINT for sh4.
        This leads to argument register trampling in cCallX macros, especially with cCall2
        macro when arg1 == t4.

        * llint/LowLevelInterpreter32_64.asm: Use a new "setargs" pseudo-op to set up arguments for sh4.
        * offlineasm/instructions.rb:
        * offlineasm/sh4.rb: Lower "setargs" pseudo-op to set up argument registers and prevent register trampling issues.

2013-11-14  Julien Brianceau  <jbriance@cisco.com>

        Fix build for sh4 architectures (broken since r159276).
        https://bugs.webkit.org/show_bug.cgi?id=124344

        Reviewed by Csaba Osztrogonác.

        * offlineasm/sh4.rb: There is no fp alias for r14 register for sh4.

2013-11-13  Michael Saboff  <msaboff@apple.com>

        Change callToJavaScript thunk into an offline assembled stub
        https://bugs.webkit.org/show_bug.cgi?id=124251

        Reviewed by Geoffrey Garen.

        Changed callToJavaScript and throwNotCaught into stubs generated by the offline assembler.
        Added popCalleeSaves and pushCalleeSaves pseudo ops to the offline assembler to handle
        the saving and restoring of callee save registers. Fixed callFrameRegister differences
        between arm traditional (r11) and arm Thumb2 (r7) in GPRInfo.h. Also fixed implementation
        of pop & push in arm.rb.

        Since the offline assembler and therefore the LLInt don't work on Windows, the Windows stubs
        are handled as inline assembly in JITStubsX86.h and JITStubsMSVC64.asm.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):
        (JSC::GPRInfo::debugName):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITStubs.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * jit/ThunkGenerators.cpp:
        * jit/ThunkGenerators.h:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:
        * offlineasm/registers.rb:
        * offlineasm/sh4.rb:
        * offlineasm/x86.rb:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-11-13  Andy Estes  <aestes@apple.com>

        Fix the ARM64 build after recent JavaScriptCore changes
        https://bugs.webkit.org/show_bug.cgi?id=124315

        Reviewed by Michael Saboff.

        Based on patches by myself, Filip Pizlo, Benjamin Poulain, and Michael Saboff.

        * Configurations/JavaScriptCore.xcconfig: Hid the symbol for
        std::bad_function_call.
        * JavaScriptCore.xcodeproj/project.pbxproj: Marked
        MacroAssemblerARM64.h and ARM64Assembler.h as Private headers.
        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::executableOffsetFor):
        * assembler/MacroAssemblerARM64.h: Removed ARM64's executableCopy(),
        which was removed from other assembler backends in r157690.
        (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch): Added.
        (JSC::MacroAssemblerARM64::lshift64): Added.
        (JSC::MacroAssemblerARM64::mul64): Added.
        (JSC::MacroAssemblerARM64::rshift64): Added.
        (JSC::MacroAssemblerARM64::convertInt64ToDouble): Added.
        (JSC::MacroAssemblerARM64::branchMul64): Added.
        (JSC::MacroAssemblerARM64::branchNeg64): Added.
        (JSC::MacroAssemblerARM64::scratchRegisterForBlinding): Added.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv): Changed
        SpeculateIntegerOperand to SpeculateInt32Operand,
        nodeCanIgnoreNegativeZero() to bytecodeCanIgnoreNegativeZero(), and
        nodeUsedAsNumber() to bytecodeUsesAsNumber().
        (JSC::DFG::SpeculativeJIT::compileArithMod): Changed
        nodeCanIgnoreNegativeZero() to bytecodeCanIgnoreNegativeZero().

2013-11-13  Oliver Hunt  <oliver@apple.com>

        Fix debug build.

        * parser/Parser.cpp:

2013-11-13  Tim Horton  <timothy_horton@apple.com>

        r159210 added a period where there previously wasn't one, breaking >100 tests

        Rubber-stamped by Oliver Hunt.

        * parser/Parser.cpp:
        (JSC::::logError):
        Remove the extra period.

2013-11-13  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r158014): Many webpages throw stack overflow exceptions on iOS (because Parser::parseMemberExpression uses ~130K more stack)
        https://bugs.webkit.org/show_bug.cgi?id=124177

        Reviewed by Michael Saboff.

        This patch pushes error handling into NEVER_INLINE functions to perform
        the actual error message construction. This dramatically reduces the
        stack usage of the Parser. For the large functions (such as parseMemberExpression)
        the improvement is on the order of 2.5x reduction in stack usage. For
        smaller functions the reduction is in the order of 5-6x.

        * parser/Parser.cpp:
        (JSC::::logError):
        * parser/Parser.h:

2013-11-13  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Protect repatchCompact from flushConstantPool.
        https://bugs.webkit.org/show_bug.cgi?id=124278

        Reviewed by Michael Saboff.

        Random crashes may occur with the sh4 architecture when a flushConstantPool occurs in
        movlMemRegCompact. As in this case a branch opcode and the constant pool are put
        before the movlMemRegCompact, the branch itself is patched when calling repatchCompact
        instead of the mov instruction, which is really bad.

        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::repatchCompact): Handle this specific case and add an ASSERT.

2013-11-12  Alexey Proskuryakov  <ap@apple.com>

        Disable WebCrypto on Mountain Lion
        https://bugs.webkit.org/show_bug.cgi?id=124261

        Rubber-stamped by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2013-11-12  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix load32WithUnalignedHalfWords function in baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=124233

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load32WithUnalignedHalfWords): Do not claim scratch register too early.
        Test already covered by fast/regex/pcre-test-1.

2013-11-12  Filip Pizlo  <fpizlo@apple.com>

        Liveness analysis should take less memory in CodeBlock when it is unused
        https://bugs.webkit.org/show_bug.cgi?id=124225

        Reviewed by Mark Hahnenberg.

        Basically, I turned CodeBlock::m_livenessAnalysis into a pointer that is null by
        default.
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
        (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::dumpResults):
        (JSC::BytecodeLivenessAnalysis::compute):
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::livenessAnalysis):

2013-11-11  Oliver Hunt  <oliver@apple.com>

        Support unprefixed deconstructing assignment
        https://bugs.webkit.org/show_bug.cgi?id=124172

        Reviewed by Mark Lam.

        Add support for unprefixed deconstructive assignment.

        Happily, non-reference types on the left hand side of an assignment
        are a runtime error, so we're able to defer validation of the binding
        pattern to codegen time when we're already doing a lot more work.

        We're also able to predicate our attempt to parse on the existence of
        '[' or '{' as they are not as common as other constructs.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::emitDirectBinding):
        * parser/ASTBuilder.h:
        * parser/Parser.cpp:
        (JSC::::createBindingPattern):
        (JSC::::tryParseDeconstructionPatternExpression):
        (JSC::::parseDeconstructionPattern):
        (JSC::::parseForStatement):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::createSavePoint):
        (JSC::Parser::restoreSavePoint):
        * parser/SyntaxChecker.h:

2013-11-12  Andy Estes  <aestes@apple.com>

        Run JavaScriptCore Objective-C API tests on all supported platforms
        https://bugs.webkit.org/show_bug.cgi?id=124214

        Reviewed by Mark Hahnenberg.
        Now that we support the API on iOS and on OS X 10.8, there's no reason
        to limit the tests to OS X 10.9 (or greater).

        * API/tests/CurrentThisInsideBlockGetterTest.h:
        * API/tests/CurrentThisInsideBlockGetterTest.mm:
        * API/tests/testapi.mm:

2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        CodeBlocks should be able to determine bytecode liveness
        https://bugs.webkit.org/show_bug.cgi?id=118546

        Reviewed by Filip Pizlo.

        This will simplify some things in the DFG related to OSR exits and determining
        which bytecode variables are live at which points during execution. It will
        also be useful for making our conservative GC scan more precise. Currently it
        doesn't properly account for liveness while the DFG is running, so it will be
        off by default behind a runtime Options flag.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeBasicBlock.cpp: Added.
        (JSC::isBranch): Used to determine the end of basic blocks.
        (JSC::isUnconditionalBranch): Used to determine when a branch at the end of a
        basic block can't possibly fall through to the next basic block in program order.
        (JSC::isTerminal): Also used to detect the end of a block.
        (JSC::isThrow):
        (JSC::isJumpTarget): Used to correctly separate basic blocks. Any jump destination
        must be the head of its own basic block.
        (JSC::linkBlocks): Links two blocks together in a bi-directional fashion.
        (JSC::computeBytecodeBasicBlocks): Creates a set of basic blocks given a particular
        CodeBlock and links them together.
        * bytecode/BytecodeBasicBlock.h: Added.
        (JSC::BytecodeBasicBlock::isEntryBlock): Entry blocks are special basic blocks
        that indicate the beginning of the function.
        (JSC::BytecodeBasicBlock::isExitBlock): Exit blocks are a special basic block that
        all blocks that exit the function have as a successor. Entry and exit blocks allow
        the various code paths to be more regular.
        (JSC::BytecodeBasicBlock::leaderBytecodeOffset): The leader bytecode offset is the
        bytecode offset of the first instruction in the block.
        (JSC::BytecodeBasicBlock::totalBytecodeLength): The total length of all the bytecodes
        in this block.
        (JSC::BytecodeBasicBlock::bytecodeOffsets): The bytecode offsets in this particular
        basic block. This Vector allows us to iterate over the bytecodes in reverse order
        which wouldn't be possible normally since they are of variable size.
        (JSC::BytecodeBasicBlock::addPredecessor): Links a block to a specified predecessor.
        Only creates one direction of the link.
        (JSC::BytecodeBasicBlock::addSuccessor): Same as addPredecessor, but for successors.
        (JSC::BytecodeBasicBlock::predecessors): Getter for predecessors.
        (JSC::BytecodeBasicBlock::successors): Getter for successors.
        (JSC::BytecodeBasicBlock::in): Getter for the liveness info at the head of the block.
        (JSC::BytecodeBasicBlock::out): Getter for the liveness info at the tail of the block.
        (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
        (JSC::BytecodeBasicBlock::addBytecodeLength): When creating basic blocks we call
        this function when we want to add the next bytecode in program order to this block.
        * bytecode/BytecodeLivenessAnalysis.cpp: Added.
        (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
        (JSC::numberOfCapturedVariables): Convenience wrapper. Returns the
        number of captured variables for a particular CodeBlock, or 0 if
        the CodeBlock has no SymbolTable.
        (JSC::captureStart): Ditto, but for captureStart().
        (JSC::captureEnd): Ditto, but for captureEnd().
        (JSC::isValidRegisterForLiveness): Returns true if the liveness analysis should
        track the liveness of a particular operand. We ignore constants, arguments, and
        captured variables. We ignore arguments because they're live for the duration of
        a function call. We ignore captured variables because we also treat them as live
        for the duration of the function. This could probably be improved to be more precise,
        but it didn't seem worth it for now.
        (JSC::setForOperand): Convenience wrapper that sets the bit in the provided bit
        vector for the provided operand. It handles skipping over captured variables.
        (JSC::computeUsesForBytecodeOffset): Computes which operands are used by a particular bytecode.
        (JSC::computeDefsForBytecodeOffset): Computes which operands are defined by a particular
        bytecode. Typically this is just the left-most operand.
        (JSC::findBasicBlockWithLeaderOffset):
        (JSC::findBasicBlockForBytecodeOffset): Scans over basic blocks to find the block
        which contains a particular bytecode offset.
        (JSC::computeLocalLivenessForBytecodeOffset): Computes block-local liveness from the
        bottom of the block until a specified bytecode offset is reached.
        (JSC::computeLocalLivenessForBlock): Computes liveness for the entire block and
        stores the resulting liveness at the head.
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint): Runs backward flow liveness
        analysis to fixpoint.
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset):
        Slow path to get liveness info for a non-captured, non-argument variable.
        (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset): Returns the liveness
        info for both captured and non-captured vars at a particular bytecode offset.
        (JSC::BytecodeLivenessAnalysis::dumpResults): Dumps the output of the liveness analysis.
        Controlled by new flag in Options.h/.cpp.
        (JSC::BytecodeLivenessAnalysis::compute): Creates bytecode basic blocks and runs
        full liveness analysis.
        * bytecode/BytecodeLivenessAnalysis.h: Added.
        (JSC::BytecodeLivenessAnalysis::hasBeenComputed):
        (JSC::BytecodeLivenessAnalysis::computeIfNecessary):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::livenessAnalysis):
        * bytecode/PreciseJumpTargets.cpp: Refactored to be able to get the jump targets for
        a particular bytecode offset for use during bytecode basic block construction.
        (JSC::getJumpTargetsForBytecodeOffset):
        (JSC::computePreciseJumpTargets):
        (JSC::findJumpTargetsForBytecodeOffset):
        * bytecode/PreciseJumpTargets.h:
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        * runtime/Options.h:

2013-11-11  Andy Estes  <aestes@apple.com>

        [iOS] Define JSC_OBJC_API_ENABLED
        https://bugs.webkit.org/show_bug.cgi?id=124192

        Reviewed by Geoffrey Garen.

        * API/JSBase.h: JSC_OBJC_API_ENABLED should evaluate to true if
        TARGET_OS_IPHONE is true.
        * API/JSValue.h: Ensure CG types referenced later in the file are defined.

2013-11-12  Balazs Kilvady  <kilvadyb@homejinni.com>

        Fix undefined reference issues in JavaScriptCore build.
        https://bugs.webkit.org/show_bug.cgi?id=124152

        Reviewed by Michael Saboff.

        Missing includes added.

        * runtime/SymbolTable.cpp:

2013-11-12  Alexandru Chiculita  <achicu@adobe.com>

        Web Inspector: Crash when closing the Inspector while debugging an exception inside a breakpoint condition.
        https://bugs.webkit.org/show_bug.cgi?id=124078

        Reviewed by Joseph Pecoraro.

        The crash would happen because the Debugger is not designed to support nested
        breaks. For example, when the debugger handles a breakpoint and the Inspector
        executes a console command that would hit the breakpoint again, the Debugger
        will just ignore the breakpoint.

        There were no checks for conditions and actions. Because of that, conditions and actions
        could trigger exceptions and breakpoints. This patch disables that functionality as it
        cannot be supported without a bigger rewrite of the code.

        * debugger/Debugger.cpp:
        (JSC::TemporaryPausedState::TemporaryPausedState):
        (JSC::TemporaryPausedState::~TemporaryPausedState):
        (JSC::Debugger::hasBreakpoint):
        (JSC::Debugger::pauseIfNeeded):
        * debugger/Debugger.h:

2013-11-12  Julien Brianceau  <jbriance@cisco.com>

        InvalidIndex shouldn't be private in GPRInfo and FPRInfo for sh4, mips and arm64 architectures.
        https://bugs.webkit.org/show_bug.cgi?id=124156

        Reviewed by Michael Saboff.

        * jit/FPRInfo.h:
        (JSC::FPRInfo::debugName):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::debugName):

2013-11-11  Andreas Kling  <akling@apple.com>

        CodeBlock: Un-segment some Vectors.
        <https://webkit.org/b/124188>

        Turn some SegmentedVectors into Vectors where the final item count
        is known at CodeBlock construction time. This removes unnecessary
        allocation and indirection.

        I've got ~4.5 MB below SegmentedVector<ValueProfile>::ensureSegment
        on Membuster3 (peak, before pressure signal) so this should help
        take a bit of the edge off there.

        Reviewed by Geoffrey Garen.

2013-11-11  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the lastResultRegister optimization in the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=124171

        Rubber stamped by Mark Hahnenberg.

        The baseline JIT no longer needs amazing throughput. And this optimization has caused
        way too many OSR exit bugs. And it constrains how much we can do in the DFG/FTL. So,
        I'm getting rid of it.

        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::convertToForward):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::observeMovHint):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::OSRExit):
        (JSC::FTL::OSRExit::convertToForward):
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::appendCall):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        * jit/JITCall.cpp:
        (JSC::JIT::emitPutCallResult):
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::emitGetFromCallFrameHeaderPtr):
        (JSC::JIT::emitGetFromCallFrameHeader32):
        (JSC::JIT::emitGetFromCallFrameHeader64):
        (JSC::JIT::emitLoadTag):
        (JSC::JIT::emitLoadPayload):
        (JSC::JIT::emitLoad2):
        (JSC::JIT::emitGetVirtualRegister):
        (JSC::JIT::emitGetVirtualRegisters):
        (JSC::JIT::emitPutVirtualRegister):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_new_func):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_catch):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emitResolveClosure):
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_init_global_const):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):

2013-11-11  Filip Pizlo  <fpizlo@apple.com>

        Remove ConstantFoldingPhase's weirdo compile-time optimization
        https://bugs.webkit.org/show_bug.cgi?id=124169

        Reviewed by Mark Hahnenberg.

        It turns out that this compile-time optimization doesn't optimize compile times
        anymore. Kill it with fire.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2013-11-11  Filip Pizlo  <fpizlo@apple.com>

        Make bytecode dumping use the right opcode names for inc/dec.

        Rubber stamped by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2013-11-10  Filip Pizlo  <fpizlo@apple.com>

        DFG Int52 boxing code may clobber the source without telling anyone
        https://bugs.webkit.org/show_bug.cgi?id=124137

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::boxInt52): This is called in places where source is expected to be unchanged. We never call this expecting super-amazing codegen. So, preserve the source's value the dumb way (by recovering it mathematically).
        * jit/AssemblyHelpers.h: Document the invariant for boxInt52.
        * jsc.cpp:
        (GlobalObject::finishCreation): It's been super annoying that sometimes we say noInline() and sometimes we say neverInlineFunction(). The LayoutTests harnesses ensure that we have something called noInline(), but it's great to also ensure that the shell has it.

2013-11-11  Oliver Hunt  <oliver@apple.com>

        ExtJS breaks with modern Array.prototype.values API due to use of with()
        https://bugs.webkit.org/show_bug.cgi?id=123440

        Reviewed by Beth Dakin.

        As with our attempt to make Arguments use the Array prototype, ExtJS has
        a weird dependency on not adding new APIs to core types. In this case
        Array.prototype.values. The fix is to remove it, and push for ES6 to drop
        the API.

        * runtime/ArrayPrototype.cpp:

2013-11-11  Gabor Rapcsanyi  <rgabor@webkit.org>

        Fix CPU(ARM_TRADITIONAL) build after r159039.
        https://bugs.webkit.org/show_bug.cgi?id=124149

        Reviewed by Geoffrey Garen.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::firstRegister):
        (JSC::ARMAssembler::lastRegister):
        (JSC::ARMAssembler::firstFPRegister):
        (JSC::ARMAssembler::lastFPRegister):
        * assembler/MacroAssemblerARM.h:
        * jit/FPRInfo.h:

2013-11-09  Filip Pizlo  <fpizlo@apple.com>

        Switch FTL GetById/PutById IC's over to using AnyRegCC
        https://bugs.webkit.org/show_bug.cgi?id=124094

        Reviewed by Sam Weinig.

        This closes the loop on inline caches (IC's) in the FTL.
        The goal is to have IC's
        in LLVM-generated code that are just as efficient (if not more so) than what a
        custom JIT could do. As in zero sources of overhead. Not a single extra instruction
        or even register allocation pathology. We accomplish this by having two thingies in
        LLVM. First is the llvm.experimental.patchpoint intrinsic, which is sort of an
        inline machine code snippet that we can fill in with whatever we want and then
        modify subsequently. But you have only two choices of how to pass values to a
        patchpoint: (1) via the calling convention or (2) via the stackmap. Neither is good
        for operands to an IC (like the base pointer for a GetById, for example). (1) is bad
        because it results in things being pinned to certain registers a priori; a custom
        JIT (like the DFG) will not pin IC operands to any registers a priori but will allow
        the register allocator to do whatever it wants. (2) is bad because the operands may
        be spilled or may be represented in other crazy ways. You generally want an IC to
        have its operands in registers. Also, patchpoints only return values using the
        calling convention, which is unfortunate since it pins the return value to a
        register a priori. This is where the second thingy comes in: the AnyRegCC. This is
        a special calling convention only for use with patchpoints. It means that arguments
        passed "by CC" in the patchpoint can be placed in any register, and the register
        that gets used is reported as part of the stackmap. It also means that the return
        value (if there is one) can be placed in any register, and the stackmap will tell
        you which one it was. Thus, patchpoints combined with AnyRegCC mean that you not
        only get the kind of self-modifying code that you want for IC's, but you also get
        all of the register allocation goodness that a custom JIT would have given you.
        Except that you're getting it from LLVM and not a custom JIT. Awesome.

        Even though all of the fun stuff is on the LLVM side, this patch was harder than
        you'd expect.

        First the obvious bits:

        - IC patchpoints now use AnyRegCC instead of the C CC. (CC = calling convention.)

        - FTL::fixFunctionBasedOnStackMaps() now correctly figures out which registers the
          IC is supposed to use instead of assuming C CC argument registers.

        And then all of the stuff that broke and that this patch fixes:

        - IC sizing based on generating a dummy IC (what FTLInlineCacheSize did) is totally
          bad on x86-64, where various register permutations lead to bizarre header bytes
          and eclectic SIB encodings. I changed that to have magic constants, for now.

        - Slow path calls didn't preserve the CC return register.

        - Repatch's scratch register allocation would get totally confused if the operand
          registers weren't one of the DFG-style "temp" registers. And by "totally confused"
          I mean that it would crash.

        - We assumed that r10 is callee-saved. It's not. That one dude's PPT about x86-64
          cdecl that I found on the intertubes was not a trustworthy source of information,
          apparently.

        - Call repatching didn't know that the FTL does its IC slow calls via specially
          generated thunks. This was particularly fun to fix: basically, now when we relink
          an IC call in the FTL, we use the old call target to find the SlowPathCallKey,
          which tells us everything we need to know to generate (or look up) a new thunk for
          the new function we want to call.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::isEmptyValue):
        (JSC::MacroAssemblerCodePtr::isDeletedValue):
        (JSC::MacroAssemblerCodePtr::hash):
        (JSC::MacroAssemblerCodePtr::emptyValue):
        (JSC::MacroAssemblerCodePtr::deletedValue):
        (JSC::MacroAssemblerCodePtrHash::hash):
        (JSC::MacroAssemblerCodePtrHash::equal):
        * assembler/MacroAssemblerX86Common.h:
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::RepatchBuffer):
        (JSC::RepatchBuffer::codeBlock):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::setInstructionCallingConvention):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLocation.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compilePutById):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLSlowPathCall.cpp:
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::directGPR):
        (JSC::FTL::StackMaps::Location::restoreInto):
        * ftl/FTLStackMaps.h:
        * ftl/FTLThunks.h:
        (JSC::FTL::generateIfNecessary):
        (JSC::FTL::keyForThunk):
        (JSC::FTL::Thunks::keyForSlowPathCallThunk):
        * jit/FPRInfo.h:
        (JSC::FPRInfo::toIndex):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):
        (JSC::GPRInfo::debugName):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::filter):
        * jit/Repatch.cpp:
        (JSC::readCallTarget):
        (JSC::repatchCall):
        (JSC::repatchByIdSelfAccess):
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::lock):

2013-11-10  Oliver Hunt  <oliver@apple.com>

        Implement Set iterators
        https://bugs.webkit.org/show_bug.cgi?id=124129

        Reviewed by Antti Koivisto.

        Add Set iterator classes and implementations

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSSetIterator.cpp: Added.
        (JSC::JSSetIterator::finishCreation):
        (JSC::JSSetIterator::visitChildren):
        (JSC::JSSetIterator::createPair):
        * runtime/JSSetIterator.h: Added.
        (JSC::JSSetIterator::createStructure):
        (JSC::JSSetIterator::create):
        (JSC::JSSetIterator::next):
        (JSC::JSSetIterator::JSSetIterator):
        * runtime/SetIteratorConstructor.cpp: Added.
        (JSC::SetIteratorConstructor::finishCreation):
        * runtime/SetIteratorConstructor.h: Added.
        (JSC::SetIteratorConstructor::create):
        (JSC::SetIteratorConstructor::createStructure):
        (JSC::SetIteratorConstructor::SetIteratorConstructor):
        * runtime/SetIteratorPrototype.cpp: Added.
        (JSC::SetIteratorPrototype::finishCreation):
        (JSC::SetIteratorPrototypeFuncIterator):
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/SetIteratorPrototype.h: Added.
        (JSC::SetIteratorPrototype::create):
        (JSC::SetIteratorPrototype::createStructure):
        (JSC::SetIteratorPrototype::SetIteratorPrototype):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        (JSC::setProtoFuncValues):
        (JSC::setProtoFuncEntries):
        (JSC::setProtoFuncKeys):

2013-11-09  Oliver Hunt  <oliver@apple.com>

        Add Map Iterators
        https://bugs.webkit.org/show_bug.cgi?id=124109

        Reviewed by Andreas Kling.

        Added new Map iterator implementation. This is a mostly boilerplate patch;
        however, there's a little bit of additional logic added to the MapData iterator
        to deal with the possibility of map mutation between creation of the iterator
        and use of it. We'll be able to improve the performance of this substantially
        by using intrinsics, however I'm pondering coming up with a better way to define
        these thunks without requiring so much duplicated logic.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSMapIterator.cpp: Added.
        (JSC::JSMapIterator::finishCreation):
        (JSC::JSMapIterator::visitChildren):
        (JSC::JSMapIterator::createPair):
        * runtime/JSMapIterator.h: Added.
        (JSC::JSMapIterator::createStructure):
        (JSC::JSMapIterator::create):
        (JSC::JSMapIterator::next):
        (JSC::JSMapIterator::JSMapIterator):
        * runtime/MapData.h:
        (JSC::MapData::const_iterator::ensureSlot):
        * runtime/MapIteratorConstructor.cpp: Added.
        (JSC::MapIteratorConstructor::finishCreation):
        * runtime/MapIteratorConstructor.h: Added.
        (JSC::MapIteratorConstructor::create):
        (JSC::MapIteratorConstructor::createStructure):
        (JSC::MapIteratorConstructor::MapIteratorConstructor):
        * runtime/MapIteratorPrototype.cpp: Added.
        (JSC::MapIteratorPrototype::finishCreation):
        (JSC::MapIteratorPrototypeFuncIterator):
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/MapIteratorPrototype.h: Added.
        (JSC::MapIteratorPrototype::create):
        (JSC::MapIteratorPrototype::createStructure):
        (JSC::MapIteratorPrototype::MapIteratorPrototype):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        (JSC::mapProtoFuncValues):
        (JSC::mapProtoFuncEntries):
        (JSC::mapProtoFuncKeys):

2013-11-08  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed GTK build fix.

        * GNUmakefile.list.am: Remove redundant build targets.

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        Remove dead FTL C ABI support
        https://bugs.webkit.org/show_bug.cgi?id=124100

        Reviewed by Jer Noble.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCArgumentGetter.cpp: Removed.
        * ftl/FTLCArgumentGetter.h: Removed.
        * ftl/FTLOSRExitCompiler.cpp:
        * jit/FPRInfo.h:

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        FTL should support Phantom(FinalObject:)
        https://bugs.webkit.org/show_bug.cgi?id=124092

        Reviewed by Oliver Hunt.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::isType):
        (JSC::FTL::LowerDFGToLLVM::isNotType):
        (JSC::FTL::LowerDFGToLLVM::speculateFinalObject):

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the FTL tail call APIs since they are unused
        https://bugs.webkit.org/show_bug.cgi?id=124093

        Reviewed by Oliver Hunt.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildCall):
        * ftl/FTLOutput.h:

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        FTL should support AllocatePropertyStorage
        https://bugs.webkit.org/show_bug.cgi?id=124086

        Reviewed by Oliver Hunt.

        Also rationalized some offsets in the DFG.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the bizarre Darwin/x86-only MacroAssembler::shouldBlindForSpecificArch(uintptr_t) overload
        https://bugs.webkit.org/show_bug.cgi?id=124087

        Reviewed by Michael Saboff.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlindPointerForSpecificArch):
        (JSC::MacroAssembler::shouldBlind):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        FTL should support NewArrayBuffer
        https://bugs.webkit.org/show_bug.cgi?id=124067

        Reviewed by Michael Saboff.

        This expanded coverage and revealed some bugs.

        This revealed a bug in FTL::OSRExitCompiler where it was assuming that it could save
        the framePointer in regT3 even though DFG::reifyInlinedCallFrames() would clobber it.
        It turns out that this can be fixed by just completely restoring the stack prior to
        doing reifyInlineCallFrames().

        I used this as an opportunity to simplify NewArray. That revealed a bug; whenever we say
        lowJSValue() in there we need to use ManualOperandSpeculation since we're using it to
        rebox values even when we also have to do some speculations. The speculations are done
        at the top of compileNewArray().

        This also revealed a bug in StringCharAt() for the OOB case.

        * ftl/FTLAbstractHeapRepository.h:
        (JSC::FTL::AbstractHeapRepository::forIndexingType):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        It should be easy to disable blinding on a per-architecture basis
        https://bugs.webkit.org/show_bug.cgi?id=124083

        Reviewed by Michael Saboff.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::haveScratchRegisterForBlinding):
        (JSC::AbstractMacroAssembler::scratchRegisterForBlinding):
        (JSC::AbstractMacroAssembler::canBlind):
        (JSC::AbstractMacroAssembler::shouldBlindForSpecificArch):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):
        (JSC::MacroAssembler::store32):
        (JSC::MacroAssembler::branch32):
        (JSC::MacroAssembler::branchAdd32):
        (JSC::MacroAssembler::branchMul32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::canBlind):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::haveScratchRegisterForBlinding):

2013-11-08  Oliver Hunt  <oliver@apple.com>

        Remove more accidentally added files.

        * runtime/SetIteratorConstructor.cpp: Removed.
        * runtime/SetIteratorConstructor.h: Removed.
        * runtime/SetIteratorPrototype.cpp: Removed.
        * runtime/SetIteratorPrototype.h: Removed.

2013-11-08  Oliver Hunt  <oliver@apple.com>

        Remove accidentally added files.

        * runtime/JSSetIterator.cpp: Removed.
        * runtime/JSSetIterator.h: Removed.

2013-11-08  Oliver Hunt  <oliver@apple.com>

        Fix minor (unobservable) bug in ArrayIterator::next()
        https://bugs.webkit.org/show_bug.cgi?id=124061

        Reviewed by Beth Dakin.

        I noticed this while reading the array iterator code. Due to how
        ArrayIterator::next() and our enumeration behaviour is implemented
        this is not actually a code path that can be hit. But in order to
        future proof this it should be correct.

        * runtime/JSArrayIterator.cpp:
        (JSC::arrayIteratorNext):

2013-11-08  Mark Lam  <mark.lam@apple.com>

        Move breakpoint (and exception break) functionality into JSC::Debugger.
        https://bugs.webkit.org/show_bug.cgi?id=121796.

        Reviewed by Geoffrey Garen.

        - In ScriptDebugServer and JSC::Debugger, SourceID and BreakpointID are
          now numeric tokens.

        - JSC::Debugger now tracks user defined breakpoints in a JSC::Breakpoint
          record. Previously, this info was tracked in the ScriptBreakpoint record
          in ScriptDebugServer. The only element of ScriptBreakpoint that is not
          being tracked by JSC::Breakpoint is the ScriptBreakpointAction.
          The ScriptBreakpointAction is still tracked by the ScriptDebugServer
          in a list keyed on the corresponding BreakpointID.
          The ScriptBreakpoint record is now only used as a means of passing
          breakpoint parameters to the ScriptDebugServer.

        - ScriptDebugServer now no longer accesses the JSC::CallFrame* directly.
          It always goes through the DebuggerCallFrame.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Breakpoint.h: Added.
        (JSC::Breakpoint::Breakpoint):
        - Breakpoint class to track info for each breakpoint in JSC::Debugger.
        * debugger/Debugger.cpp:
        (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope):
        (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope):
        (JSC::Debugger::Debugger):
        (JSC::Debugger::detach):
        (JSC::Debugger::updateNeedForOpDebugCallbacks):
        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::hasBreakpoint):
        (JSC::Debugger::clearBreakpoints):
        (JSC::Debugger::setBreakpointsActivated):
        (JSC::Debugger::setPauseOnExceptionsState):
        (JSC::Debugger::setPauseOnNextStatement):
        (JSC::Debugger::breakProgram):
        (JSC::Debugger::continueProgram):
        (JSC::Debugger::stepIntoStatement):
        (JSC::Debugger::stepOverStatement):
        (JSC::Debugger::stepOutOfFunction):
        (JSC::Debugger::updateCallFrame):
        (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::exception):
        (JSC::Debugger::atStatement):
        (JSC::Debugger::callEvent):
        (JSC::Debugger::returnEvent):
        (JSC::Debugger::willExecuteProgram):
        (JSC::Debugger::didExecuteProgram):
        (JSC::Debugger::didReachBreakpoint):
        (JSC::Debugger::currentDebuggerCallFrame):
        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::sourceID):
        (JSC::DebuggerCallFrame::sourceIDForCallFrame):
        * debugger/DebuggerCallFrame.h:
        * debugger/DebuggerPrimitives.h: Added.
        - define SourceID, noSourceID, BreakpointID, and noBreakpointID.

2013-11-08  Oliver Hunt  <oliver@apple.com>

        Map.forEach crashes on deleted values
        https://bugs.webkit.org/show_bug.cgi?id=124017

        Reviewed by Ryosuke Niwa.

        MapData iterator did not consider the case of the first entries
        being holes.
        To fix this I've refactored iteration so that we
        can perform an initialisation increment on construction, while
        retaining the useful assertion in MapData::const_iterator::operator++.

        * runtime/MapData.h:
        (JSC::MapData::const_iterator::operator++):
        (JSC::MapData::const_iterator::internalIncrement):
        (JSC::MapData::const_iterator::const_iterator):

2013-11-08  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r158883): Fix crashes for ARM architecture.
        https://bugs.webkit.org/show_bug.cgi?id=124038

        Reviewed by Michael Saboff.

        * jit/GPRInfo.h: Remove r11 from the temporary register set, use a free register for
        nonPreservedNonReturnGPR and remove obsolete declaration of bucketCounterRegister.
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/JITOperations.cpp: Frame pointer register is r11 for ARM_TRADITIONAL and
        r7 for ARM_THUMB2 instead of r5 since r158883.

2013-11-08  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r158883): Fix crashes for MIPS architecture.
        https://bugs.webkit.org/show_bug.cgi?id=124044

        Reviewed by Michael Saboff.

        * jit/JITOperations.cpp: Frame pointer register is fp instead of s0 since r158883 for MIPS.
        * jit/ThunkGenerators.cpp: Save and restore the new frame pointer register.
        (JSC::returnFromJavaScript):
        (JSC::callToJavaScript):

2013-11-08  peavo@outlook.com  <peavo@outlook.com>

        [Win] JavaScript crash in getHostCallReturnValue.
        https://bugs.webkit.org/show_bug.cgi?id=124040

        Reviewed by Geoffrey Garen.

        * jit/JITOperations.cpp: Update MSVC assembler code in getHostCallReturnValue according to gcc x86 version.

2013-11-08  Julien Brianceau  <jbriance@cisco.com>

        [mips] Fix typo (introduced in r158751).
        https://bugs.webkit.org/show_bug.cgi?id=124033.

        Reviewed by Csaba Osztrogonác.

        * jit/ThunkGenerators.cpp:
        (JSC::callToJavaScript):

2013-11-08  Julien Brianceau  <jbriance@cisco.com>

        [arm] Use specific PatchableJump implementation for CPU(ARM_TRADITIONAL).
        https://bugs.webkit.org/show_bug.cgi?id=123891

        Reviewed by Michael Saboff.

        Although patchableBranch32 is implemented in MacroAssemblerARM.h, the used implementation
        is the generic one in MacroAssembler.h. This patch fixes it and also implements the
        patchableJump() function for CPU(ARM_TRADITIONAL). These specific implementations are
        needed for this architecture backend to ensure that these jumps can be relinked.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::patchableJump):
        * jit/GPRInfo.h: Remove static_casts that are generating warnings in debug builds.
        (JSC::GPRInfo::toIndex):
        (JSC::GPRInfo::debugName):

2013-11-07  Mark Lam  <mark.lam@apple.com>

        Get rid of the regT* definitions in JSInterfaceJIT.h.
        https://bugs.webkit.org/show_bug.cgi?id=123806.

        Reviewed by Geoffrey Garen.

        JSInterfaceJIT now inherits from GPRInfo and FPRInfo, and relies on them
        to provide all the register definitions.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toArgumentRegister):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_jfalse):
        (JSC::JIT::emitSlow_op_jtrue):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emitSlow_op_jfalse):
        (JSC::JIT::emitSlow_op_jtrue):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::JSInterfaceJIT):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:

2013-11-07  Filip Pizlo  <fpizlo@apple.com>

        FTL should support NewArray
        https://bugs.webkit.org/show_bug.cgi?id=124010

        Reviewed by Oliver Hunt.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNewObject):
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::allocateObject):
        (JSC::FTL::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
        (JSC::FTL::LowerDFGToLLVM::ArrayValues::ArrayValues):
        (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::loadDouble):
        (JSC::FTL::Output::storeDouble):

2013-11-07  Michael Saboff  <msaboff@apple.com>

        Change CallFrameRegister to architected frame pointer register
        https://bugs.webkit.org/show_bug.cgi?id=123956

        Reviewed by Geoffrey Garen.

        Changed X86 and ARM variants as well as MIPS to use their respective architected
        frame pointer registers. The freed up callFrameRegisters are made available to
        the DFG register allocator. Modified the FTL OSR exit compiler to use a temporary
        register as a stand in for the destination callFrameRegister since the FTL frame
        pointer register is needed to extract values from the FTL stack.

        Reviewed by Geoffrey Garen.

        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:
        * assembler/MacroAssemblerMIPS.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::addressFor):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/JITOperations.cpp:
        * jit/JSInterfaceJIT.h:
        * jit/ThunkGenerators.cpp:
        (JSC::callToJavaScript):
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/mips.rb:
        * offlineasm/x86.rb:

2013-11-07  Oliver Hunt  <oliver@apple.com>

        Reproducible crash when using Map (affects Web Inspector)
        https://bugs.webkit.org/show_bug.cgi?id=123940

        Reviewed by Geoffrey Garen.

        Trivial fix. Once again we get bitten by attempting to be clever when
        growing while adding entries to indexing maps.

        Now we simply do a find(), and then add() _after_ we've ensured there is
        sufficient space in the MapData list.

        * runtime/MapData.cpp:
        (JSC::MapData::add):

2013-11-07  Mark Lam  <mark.lam@apple.com>

        Cosmetic: rename xxxId to xxxID for ScriptId, SourceId, and BreakpointId.
        https://bugs.webkit.org/show_bug.cgi?id=123945.

        Reviewed by Geoffrey Garen.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::sourceID):
        (JSC::DebuggerCallFrame::sourceIDForCallFrame):
        * debugger/DebuggerCallFrame.h:

2013-11-07  Michael Saboff  <msaboff@apple.com>

        returnFromJavaScript() for ARM_THUMB2 uses push()s which should be pop()s
        https://bugs.webkit.org/show_bug.cgi?id=124006

        Rubber stamped by Mark Hahnenberg.

        Changed the push() calls to pop().

        * jit/ThunkGenerators.cpp:
        (JSC::returnFromJavaScript):

2013-11-07  Michael Saboff  <msaboff@apple.com>

        Remove unneeded moving of ESP to ECX in callToJavaScript for COMPILER(MSVC)
        https://bugs.webkit.org/show_bug.cgi?id=123998

        Reviewed by Mark Lam.

        Dead code removal. Passing esp as the first "C" argument to a JavaScript
        function is no longer needed.

        * jit/ThunkGenerators.cpp:
        (JSC::callToJavaScript):

2013-11-07  Julien Brianceau  <jbriance@cisco.com>

        Fix build for architectures with 4 argument registers (broken since r158820).
        https://bugs.webkit.org/show_bug.cgi?id=123969

        Reviewed by Andreas Kling.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        FTL should support CheckFunction
        https://bugs.webkit.org/show_bug.cgi?id=123862

        Reviewed by Sam Weinig.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):

2013-11-06  Filip Pizlo  <fpizlo@apple.com>

        IC code should handle the call frame register not being the callFrameRegister
        https://bugs.webkit.org/show_bug.cgi?id=123865

        Reviewed by Geoffrey Garen.

        For now, in the FTL, the call frame may be something other than our frame pointer,
        since it's an argument passed in according to whatever convention LLVM picks.

        This is temporary in two ways - pretty soon the callFrameRegister will be the actual
        frame pointer and not some other register, and LLVM will not pass the frame pointer
        as an argument to IC's.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutTransitionStub):

2013-11-06  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream Letterpress effect
        https://bugs.webkit.org/show_bug.cgi?id=123932

        Reviewed by Sam Weinig.

        Add feature define ENABLE_LETTERPRESS disabled by default. We only enable
        letterpress on iOS.

        * Configurations/FeatureDefines.xcconfig:

2013-11-05  Oliver Hunt  <oliver@apple.com>

        Support iteration of the Arguments object
        https://bugs.webkit.org/show_bug.cgi?id=123835

        Reviewed by Mark Lam.

        Add an ArgumentsIterator object, and associated classes so that we can support
        iteration of the arguments object.

        This is a largely mechanical patch. The only gnarliness is in the
        logic to avoid reifying the Arguments object in for(... of arguments)
        scenarios.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::argumentsFuncIterator):
        * runtime/Arguments.h:
        * runtime/ArgumentsIteratorConstructor.cpp: Added.
        (JSC::ArgumentsIteratorConstructor::finishCreation):
        * runtime/ArgumentsIteratorConstructor.h: Added.
        (JSC::ArgumentsIteratorConstructor::create):
        (JSC::ArgumentsIteratorConstructor::createStructure):
        (JSC::ArgumentsIteratorConstructor::ArgumentsIteratorConstructor):
        * runtime/ArgumentsIteratorPrototype.cpp: Added.
        (JSC::ArgumentsIteratorPrototype::finishCreation):
        (JSC::argumentsIteratorPrototypeFuncIterator):
        (JSC::argumentsIteratorPrototypeFuncNext):
        * runtime/ArgumentsIteratorPrototype.h: Added.
        (JSC::ArgumentsIteratorPrototype::create):
        (JSC::ArgumentsIteratorPrototype::createStructure):
        (JSC::ArgumentsIteratorPrototype::ArgumentsIteratorPrototype):
        * runtime/CommonIdentifiers.h:
        * runtime/JSArgumentsIterator.cpp: Added.
        (JSC::JSArgumentsIterator::finishCreation):
        * runtime/JSArgumentsIterator.h: Added.
        (JSC::JSArgumentsIterator::createStructure):
        (JSC::JSArgumentsIterator::create):
        (JSC::JSArgumentsIterator::next):
        (JSC::JSArgumentsIterator::JSArgumentsIterator):
        * runtime/JSArrayIterator.cpp:
        (JSC::createIteratorResult):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:

2013-11-06  Filip Pizlo  <fpizlo@apple.com>

        DFG CheckArray(NonArray) should prove that the child isn't an array
        https://bugs.webkit.org/show_bug.cgi?id=123911
        <rdar://problem/15202803>

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::isArrayType):

2013-11-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSExport doesn't support constructors
        https://bugs.webkit.org/show_bug.cgi?id=123380

        Reviewed by Geoffrey Garen.

        Needed another linked-on-or-after check for when we're deciding whether
        we should copy over init family methods.

        Factored out the link time checks into a separate function so that they can be cached.

        Factored out the check for init-family method selectors into a helper function and changed it to
        match the description in the clang docs, namely that there can be underscores at the beginning
        and the first letter after the 'init' part of the selector (if there is one) must be a capital letter.

        Updated tests to make sure we don't treat "initialize" as an init-family method and that we do
        treat "_init" as an init-family method.

        * API/JSWrapperMap.h:
        * API/JSWrapperMap.mm:
        (isInitFamilyMethod):
        (shouldSkipMethodWithName):
        (copyMethodsToObject):
        (allocateConstructorForCustomClass):
        (supportsInitMethodConstructors):
        * API/tests/testapi.mm:
        (-[ClassA initialize]):
        (-[ClassD initialize]):

2013-11-06  Michael Saboff  <msaboff@apple.com>

        Change ctiTrampoline into a thunk
        https://bugs.webkit.org/show_bug.cgi?id=123844

        Reviewed by Filip Pizlo.

        Converted ctiTrampoline and ctiOpThrowNotCaught into thunks named callToJavaScript
        and returnFromJavaScript. Cleaned up and in some cases removed JITStubsXXX.h files
        after removing ctiTrampoline and ctiOpThrowNotCaught. Added callJavaScriptJITFunction
        to VM that is a function pointer to the callToJavaScript thunk.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h: Removed.
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h: Removed.
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsSH4.h: Removed.
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jit/JSInterfaceJIT.h:
        * jit/ThunkGenerators.cpp:
        (JSC::returnFromJavaScript):
        (JSC::callToJavaScript):
        * jit/ThunkGenerators.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        FTL should support StringCharCodeAt
        https://bugs.webkit.org/show_bug.cgi?id=123854

        Reviewed by Sam Weinig.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        FTL should support NewObject
        https://bugs.webkit.org/show_bug.cgi?id=123849

        Reviewed by Oliver Hunt.

        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNewObject):
        (JSC::FTL::LowerDFGToLLVM::allocate):

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        FTL should support StringCharAt
        https://bugs.webkit.org/show_bug.cgi?id=123855

        Reviewed by Oliver Hunt.

        This is just like GetByVal for String, so we reuse that code.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        Remove old unused code for hypothetical LLVM intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=123824

        Reviewed by Oliver Hunt.

        * ftl/FTLIntrinsicRepository.h:

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        FTL should support String character access operations
        https://bugs.webkit.org/show_bug.cgi?id=123783

        Reviewed by Oliver Hunt.

        Implements:

        - string.length

        - string[index]

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):

2013-11-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        ObjCCallbackFunctionImpl's NSInvocation shouldn't retain its target or arguments
        https://bugs.webkit.org/show_bug.cgi?id=123822

        Reviewed by Geoffrey Garen.

        Using -retainArguments on ObjCCallbackFunctionImpl's NSInvocation leads to memory leaks.
        We should handle retaining/releasing the target ourselves, and we should never retain the arguments.

        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl):
        (JSC::ObjCCallbackFunctionImpl::name):
        (objCCallbackFunctionForInvocation):
        (objCCallbackFunctionForMethod):
        (objCCallbackFunctionForBlock):

2013-11-05  Julien Brianceau  <jbriance@cisco.com>

        Fix build for architectures with 4 argument registers (broken since r158681).
        https://bugs.webkit.org/show_bug.cgi?id=123826

        Reviewed by Michael Saboff.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        (JSC::CCallHelpers::setupArguments):

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        Fix register allocation inside control flow in GetByVal String
        https://bugs.webkit.org/show_bug.cgi?id=123816

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        Remove FTL::LowerDFGToLLVM::compileJSConstant()
        https://bugs.webkit.org/show_bug.cgi?id=123817

        Reviewed by Geoffrey Garen.

        * ftl/FTLLowerDFGToLLVM.cpp:

2013-11-04  Filip Pizlo  <fpizlo@apple.com>

        FTL should support PutById
        https://bugs.webkit.org/show_bug.cgi?id=123784

        Reviewed by Geoffrey Garen.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildCall):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::generateICFastPath):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheDescriptor.h:
        (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
        (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
        (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
        (JSC::FTL::PutByIdDescriptor::ecmaMode):
        (JSC::FTL::PutByIdDescriptor::putKind):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutById):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::call):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::callOperation):
        * ftl/FTLSlowPathCall.h:
        * ftl/FTLState.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ecmaMode):

2013-11-04  Filip Pizlo  <fpizlo@apple.com>

        GetById->GetByOffset and PutById->PutByOffset folding should mark haveStructures since it may result in structure transition watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123788

        Reviewed by Geoffrey Garen.

        haveStructures is true if there are any currentlyKnownStructures that have
        interesting values, since that's the only time when clobbering needs to do things.
        It's a really important compile-time optimization. But that also means that anytime
        we might cause currentlyKnownStructures to get set - like when we might insert some
        structure transition watchpoints - we need to set haveStructures. We were forgetting
        to do that for GetById->GetByOffset and PutById->PutByOffset because, I guess, we
        forgot that those might insert structure transition watchpoints.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-11-05  Julien Brianceau  <jbriance@cisco.com>

        [mips] Make regTx registers match between JSInterfaceJIT and GPRInfo.
        https://bugs.webkit.org/show_bug.cgi?id=123807

        Reviewed by Mark Lam.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):
        * jit/JSInterfaceJIT.h:

2013-11-05  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r158315): Fix register mixup in JIT::compileOpCall.
        https://bugs.webkit.org/show_bug.cgi?id=123799

        Reviewed by Mark Lam.

        Changeset r158315 is crashing architectures where JSInterfaceJIT::regT3 is
        different from GPRInfo::regT3. This is the case for the MIPS architecture.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2013-11-05  Julien Brianceau  <jbriance@cisco.com>

        [mips] Fix build for MIPS platforms.
        https://bugs.webkit.org/show_bug.cgi?id=123796

        Reviewed by Michael Saboff.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode): Add specific MIPS call to relocateJumps.
        * assembler/MIPSAssembler.h: Remove executableCopy (because of r157690) and set relocateJumps function public.
        (JSC::MIPSAssembler::firstRegister):
        (JSC::MIPSAssembler::lastRegister):
        (JSC::MIPSAssembler::firstFPRegister):
        (JSC::MIPSAssembler::lastFPRegister):
        (JSC::MIPSAssembler::buffer): Needed since r157690.
        * assembler/MacroAssemblerMIPS.h: Add framePointerRegister.
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch): Remove unused parameter warning.

2013-11-04  Filip Pizlo  <fpizlo@apple.com>

        internal-js-tests.yaml/Octane/stress-tests/pdfjs.js.default: ASSERTION FAILED: m_state.forNode(child).m_futurePossibleStructure.isSubsetOf(StructureSet(structure)) at DFGConstantFoldingPhase.cpp:249
        https://bugs.webkit.org/show_bug.cgi?id=123778

        Unreviewed, remove the other such assertion.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2013-11-04  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r158586): plugins/refcount-leaks.html fails
        https://bugs.webkit.org/show_bug.cgi?id=123765

        We were leaving a hole of one slot above a new frame when pushing the new frame on
        the stack with pushFrame(). This unused slot can contain residual values that will
        be marked during GC.

        Reviewed by Filip Pizlo.

        * interpreter/JSStackInlines.h:
        (JSC::JSStack::pushFrame):

2013-11-04  Filip Pizlo  <fpizlo@apple.com>

        internal-js-tests.yaml/Octane/stress-tests/pdfjs.js.default: ASSERTION FAILED: m_state.forNode(child).m_futurePossibleStructure.isSubsetOf(StructureSet(structure)) at DFGConstantFoldingPhase.cpp:249
        https://bugs.webkit.org/show_bug.cgi?id=123778

        Reviewed by Geoffrey Garen.

        This assertion was just wrong: we do an execute() above the assertion. The assertion
        is asserting that if we need a watchpoint (i.e. the best proven structure was not the
        current structure) then it must be the future possible structure. But while that may
        have been true before execute(), it won't be true after if the PutById was a
        transition.
        Of course, this can only happen in the concurrent JIT in which case the
        code would be invalidated anyway since we would only transform the code in a way that
        leveraged the lack of a transition if we inserted a watchpoint, in which case we
        would realize that the watchpoint had been fired during compilation.

        Since this requires concurrent JIT awesomeness, I don't know how to test it.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2013-11-04  Filip Pizlo  <fpizlo@apple.com>

        DFG CheckArray(String) should just be a Phantom(String:)
        https://bugs.webkit.org/show_bug.cgi?id=123779

        Reviewed by Geoffrey Garen.

        This should be a speed-up since Phantom(String:) is smart enough to use the string
        structure. It should also be a simplification since CheckArray(String) was totally
        redundant.

        Also FixupPhase was assuming that it may see CheckArray's. That's wrong. It can
        create CheckArray's but it won't see them as input since no previous phase can
        create them.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):

2013-11-04  Filip Pizlo  <fpizlo@apple.com>

        DFG NewArray/NewArrayBuffer shouldn't be constructing with negative indexing
        https://bugs.webkit.org/show_bug.cgi?id=123760
        <rdar://problem/15356705>

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        * dfg/DFGOperations.cpp:

2013-11-04  Michael Saboff  <msaboff@apple.com>

        Eliminate HostCall bit from JSC Stack CallerFrame
        https://bugs.webkit.org/show_bug.cgi?id=123642

        Reviewed by Geoffrey Garen.

        Replace the HostCallFrame bit or'ed to the CallerFrame value in a CallFrame with
        a VM entry sentinel CallFrame.
        Logically, the VM entry sentinel call frame is
        pushed on the stack before the callee frame when calling from native to JavaScript
        code. The callee frame's CallerFrame points at the VM entry sentinel call frame
        and the VM entry sentinel call frame's CallerFrame points to the real caller.
        The VM entry sentinel call frame has a sentinel (1) in the CodeBlock to indicate
        it's a VM entry sentinel call frame. Its ScopeChain has vm.topCallFrame at the
        time of the call. This allows for a complete stack walk as well as walking just
        the contiguous JS frames.

        The VM entry sentinel call frame and callee frame are currently allocated and
        initialized in ExecState::init(), but this initialization will be moved to
        ctiTrampoline when we actually move onto the native stack.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::noticeIncomingCall):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::callerFrame):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * interpreter/CallFrame.h:
        (JSC::ExecState::frameExtent):
        (JSC::ExecState::currentVPC):
        (JSC::ExecState::setCurrentVPC):
        (JSC::ExecState::init):
        (JSC::ExecState::noCaller):
        (JSC::ExecState::isVMEntrySentinel):
        (JSC::ExecState::vmEntrySentinelCallerFrame):
        (JSC::ExecState::initializeVMEntrySentinelFrame):
        (JSC::ExecState::callerFrameSkippingVMEntrySentinel):
        (JSC::ExecState::vmEntrySentinelCodeBlock):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::getStackTrace):
        * interpreter/Interpreter.h:
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::~JSStack):
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::getStartOfFrame):
        (JSC::JSStack::pushFrame):
        (JSC::JSStack::popFrame):
        * interpreter/Register.h:
        (JSC::Register::operator=):
        (JSC::Register::callFrame):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::readFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::readInlinedFrame):
        (JSC::StackVisitor::Frame::print):
        * interpreter/VMInspector.cpp:
        (JSC::VMInspector::countFrames):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITOperations.cpp:
        * jit/JITStubsARM.h:
        (JSC::ctiTrampoline):
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        (JSC::ctiTrampoline):
        * jit/JITStubsMIPS.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jsc.cpp:
        (functionDumpCallFrame):
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::throwException):

2013-11-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSArrayBufferViews of length 0 allocate 0 CopiedSpace bytes, which is invalid
        https://bugs.webkit.org/show_bug.cgi?id=123746

        Reviewed by Geoffrey Garen.

        This patch disallows clients from allocating 0 bytes in CopiedSpace. We enforce this invariant
        with an ASSERT in C++ code and a breakpoint in JIT code. Clients who care about 0-byte
        allocations (like JSArrayBufferViews) must handle that case themselves, but we don't punish
        anybody else for the rare case that somebody decides to allocate a 0-length typed array.
        It also makes the allocation and copying cases consistent for CopiedSpace: no 0-byte allocations,
        no 0-byte copying.

        Also added a check so that JSArrayBufferViews don't try to copy their m_vector backing store when
        their length is 0.
        Also sprinkled several ASSERTs throughout the JSArrayBufferView code to make sure that
        when length is 0 m_vector is null.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::tryAllocate):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::create):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::visitChildren):
        (JSC::::copyBackingStore):
        (JSC::::slowDownAndWasteMemory):

2013-11-04  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Refactor jumps in baseline JIT to return label after the jump.
        https://bugs.webkit.org/show_bug.cgi?id=123734

        Reviewed by Michael Saboff.

        Current implementation of jumps in sh4 baseline JIT returns a label on the jump itself
        and not after it. This is not correct and leads to issues like an infinite loop in the DFG
        (https://bugs.webkit.org/show_bug.cgi?id=122597 for instance). This refactor fixes this
        and also simplifies the link and relink procedures for sh4 jumps.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchDouble):
        (JSC::MacroAssemblerSH4::branchTrue):
        (JSC::MacroAssemblerSH4::branchFalse):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::jmp):
        (JSC::SH4Assembler::extraInstrForBranch):
        (JSC::SH4Assembler::jne):
        (JSC::SH4Assembler::je):
        (JSC::SH4Assembler::bra):
        (JSC::SH4Assembler::linkJump):
        (JSC::SH4Assembler::relinkJump):

2013-11-03  Filip Pizlo  <fpizlo@apple.com>

        Generated color wheel displays incorrectly (regressed in r155567)
        https://bugs.webkit.org/show_bug.cgi?id=123664

        Reviewed by Andreas Kling.

        Interestingly, r155567 just "un-broke" the attempt to constant-fold ArithMod, but
        that constant folding was just wrong to begin with. There is no evidence that this
        constant folding rule is profitable. I'm removing it instead of trying to think
        about what it means for it to be correct.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-11-03  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, it is no longer necessary to call DisablePrettyStackTrace.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2013-11-02  Mark Lam  <mark.lam@apple.com>

        Assertion failure in non-JIT'ed LLInt on ARM Thumb.
        https://bugs.webkit.org/show_bug.cgi?id=97569.

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerCodeRef.h:
        - Thumb2 alignment assertions do not apply to the C Loop LLINT because
          the arguments passed to those assertions are actually OpcodeIDs
          masquerading as addresses.
        * llint/LLIntOfflineAsmConfig.h:
        - Some of the #defines belong in the !ENABLE(LLINT_C_LOOP) section.
          Moving them there.
        * llint/LowLevelInterpreter.cpp:
        - Keep the compiler happy from some unreferenced C Loop labels.

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        FTL should use LLVM intrinsics for OSR exit, watchpoints, inline caches, and stack layout
        https://bugs.webkit.org/show_bug.cgi?id=122318

        Reviewed by Geoffrey Garen.

        This all now works. This patch just updates our implementation to work with LLVM trunk,
        and removes all of the old code that tried to do OSR exits and heap accesses without
        the benefit of those intrinsics.

        In particular:

        - StackMaps parsing now uses the new, less compact, but more future-proof, format.

        - Remove the ftlUsesStackmaps() option and hard-code ftlUsesStackmaps = true.
          Remove all code for ftlUsesStackmaps = false, since that was only there for back when we
          didn't have the intrinsics.

        - Remove the other experimental OSR options (useLLVMOSRExitIntrinsic,
          ftlTrapsOnOSRExit, and FTLOSRExitOmitsMarshalling).

        - Remove LowerDFGToLLVM's use of the ExitThunkGenerator since we don't need to generate
          the exit thunks until after we parse the stackmaps.

        - Remove all of the exit thunk and compiler code for the no-stackmaps case.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::parse):
        (WTF::printInternal):
        * ftl/FTLStackMaps.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::Thunks::getOSRExitGenerationThunk):
        * runtime/Options.h:

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Add missing getHostCallReturnValue() for MSVC ARM
https://bugs.webkit.org/show_bug.cgi?id=123685 18858 18859 Reviewed by Darin Adler. 18860 18861 * jit/JITStubsARM.h: 18862 188632013-11-02 Patrick Gansterer <paroga@webkit.org> 18864 18865 Fix MSVC warning about unary minus operator 18866 https://bugs.webkit.org/show_bug.cgi?id=123674 18867 18868 Reviewed by Darin Adler. 18869 18870 Change some static_cast<> to silence the following warning of Microsoft compiler: 18871 warning C4146: unary minus operator applied to unsigned type, result still unsigned 18872 18873 * jit/Repatch.cpp: 18874 (JSC::emitPutTransitionStub): 18875 188762013-11-02 Filip Pizlo <fpizlo@apple.com> 18877 18878 Disable LLVM's pretty stack traces, which involve intercepting fatal signals 18879 https://bugs.webkit.org/show_bug.cgi?id=123681 18880 18881 Reviewed by Geoffrey Garen. 18882 18883 * llvm/library/LLVMExports.cpp: 18884 (initializeAndGetJSCLLVMAPI): 18885 188862013-11-02 Filip Pizlo <fpizlo@apple.com> 18887 18888 LLVM assertion failures should funnel into WTF's crash handling 18889 https://bugs.webkit.org/show_bug.cgi?id=123682 18890 18891 Reviewed by Geoffrey Garen. 18892 18893 Inside llvmForJSC, we override assertion-related functions and funnel them 18894 into g_llvmTrapCallback(). We also now register a fatal error handler inside 18895 the library and funnel that into g_llvmTrapCallback, and have 18896 initializeAndGetJSCLLVMAPI() take such a callback as an argument. 18897 18898 Inside JSC, we no longer call LLVMInstallFatalErrorHandler() but instead we 18899 pass WTFLogAlwaysAndCrash() as the trap callback for llvmForJSC. 18900 18901 * llvm/InitializeLLVM.cpp: 18902 (JSC::initializeLLVM): 18903 * llvm/InitializeLLVMPOSIX.cpp: 18904 (JSC::initializeLLVMPOSIX): 18905 * llvm/library/LLVMExports.cpp: 18906 (llvmCrash): 18907 (initializeAndGetJSCLLVMAPI): 18908 * llvm/library/LLVMOverrides.cpp: 18909 (raise): 18910 (__assert_rtn): 18911 (abort): 18912 * llvm/library/LLVMTrapCallback.h: Added. 
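The following is an added example, not code from the WebKit ChangeLog or from Repatch.cpp, showing the hazard behind the C4146 warning named in the "Fix MSVC warning about unary minus operator" entry above. Every function name and the sample frame base 0x1000 are constructed for the demonstration:

```cpp
#include <cstdint>

// Constructed illustration (not JavaScriptCore code) of why MSVC's C4146 is
// worth fixing rather than silencing. Unary minus on an unsigned operand yields
// an unsigned result: for a 32-bit operand, -8u is 4294967288, not -8. Such a
// value only "works" as a negative offset while the arithmetic stays in 32 bits
// and wraps; once it is widened to a 64-bit index or pointer it becomes a huge
// positive delta, i.e. an out-of-bounds access.

// The pattern the warning flags. Returned as int64_t so the value is visible.
int64_t negatedUnsigned(uint32_t slots)
{
    uint32_t delta = -slots; // C4146: result is still unsigned, 8 -> 4294967288
    return static_cast<int64_t>(delta);
}

// The silenced (and clearer) form: cast to a signed type first, then negate.
int64_t negatedSigned(uint32_t slots)
{
    return -static_cast<int64_t>(slots); // 8 -> -8
}

// Using each form to locate the slot `slots` entries below a 64-bit frame base.
// Indices are returned rather than pointers, so nothing is dereferenced.
uint64_t slotBelowBaseUnsigned(uint64_t base, uint32_t slots)
{
    uint32_t delta = -slots; // zero-extends to 64 bits: base + 0xFFFFFFF8
    return base + delta;
}

uint64_t slotBelowBaseSigned(uint64_t base, uint32_t slots)
{
    int64_t delta = -static_cast<int64_t>(slots); // sign-extends: base - 8
    return base + delta;
}
```

MSVC reports C4146 at the `-slots` line at warning level 2 and above; GCC and Clang accept it without a warning at their default settings, which is one reason to prefer the explicit signed cast on every platform and not only where the warning fires.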

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::jettison() shouldn't call baselineVersion()
        https://bugs.webkit.org/show_bug.cgi?id=123675

        Reviewed by Geoffrey Garen.

        Fix more uses of baselineVersion().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLVM asserts in internal-js-tests.yaml/Octane/stress-tests/mandreel.js
        https://bugs.webkit.org/show_bug.cgi?id=123535

        Reviewed by Geoffrey Garen.

        Use double comparisons for doubles.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Various small WinCE build fixes

        * jsc.cpp:
        (main):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Fix MSVC ARM build after r157581.

        * jit/JITStubsARM.h:

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        FTL should use a simple optimization pipeline by default
        https://bugs.webkit.org/show_bug.cgi?id=123638

        Reviewed by Geoffrey Garen.

        20% speed-up on imagine-gaussian-blur, when combined with --ftlUsesStackmaps=true.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * runtime/Options.h:

2013-11-01  Andreas Kling  <akling@apple.com>

        Neuter WTF_MAKE_FAST_ALLOCATED in GLOBAL_FASTMALLOC_NEW builds.
        <https://webkit.org/b/123639>

        JSC::ParserArenaRefCounted really needed to have the new/delete
        operators overridden, in order for JSC::ScopeNode to be able to
        choose that "operator new" out of the two it inherits.

        Reviewed by Anders Carlsson.

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        OSR exit profiling should be robust against all code being cleared
        https://bugs.webkit.org/show_bug.cgi?id=123629
        <rdar://problem/15365476>

        Reviewed by Michael Saboff.

        The problem here is two-fold:

        1) A watchpoint (i.e. ProfiledCodeBlockJettisoningWatchpoint) may be fired after we
        have cleared the CodeBlock for all or some Executables. This means that doing
        codeBlock->baselineVersion() would either crash or return a bogus CodeBlock, since
        there wasn't a baseline code block reachable from the Executable anymore. The
        solution is that we shouldn't be asking for the baseline code block reachable from
        the owning executable (what baselineVersion did), but instead we should be asking
        for the baseline version reachable from the code block being watchpointed (basically
        what CodeBlock::alternative() did).

        2) If dealing with inlined code, baselineCodeBlockForOriginAndBaselineCodeBlock()
        may return null, for the same reason as above - we might have cleared the baseline
        codeblock for the executable that was inlined. The solution is to just not do
        profiling if there isn't a baseline code block anymore.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::baselineAlternative):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::AssemblyHelpers):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::baselineCodeBlockFor):

2013-10-31  Oliver Hunt  <oliver@apple.com>

        JavaScript parser bug
        https://bugs.webkit.org/show_bug.cgi?id=123506

        Reviewed by Mark Lam.

        Add ParserState as an abstraction and use that to save and restore
        the parser state around nested functions (We'll need to use this in
        more places in future). Also fix a minor error typo that these test cases
        hit.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::saveState):
        (JSC::Parser::restoreState):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL Int32ToDouble should handle the forward type check case where you need a recovery
        https://bugs.webkit.org/show_bug.cgi?id=123605

        Reviewed by Mark Hahnenberg.

        If you have an Int32ToDouble that needs to do a type check and it's required to do a
        forward exit, then it needs to manually pass in a value recovery for itself in the
        OSR exit - since this is one of those forward-exiting nodes that doesn't have a
        preceding MovHint.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL should implement InvalidationPoint in terms of llvm.stackmap
        https://bugs.webkit.org/show_bug.cgi?id=113647

        Reviewed by Mark Hahnenberg.

        This is pretty straightforward now that InvalidationPoint has exactly the semantics
        that agree with llvm.stackmap.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):

2013-10-30  Oliver Hunt  <oliver@apple.com>

        Implement basic ES6 Math functions
        https://bugs.webkit.org/show_bug.cgi?id=123536

        Reviewed by Michael Saboff.

        Fairly trivial patch to implement the core ES6 Math functions.

        This doesn't implement Math.hypot as it is not a trivial function.
        I've also skipped Math.sign as I am yet to be convinced the spec
        behaviour is good. Everything else is trivial.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncACosh):
        (JSC::mathProtoFuncASinh):
        (JSC::mathProtoFuncATanh):
        (JSC::mathProtoFuncCbrt):
        (JSC::mathProtoFuncCosh):
        (JSC::mathProtoFuncExpm1):
        (JSC::mathProtoFuncFround):
        (JSC::mathProtoFuncLog1p):
        (JSC::mathProtoFuncLog10):
        (JSC::mathProtoFuncLog2):
        (JSC::mathProtoFuncSinh):
        (JSC::mathProtoFuncTanh):
        (JSC::mathProtoFuncTrunc):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location::restoreInto() doesn't handle stack-related registers correctly if you're using it after pushing a new stack frame
        https://bugs.webkit.org/show_bug.cgi?id=123591

        Reviewed by Mark Hahnenberg.

        This gets us to pass more tests with ftlUsesStackmaps.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):

2013-10-31  Alexey Proskuryakov  <ap@apple.com>

        Enable WebCrypto on Mac
        https://bugs.webkit.org/show_bug.cgi?id=123587

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig: Do it.

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, really remove CachedTranscendentalFunction.h.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Remove CachedTranscendentalFunction because caching math functions is an ugly idea
        https://bugs.webkit.org/show_bug.cgi?id=123574

        Reviewed by Mark Hahnenberg.

        This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
        we gain the "overhead" of actually computing sin and cos but we lose the overhead of
        going through the native call thunks.

        Caching transcendental functions is a really ugly idea. It works for SunSpider because
        that benchmark makes very predictable calls into Math.sin. But I don't believe that this
        is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
        that this was doing was adding more call overhead and some hashing overhead.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOperations.h:
        * runtime/CachedTranscendentalFunction.h: Removed.
        * runtime/DateInstanceCache.h:
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncCos):
        (JSC::mathProtoFuncSin):
        * runtime/VM.h:

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html
        https://bugs.webkit.org/show_bug.cgi?id=123551
        <rdar://problem/15356238>

        Reviewed by Mark Hahnenberg.

        WatchpointSets have always had this "fire everything on deletion" policy because it
        seemed like a good fail-safe at the time I first implemented WatchpointSets. But
        it's actually causing bugs rather than providing safety:

        - Everyone who registers Watchpoints with WatchpointSets has separate mechanisms
          for either keeping the WatchpointSets alive or noticing when they are collected.
          So this wasn't actually providing any safety.

          One example of this is Structures, where:

          - CodeBlocks that register Watchpoints on Structure's WatchpointSet will also
            register weak references to the Structure, and the GC will jettison a CodeBlock
            if the Structure(s) it cares about dies.

          - StructureStubInfos that register Watchpoints on Structure's WatchpointSet will
            also be cleared by GC if the Structures die.

        - The WatchpointSet destructor would get invoked from finalization/destruction.
          This would then cause CodeBlock::jettison() to be called on a CodeBlock, but that
          method requires doing things that access heap objects. This would usually cause
          problems on VM destruction, since then the CodeBlocks would still be alive but the
          whole heap would be destroyed.

        This also ensures that CodeBlock::jettison() cannot cause a GC. This is safe since
        that method doesn't really allocate objects, and it is likely necessary because
        jettison() may be called from deep in the stack.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::~WatchpointSet):
        * bytecode/Watchpoint.h:

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Unreviewed, fix C Loop LLINT build.

        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):

2013-10-30  Alexey Proskuryakov  <ap@apple.com>

        Add a way to fulfill promises from DOM code
        https://bugs.webkit.org/show_bug.cgi?id=123466

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj: Make JSPromise.h and JSPromiseResolver.h
        private headers for WebCore to use.

        * runtime/JSPromise.h:
        * runtime/JSPromiseResolver.h:
        Export functions that JSDOMPromise will use.

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI.
        https://bugs.webkit.org/show_bug.cgi?id=123444.

        Reviewed by Geoffrey Garen.

        - Introduced an explicit CallerFrameAndPC struct.
        - A CallFrame is expected to start with a CallerFrameAndPC struct.
        - The Register class no longer supports CallFrame* and Instruction*.

          This hides the differences between JSVALUE32_64 and JSVALUE64 in
          terms of managing the callerFrame() and returnPC() values.

        - Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
          go through CallFrame to access the appropriate values and offsets.
          CallFrame, in turn, will access the callerFrame and returnPC via
          the CallerFrameAndPC struct.

        - InlineCallFrame will provide offsets for its callerFrame and
          returnPC. It will make use of CallFrame::callerFrameOffset() and
          CallerFrame::returnPCOffset() to compute these.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::callerFrameOffset):
        (JSC::InlineCallFrame::returnPCOffset):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
        (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
        - Prefixed all the above with callee since they apply to the callee frame.
        (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
        - Added to set the callerFrame pointer in the callee frame.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::compileEntry):
        (JSC::FTL::link):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::callerFrameOffset):
        (JSC::ExecState::returnPC):
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setReturnPC):
        (JSC::ExecState::callerFrameAndPC):
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
        - Convert to using storePtr() here and simplify the code.
        (JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
        (JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
        - Helpers to emit gets/puts of the callerFrame and returnPC.
        (JSC::AssemblyHelpers::addressForByteOffset):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::unmap):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        * jit/JITOperations.cpp:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::nativeForGenerator):

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        - Updated offsets and asserts to match the new CallFrame layout.

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffsets):
        (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):

2013-10-29  Filip Pizlo  <fpizlo@apple.com>

        Add InvalidationPoints to the DFG and use them for all watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123472

        Reviewed by Mark Hahnenberg.

        This makes a fundamental change to how watchpoints work in the DFG.

        Previously, a watchpoint was an instruction whose execution semantics were something
        like:

            if (watchpoint->invalidated)
                exit

        We would implement this without any branch by using jump replacement.

        This is a very good optimization. But it's a bit awkward once you get a lot of
        watchpoints: semantically we will have lots of these branches in the code, which the
        compiler needs to reason about even though they don't actually result in any emitted
        code.

        Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
        be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
        called into again, but it would do nothing for CodeBlocks that were already on the
        stack.

        This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
        replacement has nothing to do with watchpoints; instead it's something that happens if
        you ever jettison a CodeBlock.
        Jump replacement is now an all-or-nothing operation over
        all of the potential call-return safe-exit-points in a CodeBlock. We call these
        "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
        collect all of the watchpoint sets that the CodeBlock cares about, and then registering
        a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
        jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
        (because the entrypoint now points to baseline code) and can't be returned into
        (because returning exits to baseline before the next bytecode instruction).

        This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
        for jettison() to be used effectively for things like breakpointing and single-stepping
        in the debugger.

        Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
        can, at any time and for any reason, request that an optimized CodeBlock is rendered
        immediately invalid. You can use this for many cool things, I'm sure.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
        (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::AbstractHeapOverlaps::result):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::invalidate):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
        (JSC::DFG::GenericDesiredWatchpoints::addLazily):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
        (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
        (JSC::DFG::InvalidationPointInjectionPhase::run):
        (JSC::DFG::InvalidationPointInjectionPhase::handle):
        (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
        (JSC::DFG::performInvalidationPointInjection):
        * dfg/DFGInvalidationPointInjectionPhase.h: Added.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJumpReplacement.cpp: Added.
        (JSC::DFG::JumpReplacement::fire):
        * dfg/DFGJumpReplacement.h: Added.
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp: Added.
        (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
        (JSC::DFG::WatchpointCollectionPhase::run):
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::handleEdge):
        (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
        (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        (JSC::DFG::WatchpointCollectionPhase::globalObject):
        (JSC::DFG::performWatchpointCollection):
        * dfg/DFGWatchpointCollectionPhase.h: Added.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JITOperations.cpp:
        * jit/JumpReplacementWatchpoint.cpp: Removed.
        * jit/JumpReplacementWatchpoint.h: Removed.

2013-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSExport doesn't support constructors
        https://bugs.webkit.org/show_bug.cgi?id=123380

        Reviewed by Geoffrey Garen.

        Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to
        Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class
        are met with a type error stating that it cannot be called as a constructor.

        It would be nice to expand JSExport's functionality to support this idiom. It is a natural
        extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and
        JavaScript client code.

        The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes.
        Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown
        ObjCCallbackFunction object which can already properly handle being invoked as a constructor.

        * API/JSWrapperMap.mm:
        (copyMethodsToObject):
        (allocateConstructorForCustomClass):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::impl):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
        (JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
        (JSC::ObjCCallbackFunctionImpl::isConstructible):
        (JSC::ObjCCallbackFunction::getConstructData):
        (JSC::ObjCCallbackFunctionImpl::name):
        (JSC::ObjCCallbackFunctionImpl::call):
        (objCCallbackFunctionForInvocation):
        (objCCallbackFunctionForInit):
        (tryUnwrapConstructor):
        * API/tests/testapi.mm:
        (-[TextXYZ initWithString:]):
        (-[ClassA initWithA:]):
        (-[ClassB initWithA:b:]):
        (-[ClassC initWithA:]):
        (-[ClassC initWithA:b:]):

2013-10-30  peavo@outlook.com  <peavo@outlook.com>

        [Win] Compile errors when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=120998

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * dfg/DFGAllocator.h: Removed scope.
        * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
19609 (JSC::DFG::globalWorklist): 19610 * heap/DeferGC.h: Link fix, member needs to be public. 19611 * jit/JITOperationWrappers.h: Added required assembler macros. 19612 196132013-10-30 Iago Toral Quiroga <itoral@igalia.com> 19614 19615 Add result caching for Math.cos 19616 https://bugs.webkit.org/show_bug.cgi?id=123255 19617 19618 Reviewed by Brent Fulgham. 19619 19620 * runtime/MathObject.cpp: 19621 (JSC::mathProtoFuncCos): 19622 * runtime/VM.h: 19623 196242013-10-30 Alex Christensen <achristensen@webkit.org> 19625 19626 Disabled JIT on Win64. 19627 https://bugs.webkit.org/show_bug.cgi?id=122472 19628 19629 Reviewed by Geoffrey Garen. 19630 19631 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 19632 Disabled building JITStubsMSVC64. 19633 196342013-10-29 Michael Saboff <msaboff@apple.com> 19635 19636 Change local variable register allocation to start at offset -1 19637 https://bugs.webkit.org/show_bug.cgi?id=123182 19638 19639 Reviewed by Geoffrey Garen. 19640 19641 Adjusted the virtual register mapping down by one slot. Reduced 19642 the CallFrame header slots offsets by one. They now start at 0. 19643 Changed arity fixup to no longer skip passed register slot 0 as this 19644 is now part of the CallFrame header. 19645 19646 * bytecode/VirtualRegister.h: 19647 (JSC::operandIsLocal): 19648 (JSC::operandIsArgument): 19649 (JSC::VirtualRegister::localToOperand): 19650 (JSC::VirtualRegister::operandToLocal): 19651 Adjusted functions for shift in mapping from local to register offset. 

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
(JSC::DFG::VirtualRegisterAllocationPhase::run):
* interpreter/CallFrame.h:
(JSC::ExecState::frameExtent):
(JSC::ExecState::offsetFor):
* interpreter/Interpreter.cpp:
(JSC::loadVarargs):
(JSC::Interpreter::dumpRegisters):
(JSC::Interpreter::executeCall):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
Adjusted math to accommodate the shift in call frame slots.

* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::calleeFrameOffset):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::frameExtentInternal):
* interpreter/JSStackInlines.h:
(JSC::JSStack::pushFrame):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::llint_slow_path_stack_check):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::arityCheckFor):
Fixed offset calculation to use VirtualRegister and related calculation instead of
doing separate calculations.

* interpreter/JSStack.h:
Adjusted CallFrame slots down by one. Did some miscellaneous fixing of dumpRegisters()
in the process of testing the fixes.

* jit/ThunkGenerators.cpp:
(JSC::arityFixup):
Changed arity fixup to no longer skip passed register slot 0 as this
is now part of the CallFrame header.

* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
Changed arity fixup to no longer skip passed register slot 0 as this
is now part of the CallFrame header. Updated op_enter processing for
the change in local registers.

* runtime/JSGlobalObject.h:
Removed the now unneeded extra slot in the global callframe.

2013-10-29 Julien Brianceau <jbriance@cisco.com>

[arm] Fix lots of crashes because of 4th argument register trampling.
https://bugs.webkit.org/show_bug.cgi?id=123421

Reviewed by Michael Saboff.

The r3 register is the 4th argument register for ARM and also a scratch
register in the baseline JIT for this architecture. We can use r6
instead, as this used to be the timeoutCheckRegister and it is no
longer used since r148119.

* assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
* assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
* jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
(JSC::GPRInfo::toRegister):
(JSC::GPRInfo::toIndex):
* jit/JITStubsARM.h:
(JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
* jit/JITStubsARMv7.h:
(JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
* jit/JSInterfaceJIT.h: Remove useless stuff.
* yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
(JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
(JSC::Yarr::YarrGenerator::generateReturn):

2013-10-29 Julien Brianceau <jbriance@cisco.com>

Fix CPU(ARM_TRADITIONAL) build after r157690.
https://bugs.webkit.org/show_bug.cgi?id=123247

Reviewed by Michael Saboff.

Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
this part of code still needs to be called and absolute jumps must be corrected to anticipate
the copy of the executable code through memcpy.

* assembler/ARMAssembler.cpp:
(JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
and correct absolute jump values using the delta between the source and destination buffers.
* assembler/ARMAssembler.h:
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.

2013-10-28 Filip Pizlo <fpizlo@apple.com>

OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
https://bugs.webkit.org/show_bug.cgi?id=123423

Reviewed by Mark Hahnenberg.

Also enable ExitKind to tell you if it's a watchpoint.

* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
* bytecode/ExitKind.h:
(JSC::isWatchpoint):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::setLocal):
(JSC::DFG::ByteCodeParser::setArgument):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::appendExitInfo):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::OSRExit):
* dfg/DFGOSRExit.h:
* dfg/DFGOSRExitCompilationInfo.h:
(JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
* dfg/DFGOSRExitCompiler.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculationWatchpoint):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

2013-10-28 Myles C. Maxfield <mmaxfield@apple.com>

Parsing support for -webkit-text-decoration-skip: ink
https://bugs.webkit.org/show_bug.cgi?id=123358

Reviewed by Dean Jackson.

Adding ENABLE(CSS3_TEXT_DECORATION)

* Configurations/FeatureDefines.xcconfig:

2013-10-24 Filip Pizlo <fpizlo@apple.com>

Get rid of InlineStart so that I don't have to implement it in FTL
https://bugs.webkit.org/show_bug.cgi?id=123302

Reviewed by Geoffrey Garen.

InlineStart was a special instruction that we would insert at the top of inlined code,
so that the backend could capture the OSR state of arguments to an inlined call. It used
to be that only the backend had this information, so this instruction was sort of an ugly
callback from the backend for filling in some data structures.

But in the time since that code was written (two years ago?), we rationalized how
variables work. It's now the case that variables that the runtime must know about are
treated specially in IR (they are "flushed") and we know how we will represent them even
before we get to the backend. The last place that makes changes to their representation
is the StackLayoutPhase.

So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
instruction had. Instead of handling the bookkeeping in the backend, we handle it in
StackLayoutPhase. This means that the DFG and FTL can share code for handling this
bookkeeping. This also means that now the FTL can compile code blocks that had inlining.

Of course, giving the FTL the ability to handle code blocks that had inlining means that
we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
frames. This patch also fixes that.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
* dfg/DFGNode.h:
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):
* ftl/FTLLink.cpp:
(JSC::FTL::link):

2013-10-24 Filip Pizlo <fpizlo@apple.com>

The GetById->GetByOffset AI-based optimization should actually do things
https://bugs.webkit.org/show_bug.cgi?id=123299

Reviewed by Oliver Hunt.

20% speed-up on Octane/gbemu.

* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.

2013-10-28 Carlos Garcia Campos <cgarcia@igalia.com>

Unreviewed. Fix make distcheck.

* GNUmakefile.list.am: Add missing files to compilation.

2013-10-25 Oliver Hunt <oliver@apple.com>

Refactor parser rollback logic
https://bugs.webkit.org/show_bug.cgi?id=123372

Reviewed by Brady Eidson.

Add a sane abstraction for rollbacks in the parser.

* parser/Parser.cpp:
(JSC::::parseSourceElements):
(JSC::::parseObjectLiteral):
* parser/Parser.h:
(JSC::Parser::createSavePoint):
(JSC::Parser::restoreSavePoint):

2013-10-25 peavo@outlook.com <peavo@outlook.com>

[Win] JavaScript crash with DFG JIT enabled.
https://bugs.webkit.org/show_bug.cgi?id=121001

Reviewed by Geoffrey Garen.

On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
This causes the register to be written to address 0, hence the crash.

* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator): Ditto.

2013-10-25 Oliver Hunt <oliver@apple.com>

Fix a number of problems with destructuring of arguments
https://bugs.webkit.org/show_bug.cgi?id=123357

Reviewed by Filip Pizlo.

This renames the destructuring node's emitBytecode to bindValue
in order to remove the existing confusion over what was happening.

We then fix an incorrect fall through in the destructuring arguments
logic, and fix the then exposed bug where we placed the index rather
than value into the bound property.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* bytecompiler/NodesCodegen.cpp:
(JSC::ForInNode::emitBytecode):
(JSC::ForOfNode::emitBytecode):
(JSC::DeconstructingAssignmentNode::emitBytecode):
(JSC::ArrayPatternNode::bindValue):
(JSC::ArrayPatternNode::emitDirectBinding):
(JSC::ObjectPatternNode::bindValue):
(JSC::BindingNode::bindValue):
* parser/Nodes.h:

2013-10-25 Joseph Pecoraro <pecoraro@apple.com>

Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
https://bugs.webkit.org/show_bug.cgi?id=123111

Reviewed by Timothy Hatcher.

* Configurations/FeatureDefines.xcconfig:

2013-10-25 Oliver Hunt <oliver@apple.com>

Fix MSVC again

* parser/Parser.cpp:

2013-10-25 Oliver Hunt <oliver@apple.com>

Fix MSVC

* parser/Parser.cpp:

2013-10-25 Oliver Hunt <oliver@apple.com>

Improve JSC Parser error messages
https://bugs.webkit.org/show_bug.cgi?id=123341

Reviewed by Andreas Kling.

This patch moves away from the current kludgy mechanisms used to produce
error messages and moves to something closer to case by case errors.

This results in a large change size as previously we may just have
'failIfFalse(foo)', but now the logic becomes either
'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
Or alternatively

if (!foo)
    check for 'interesting' errors, before falling back to generic error

This means that this patch is large, but produces no semantic changes, and
only hits slow (e.g. error) paths.

* parser/Parser.cpp:
(JSC::::Parser):
(JSC::::parseSourceElements):
(JSC::::parseVarDeclaration):
(JSC::::parseConstDeclaration):
(JSC::::parseDoWhileStatement):
(JSC::::parseWhileStatement):
(JSC::::parseVarDeclarationList):
(JSC::::createBindingPattern):
(JSC::::parseDeconstructionPattern):
(JSC::::parseConstDeclarationList):
(JSC::::parseForStatement):
(JSC::::parseBreakStatement):
(JSC::::parseContinueStatement):
(JSC::::parseReturnStatement):
(JSC::::parseThrowStatement):
(JSC::::parseWithStatement):
(JSC::::parseSwitchStatement):
(JSC::::parseSwitchClauses):
(JSC::::parseSwitchDefaultClause):
(JSC::::parseTryStatement):
(JSC::::parseDebuggerStatement):
(JSC::::parseBlockStatement):
(JSC::::parseStatement):
(JSC::::parseFormalParameters):
(JSC::::parseFunctionBody):
(JSC::stringForFunctionMode):
(JSC::::parseFunctionInfo):
(JSC::::parseFunctionDeclaration):
(JSC::::parseExpressionOrLabelStatement):
(JSC::::parseExpressionStatement):
(JSC::::parseIfStatement):
(JSC::::parseExpression):
(JSC::::parseAssignmentExpression):
(JSC::::parseConditionalExpression):
(JSC::::parseBinaryExpression):
(JSC::::parseProperty):
(JSC::::parseObjectLiteral):
(JSC::::parseStrictObjectLiteral):
(JSC::::parseArrayLiteral):
(JSC::::parsePrimaryExpression):
(JSC::::parseArguments):
(JSC::::parseMemberExpression):
(JSC::operatorString):
(JSC::::parseUnaryExpression):
(JSC::::printUnexpectedTokenText):
* parser/Parser.h:
(JSC::Scope::hasDeclaredVariable):
(JSC::Scope::hasDeclaredParameter):
(JSC::Parser::hasDeclaredVariable):
(JSC::Parser::hasDeclaredParameter):
(JSC::Parser::setErrorMessage):

2013-10-24 Mark Rowe <mrowe@apple.com>

Remove references to OS X 10.7 from Xcode configuration settings.

Now that we're not building for OS X 10.7 they're no longer needed.

Reviewed by Anders Carlsson.

* Configurations/Base.xcconfig:
* Configurations/DebugRelease.xcconfig:
* Configurations/FeatureDefines.xcconfig:
* Configurations/Version.xcconfig:

2013-10-24 Mark Rowe <mrowe@apple.com>

<rdar://problem/15312643> Prepare for the mysterious future.

Reviewed by David Kilzer.

* Configurations/Base.xcconfig:
* Configurations/DebugRelease.xcconfig:
* Configurations/FeatureDefines.xcconfig:
* Configurations/Version.xcconfig:

2013-10-24 Mark Lam <mark.lam@apple.com>

Better way to fix part of broken C Loop LLINT build.
https://bugs.webkit.org/show_bug.cgi?id=123271.

Reviewed by Geoffrey Garen.

Undoing offline asm hackery.

* llint/LowLevelInterpreter.cpp:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/cloop.rb:
* offlineasm/instructions.rb:

2013-10-24 Mark Lam <mark.lam@apple.com>

Fix broken C Loop LLINT build.
https://bugs.webkit.org/show_bug.cgi?id=123271.

Reviewed by Michael Saboff.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
(JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
* bytecode/StructureStubInfo.h:
- Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
  in function prototypes even when !ENABLE(JIT). Rather than adding #if's
  in many places, we just provide a stub/placeholder implementation that
  is unused but keeps the compiler happy.
* jit/JITOperations.h: Added #if ENABLE(JIT).
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
- The putByVal() macro reifies a slow path which is never taken in one case.
  This translates into a label that is never used in the C Loop LLINT. The
  C++ compiler doesn't like unused labels. So, we fix this by adding a
  cloopUnusedLabel offline asm instruction that synthesizes the following:

      if (false) goto unusedLabel;

  This keeps the C++ compiler happy without changing code behavior.
* offlineasm/cloop.rb: Implementing cloopUnusedLabel.
* offlineasm/instructions.rb: Declaring cloopUnusedLabel.
* runtime/Executable.cpp:
(JSC::setupJIT): Added UNUSED_PARAM()s.
(JSC::ScriptExecutable::prepareForExecutionImpl):
- run-javascriptcore-tests have phases that force the LLINT to be off
  which in turn asserts that the JIT is enabled. With the C Loop LLINT,
  this combination is illegal. So, we override the setup code here to
  always use the LLINT if !ENABLE(JIT) regardless of what options are
  passed in.

2013-10-24 peavo@outlook.com <peavo@outlook.com>

Uninitialized member causes crash when DFG JIT is not enabled.
https://bugs.webkit.org/show_bug.cgi?id=123270

Reviewed by Brent Fulgham.

The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
This causes an early crash on Windows, which doesn't have DFG JIT enabled.

* runtime/VM.cpp:
(JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.

2013-10-24 Ryuan Choi <ryuan.choi@samsung.com>

[EFL] Build break with latest EFL 1.8 libraries.
https://bugs.webkit.org/show_bug.cgi?id=123245

Reviewed by Gyuyoung Kim.

After the build break on EFL 1.8 was fixed at r138326, the EFL libraries changed
the Eo typedef and split the header files which contain the version macro.

* PlatformEfl.cmake: Added EO path to include directories.
* heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exists.

2013-10-23 Filip Pizlo <fpizlo@apple.com>

Put all uses of LLVM intrinsics behind a single Option
https://bugs.webkit.org/show_bug.cgi?id=123219

Reviewed by Mark Hahnenberg.

* ftl/FTLExitThunkGenerator.cpp:
(JSC::FTL::ExitThunkGenerator::emitThunk):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::generateExitThunks):
(JSC::FTL::LowerDFGToLLVM::compileGetById):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileFTLOSRExit):
* runtime/Options.h:

2013-10-23 Daniel Bates <dabates@apple.com>

Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
(https://bugs.webkit.org/show_bug.cgi?id=123169)

Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.

* Configurations/Base.xcconfig:

2013-10-23 Michael Saboff <msaboff@apple.com>

LLInt arity check exception processing should start unwinding from caller
https://bugs.webkit.org/show_bug.cgi?id=123209

Reviewed by Oliver Hunt.

Use the caller frame returned from slow_path_call_arityCheck to process exceptions.

* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

2013-10-22 Filip Pizlo <fpizlo@apple.com>

FTL should be able to do some simple inline caches using LLVM patchpoints
https://bugs.webkit.org/show_bug.cgi?id=123164

Reviewed by Mark Hahnenberg.

This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.

The idea is that we ask LLVM for a nop slide the size of a GetById inline
cache and then fill in the code after LLVM compilation is complete. For now, we
just use the system calling convention for the arguments and return. We also
still make some assumptions about registers that aren't correct. But, most of
the scaffolding is there and this will successfully patch an inline cache.

* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbstractMacroAssembler.h:
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
(JSC::LinkBuffer::linkCode):
(JSC::LinkBuffer::allocate):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::LinkBuffer):
(JSC::LinkBuffer::link):
* ftl/FTLAbbreviations.h:
(JSC::FTL::constNull):
(JSC::FTL::buildCall):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLInlineCacheDescriptor.h: Added.
(JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
(JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
(JSC::FTL::GetByIdDescriptor::stackmapID):
(JSC::FTL::GetByIdDescriptor::codeOrigin):
(JSC::FTL::GetByIdDescriptor::uid):
* ftl/FTLInlineCacheSize.cpp: Added.
(JSC::FTL::sizeOfGetById):
(JSC::FTL::sizeOfPutById):
* ftl/FTLInlineCacheSize.h: Added.
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeFunction):
* ftl/FTLJITFinalizer.h:
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::directGPR):
* ftl/FTLLocation.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetById):
* ftl/FTLOutput.h:
(JSC::FTL::Output::call):
* ftl/FTLSlowPathCall.cpp: Added.
(JSC::FTL::callOperation):
* ftl/FTLSlowPathCall.h: Added.
(JSC::FTL::SlowPathCall::SlowPathCall):
(JSC::FTL::SlowPathCall::call):
(JSC::FTL::SlowPathCall::key):
* ftl/FTLSlowPathCallKey.cpp: Added.
(JSC::FTL::SlowPathCallKey::dump):
* ftl/FTLSlowPathCallKey.h: Added.
(JSC::FTL::SlowPathCallKey::SlowPathCallKey):
(JSC::FTL::SlowPathCallKey::usedRegisters):
(JSC::FTL::SlowPathCallKey::callTarget):
(JSC::FTL::SlowPathCallKey::offset):
(JSC::FTL::SlowPathCallKey::isEmptyValue):
(JSC::FTL::SlowPathCallKey::isDeletedValue):
(JSC::FTL::SlowPathCallKey::operator==):
(JSC::FTL::SlowPathCallKey::hash):
(JSC::FTL::SlowPathCallKeyHash::hash):
(JSC::FTL::SlowPathCallKeyHash::equal):
* ftl/FTLStackMaps.cpp:
(JSC::FTL::StackMaps::Location::directGPR):
* ftl/FTLStackMaps.h:
* ftl/FTLState.h:
* ftl/FTLThunks.cpp:
(JSC::FTL::slowPathCallThunkGenerator):
* ftl/FTLThunks.h:
(JSC::FTL::Thunks::getSlowPathCallThunk):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArguments):
* jit/GPRInfo.h:
* jit/JITInlineCacheGenerator.cpp:
(JSC::garbageStubInfo):
(JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
(JSC::JITByIdGenerator::finalize):
* jit/JITInlineCacheGenerator.h:
(JSC::JITByIdGenerator::slowPathBegin):
* jit/RegisterSet.cpp:
(JSC::RegisterSet::stackRegisters):
(JSC::RegisterSet::specialRegisters):
(JSC::RegisterSet::calleeSaveRegisters):
(JSC::RegisterSet::allGPRs):
(JSC::RegisterSet::allFPRs):
(JSC::RegisterSet::allRegisters):
(JSC::RegisterSet::dump):
* jit/RegisterSet.h:
(JSC::RegisterSet::exclude):
(JSC::RegisterSet::numberOfSetRegisters):
(JSC::RegisterSet::RegisterSet):
(JSC::RegisterSet::isEmptyValue):
(JSC::RegisterSet::isDeletedValue):
(JSC::RegisterSet::operator==):
(JSC::RegisterSet::hash):
(JSC::RegisterSetHash::hash):
(JSC::RegisterSetHash::equal):
* runtime/Options.h:

2013-10-22 Filip Pizlo <fpizlo@apple.com>

jitCompileAndSetHeuristics should DeferGCForAWhile
https://bugs.webkit.org/show_bug.cgi?id=123196

Reviewed by Mark Hahnenberg.

This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
my machines. I don't think this is testable; we just need to steadily converge towards
getting our uses of DeferGC to be right and then be careful not to regress. We're not
there yet, obviously.

* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::jitCompileAndSetHeuristics):

2013-10-23 Daniel Bates <dabates@apple.com>

[iOS] Upstream more JavaScriptCore build configuration changes
https://bugs.webkit.org/show_bug.cgi?id=123169

Reviewed by David Kilzer.

* Configurations/Base.xcconfig:
* Configurations/Version.xcconfig:
* Configurations/iOS.xcconfig: Added.
* JavaScriptCore.xcodeproj/project.pbxproj:

2013-10-23 Daniel Bates <dabates@apple.com>

[iOS] Export DefaultGCActivityCallback member functions
https://bugs.webkit.org/show_bug.cgi?id=123175

Reviewed by David Kilzer.

* runtime/GCActivityCallback.h:

2013-10-23 Daniel Bates <dabates@apple.com>

[iOS] Upstream more ARMv7s bits
https://bugs.webkit.org/show_bug.cgi?id=123052

Reviewed by Joseph Pecoraro.

* Configurations/JavaScriptCore.xcconfig:

2013-10-22 Andreas Kling <akling@apple.com>

Minor VM* -> VM& cleanups in HashTable and Keywords.
<https://webkit.org/b/123183>

Turn some VM* variables that will never be null into VM&.

Reviewed by Geoffrey Garen.

2013-10-22 Geoffrey Garen <ggaren@apple.com>

REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
https://bugs.webkit.org/show_bug.cgi?id=123179

Reviewed by Mark Hahnenberg.

* parser/NodeConstructors.h:
(JSC::LogicalOpNode::LogicalOpNode):
* parser/ResultType.h:
(JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
This is JavaScript (aka Sparta).

2013-10-22 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r157819.
http://trac.webkit.org/changeset/157819
https://bugs.webkit.org/show_bug.cgi?id=123180

Broke 32-bit builds (Requested by smfr on #webkit).

* Configurations/JavaScriptCore.xcconfig:
* Configurations/ToolExecutable.xcconfig:

2013-10-22 Daniel Bates <dabates@apple.com>

[iOS] Upstream more ARMv7s bits
https://bugs.webkit.org/show_bug.cgi?id=123052

Reviewed by Joseph Pecoraro.

* Configurations/JavaScriptCore.xcconfig:
* Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
modifying a file in JavaScriptCore/Configurations.

2013-10-22 Daniel Bates <dabates@apple.com>

[iOS] Upstream JSLock changes
https://bugs.webkit.org/show_bug.cgi?id=123107

Reviewed by Geoffrey Garen.

* runtime/JSLock.cpp:
(JSC::JSLock::unlock):
(JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
(JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
use pre-increment instead of post-increment when we're not using the return value of the instruction.
(JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
since we don't use the return value of such instructions.
(JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
(JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
* runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
the argument is sufficiently descriptive of its purpose.

2013-10-22 Julien Brianceau <jbriance@cisco.com>

[arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
https://bugs.webkit.org/show_bug.cgi?id=123166

Reviewed by Michael Saboff.

* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):

2013-10-22 Julien Brianceau <jbriance@cisco.com>

[sh4][mips][arm] Fix crashes in JSC (32-bit only).
https://bugs.webkit.org/show_bug.cgi?id=123165

Reviewed by Michael Saboff.

* jit/JITInlines.h:
(JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
(JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
(JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
(JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.

2013-10-22 Julien Brianceau <jbriance@cisco.com>

REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
https://bugs.webkit.org/show_bug.cgi?id=123092

Reviewed by Michael Saboff.

Impacted architectures are SH4 and ARM_TRADITIONAL.

* assembler/ARMAssembler.h:
(JSC::ARMAssembler::buffer):
* assembler/AssemblerBufferWithConstantPool.h:
(JSC::AssemblerBufferWithConstantPool::flushConstantPool):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::linkCode):
* assembler/SH4Assembler.h:
(JSC::SH4Assembler::buffer):

2013-10-22 Julien Brianceau <jbriance@cisco.com>

Remove unused stuff in JIT stubs.
https://bugs.webkit.org/show_bug.cgi?id=123155

Reviewed by Michael Saboff.

* jit/JITStubs.h:
* jit/JITStubsARM.h:
(JSC::ctiTrampoline):
* jit/JITStubsARM64.h:
* jit/JITStubsARMv7.h:
* jit/JITStubsMIPS.h:
* jit/JITStubsSH4.h:
* jit/JITStubsX86.h:
* jit/JITStubsX86_64.h:

2013-10-22 Daniel Bates <dabates@apple.com>

[iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
https://bugs.webkit.org/show_bug.cgi?id=123115
<rdar://problem/13696872>

Reviewed by Andy Estes.

Based on a patch by Mark Hahnenberg.

Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.

* API/JSBase.cpp:

2013-10-22 Julien Brianceau <jbriance@cisco.com>

[sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister().
20470 https://bugs.webkit.org/show_bug.cgi?id=123157 20471 20472 Reviewed by Andreas Kling. 20473 20474 * assembler/SH4Assembler.h: 20475 (JSC::SH4Assembler::lastRegister): 20476 (JSC::SH4Assembler::firstFPRegister): 20477 (JSC::SH4Assembler::lastFPRegister): 20478 204792013-10-22 Brian Holt <brian.holt@samsung.com> 20480 20481 Build break on ARMv7 after r157209 20482 https://bugs.webkit.org/show_bug.cgi?id=122890 20483 20484 Reviewed by Csaba Osztrogonác. 20485 20486 Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL. 20487 20488 * assembler/ARMAssembler.h: 20489 * assembler/MacroAssemblerARM.h: 20490 (JSC::MacroAssemblerARM::firstRegister): 20491 (JSC::MacroAssemblerARM::lastRegister): 20492 (JSC::MacroAssemblerARM::firstFPRegister): 20493 (JSC::MacroAssemblerARM::lastFPRegister): 20494 204952013-10-21 Daniel Bates <dabates@apple.com> 20496 20497 [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout() 20498 https://bugs.webkit.org/show_bug.cgi?id=123045 20499 20500 Reviewed by Joseph Pecoraro. 20501 20502 * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout 20503 to global method table. 20504 * runtime/JSGlobalObject.cpp: Ditto. 20505 * runtime/JSGlobalObject.h: 20506 (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added. 20507 205082013-10-21 Daniel Bates <dabates@apple.com> 20509 20510 [iOS] Upstream JSC Objective-C API compiler warning fixes 20511 https://bugs.webkit.org/show_bug.cgi?id=123125 20512 20513 Reviewed by Mark Hahnenberg. 20514 20515 Based on a patch by Mark Hahnenberg. 20516 20517 * API/JSValue.mm: 20518 (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float. 20519 (-[JSValue toSize]): Ditto. 20520 * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7. 
20521 205222013-10-21 Daniel Bates <dabates@apple.com> 20523 20524 [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as 20525 available since iOS 7.0 20526 https://bugs.webkit.org/show_bug.cgi?id=123122 20527 20528 Reviewed by Dan Bernstein. 20529 20530 * API/JSContext.h: 20531 * API/JSManagedValue.h: 20532 * API/JSValue.h: 20533 * API/JSVirtualMachine.h: 20534 205352013-10-20 Mark Lam <mark.lam@apple.com> 20536 20537 Avoid JSC debugger overhead unless needed. 20538 https://bugs.webkit.org/show_bug.cgi?id=123084. 20539 20540 Reviewed by Geoffrey Garen. 20541 20542 - If no breakpoints are set, we now avoid calling the debug hook callbacks. 20543 - If no break on exception is set, we also avoid exception event debug callbacks. 20544 - When we return from the ScriptDebugServer to the JSC::Debugger, we may no 20545 longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame 20546 pointer in the ScriptDebugServer may become stale. To avoid this issue, before 20547 returning, the ScriptDebugServer will clear its m_currentCallFrame if 20548 needsOpDebugCallbacks() is false. 20549 20550 * debugger/Debugger.cpp: 20551 (JSC::Debugger::Debugger): 20552 (JSC::Debugger::setNeedsExceptionCallbacks): 20553 (JSC::Debugger::setShouldPause): 20554 (JSC::Debugger::updateNumberOfBreakpoints): 20555 (JSC::Debugger::updateNeedForOpDebugCallbacks): 20556 * debugger/Debugger.h: 20557 * interpreter/Interpreter.cpp: 20558 (JSC::Interpreter::unwind): 20559 (JSC::Interpreter::debug): 20560 * jit/JITOpcodes.cpp: 20561 (JSC::JIT::emit_op_debug): 20562 * jit/JITOpcodes32_64.cpp: 20563 (JSC::JIT::emit_op_debug): 20564 * llint/LLIntOffsetsExtractor.cpp: 20565 * llint/LowLevelInterpreter.asm: 20566 205672013-10-21 Brent Fulgham <bfulgham@apple.com> 20568 20569 [WIN] Unreviewed build correction. 20570 20571 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation 20572 sources, not header files. 
20573 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto. 20574 205752013-10-21 Oliver Hunt <oliver@apple.com> 20576 20577 Support computed property names in object literals 20578 https://bugs.webkit.org/show_bug.cgi?id=123112 20579 20580 Reviewed by Michael Saboff. 20581 20582 Add support for computed property names to the parser. 20583 20584 * bytecompiler/NodesCodegen.cpp: 20585 (JSC::PropertyListNode::emitBytecode): 20586 * parser/ASTBuilder.h: 20587 (JSC::ASTBuilder::createProperty): 20588 (JSC::ASTBuilder::getName): 20589 * parser/NodeConstructors.h: 20590 (JSC::PropertyNode::PropertyNode): 20591 * parser/Nodes.h: 20592 (JSC::PropertyNode::expressionName): 20593 (JSC::PropertyNode::name): 20594 * parser/Parser.cpp: 20595 (JSC::::parseProperty): 20596 (JSC::::parseStrictObjectLiteral): 20597 * parser/SyntaxChecker.h: 20598 (JSC::SyntaxChecker::Property::Property): 20599 (JSC::SyntaxChecker::createProperty): 20600 (JSC::SyntaxChecker::operatorStackPop): 20601 206022013-10-21 Michael Saboff <msaboff@apple.com> 20603 20604 Add option so that JSC will crash if it can't allocate executable memory for the JITs 20605 https://bugs.webkit.org/show_bug.cgi?id=123048 20606 <rdar://problem/12856193> 20607 20608 Reviewed by Geoffrey Garen. 20609 20610 Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash 20611 when checking the validity of the executable allocator. The default value for this option is 20612 false, but jsc sets it to true when built for iOS to make it straightforward to identify whether 20613 the app can obtain executable memory. 20614 20615 * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS. 20616 (main): 20617 * runtime/Options.h: Added option crashIfCantAllocateJITMemory. 20618 * runtime/VM.cpp: 20619 (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory 20620 is enabled. 
20621 206222013-10-21 Nadav Rotem <nrotem@apple.com> 20623 20624 Remove AllInOneFile.cpp 20625 https://bugs.webkit.org/show_bug.cgi?id=123055 20626 20627 Reviewed by Csaba Osztrogonác. 20628 20629 * AllInOneFile.cpp: Removed. 20630 206312013-10-20 Filip Pizlo <fpizlo@apple.com> 20632 20633 Unreviewed, cleanup a FIXME comment. 20634 20635 * jit/Repatch.cpp: 20636 206372013-10-20 Filip Pizlo <fpizlo@apple.com> 20638 20639 StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries 20640 https://bugs.webkit.org/show_bug.cgi?id=123076 20641 20642 Reviewed by Sam Weinig. 20643 20644 Start preparing for a world in which we are patching code generated by LLVM, which may have 20645 very different register usage conventions than our JITs. This requires us being more explicit 20646 about the registers we are using. For example, the repatching code shouldn't take for granted 20647 that tagMaskRegister holds the TagMask or that the register is even in use. 
20648 20649 * CMakeLists.txt: 20650 * GNUmakefile.list.am: 20651 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 20652 * JavaScriptCore.xcodeproj/project.pbxproj: 20653 * assembler/MacroAssembler.h: 20654 (JSC::MacroAssembler::numberOfRegisters): 20655 (JSC::MacroAssembler::registerIndex): 20656 (JSC::MacroAssembler::numberOfFPRegisters): 20657 (JSC::MacroAssembler::fpRegisterIndex): 20658 (JSC::MacroAssembler::totalNumberOfRegisters): 20659 * bytecode/StructureStubInfo.h: 20660 * dfg/DFGSpeculativeJIT.cpp: 20661 (JSC::DFG::SpeculativeJIT::usedRegisters): 20662 * dfg/DFGSpeculativeJIT.h: 20663 * ftl/FTLSaveRestore.cpp: 20664 (JSC::FTL::bytesForGPRs): 20665 (JSC::FTL::bytesForFPRs): 20666 (JSC::FTL::offsetOfGPR): 20667 (JSC::FTL::offsetOfFPR): 20668 * jit/JITInlineCacheGenerator.cpp: 20669 (JSC::JITByIdGenerator::JITByIdGenerator): 20670 (JSC::JITPutByIdGenerator::JITPutByIdGenerator): 20671 * jit/JITInlineCacheGenerator.h: 20672 (JSC::JITGetByIdGenerator::JITGetByIdGenerator): 20673 * jit/JITPropertyAccess.cpp: 20674 (JSC::JIT::emit_op_get_by_id): 20675 (JSC::JIT::emit_op_put_by_id): 20676 * jit/JITPropertyAccess32_64.cpp: 20677 (JSC::JIT::emit_op_get_by_id): 20678 (JSC::JIT::emit_op_put_by_id): 20679 * jit/RegisterSet.cpp: Added. 20680 (JSC::RegisterSet::specialRegisters): 20681 * jit/RegisterSet.h: Added. 20682 (JSC::RegisterSet::RegisterSet): 20683 (JSC::RegisterSet::set): 20684 (JSC::RegisterSet::clear): 20685 (JSC::RegisterSet::get): 20686 (JSC::RegisterSet::merge): 20687 * jit/Repatch.cpp: 20688 (JSC::generateProtoChainAccessStub): 20689 (JSC::tryCacheGetByID): 20690 (JSC::tryBuildGetByIDList): 20691 (JSC::emitPutReplaceStub): 20692 (JSC::tryRepatchIn): 20693 (JSC::linkClosureCall): 20694 * jit/TempRegisterSet.cpp: Added. 20695 (JSC::TempRegisterSet::TempRegisterSet): 20696 * jit/TempRegisterSet.h: 20697 206982013-10-20 Julien Brianceau <jbriance@cisco.com> 20699 20700 [sh4] Fix build (broken since r157690). 
20701 https://bugs.webkit.org/show_bug.cgi?id=123081 20702 20703 Reviewed by Andreas Kling. 20704 20705 * assembler/AssemblerBufferWithConstantPool.h: 20706 * assembler/SH4Assembler.h: 20707 (JSC::SH4Assembler::buffer): 20708 (JSC::SH4Assembler::readCallTarget): 20709 207102013-10-19 Filip Pizlo <fpizlo@apple.com> 20711 20712 Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union 20713 https://bugs.webkit.org/show_bug.cgi?id=123079 20714 20715 Reviewed by Geoffrey Garen. 20716 20717 * jit/TempRegisterSet.h: 20718 207192013-10-19 Filip Pizlo <fpizlo@apple.com> 20720 20721 Rename RegisterSet to TempRegisterSet 20722 https://bugs.webkit.org/show_bug.cgi?id=123077 20723 20724 Reviewed by Dan Bernstein. 20725 20726 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 20727 * JavaScriptCore.xcodeproj/project.pbxproj: 20728 * bytecode/StructureStubInfo.h: 20729 * dfg/DFGJITCompiler.h: 20730 * dfg/DFGSpeculativeJIT.h: 20731 (JSC::DFG::SpeculativeJIT::usedRegisters): 20732 * jit/JITInlineCacheGenerator.cpp: 20733 (JSC::JITByIdGenerator::JITByIdGenerator): 20734 (JSC::JITPutByIdGenerator::JITPutByIdGenerator): 20735 * jit/JITInlineCacheGenerator.h: 20736 (JSC::JITGetByIdGenerator::JITGetByIdGenerator): 20737 * jit/JITPropertyAccess.cpp: 20738 (JSC::JIT::emit_op_get_by_id): 20739 (JSC::JIT::emit_op_put_by_id): 20740 * jit/JITPropertyAccess32_64.cpp: 20741 (JSC::JIT::emit_op_get_by_id): 20742 (JSC::JIT::emit_op_put_by_id): 20743 * jit/RegisterSet.h: Removed. 20744 * jit/ScratchRegisterAllocator.h: 20745 (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator): 20746 * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h. 
20747 (JSC::TempRegisterSet::TempRegisterSet): 20748 (JSC::TempRegisterSet::asPOD): 20749 (JSC::TempRegisterSet::copyInfo): 20750 207512013-10-19 Filip Pizlo <fpizlo@apple.com> 20752 20753 Restructure LinkBuffer to allow for alternate allocation strategies 20754 https://bugs.webkit.org/show_bug.cgi?id=123071 20755 20756 Reviewed by Oliver Hunt. 20757 20758 The idea is to eventually allow a LinkBuffer to place the code into an already 20759 allocated region of memory. That region of memory could be the nop-slide left behind 20760 by a llvm.webkit.patchpoint. 20761 20762 * assembler/ARM64Assembler.h: 20763 (JSC::ARM64Assembler::buffer): 20764 * assembler/AssemblerBuffer.h: 20765 * assembler/LinkBuffer.cpp: 20766 (JSC::LinkBuffer::copyCompactAndLinkCode): 20767 (JSC::LinkBuffer::linkCode): 20768 (JSC::LinkBuffer::allocate): 20769 (JSC::LinkBuffer::shrink): 20770 * assembler/LinkBuffer.h: 20771 (JSC::LinkBuffer::LinkBuffer): 20772 (JSC::LinkBuffer::didFailToAllocate): 20773 * assembler/X86Assembler.h: 20774 (JSC::X86Assembler::buffer): 20775 (JSC::X86Assembler::X86InstructionFormatter::memoryModRM): 20776 207772013-10-19 Alexey Proskuryakov <ap@apple.com> 20778 20779 Some includes in JSC seem to use an incorrect style 20780 https://bugs.webkit.org/show_bug.cgi?id=123057 20781 20782 Reviewed by Geoffrey Garen. 20783 20784 Changed pseudo-system includes to user ones. 20785 20786 * API/JSContextRef.cpp: 20787 * API/JSStringRefCF.cpp: 20788 * API/JSValueRef.cpp: 20789 * API/OpaqueJSString.cpp: 20790 * jit/JIT.h: 20791 * parser/SyntaxChecker.h: 20792 * runtime/WeakGCMap.h: 20793 207942013-10-19 Filip Pizlo <fpizlo@apple.com> 20795 20796 Baseline JIT and DFG IC code generation should be unified and rationalized 20797 https://bugs.webkit.org/show_bug.cgi?id=122939 20798 20799 Reviewed by Geoffrey Garen. 20800 20801 Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus 20802 some register info and creates JIT inline caches for you. 
Used this to even furhter 20803 unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope 20804 is that we'll be able to use it for cascading ICs: an IC for some instruction may realize 20805 that it needs to do the equivalent of get_by_id, so with this generator it will be able 20806 to create an IC even though it wasn't associated with a get_by_id bytecode instruction. 20807 20808 * CMakeLists.txt: 20809 * GNUmakefile.list.am: 20810 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 20811 * JavaScriptCore.xcodeproj/project.pbxproj: 20812 * assembler/AbstractMacroAssembler.h: 20813 (JSC::AbstractMacroAssembler::DataLabelCompact::label): 20814 * bytecode/CodeBlock.h: 20815 (JSC::CodeBlock::ecmaMode): 20816 * dfg/DFGInlineCacheWrapper.h: Added. 20817 (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper): 20818 * dfg/DFGInlineCacheWrapperInlines.h: Added. 20819 (JSC::DFG::::finalize): 20820 * dfg/DFGJITCompiler.cpp: 20821 (JSC::DFG::JITCompiler::link): 20822 * dfg/DFGJITCompiler.h: 20823 (JSC::DFG::JITCompiler::addGetById): 20824 (JSC::DFG::JITCompiler::addPutById): 20825 * dfg/DFGSpeculativeJIT32_64.cpp: 20826 (JSC::DFG::SpeculativeJIT::cachedGetById): 20827 (JSC::DFG::SpeculativeJIT::cachedPutById): 20828 * dfg/DFGSpeculativeJIT64.cpp: 20829 (JSC::DFG::SpeculativeJIT::cachedGetById): 20830 (JSC::DFG::SpeculativeJIT::cachedPutById): 20831 (JSC::DFG::SpeculativeJIT::compile): 20832 * jit/AssemblyHelpers.h: 20833 (JSC::AssemblyHelpers::isStrictModeFor): 20834 (JSC::AssemblyHelpers::strictModeFor): 20835 * jit/GPRInfo.h: 20836 (JSC::JSValueRegs::tagGPR): 20837 * jit/JIT.cpp: 20838 (JSC::JIT::JIT): 20839 (JSC::JIT::privateCompileSlowCases): 20840 (JSC::JIT::privateCompile): 20841 * jit/JIT.h: 20842 * jit/JITInlineCacheGenerator.cpp: Added. 
20843 (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator): 20844 (JSC::JITByIdGenerator::JITByIdGenerator): 20845 (JSC::JITByIdGenerator::finalize): 20846 (JSC::JITByIdGenerator::generateFastPathChecks): 20847 (JSC::JITGetByIdGenerator::generateFastPath): 20848 (JSC::JITPutByIdGenerator::JITPutByIdGenerator): 20849 (JSC::JITPutByIdGenerator::generateFastPath): 20850 (JSC::JITPutByIdGenerator::slowPathFunction): 20851 * jit/JITInlineCacheGenerator.h: Added. 20852 (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator): 20853 (JSC::JITInlineCacheGenerator::stubInfo): 20854 (JSC::JITByIdGenerator::JITByIdGenerator): 20855 (JSC::JITByIdGenerator::reportSlowPathCall): 20856 (JSC::JITByIdGenerator::slowPathJump): 20857 (JSC::JITGetByIdGenerator::JITGetByIdGenerator): 20858 (JSC::JITPutByIdGenerator::JITPutByIdGenerator): 20859 * jit/JITPropertyAccess.cpp: 20860 (JSC::JIT::emit_op_get_by_id): 20861 (JSC::JIT::emitSlow_op_get_by_id): 20862 (JSC::JIT::emit_op_put_by_id): 20863 (JSC::JIT::emitSlow_op_put_by_id): 20864 * jit/JITPropertyAccess32_64.cpp: 20865 (JSC::JIT::emit_op_get_by_id): 20866 (JSC::JIT::emitSlow_op_get_by_id): 20867 (JSC::JIT::emit_op_put_by_id): 20868 (JSC::JIT::emitSlow_op_put_by_id): 20869 * jit/RegisterSet.h: 20870 (JSC::RegisterSet::set): 20871 208722013-10-19 Alexey Proskuryakov <ap@apple.com> 20873 20874 APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it 20875 https://bugs.webkit.org/show_bug.cgi?id=123067 20876 20877 Reviewed by Geoffrey Garen. 20878 20879 * API/APICast.h: Include it. 20880 208812013-10-19 Filip Pizlo <fpizlo@apple.com> 20882 20883 FTL::Location should treat the offset as an addend in the case of a Register location 20884 https://bugs.webkit.org/show_bug.cgi?id=123062 20885 20886 Reviewed by Sam Weinig. 
20887 20888 * ftl/FTLLocation.cpp: 20889 (JSC::FTL::Location::forStackmaps): 20890 (JSC::FTL::Location::dump): 20891 (JSC::FTL::Location::restoreInto): 20892 * ftl/FTLLocation.h: 20893 (JSC::FTL::Location::forRegister): 20894 (JSC::FTL::Location::hasAddend): 20895 (JSC::FTL::Location::addend): 20896 208972013-10-19 Nadav Rotem <nrotem@apple.com> 20898 20899 DFG dominators: document and rename stuff. 20900 https://bugs.webkit.org/show_bug.cgi?id=123056 20901 20902 Reviewed by Filip Pizlo. 20903 20904 Documented the code and renamed some variables. 20905 20906 * dfg/DFGDominators.cpp: 20907 (JSC::DFG::Dominators::compute): 20908 (JSC::DFG::Dominators::pruneDominators): 20909 * dfg/DFGDominators.h: 20910 209112013-10-19 Julien Brianceau <jbriance@cisco.com> 20912 20913 Fix build failure for architectures with 4 argument registers. 20914 https://bugs.webkit.org/show_bug.cgi?id=123060 20915 20916 Reviewed by Michael Saboff. 20917 20918 Add missing setupArgumentsWithExecState() prototypes for architecture with 4 argument registers. 20919 Remove SH4 specific code no longer needed since callOperation prototype change in r157660. 20920 20921 * dfg/DFGSpeculativeJIT.h: 20922 (JSC::DFG::SpeculativeJIT::callOperation): 20923 * jit/CCallHelpers.h: 20924 (JSC::CCallHelpers::setupArgumentsWithExecState): 20925 * jit/JITInlines.h: 20926 (JSC::JIT::callOperation): 20927 209282013-10-18 Filip Pizlo <fpizlo@apple.com> 20929 20930 Unreviewed, fix FTL build. 20931 20932 * ftl/FTLIntrinsicRepository.h: 20933 * ftl/FTLLowerDFGToLLVM.cpp: 20934 (JSC::FTL::LowerDFGToLLVM::compileGetById): 20935 209362013-10-18 Filip Pizlo <fpizlo@apple.com> 20937 20938 A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs 20939 https://bugs.webkit.org/show_bug.cgi?id=122940 20940 20941 Reviewed by Oliver Hunt. 20942 20943 This accomplishes a number of simplifications. 
StructureStubInfo is now non-moving, 20944 whereas previously it was in a Vector, so it moved. This allows you to use pointers to 20945 StructureStubInfo. This also eliminates the use of return PC as a way of finding the 20946 StructureStubInfo's. It removes some of the need for the compile-time property access 20947 records; for example the DFG no longer has to save information about registers in a 20948 property access record only to later save it to the stub info. 20949 20950 The main thing is accomplishes is that it makes it easier to add StructureStubInfo's 20951 at any stage of compilation. 20952 20953 * bytecode/CodeBlock.cpp: 20954 (JSC::CodeBlock::printGetByIdCacheStatus): 20955 (JSC::CodeBlock::dumpBytecode): 20956 (JSC::CodeBlock::~CodeBlock): 20957 (JSC::CodeBlock::propagateTransitions): 20958 (JSC::CodeBlock::finalizeUnconditionally): 20959 (JSC::CodeBlock::addStubInfo): 20960 (JSC::CodeBlock::getStubInfoMap): 20961 (JSC::CodeBlock::shrinkToFit): 20962 * bytecode/CodeBlock.h: 20963 (JSC::CodeBlock::begin): 20964 (JSC::CodeBlock::end): 20965 (JSC::CodeBlock::rareCaseProfileForBytecodeOffset): 20966 * bytecode/CodeOrigin.h: 20967 (JSC::CodeOrigin::CodeOrigin): 20968 (JSC::CodeOrigin::isHashTableDeletedValue): 20969 (JSC::CodeOrigin::hash): 20970 (JSC::CodeOriginHash::hash): 20971 (JSC::CodeOriginHash::equal): 20972 * bytecode/GetByIdStatus.cpp: 20973 (JSC::GetByIdStatus::computeFor): 20974 * bytecode/GetByIdStatus.h: 20975 * bytecode/PutByIdStatus.cpp: 20976 (JSC::PutByIdStatus::computeFor): 20977 * bytecode/PutByIdStatus.h: 20978 * bytecode/StructureStubInfo.h: 20979 (JSC::getStructureStubInfoCodeOrigin): 20980 * dfg/DFGByteCodeParser.cpp: 20981 (JSC::DFG::ByteCodeParser::parseBlock): 20982 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 20983 * dfg/DFGJITCompiler.cpp: 20984 (JSC::DFG::JITCompiler::link): 20985 * dfg/DFGJITCompiler.h: 20986 (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord): 20987 (JSC::DFG::InRecord::InRecord): 
20988 * dfg/DFGSpeculativeJIT.cpp: 20989 (JSC::DFG::SpeculativeJIT::compileIn): 20990 * dfg/DFGSpeculativeJIT.h: 20991 (JSC::DFG::SpeculativeJIT::callOperation): 20992 * dfg/DFGSpeculativeJIT32_64.cpp: 20993 (JSC::DFG::SpeculativeJIT::cachedGetById): 20994 (JSC::DFG::SpeculativeJIT::cachedPutById): 20995 * dfg/DFGSpeculativeJIT64.cpp: 20996 (JSC::DFG::SpeculativeJIT::cachedGetById): 20997 (JSC::DFG::SpeculativeJIT::cachedPutById): 20998 * jit/CCallHelpers.h: 20999 (JSC::CCallHelpers::setupArgumentsWithExecState): 21000 * jit/JIT.cpp: 21001 (JSC::PropertyStubCompilationInfo::copyToStubInfo): 21002 (JSC::JIT::privateCompile): 21003 * jit/JIT.h: 21004 (JSC::PropertyStubCompilationInfo::slowCaseInfo): 21005 * jit/JITInlines.h: 21006 (JSC::JIT::callOperation): 21007 * jit/JITOperations.cpp: 21008 * jit/JITOperations.h: 21009 * jit/JITPropertyAccess.cpp: 21010 (JSC::JIT::emitSlow_op_get_by_id): 21011 (JSC::JIT::emitSlow_op_put_by_id): 21012 * jit/JITPropertyAccess32_64.cpp: 21013 (JSC::JIT::emitSlow_op_get_by_id): 21014 (JSC::JIT::emitSlow_op_put_by_id): 21015 * jit/Repatch.cpp: 21016 (JSC::appropriateGenericPutByIdFunction): 21017 (JSC::appropriateListBuildingPutByIdFunction): 21018 (JSC::resetPutByID): 21019 210202013-10-18 Oliver Hunt <oliver@apple.com> 21021 21022 Spread operator should be performing direct "puts" and not triggering setters 21023 https://bugs.webkit.org/show_bug.cgi?id=123047 21024 21025 Reviewed by Geoffrey Garen. 21026 21027 Add a new opcode -- op_put_by_val_directue -- and make use of it in the spread 21028 to array construct. This required a new PutByValDirect node to be introduced to 21029 the DFG. The current implementation simply changes the slow path function that 21030 is called, but in future this could be made faster as it does not need to check 21031 the prototype chain. 
21032 21033 * bytecode/CodeBlock.cpp: 21034 (JSC::CodeBlock::dumpBytecode): 21035 (JSC::CodeBlock::CodeBlock): 21036 * bytecode/Opcode.h: 21037 (JSC::padOpcodeName): 21038 * bytecompiler/BytecodeGenerator.cpp: 21039 (JSC::BytecodeGenerator::emitDirectPutByVal): 21040 * bytecompiler/BytecodeGenerator.h: 21041 * bytecompiler/NodesCodegen.cpp: 21042 (JSC::ArrayNode::emitBytecode): 21043 * dfg/DFGAbstractInterpreterInlines.h: 21044 (JSC::DFG::::executeEffects): 21045 * dfg/DFGBackwardsPropagationPhase.cpp: 21046 (JSC::DFG::BackwardsPropagationPhase::propagate): 21047 * dfg/DFGByteCodeParser.cpp: 21048 (JSC::DFG::ByteCodeParser::parseBlock): 21049 * dfg/DFGCSEPhase.cpp: 21050 (JSC::DFG::CSEPhase::getArrayLengthElimination): 21051 (JSC::DFG::CSEPhase::getByValLoadElimination): 21052 (JSC::DFG::CSEPhase::checkStructureElimination): 21053 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): 21054 (JSC::DFG::CSEPhase::getByOffsetLoadElimination): 21055 (JSC::DFG::CSEPhase::putByOffsetStoreElimination): 21056 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): 21057 (JSC::DFG::CSEPhase::performNodeCSE): 21058 * dfg/DFGCapabilities.cpp: 21059 (JSC::DFG::capabilityLevel): 21060 * dfg/DFGClobberize.h: 21061 (JSC::DFG::clobberize): 21062 * dfg/DFGFixupPhase.cpp: 21063 (JSC::DFG::FixupPhase::fixupNode): 21064 * dfg/DFGGraph.h: 21065 (JSC::DFG::Graph::clobbersWorld): 21066 * dfg/DFGNode.h: 21067 (JSC::DFG::Node::hasArrayMode): 21068 * dfg/DFGNodeType.h: 21069 * dfg/DFGOperations.cpp: 21070 (JSC::DFG::putByVal): 21071 (JSC::DFG::operationPutByValInternal): 21072 * dfg/DFGOperations.h: 21073 * dfg/DFGPredictionPropagationPhase.cpp: 21074 (JSC::DFG::PredictionPropagationPhase::propagate): 21075 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): 21076 * dfg/DFGSafeToExecute.h: 21077 (JSC::DFG::safeToExecute): 21078 * dfg/DFGSpeculativeJIT32_64.cpp: 21079 (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal): 21080 (JSC::DFG::SpeculativeJIT::compile): 21081 * 
dfg/DFGSpeculativeJIT64.cpp: 21082 (JSC::DFG::SpeculativeJIT::compile): 21083 * dfg/DFGTypeCheckHoistingPhase.cpp: 21084 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): 21085 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): 21086 * jit/JIT.cpp: 21087 (JSC::JIT::privateCompileMainPass): 21088 (JSC::JIT::privateCompileSlowCases): 21089 * jit/JIT.h: 21090 (JSC::JIT::compileDirectPutByVal): 21091 * jit/JITOperations.cpp: 21092 * jit/JITOperations.h: 21093 * jit/JITPropertyAccess.cpp: 21094 (JSC::JIT::emitSlow_op_put_by_val): 21095 (JSC::JIT::privateCompilePutByVal): 21096 * jit/JITPropertyAccess32_64.cpp: 21097 (JSC::JIT::emitSlow_op_put_by_val): 21098 * llint/LLIntSlowPaths.cpp: 21099 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 21100 * llint/LLIntSlowPaths.h: 21101 * llint/LowLevelInterpreter32_64.asm: 21102 * llint/LowLevelInterpreter64.asm: 21103 211042013-10-18 Daniel Bates <dabates@apple.com> 21105 21106 [iOS] Export symbol for VM::sharedInstanceExists() 21107 https://bugs.webkit.org/show_bug.cgi?id=123046 21108 21109 Reviewed by Mark Hahnenberg. 21110 21111 * runtime/VM.h: 21112 211132013-10-18 Daniel Bates <dabates@apple.com> 21114 21115 [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS 21116 https://bugs.webkit.org/show_bug.cgi?id=123049 21117 21118 Reviewed by Mark Hahnenberg. 21119 21120 * heap/Heap.cpp: 21121 (JSC::Heap::setIncrementalSweeper): 21122 * heap/Heap.h: 21123 * heap/HeapTimer.h: 21124 * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor. 21125 Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock 21126 (we include its header in the .cpp file) and remove include for header wtf/HashSet.h 21127 (duplicates the include in the .cpp). 21128 * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't 21129 making use of this now, but we'll make use of it in a subsequent patch. 
21130 211312013-10-18 Anders Carlsson <andersca@apple.com> 21132 21133 Remove spaces between template angle brackets 21134 https://bugs.webkit.org/show_bug.cgi?id=123040 21135 21136 Reviewed by Andreas Kling. 21137 21138 * API/JSCallbackObject.cpp: 21139 (JSC::::create): 21140 * API/JSObjectRef.cpp: 21141 * bytecode/CodeBlock.h: 21142 (JSC::CodeBlock::constants): 21143 (JSC::CodeBlock::setConstantRegisters): 21144 * bytecode/DFGExitProfile.h: 21145 * bytecode/EvalCodeCache.h: 21146 * bytecode/Operands.h: 21147 * bytecode/UnlinkedCodeBlock.h: 21148 (JSC::UnlinkedCodeBlock::constantRegisters): 21149 * bytecode/Watchpoint.h: 21150 * bytecompiler/BytecodeGenerator.h: 21151 * bytecompiler/StaticPropertyAnalysis.h: 21152 * bytecompiler/StaticPropertyAnalyzer.h: 21153 * dfg/DFGArgumentsSimplificationPhase.cpp: 21154 * dfg/DFGBlockInsertionSet.h: 21155 * dfg/DFGCSEPhase.cpp: 21156 (JSC::DFG::performCSE): 21157 (JSC::DFG::performStoreElimination): 21158 * dfg/DFGCommonData.h: 21159 * dfg/DFGDesiredStructureChains.h: 21160 * dfg/DFGDesiredWatchpoints.h: 21161 * dfg/DFGJITCompiler.h: 21162 * dfg/DFGOSRExitCompiler32_64.cpp: 21163 (JSC::DFG::OSRExitCompiler::compileExit): 21164 * dfg/DFGOSRExitCompiler64.cpp: 21165 (JSC::DFG::OSRExitCompiler::compileExit): 21166 * dfg/DFGWorklist.h: 21167 * heap/BlockAllocator.h: 21168 (JSC::CopiedBlock): 21169 (JSC::MarkedBlock): 21170 (JSC::WeakBlock): 21171 (JSC::MarkStackSegment): 21172 (JSC::CopyWorkListSegment): 21173 (JSC::HandleBlock): 21174 * heap/Heap.h: 21175 * heap/Local.h: 21176 * heap/MarkedBlock.h: 21177 * heap/Strong.h: 21178 * jit/AssemblyHelpers.cpp: 21179 (JSC::AssemblyHelpers::decodedCodeMapFor): 21180 * jit/AssemblyHelpers.h: 21181 * jit/SpecializedThunkJIT.h: 21182 * parser/Nodes.h: 21183 * parser/Parser.cpp: 21184 (JSC::::parseIfStatement): 21185 * parser/Parser.h: 21186 (JSC::Scope::copyCapturedVariablesToVector): 21187 (JSC::parse): 21188 * parser/ParserArena.h: 21189 * parser/SourceProviderCacheItem.h: 21190 * 
profiler/LegacyProfiler.cpp: 21191 (JSC::dispatchFunctionToProfiles): 21192 * profiler/LegacyProfiler.h: 21193 (JSC::LegacyProfiler::currentProfiles): 21194 * profiler/ProfileNode.h: 21195 (JSC::ProfileNode::children): 21196 * profiler/ProfilerDatabase.h: 21197 * runtime/Butterfly.h: 21198 (JSC::Butterfly::contiguousInt32): 21199 (JSC::Butterfly::contiguous): 21200 * runtime/GenericTypedArrayViewInlines.h: 21201 (JSC::::create): 21202 * runtime/Identifier.h: 21203 (JSC::Identifier::add): 21204 * runtime/JSPromise.h: 21205 * runtime/PropertyMapHashTable.h: 21206 * runtime/PropertyNameArray.h: 21207 * runtime/RegExpCache.h: 21208 * runtime/SparseArrayValueMap.h: 21209 * runtime/SymbolTable.h: 21210 * runtime/VM.h: 21211 * tools/CodeProfile.cpp: 21212 (JSC::truncateTrace): 21213 * tools/CodeProfile.h: 21214 * yarr/YarrInterpreter.cpp: 21215 * yarr/YarrInterpreter.h: 21216 (JSC::Yarr::BytecodePattern::BytecodePattern): 21217 * yarr/YarrJIT.cpp: 21218 (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern): 21219 (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion): 21220 (JSC::Yarr::YarrGenerator::opCompileBody): 21221 * yarr/YarrPattern.cpp: 21222 (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses): 21223 (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions): 21224 * yarr/YarrPattern.h: 21225 212262013-10-18 Mark Lam <mark.lam@apple.com> 21227 21228 Remove excess reserved space in ctiTrampoline frames for X86 and X86_64. 21229 https://bugs.webkit.org/show_bug.cgi?id=123037. 21230 21231 Reviewed by Geoffrey Garen. 21232 21233 * jit/JITStubsMSVC64.asm: 21234 * jit/JITStubsX86.h: 21235 * jit/JITStubsX86_64.h: 21236 212372013-10-18 Filip Pizlo <fpizlo@apple.com> 21238 21239 Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests 21240 https://bugs.webkit.org/show_bug.cgi?id=121661 21241 21242 Reviewed by Mark Hahnenberg. 
21243 21244 This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent 21245 so I added a return-early check using isCompilationThread(). 21246 21247 Here's why this makes sense. Structure has two ways to tell you about the layout of the objects 21248 it is describing: m_offset and the property table. Most structures only have m_offset and report 21249 null for the property table. If the property table is there, it will tell you additional 21250 information and that information subsumes m_offset - but the m_offset is still there. So, when 21251 we have a property table, we have to keep it in sync with the m_offset. There is a bunch of 21252 machinery to do this. 21253 21254 Changing the property table only happens on the main thread. 21255 21256 Because the machinery to change the property table is so complex, especially with respect to 21257 keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be 21258 called at key points before and after changes to the property table or the offset. 21259 21260 Most clients of Structure who care about object layout, including the concurrent thread, will 21261 want to know m_offset and not the property table. If they want the property table, they will 21262 already be super careful. The concurrent thread has special methods for this, like 21263 Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent 21264 view of the property table. 21265 21266 Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be 21267 called when the relevant lock is already held. So, we'd have awkward recursive locking issues. 21268 21269 But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(), 21270 which has a call to checkOffsetConsistency(). 
The call to checkOffsetConsistency() is there 21271 because we have found that it helps quickly identify situations where the property table and 21272 m_offset get out of sync - mainly because code that changes either of those things will usually 21273 also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually* 21274 need the property table; it uses the m_offset. The concurrent JIT is correct to call 21275 outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where 21276 it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because 21277 outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab 21278 locks, and that same structure is having its property table modified by the main thread, we end 21279 up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its* 21280 property table modified - instead what happens is that some downstream structure steals the 21281 property table and then starts adding things to it. The concurrent thread loads the property 21282 table before it's stolen, and hence the badness. 21283 21284 I suspect there are other code paths that lead to the concurrent JIT calling some Structure 21285 method that it is fine and safe to call, but then that method calls checkOffsetConsistency(), 21286 and then you have a possible crash. 21287 21288 The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is 21289 aware of its uselessness to the concurrent JIT thread. This change makes it return early if 21290 it's in the concurrent JIT. 

        * runtime/StructureInlines.h:
        (JSC::Structure::checkOffsetConsistency):

2013-10-18  Daniel Bates  <dabates@apple.com>

        Add SPI to disable the garbage collector timer
        https://bugs.webkit.org/show_bug.cgi?id=122921

        Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
        omitted.

        * heap/Heap.cpp:
        (JSC::Heap::setGarbageCollectionTimerEnabled):

2013-10-18  Julien Brianceau  <jbriance@cisco.com>

        Group 64-bit specific and 32-bit specific callOperation implementations.
        https://bugs.webkit.org/show_bug.cgi?id=123024

        Reviewed by Michael Saboff.

        This is not a big deal, but could be less confusing when reading the code.

        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::callOperationWithCallFrameRollbackOnException):
        (JSC::JIT::callOperationNoExceptionCheck):

2013-10-18  Nadav Rotem  <nrotem@apple.com>

        Fix a FlushLiveness problem.
        https://bugs.webkit.org/show_bug.cgi?id=122984

        Reviewed by Filip Pizlo.

        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        (JSC::DFG::FlushLivenessAnalysisPhase::process):

2013-10-18  Michael Saboff  <msaboff@apple.com>

        Change native function call stubs to use JIT operations instead of ctiVMHandleException
        https://bugs.webkit.org/show_bug.cgi?id=122982

        Reviewed by Geoffrey Garen.

        Change ctiVMHandleException to operationVMHandleException. Change all exception operations to
        return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
        This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
        in the process.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperationNoExceptionCheck):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_throw):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_throw):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jit/Repatch.cpp:
        (JSC::tryBuildGetByIDList):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::nativeForGenerator):
        * runtime/VM.h:
        (JSC::VM::callFrameForThrowOffset):
        (JSC::VM::targetMachinePCForThrowOffset):

2013-10-18  Julien Brianceau  <jbriance@cisco.com>

        Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
        https://bugs.webkit.org/show_bug.cgi?id=123023

        Reviewed by Michael Saboff.

        * jit/JITInlines.h:
        (JSC::JIT::callOperation): EncodedJSValue parameters do not need alignment
        using EABI_32BIT_DUMMY_ARG here.

2013-10-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, another ARM64 build fix.

        Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
        on ARM64 and none of its uses are legit - they should all be using
        andPtr(TrustedImm32, blah) anyway.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):

2013-10-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, speculative ARM64 build fix.

        move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
        implemented. So, you have to use TrustedImmPtr in the superclasses.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::branchTest8):

2013-10-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, speculative ARM build fix.
        https://bugs.webkit.org/show_bug.cgi?id=122890
        <rdar://problem/15258624>

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::firstRegister):
        (JSC::ARM64Assembler::lastRegister):
        (JSC::ARM64Assembler::firstFPRegister):
        (JSC::ARM64Assembler::lastFPRegister):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerARMv7.h:

2013-10-17  Andreas Kling  <akling@apple.com>

        Pass VM instead of JSGlobalObject to JSONObject constructor.
        <https://webkit.org/b/122999>

        JSONObject was only using the JSGlobalObject to grab at the VM.
        Dodge a few loads by passing the VM directly instead.

        Reviewed by Geoffrey Garen.

        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        (JSC::JSONObject::finishCreation):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed the JITStackFrame struct
        https://bugs.webkit.org/show_bug.cgi?id=123001

        Reviewed by Anders Carlsson.

        * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
        our helper functions obey the C function call ABI.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed an unused #define
        https://bugs.webkit.org/show_bug.cgi?id=123000

        Reviewed by Anders Carlsson.

        * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
        since it is unused now. This is a step toward using the C stack.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
        https://bugs.webkit.org/show_bug.cgi?id=122973

        Reviewed by Michael Saboff.

        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
        so I removed it.

        The code acted as if it needed to pass an argument to
        lookupExceptionHandler, and as if it passed that argument to itself
        through JITStackFrame. However, lookupExceptionHandler does not take
        an argument (other than the default ExecState argument), and the code
        did not initialize the thing that it thought it passed to itself!

2013-10-17  Alex Christensen  <achristensen@webkit.org>

        Run JavaScriptCore tests again on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=122787

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
        * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed restoreArgumentReference (another use of JITStackFrame)
        https://bugs.webkit.org/show_bug.cgi?id=122997

        Reviewed by Oliver Hunt.

        * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
        toward using the C stack.

2013-10-17  Oliver Hunt  <oliver@apple.com>

        Remove JITStubCall.h
        https://bugs.webkit.org/show_bug.cgi?id=122991

        Reviewed by Geoff Garen.

        Happily this is no longer used.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JIT.cpp:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jit/JITStubCall.h: Removed.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed a use of JITSTACKFRAME_ARGS_INDEX
        https://bugs.webkit.org/show_bug.cgi?id=122989

        Reviewed by Oliver Hunt.

        * jit/JITStubCall.h: Removed an unused function. This is one step closer
        to using the C stack.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Change emit_op_catch to use another method to materialize VM
        https://bugs.webkit.org/show_bug.cgi?id=122977

        Reviewed by Oliver Hunt.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
        on JITStackFrame. It is also faster and simpler.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Eliminate emitGetJITStubArg() - dead code
        https://bugs.webkit.org/show_bug.cgi?id=122975

        Reviewed by Anders Carlsson.

        * jit/JIT.h:
        * jit/JITInlines.h: Removed unused, deprecated function.

2013-10-17  Mark Lam  <mark.lam@apple.com>

        Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
        https://bugs.webkit.org/show_bug.cgi?id=122979.

        Reviewed by Michael Saboff.

        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2013-10-17  Michael Saboff  <msaboff@apple.com>

        Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
        https://bugs.webkit.org/show_bug.cgi?id=122974

        Reviewed by Geoffrey Garen.

        Eliminated unneeded storing to JITStackFrame.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):

2013-10-17  Michael Saboff  <msaboff@apple.com>

        Transition cti_op_throw and cti_vm_throw to a JIT operation
        https://bugs.webkit.org/show_bug.cgi?id=122931

        Reviewed by Filip Pizlo.

        Moved cti_op_throw to operationThrow. Made the caller responsible for jumping to the
        catch handler. Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
        and their callers as it is now dead code. There is some work needed on the Microsoft X86
        callOperation to handle the need to provide space for the structure return value.

        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_throw):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jit/JSInterfaceJIT.h:

2013-10-17  Mark Lam  <mark.lam@apple.com>

        Remove JITStackFrame references in the C Loop LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=122950.

        Reviewed by Michael Saboff.

        * jit/JITStubs.h:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * offlineasm/cloop.rb:

2013-10-17  Mark Lam  <mark.lam@apple.com>

        Remove JITStackFrame references in JIT probes.
        https://bugs.webkit.org/show_bug.cgi?id=122947.

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssemblerARM::ProbeContext::dump):
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssemblerARMv7::ProbeContext::dump):
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssemblerX86Common::ProbeContext::dump):
        * assembler/MacroAssemblerX86Common.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86Common.h:
        * jit/JITStubsX86_64.h:

2013-10-17  Julien Brianceau  <jbriance@cisco.com>

        Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
        https://bugs.webkit.org/show_bug.cgi?id=122949

        Reviewed by Andreas Kling.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2013-10-16  Mark Lam  <mark.lam@apple.com>

        Transition remaining op_get* JITStubs to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122925.

        Reviewed by Geoffrey Garen.

        Transitioning:
        cti_op_get_by_id_generic
        cti_op_get_by_val
        cti_op_get_by_val_generic
        cti_op_get_by_val_string

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_get_arguments_length):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_get_arguments_length):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_pname):
        (JSC::JIT::privateCompileGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_pname):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * runtime/Executable.cpp:
        (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        Introduce WTF::Bag and start using it for InlineCallFrameSet
        https://bugs.webkit.org/show_bug.cgi?id=122941

        Reviewed by Geoffrey Garen.

        Use Bag for InlineCallFrameSet. If this works out then I'll make other
        SegmentedVectors into Bags as well.

        * bytecode/InlineCallFrameSet.cpp:
        (JSC::InlineCallFrameSet::add):
        * bytecode/InlineCallFrameSet.h:
        (JSC::InlineCallFrameSet::begin):
        (JSC::InlineCallFrameSet::end):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        libllvmForJSC shouldn't call exit(1) on report_fatal_error()
        https://bugs.webkit.org/show_bug.cgi?id=122905
        <rdar://problem/15237856>

        Reviewed by Michael Saboff.

        Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
        then always call it to install something that calls CRASH().

        * llvm/InitializeLLVM.cpp:
        (JSC::llvmCrash):
        (JSC::initializeLLVMOnce):
        (JSC::initializeLLVM):
        * llvm/LLVMAPIFunctions.h:

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
        https://bugs.webkit.org/show_bug.cgi?id=122938

        Reviewed by Sam Weinig.

        This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.

        * jit/Repatch.cpp:
        (JSC::tryBuildGetByIDList):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
        https://bugs.webkit.org/show_bug.cgi?id=122937

        Reviewed by Geoffrey Garen.

        JITStubCall used to do it.

        This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.

        * jit/JIT.h:
        (JSC::JIT::appendCall):

2013-10-16  Michael Saboff  <msaboff@apple.com>

        transition void cti_op_put_by_val* stubs to JIT operations
        https://bugs.webkit.org/show_bug.cgi?id=122903

        Reviewed by Geoffrey Garen.

        Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
        operationPutByValGeneric.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JSInterfaceJIT.h:

2013-10-16  Oliver Hunt  <oliver@apple.com>

        Implement ES6 spread operator
        https://bugs.webkit.org/show_bug.cgi?id=122911

        Reviewed by Michael Saboff.

        Implement the ES6 spread operator.

        This has a little bit of refactoring to move the enumeration logic out of ForOfNode
        and into BytecodeGenerator, and then adds the logic to make it nicely callback
        driven.

        The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
        and actually handling the spread.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createSpreadExpression):
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/NodeConstructors.h:
        (JSC::SpreadExpressionNode::SpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isSpreadExpression):
        (JSC::SpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::::parseArrayLiteral):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSpreadExpression):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        Add a useLLInt option to jsc
        https://bugs.webkit.org/show_bug.cgi?id=122930

        Reviewed by Geoffrey Garen.

        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        (JSC::setupJIT):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Options.h:

2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        Build fix.

        Forgot to svn add DeferGC.cpp

        * heap/DeferGC.cpp: Added.

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        r157411 fails run-javascriptcore-tests when run with Baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=122902

        Reviewed by Mark Hahnenberg.

        It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
        not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
        logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
        didn't. Turns out that there's even a helpful method,
        Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!

        * jit/Repatch.cpp:
        (JSC::tryCachePutByID):

2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
        https://bugs.webkit.org/show_bug.cgi?id=122667

        Reviewed by Geoffrey Garen.

        The issue this patch is attempting to fix is that there are places in our codebase
        where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
        operations that can initiate a garbage collection. Garbage collection then calls
        some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
        always necessarily run during garbage collection). This causes a deadlock.

        To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores
        into a thread-local field that indicates that it is unsafe to perform any operation
        that could trigger garbage collection on the current thread. In debug builds,
        ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly
        detect deadlocks.

        This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
        which uses the DeferGC mechanism to prevent collections from occurring while the
        lock is held.
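The DisallowGC / DeferGC mechanism this entry describes, as an added C++ sketch written for this page; it is not WebKit's heap/DeferGC.h or runtime/ConcurrentJITLock.h. The class names follow the entry, while the thread-local flags, the toy Heap with its allocation threshold, and std::mutex standing in for ConcurrentJITLock are assumptions.

```cpp
#include <mutex>

// Per-thread state as the entry describes: a "GC is unsafe here" flag and a DeferGC depth.
static thread_local bool s_gcDisallowed = false;
static thread_local unsigned s_deferDepth = 0;
static thread_local bool s_sawViolation = false; // stand-in for a debug-build ASSERT

// RAII marker: while one is alive on this thread, anything that could trigger a collection is a bug.
class DisallowGC {
public:
    DisallowGC() : m_previous(s_gcDisallowed) { s_gcDisallowed = true; }
    ~DisallowGC() { s_gcDisallowed = m_previous; }
    static bool isGCDisallowedOnCurrentThread() { return s_gcDisallowed; }
private:
    bool m_previous;
};

class Heap {
public:
    // Stand-in for allocateCell(): collects first when the heap is "full", unless GC is disallowed here.
    bool allocateCell() {
        if (DisallowGC::isGCDisallowedOnCurrentThread()) { s_sawViolation = true; return false; }
        if (m_liveCells >= m_threshold)
            collectIfNotDeferred();
        ++m_liveCells;
        return true;
    }
    // Runs a collection now, or marks one pending if a DeferGC is active on this thread.
    void collectIfNotDeferred() {
        if (s_deferDepth > 0) { m_collectionPending = true; return; }
        m_liveCells = 0;
        m_collectionPending = false;
        ++m_collections;
    }
    unsigned collections() const { return m_collections; }
    bool collectionPending() const { return m_collectionPending; }
private:
    unsigned m_liveCells = 0;
    unsigned m_threshold = 4; // constructed value: a collection is due on every 5th allocation
    unsigned m_collections = 0;
    bool m_collectionPending = false;
};

// RAII deferral: a collection requested while one is alive runs when the outermost DeferGC exits.
class DeferGC {
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { ++s_deferDepth; }
    ~DeferGC() {
        if (--s_deferDepth == 0 && m_heap.collectionPending())
            m_heap.collectIfNotDeferred();
    }
private:
    Heap& m_heap;
};

// Debug-style ConcurrentJITLocker: holds the lock and carries a DisallowGC so misuse is caught early.
class ConcurrentJITLocker {
public:
    explicit ConcurrentJITLocker(std::mutex& lock) : m_guard(lock) {}
private:
    std::lock_guard<std::mutex> m_guard;
    DisallowGC m_disallowGC;
};

// GC-safe variant: defers collection for the lock's lifetime instead of forbidding it.
class GCSafeConcurrentJITLocker {
public:
    GCSafeConcurrentJITLocker(std::mutex& lock, Heap& heap) : m_defer(heap), m_guard(lock) {}
private:
    DeferGC m_defer;
    std::lock_guard<std::mutex> m_guard;
};

// Scenario 1: allocating while a plain ConcurrentJITLocker is held is caught (the deadlock case).
bool allocationUnderPlainLockerIsCaught() {
    Heap heap; std::mutex lock;
    s_sawViolation = false;
    ConcurrentJITLocker locker(lock);
    bool allocated = heap.allocateCell();
    return !allocated && s_sawViolation;
}

// Scenario 2: under the GC-safe locker allocations succeed and the collection runs only on release.
struct GCSafeResult { bool allAllocated; unsigned duringLock; unsigned afterLock; };
GCSafeResult allocateUnderGCSafeLocker(unsigned allocations) {
    Heap heap; std::mutex lock;
    GCSafeResult r{true, 0, 0};
    {
        GCSafeConcurrentJITLocker locker(lock, heap);
        for (unsigned i = 0; i < allocations; ++i)
            r.allAllocated = heap.allocateCell() && r.allAllocated;
        r.duringLock = heap.collections();
    }
    r.afterLock = heap.collections();
    return r;
}
```

The second scenario is also the Structure.cpp situation noted in this entry's file list: the deferred collection runs only once the GC-safe locker is gone, so anything the caller still needs must be used before that point.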

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DeferGC.h:
        (JSC::DisallowGC::DisallowGC):
        (JSC::DisallowGC::~DisallowGC):
        (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
        (JSC::DisallowGC::initialize):
        * jit/Repatch.cpp:
        (JSC::repatchPutByID):
        (JSC::buildPutByIdList):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ConcurrentJITLock.h:
        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::unlockEarly):
        (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
        (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
        (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
        can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but
        before the caller has a chance to use the newly created PropertyTable. The garbage collection
        clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
        we must DeferGC until the caller is done getting the newly materialized PropertyTable from
        the Structure.
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/SymbolTable.h:
        (JSC::SymbolTable::find):
        (JSC::SymbolTable::end):

2013-10-16  Daniel Bates  <dabates@apple.com>

        Add SPI to disable the garbage collector timer
        https://bugs.webkit.org/show_bug.cgi?id=122921

        Reviewed by Geoffrey Garen.

        Based on a patch by Mark Hahnenberg.

        * API/JSBase.cpp:
        (JSDisableGCTimer): Added; SPI function.
        * API/JSBasePrivate.h:
        * heap/BlockAllocator.cpp:
        (JSC::createBlockFreeingThread): Added.
        (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
        to conditionally create the "block freeing" thread depending on the value of
        GCActivityCallback::s_shouldCreateGCTimer.
        (JSC::BlockAllocator::~BlockAllocator):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):
        * heap/Heap.cpp:
        (JSC::Heap::didAbandon):
        (JSC::Heap::collect):
        (JSC::Heap::didAllocate):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        * runtime/GCActivityCallback.cpp:
        * runtime/GCActivityCallback.h:
        (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
        when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
        object (since DefaultGCActivityCallback ultimately extends HeapTimer).

2013-10-16  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r157529.
        http://trac.webkit.org/changeset/157529
        https://bugs.webkit.org/show_bug.cgi?id=122919

        Caused score test failures and some build failures. (Requested
        by rfong on #webkit).

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::CallArguments::CallArguments):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::collectBoundIdentifiers):
        * parser/ASTBuilder.h:
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/NodeConstructors.h:
        (JSC::DotAccessorNode::DotAccessorNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseArrayLiteral):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:

2013-10-16  Julien Brianceau  <jbriance@cisco.com>

        Remove useless architecture specific implementation in DFG.
        https://bugs.webkit.org/show_bug.cgi?id=122917.

        Reviewed by Michael Saboff.

        With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
        as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.

        * dfg/DFGSpeculativeJIT.h:

2013-10-16  Julien Brianceau  <jbriance@cisco.com>

        Remove unused JIT::restoreArgumentReferenceForTrampoline function.
        https://bugs.webkit.org/show_bug.cgi?id=122916.

        Reviewed by Michael Saboff.

        This architecture specific function is not used anymore, so get rid of it.

        * jit/JIT.h:
        * jit/JITInlines.h:

2013-10-16  Oliver Hunt  <oliver@apple.com>

        Implement ES6 spread operator
        https://bugs.webkit.org/show_bug.cgi?id=122911

        Reviewed by Michael Saboff.

        Implement the ES6 spread operator.

        This has a little bit of refactoring to move the enumeration logic out of ForOfNode
        and into BytecodeGenerator, and then adds the logic to make it nicely callback
        driven.

        The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
        and actually handling the spread.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createSpreadExpression):
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/NodeConstructors.h:
        (JSC::SpreadExpressionNode::SpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isSpreadExpression):
        (JSC::SpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::::parseArrayLiteral):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSpreadExpression):

2013-10-16  Mark Lam  <mark.lam@apple.com>

        Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
        https://bugs.webkit.org/show_bug.cgi?id=122899.

        Reviewed by Michael Saboff.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_tear_off_activation):
        (JSC::JIT::emit_op_tear_off_arguments):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-16  Julien Brianceau  <jbriance@cisco.com>

        Remove more of the UNINTERRUPTED_SEQUENCE thing
        https://bugs.webkit.org/show_bug.cgi?id=122885

        Reviewed by Andreas Kling.

        It was not completely removed by r157481, leading to build failure for sh4 architecture.

        * jit/JIT.h:
        * jit/JITInlines.h:

2013-10-15  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the StructureStubInfo::patch union
        https://bugs.webkit.org/show_bug.cgi?id=122877

        Reviewed by Sam Weinig.

        Just simplifying code by getting rid of data structures that ain't used no more.

        Note that I replace the patch union with a patch struct. This means we say things like
        stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
        encapsulation makes the code more readable: the patch struct contains just those things
        that you need to know to perform patching.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::replaceWithJump):
        (JSC::linkRestoreScratch):
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::getPolymorphicStructureList):
        (JSC::patchJumpToGetByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        (JSC::resetIn):

2013-10-15  Nadav Rotem  <nrotem@apple.com>

        FTL: add support for Int52ToValue and fix putByVal of int52s.
        https://bugs.webkit.org/show_bug.cgi?id=122873

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):

2013-10-15  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the UNINTERRUPTED_SEQUENCE thing
        https://bugs.webkit.org/show_bug.cgi?id=122876

        Reviewed by Mark Hahnenberg.

        It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.

        Moreover, we should resist the temptation to bring anything like this back. We don't
        want to have inline caches that only work if the assembler lays out code in a specific
        predetermined way.

        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2013-10-15  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should use the DFG GetById IC
        https://bugs.webkit.org/show_bug.cgi?id=122861

        Reviewed by Oliver Hunt.

        This mostly just kills a ton of code.

        Note that this doesn't yet do all of the simplifications that can be done, but it does
        kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
22214 22215 * bytecode/CodeBlock.cpp: 22216 (JSC::CodeBlock::resetStubInternal): 22217 * jit/JIT.cpp: 22218 (JSC::PropertyStubCompilationInfo::copyToStubInfo): 22219 * jit/JIT.h: 22220 (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo): 22221 * jit/JITInlines.h: 22222 (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile): 22223 (JSC::JIT::callOperation): 22224 * jit/JITPropertyAccess.cpp: 22225 (JSC::JIT::compileGetByIdHotPath): 22226 (JSC::JIT::emitSlow_op_get_by_id): 22227 (JSC::JIT::emitSlow_op_get_from_scope): 22228 * jit/JITPropertyAccess32_64.cpp: 22229 (JSC::JIT::compileGetByIdHotPath): 22230 (JSC::JIT::emitSlow_op_get_by_id): 22231 (JSC::JIT::emitSlow_op_get_from_scope): 22232 * jit/JITStubs.cpp: 22233 * jit/JITStubs.h: 22234 * jit/Repatch.cpp: 22235 (JSC::repatchGetByID): 22236 (JSC::buildGetByIDList): 22237 * jit/ThunkGenerators.cpp: 22238 * jit/ThunkGenerators.h: 22239 222402013-10-15 Dean Jackson <dino@apple.com> 22241 22242 Add ENABLE_WEB_ANIMATIONS flag 22243 https://bugs.webkit.org/show_bug.cgi?id=122871 22244 22245 Reviewed by Tim Horton. 22246 22247 Eventually might be http://dev.w3.org/fxtf/web-animations/ 22248 but this is just engine-internal work at the moment. 22249 22250 * Configurations/FeatureDefines.xcconfig: 22251 222522013-10-15 Julien Brianceau <jbriance@cisco.com> 22253 22254 [sh4] Some calls don't match sh4 ABI. 22255 https://bugs.webkit.org/show_bug.cgi?id=122863 22256 22257 Reviewed by Michael Saboff. 22258 22259 * dfg/DFGSpeculativeJIT.h: 22260 (JSC::DFG::SpeculativeJIT::callOperation): 22261 * jit/CCallHelpers.h: 22262 (JSC::CCallHelpers::setupArgumentsWithExecState): 22263 * jit/JITInlines.h: 22264 (JSC::JIT::callOperation): 22265 222662013-10-15 Daniel Bates <dabates@apple.com> 22267 22268 [iOS] Upstream JavaScriptCore support for ARM64 22269 https://bugs.webkit.org/show_bug.cgi?id=122762 22270 22271 Reviewed by Oliver Hunt and Filip Pizlo. 
22272 22273 * Configurations/Base.xcconfig: 22274 * Configurations/DebugRelease.xcconfig: 22275 * Configurations/JavaScriptCore.xcconfig: 22276 * Configurations/ToolExecutable.xcconfig: 22277 * JavaScriptCore.xcodeproj/project.pbxproj: 22278 * assembler/ARM64Assembler.h: Added. 22279 * assembler/AbstractMacroAssembler.h: 22280 (JSC::isARM64): 22281 (JSC::AbstractMacroAssembler::Label::Label): 22282 (JSC::AbstractMacroAssembler::Jump::Jump): 22283 (JSC::AbstractMacroAssembler::Jump::link): 22284 (JSC::AbstractMacroAssembler::Jump::linkTo): 22285 (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister): 22286 (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate): 22287 (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate): 22288 (JSC::AbstractMacroAssembler::CachedTempRegister::value): 22289 (JSC::AbstractMacroAssembler::CachedTempRegister::setValue): 22290 (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate): 22291 (JSC::AbstractMacroAssembler::invalidateAllTempRegisters): 22292 (JSC::AbstractMacroAssembler::isTempRegisterValid): 22293 (JSC::AbstractMacroAssembler::clearTempRegisterValid): 22294 (JSC::AbstractMacroAssembler::setTempRegisterValid): 22295 * assembler/LinkBuffer.cpp: 22296 (JSC::LinkBuffer::copyCompactAndLinkCode): 22297 (JSC::LinkBuffer::linkCode): 22298 * assembler/LinkBuffer.h: 22299 * assembler/MacroAssembler.h: 22300 (JSC::MacroAssembler::isPtrAlignedAddressOffset): 22301 (JSC::MacroAssembler::pushToSave): 22302 (JSC::MacroAssembler::popToRestore): 22303 (JSC::MacroAssembler::patchableBranchTest32): 22304 * assembler/MacroAssemblerARM64.h: Added. 
22305 * assembler/MacroAssemblerARMv7.h: 22306 * dfg/DFGFixupPhase.cpp: 22307 (JSC::DFG::FixupPhase::fixupNode): 22308 * dfg/DFGOSRExitCompiler32_64.cpp: 22309 (JSC::DFG::OSRExitCompiler::compileExit): 22310 * dfg/DFGOSRExitCompiler64.cpp: 22311 (JSC::DFG::OSRExitCompiler::compileExit): 22312 * dfg/DFGSpeculativeJIT.cpp: 22313 (JSC::DFG::SpeculativeJIT::compileArithDiv): 22314 (JSC::DFG::SpeculativeJIT::compileArithMod): 22315 * disassembler/ARM64/A64DOpcode.cpp: Added. 22316 * disassembler/ARM64/A64DOpcode.h: Added. 22317 * disassembler/ARM64Disassembler.cpp: Added. 22318 * heap/MachineStackMarker.cpp: 22319 (JSC::getPlatformThreadRegisters): 22320 (JSC::otherThreadStackPointer): 22321 * heap/Region.h: 22322 * jit/AssemblyHelpers.h: 22323 (JSC::AssemblyHelpers::debugCall): 22324 * jit/CCallHelpers.h: 22325 * jit/ExecutableAllocator.h: 22326 * jit/FPRInfo.h: 22327 (JSC::FPRInfo::toRegister): 22328 (JSC::FPRInfo::toIndex): 22329 (JSC::FPRInfo::debugName): 22330 * jit/GPRInfo.h: 22331 (JSC::GPRInfo::toRegister): 22332 (JSC::GPRInfo::toIndex): 22333 (JSC::GPRInfo::debugName): 22334 * jit/JITInlines.h: 22335 (JSC::JIT::restoreArgumentReferenceForTrampoline): 22336 * jit/JITOperationWrappers.h: 22337 * jit/JITOperations.cpp: 22338 * jit/JITStubs.cpp: 22339 (JSC::performPlatformSpecificJITAssertions): 22340 (JSC::tryCachePutByID): 22341 * jit/JITStubs.h: 22342 (JSC::JITStackFrame::returnAddressSlot): 22343 * jit/JITStubsARM64.h: Added. 
22344 * jit/JSInterfaceJIT.h: 22345 * jit/Repatch.cpp: 22346 (JSC::emitRestoreScratch): 22347 (JSC::generateProtoChainAccessStub): 22348 (JSC::tryCacheGetByID): 22349 (JSC::emitPutReplaceStub): 22350 (JSC::tryCachePutByID): 22351 (JSC::tryRepatchIn): 22352 * jit/ScratchRegisterAllocator.h: 22353 (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing): 22354 (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping): 22355 * jit/ThunkGenerators.cpp: 22356 (JSC::nativeForGenerator): 22357 (JSC::floorThunkGenerator): 22358 (JSC::ceilThunkGenerator): 22359 * jsc.cpp: 22360 (main): 22361 * llint/LLIntOfflineAsmConfig.h: 22362 * llint/LLIntSlowPaths.cpp: 22363 (JSC::LLInt::handleHostCall): 22364 * llint/LowLevelInterpreter.asm: 22365 * llint/LowLevelInterpreter64.asm: 22366 * offlineasm/arm.rb: 22367 * offlineasm/arm64.rb: Added. 22368 * offlineasm/backends.rb: 22369 * offlineasm/instructions.rb: 22370 * offlineasm/risc.rb: 22371 * offlineasm/transform.rb: 22372 * yarr/YarrJIT.cpp: 22373 (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes): 22374 (JSC::Yarr::YarrGenerator::initCallFrame): 22375 (JSC::Yarr::YarrGenerator::removeCallFrame): 22376 (JSC::Yarr::YarrGenerator::generateEnter): 22377 * yarr/YarrJIT.h: 22378 223792013-10-15 Mark Lam <mark.lam@apple.com> 22380 22381 Fix 3 operand sub operation in C loop LLINT. 22382 https://bugs.webkit.org/show_bug.cgi?id=122866. 22383 22384 Reviewed by Geoffrey Garen. 22385 22386 * offlineasm/cloop.rb: 22387 223882013-10-15 Mark Hahnenberg <mhahnenberg@apple.com> 22389 22390 ObjCCallbackFunctionImpl shouldn't store a JSContext 22391 https://bugs.webkit.org/show_bug.cgi?id=122531 22392 22393 Reviewed by Geoffrey Garen. 22394 22395 The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct 22396 in the common case. It's also no longer necessary in that we can look up the current JSContext 22397 by looking using the globalObject of the callee when the function callback is invoked. 
22398 22399 Also added a new test that would cause us to crash previously. The test required making 22400 JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef 22401 in C API callbacks. 22402 22403 * API/JSContextRef.h: 22404 * API/JSContextRefPrivate.h: 22405 * API/ObjCCallbackFunction.mm: 22406 (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): 22407 (JSC::objCCallbackFunctionCallAsFunction): 22408 (objCCallbackFunctionForInvocation): 22409 * API/WebKitAvailability.h: 22410 * API/tests/CurrentThisInsideBlockGetterTest.h: Added. 22411 * API/tests/CurrentThisInsideBlockGetterTest.mm: Added. 22412 (CallAsConstructor): 22413 (ConstructorFinalize): 22414 (ConstructorClass): 22415 (+[JSValue valueWithConstructorDescriptor:inContext:]): 22416 (-[JSContext valueWithConstructorDescriptor:]): 22417 (currentThisInsideBlockGetterTest): 22418 * API/tests/testapi.mm: 22419 * JavaScriptCore.xcodeproj/project.pbxproj: 22420 * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers. 22421 224222013-10-15 Julien Brianceau <jbriance@cisco.com> 22423 22424 Fix build after r157457 for architecture with 4 argument registers. 22425 https://bugs.webkit.org/show_bug.cgi?id=122860 22426 22427 Reviewed by Michael Saboff. 22428 22429 * jit/CCallHelpers.h: 22430 (JSC::CCallHelpers::setupStubArguments134): 22431 224322013-10-14 Michael Saboff <msaboff@apple.com> 22433 22434 transition void cti_op_* methods to JIT operations. 22435 https://bugs.webkit.org/show_bug.cgi?id=122617 22436 22437 Reviewed by Geoffrey Garen. 
22438 22439 Converted the follow stubs to JIT operations: 22440 cti_handle_watchdog_timer 22441 cti_op_debug 22442 cti_op_pop_scope 22443 cti_op_profile_did_call 22444 cti_op_profile_will_call 22445 cti_op_put_by_index 22446 cti_op_put_getter_setter 22447 cti_op_tear_off_activation 22448 cti_op_tear_off_arguments 22449 cti_op_throw_static_error 22450 cti_optimize 22451 22452 * dfg/DFGOperations.cpp: 22453 * dfg/DFGOperations.h: 22454 * jit/CCallHelpers.h: 22455 (JSC::CCallHelpers::setupArgumentsWithExecState): 22456 (JSC::CCallHelpers::setupThreeStubArgsGPR): 22457 (JSC::CCallHelpers::setupStubArguments): 22458 (JSC::CCallHelpers::setupStubArguments134): 22459 * jit/JIT.cpp: 22460 (JSC::JIT::emitEnterOptimizationCheck): 22461 * jit/JIT.h: 22462 * jit/JITInlines.h: 22463 (JSC::JIT::callOperation): 22464 * jit/JITOpcodes.cpp: 22465 (JSC::JIT::emit_op_tear_off_activation): 22466 (JSC::JIT::emit_op_tear_off_arguments): 22467 (JSC::JIT::emit_op_push_with_scope): 22468 (JSC::JIT::emit_op_pop_scope): 22469 (JSC::JIT::emit_op_push_name_scope): 22470 (JSC::JIT::emit_op_throw_static_error): 22471 (JSC::JIT::emit_op_debug): 22472 (JSC::JIT::emit_op_profile_will_call): 22473 (JSC::JIT::emit_op_profile_did_call): 22474 (JSC::JIT::emitSlow_op_loop_hint): 22475 * jit/JITOpcodes32_64.cpp: 22476 (JSC::JIT::emit_op_push_with_scope): 22477 (JSC::JIT::emit_op_pop_scope): 22478 (JSC::JIT::emit_op_push_name_scope): 22479 (JSC::JIT::emit_op_throw_static_error): 22480 (JSC::JIT::emit_op_debug): 22481 (JSC::JIT::emit_op_profile_will_call): 22482 (JSC::JIT::emit_op_profile_did_call): 22483 * jit/JITOperations.cpp: 22484 * jit/JITOperations.h: 22485 * jit/JITPropertyAccess.cpp: 22486 (JSC::JIT::emit_op_put_by_index): 22487 (JSC::JIT::emit_op_put_getter_setter): 22488 * jit/JITPropertyAccess32_64.cpp: 22489 (JSC::JIT::emit_op_put_by_index): 22490 (JSC::JIT::emit_op_put_getter_setter): 22491 * jit/JITStubs.cpp: 22492 * jit/JITStubs.h: 22493 224942013-10-15 Julien Brianceau <jbriance@cisco.com> 
22495 22496 [sh4] Introduce const pools in LLINT. 22497 https://bugs.webkit.org/show_bug.cgi?id=122746 22498 22499 Reviewed by Michael Saboff. 22500 22501 In current implementation of LLINT for sh4, immediate values outside range -128..127 are 22502 loaded this way: 22503 22504 mov.l .label, rx 22505 bra out 22506 nop 22507 .balign 4 22508 .label: .long immvalue 22509 out: 22510 22511 This change introduces const pools for sh4 implementation to avoid lots of useless branches 22512 and reduce code size. It also removes lines of dirty code, like jmpf and callf. 22513 22514 * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions. 22515 * offlineasm/sh4.rb: 22516 225172013-10-15 Mark Lam <mark.lam@apple.com> 22518 22519 Fix broken C Loop LLINT build. 22520 https://bugs.webkit.org/show_bug.cgi?id=122839. 22521 22522 Reviewed by Michael Saboff. 22523 22524 * dfg/DFGFlushedAt.cpp: 22525 * jit/JITOperations.h: 22526 225272013-10-14 Mark Lam <mark.lam@apple.com> 22528 22529 Transition *switch* and *scope* JITStubs to JIT operations. 22530 https://bugs.webkit.org/show_bug.cgi?id=122757. 22531 22532 Reviewed by Geoffrey Garen. 
22533 22534 Transitioning: 22535 cti_op_switch_char 22536 cti_op_switch_imm 22537 cti_op_switch_string 22538 cti_op_resolve_scope 22539 cti_op_get_from_scope 22540 cti_op_put_to_scope 22541 22542 * jit/JIT.h: 22543 * jit/JITInlines.h: 22544 (JSC::JIT::callOperation): 22545 * jit/JITOpcodes.cpp: 22546 (JSC::JIT::emit_op_switch_imm): 22547 (JSC::JIT::emit_op_switch_char): 22548 (JSC::JIT::emit_op_switch_string): 22549 * jit/JITOpcodes32_64.cpp: 22550 (JSC::JIT::emit_op_switch_imm): 22551 (JSC::JIT::emit_op_switch_char): 22552 (JSC::JIT::emit_op_switch_string): 22553 * jit/JITOperations.cpp: 22554 * jit/JITOperations.h: 22555 * jit/JITPropertyAccess.cpp: 22556 (JSC::JIT::emitSlow_op_resolve_scope): 22557 (JSC::JIT::emitSlow_op_get_from_scope): 22558 (JSC::JIT::emitSlow_op_put_to_scope): 22559 * jit/JITPropertyAccess32_64.cpp: 22560 (JSC::JIT::emitSlow_op_resolve_scope): 22561 (JSC::JIT::emitSlow_op_get_from_scope): 22562 (JSC::JIT::emitSlow_op_put_to_scope): 22563 * jit/JITStubs.cpp: 22564 * jit/JITStubs.h: 22565 225662013-10-14 Filip Pizlo <fpizlo@apple.com> 22567 22568 DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread 22569 https://bugs.webkit.org/show_bug.cgi?id=122786 22570 22571 Reviewed by Mark Hahnenberg. 22572 22573 * bytecode/CodeBlock.cpp: 22574 (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC. 22575 * jit/Repatch.cpp: 22576 (JSC::repatchPutByID): Doing the PutById patching should hold the lock. 22577 (JSC::buildPutByIdList): Ditto. 22578 225792013-10-14 Nadav Rotem <nrotem@apple.com> 22580 22581 Add FTL support for LogicalNot(string) 22582 https://bugs.webkit.org/show_bug.cgi?id=122765 22583 22584 Reviewed by Filip Pizlo. 
22585 22586 This patch is tested by: 22587 regress/script-tests/emscripten-cube2hash.js.ftl-eager 22588 22589 * ftl/FTLCapabilities.cpp: 22590 (JSC::FTL::canCompile): 22591 * ftl/FTLLowerDFGToLLVM.cpp: 22592 (JSC::FTL::LowerDFGToLLVM::compileLogicalNot): 22593 225942013-10-14 Julien Brianceau <jbriance@cisco.com> 22595 22596 [sh4] Fixes after r157404 and r157411. 22597 https://bugs.webkit.org/show_bug.cgi?id=122782 22598 22599 Reviewed by Michael Saboff. 22600 22601 * dfg/DFGSpeculativeJIT.h: 22602 (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG. 22603 * jit/CCallHelpers.h: 22604 (JSC::CCallHelpers::setupArgumentsWithExecState): 22605 * jit/JITInlines.h: 22606 (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG. 22607 * jit/JITPropertyAccess32_64.cpp: 22608 (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE. 22609 226102013-10-14 Commit Queue <commit-queue@webkit.org> 22611 22612 Unreviewed, rolling out r157413. 22613 http://trac.webkit.org/changeset/157413 22614 https://bugs.webkit.org/show_bug.cgi?id=122779 22615 22616 Appears to have caused frequent crashes (Requested by ap on 22617 #webkit). 22618 22619 * CMakeLists.txt: 22620 * GNUmakefile.list.am: 22621 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 22622 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 22623 * JavaScriptCore.xcodeproj/project.pbxproj: 22624 * heap/DeferGC.cpp: Removed. 
22625 * heap/DeferGC.h: 22626 * jit/JITStubs.cpp: 22627 (JSC::tryCacheGetByID): 22628 (JSC::DEFINE_STUB_FUNCTION): 22629 * llint/LLIntSlowPaths.cpp: 22630 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 22631 * runtime/ConcurrentJITLock.h: 22632 * runtime/InitializeThreading.cpp: 22633 (JSC::initializeThreadingOnce): 22634 * runtime/JSCellInlines.h: 22635 (JSC::allocateCell): 22636 * runtime/Structure.cpp: 22637 (JSC::Structure::materializePropertyMap): 22638 (JSC::Structure::putSpecificValue): 22639 (JSC::Structure::createPropertyMap): 22640 * runtime/Structure.h: 22641 226422013-10-14 Mark Hahnenberg <mhahnenberg@apple.com> 22643 22644 COLLECT_ON_EVERY_ALLOCATION causes assertion failures 22645 https://bugs.webkit.org/show_bug.cgi?id=122652 22646 22647 Reviewed by Filip Pizlo. 22648 22649 COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism, 22650 so we would end up ASSERTing during garbage collection. 22651 22652 * heap/MarkedAllocator.cpp: 22653 (JSC::MarkedAllocator::allocateSlowCase): 22654 226552013-10-11 Oliver Hunt <oliver@apple.com> 22656 22657 Separate out array iteration intrinsics 22658 https://bugs.webkit.org/show_bug.cgi?id=122656 22659 22660 Reviewed by Michael Saboff. 22661 22662 Separate out the intrinsics for key and values iteration 22663 of arrays. 22664 22665 This requires moving moving array iteration into the iterator 22666 instance, rather than the prototype, but this is essentially 22667 unobservable so we'll live with it for now. 
22668 22669 * jit/ThunkGenerators.cpp: 22670 (JSC::arrayIteratorNextThunkGenerator): 22671 (JSC::arrayIteratorNextKeyThunkGenerator): 22672 (JSC::arrayIteratorNextValueThunkGenerator): 22673 * jit/ThunkGenerators.h: 22674 * runtime/ArrayIteratorPrototype.cpp: 22675 (JSC::ArrayIteratorPrototype::finishCreation): 22676 * runtime/Intrinsic.h: 22677 * runtime/JSArrayIterator.cpp: 22678 (JSC::JSArrayIterator::finishCreation): 22679 (JSC::createIteratorResult): 22680 (JSC::arrayIteratorNext): 22681 (JSC::arrayIteratorNextKey): 22682 (JSC::arrayIteratorNextValue): 22683 (JSC::arrayIteratorNextGeneric): 22684 * runtime/VM.cpp: 22685 (JSC::thunkGeneratorForIntrinsic): 22686 226872013-10-11 Mark Hahnenberg <mhahnenberg@apple.com> 22688 22689 llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock 22690 https://bugs.webkit.org/show_bug.cgi?id=122667 22691 22692 Reviewed by Filip Pizlo. 22693 22694 The issue this patch is attempting to fix is that there are places in our codebase 22695 where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some 22696 operations that can initiate a garbage collection. Garbage collection then calls 22697 some methods of CodeBlock that also take the ConcurrentJITLock (because they don't 22698 always necessarily run during garbage collection). This causes a deadlock. 22699 22700 To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 22701 into a thread-local field that indicates that it is unsafe to perform any operation 22702 that could trigger garbage collection on the current thread. In debug builds, 22703 ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 22704 detect deadlocks. 22705 22706 This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker, 22707 which uses the DeferGC mechanism to prevent collections from occurring while the 22708 lock is held. 
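A stand-alone model of the mechanism this entry describes, added here as an example and not JavaScriptCore's own code: DisallowGC writes to a thread-local, ConcurrentJITLocker carries one as in a debug build, and GCSafeConcurrentJITLocker defers the collection instead of forbidding it. Only the guard and locker names come from the entry; the Heap, CodeBlock, lock and Outcome type are assumed stand-ins.

```cpp
#include <cstddef>

enum class Outcome { NoCollection, Collected, Deferred, DisallowedViolation };

// DisallowGC's thread-local field: non-zero means a GC on this thread would re-enter
// CodeBlock methods that take the ConcurrentJITLock this thread already holds.
static thread_local unsigned gcDisallowDepth = 0;

struct DisallowGC {
    DisallowGC() { ++gcDisallowDepth; }
    ~DisallowGC() { --gcDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return gcDisallowDepth != 0; }
};

// Assumed stand-in for the real heap: collects once allocated bytes pass a threshold.
class Heap {
public:
    explicit Heap(size_t threshold) : m_threshold(threshold) {}
    Outcome allocate(size_t bytes) {
        m_bytesSinceGC += bytes;
        return collectIfNecessary();
    }
    // Reached from allocate() and from the outermost DeferGC being released.
    Outcome collectIfNecessary() {
        if (m_bytesSinceGC < m_threshold)
            return Outcome::NoCollection;
        // A debug build would ASSERT here, reporting the deadlock at the allocation
        // site instead of hanging later inside a CodeBlock method.
        if (DisallowGC::isGCDisallowedOnCurrentThread())
            return Outcome::DisallowedViolation;
        if (m_deferDepth) {
            m_collectionPending = true;
            return Outcome::Deferred;
        }
        m_bytesSinceGC = 0;
        m_collectionPending = false;
        ++m_collections;
        return Outcome::Collected;
    }
    void incrementDeferralDepth() { ++m_deferDepth; }
    void decrementDeferralDepthAndGCIfNeeded() {
        if (--m_deferDepth == 0 && m_collectionPending)
            collectIfNecessary();
    }
    unsigned collections() const { return m_collections; }
private:
    size_t m_threshold;
    size_t m_bytesSinceGC = 0;
    unsigned m_deferDepth = 0;
    bool m_collectionPending = false;
    unsigned m_collections = 0;
};

// DeferGC: collections requested while it is alive run when the outermost one dies.
struct DeferGC {
    explicit DeferGC(Heap& heap) : m_heap(heap) { m_heap.incrementDeferralDepth(); }
    ~DeferGC() { m_heap.decrementDeferralDepthAndGCIfNeeded(); }
    Heap& m_heap;
};

struct CodeBlock { bool locked = false; }; // single-threaded stand-in for the ConcurrentJITLock

// ConcurrentJITLocker: the lock plus, as in a debug build, a DisallowGC guard.
struct ConcurrentJITLocker {
    explicit ConcurrentJITLocker(CodeBlock& cb) : m_cb(cb) { m_cb.locked = true; }
    ~ConcurrentJITLocker() { m_cb.locked = false; }
    CodeBlock& m_cb;
    DisallowGC m_disallowGC;
};

// GCSafeConcurrentJITLocker: the destructor body unlocks first and only then is the
// DeferGC member destroyed, so the postponed collection runs with the lock released.
struct GCSafeConcurrentJITLocker {
    GCSafeConcurrentJITLocker(CodeBlock& cb, Heap& heap) : m_defer(heap), m_cb(cb) { m_cb.locked = true; }
    ~GCSafeConcurrentJITLocker() { m_cb.locked = false; }
    DeferGC m_defer;
    CodeBlock& m_cb;
};

// The deadlock-prone pattern the entry describes: take the lock, then allocate.
Outcome allocateUnderPlainLocker(Heap& heap, CodeBlock& cb, size_t bytes) {
    ConcurrentJITLocker locker(cb);
    return heap.allocate(bytes);
}

// The GC-safe pattern: same allocation, but the collection is deferred past unlock.
Outcome allocateUnderGCSafeLocker(Heap& heap, CodeBlock& cb, size_t bytes) {
    GCSafeConcurrentJITLocker locker(cb, heap);
    return heap.allocate(bytes);
}
```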

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DeferGC.cpp: Added.
        * heap/DeferGC.h:
        (JSC::DisallowGC::DisallowGC):
        (JSC::DisallowGC::~DisallowGC):
        (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
        (JSC::DisallowGC::initialize):
        * jit/JITStubs.cpp:
        (JSC::tryCachePutByID):
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ConcurrentJITLock.h:
        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::unlockEarly):
        (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        * runtime/Structure.h:

2013-10-14  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should use the DFG's PutById IC
        https://bugs.webkit.org/show_bug.cgi?id=122704

        Reviewed by Mark Hahnenberg.

        Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
        that JIT to use the DFG's (i.e. JITOperations) PutById IC.

        The only complicated part was that the PutById operations assumed that we first did a
        cell speculation, which the baseline JIT obviously won't do. So I changed all of those
        slow paths to deal with EncodedJSValue's.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStubInternal):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
        (JSC::PropertyStubCompilationInfo::slowCaseInfo):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperationWrappers.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/Repatch.cpp:
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateListBuildingPutByIdFunction):
        (JSC::resetPutByID):

2013-10-13  Filip Pizlo  <fpizlo@apple.com>

        FTL should have an inefficient but correct implementation of GetById
        https://bugs.webkit.org/show_bug.cgi?id=122740

        Reviewed by Mark Hahnenberg.

        It took some effort to realize that the node->prediction() check in the DFG backends
        is completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
        if !prediction.

        But other than that this was an easy patch.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):

2013-10-13  Mark Lam  <mark.lam@apple.com>

        Transition misc cti_op_* JITStubs to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122645.

        Reviewed by Michael Saboff.

        Stubs converted:
            cti_op_check_has_instance
            cti_op_create_arguments
            cti_op_del_by_id
            cti_op_instanceof
            cti_to_object
            cti_op_push_activation
            cti_op_get_pnames
            cti_op_load_varargs

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        (JSC::JIT::emitStoreCell):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_check_has_instance):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_check_has_instance):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_del_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_del_by_id):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-13  Filip Pizlo  <fpizlo@apple.com>

        FTL OSR exit should perform zero extension on values smaller than 64-bit
        https://bugs.webkit.org/show_bug.cgi?id=122688

        Reviewed by Gavin Barraclough.

        In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
        register will have zeros on the high bits. In the few cases where the high bits are
        non-zero, the DFG sort of tells us this explicitly.

        But when working with llvm.webkit.stackmap, it doesn't work that way. Consider we might
        emit LLVM IR like:

            %2 = trunc i64 %1 to i32
            stuff %2
            call @llvm.webkit.stackmap(...., %2)

        LLVM may never actually emit a truncation instruction of any kind. And that's great - in
        many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
        bits anyway. Hence LLVM may tell us that %2 is in the register that still had the value
        from before truncation, and that register may have garbage in the high bits.

        This means that on our end, if we want a 32-bit value and we want that value to be
        zero-extended, we should zero-extend it ourselves. This is pretty easy and should be
        cheap, so we should just do it and not make it a requirement that LLVM does it on its
        end.

        This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStubWithOSRExitStackmap):
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):

== Rolled over to ChangeLog-2013-10-13 ==
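An added example (not JavaScriptCore's own code) of the reboxing step the last entry above describes: the same 64-bit register value, carrying stale bits above bit 31 from before the truncation, boxed with and without our own zero-extension. The ValueFormat names and the JSValue tag constants are assumptions made for this model.

```cpp
#include <cstdint>

// Assumed 64-bit JSValue encoding for this model: an int32 lives in the low 32 bits
// under a number tag in the high 16 bits; booleans are small tagged constants.
constexpr uint64_t TagTypeNumber = 0xffff000000000000ULL;
constexpr uint64_t ValueFalse = 0x06;
constexpr uint64_t ValueTrue = 0x07;

// Formats an OSR exit has to rebox from a stackmap location (names assumed).
enum class ValueFormat { Int32, Boolean, JSValue };

// Before the fix: trusts that the register LLVM reported for a truncated value has
// clean high bits. Kept only to show what goes wrong when it does not.
uint64_t reboxTrustingHighBits(ValueFormat format, uint64_t reg) {
    switch (format) {
    case ValueFormat::Int32:   return TagTypeNumber | reg;
    case ValueFormat::Boolean: return reg ? ValueTrue : ValueFalse;
    case ValueFormat::JSValue: return reg;
    }
    return reg;
}

// After the fix: zero-extend (or mask) on our end before boxing, so bits left over
// from the pre-truncation value can never leak into the JSValue.
uint64_t reboxAccordingToFormat(ValueFormat format, uint64_t reg) {
    switch (format) {
    case ValueFormat::Int32:   return TagTypeNumber | static_cast<uint32_t>(reg);
    case ValueFormat::Boolean: return (reg & 1) ? ValueTrue : ValueFalse;
    case ValueFormat::JSValue: return reg; // a full JSValue uses all 64 bits as-is
    }
    return reg;
}

// What a consumer of the box relies on: the high 32 bits of an int32 box are exactly
// the number tag, with nothing else set.
bool isInt32Box(uint64_t box) {
    return (box >> 32) == (TagTypeNumber >> 32);
}

int32_t unboxInt32(uint64_t box) {
    return static_cast<int32_t>(static_cast<uint32_t>(box));
}
```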