2012-05-22 Yong Li [BlackBerry] getPlatformThreadRegisters() should fetch target thread's registers https://bugs.webkit.org/show_bug.cgi?id=87148 Reviewed by George Staikos. Our previous implementation of getPlatformThreadRegisters() read registers in current thread's context but it is supposed to read the target thread's registers. * heap/MachineStackMarker.cpp: (JSC::getPlatformThreadRegisters): 2012-05-05 Filip Pizlo DFG should support reflective arguments access https://bugs.webkit.org/show_bug.cgi?id=85721 Reviewed by Oliver Hunt. Merged r116345 from dfgopt. This adds support for op_create_arguments to the DFG. No other arguments-related opcodes are added by this change, though it does add a lot of the scaffolding necessary for the other ops. This also adds GetByVal/PutByVal optimizations for Arguments. Finally, this rationalizes slowPathCall with no return. Previously, that would work via callOperation() overloads that took InvalidGPRReg as the return GPR. But that creates awful ambiguity, since we had template functions that were polymorphic over all parameters except the second, which was a GPRReg, and a bunch of non-template overloads that also potentially had GPRReg as the second argument. I finally started to hit this ambiguity and was getting absolutely bizarre compiler errors, that made me feel like I was programming in SML. So, I changed the no-argument overloads to take NoResultTag instead, which made everything sensible again by eliminating the overload ambiguity. This is a ~7% speed-up on V8/earley and neutral elsewhere. * bytecode/PredictedType.h: (JSC::isArgumentsPrediction): (JSC): (JSC::isActionableMutableArrayPrediction): * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCCallHelpers.h: (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): (CCallHelpers): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGCapabilities.h: (JSC::DFG::canCompileOpcode): (JSC::DFG::canInlineOpcode): * dfg/DFGCommon.h: * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::unmodifiedArgumentsRegister): (Node): (JSC::DFG::Node::shouldSpeculateArguments): * dfg/DFGNodeType.h: (DFG): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): (DFG): (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl): (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::pickCanTrample): (JSC::DFG::SpeculativeJIT::callOperation): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::cachedPutById): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::cachedPutById): (JSC::DFG::SpeculativeJIT::compile): * runtime/Arguments.h: (ArgumentsData): (Arguments): (JSC::Arguments::offsetOfData): 2011-05-21 Geoffrey Garen GC allocation trigger should be tuned to system RAM https://bugs.webkit.org/show_bug.cgi?id=87039 Reviewed by Darin Adler. This helps avoid OOM crashes on small platforms, and helps avoid "too much GC" performance issues on big platforms. * heap/Heap.cpp: (JSC::Heap::Heap): (JSC::Heap::collect): * heap/Heap.h: (Heap): GC balances between a fixed minimum and a proportional multiplier, which are limited based on system RAM. * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::createContextGroup): (JSC::JSGlobalData::create): (JSC::JSGlobalData::createLeaked): * runtime/JSGlobalData.h: (JSGlobalData): Renamed HeapSize to HeapType because the exact size is influenced by the heap type, but not determined by it. 2012-05-21 Gavin Barraclough Disable private names by default in WebCore https://bugs.webkit.org/show_bug.cgi?id=87088 Reviewed by Geoff Garen. r117859 introduced a preliminary implementation of ES6-like private name objects to JSC. These are probably not yet ready to be web-facing, so disabling by default in WebCore. Opting-in for JSC & DumpRenderTree so that we can still run the fast/js/names.html test. * jsc.cpp: (GlobalObject): (GlobalObject::javaScriptExperimentsEnabled): - Implemented new trap to opt-in to private names support. * runtime/JSGlobalObject.cpp: (JSC): (JSC::JSGlobalObject::reset): - Only add the Name property to the global object if experiments are enabled. * runtime/JSGlobalObject.h: (GlobalObjectMethodTable): - Added new trap to enabled experiments. (JSGlobalObject): (JSC::JSGlobalObject::finishCreation): - Set the global object's m_experimentsEnabled state on construction. (JSC::JSGlobalObject::javaScriptExperimentsEnabled): - Defaults to off. 2012-05-06 Filip Pizlo Truncating multiplication on integers should not OSR exit every time https://bugs.webkit.org/show_bug.cgi?id=85752 Reviewed by Gavin Barraclough. Merge r116264 from dfgopt. * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGGraph.h: (JSC::DFG::Graph::mulShouldSpeculateInteger): (Graph): (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileArithMul): 2012-05-21 Csaba Osztrogonác DFG should be able to compute dominators https://bugs.webkit.org/show_bug.cgi?id=85269 Unreviewed trivial 32 bit buildfix after r117861. * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): 2012-05-21 Filip Pizlo DFG should be able to compute dominators https://bugs.webkit.org/show_bug.cgi?id=85269 Reviewed by Oliver Hunt. Merged r115754 from dfgopt. Implements a naive dominator calculator, which is currently just used to print information in graph dumps. I've enabled it by default mainly to be able to track its performance impact. So far it appears that there is none, which is unsurprising given that the number of basic blocks in most procedures is small. Also tweaked bytecode dumping to reveal more useful information about the nature of the code block. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dump): * dfg/DFGDominators.cpp: Added. (DFG): (JSC::DFG::Dominators::Dominators): (JSC::DFG::Dominators::~Dominators): (JSC::DFG::Dominators::compute): (JSC::DFG::Dominators::iterateForBlock): * dfg/DFGDominators.h: Added. (DFG): (Dominators): (JSC::DFG::Dominators::invalidate): (JSC::DFG::Dominators::computeIfNecessary): (JSC::DFG::Dominators::isValid): (JSC::DFG::Dominators::dominates): * dfg/DFGDriver.cpp: (JSC::DFG::compile): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGGraph.h: (Graph): 2012-05-21 Michael Saboff Cleanup of Calls to operationStrCat and operationNewArray and Use Constructor after r117729 https://bugs.webkit.org/show_bug.cgi?id=87027 Reviewed by Oliver Hunt. Change calls to operationStrCat and operationNewArray to provide the pointer to the EncodedJSValue* data buffer instead of the ScratchBuffer that contains it. Added a ScratchBuffer::create() function. This is a clean-up to r117729. * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * runtime/JSGlobalData.h: (JSC::ScratchBuffer::create): (JSC::ScratchBuffer::dataBuffer): (JSC::JSGlobalData::scratchBufferForSize): 2012-05-15 Gavin Barraclough Add support for private names https://bugs.webkit.org/show_bug.cgi?id=86509 Reviewed by Oliver Hunt. The spec isn't final, but we can start adding support to allow property maps to contain keys that aren't identifiers. * API/JSCallbackObjectFunctions.h: (JSC::::getOwnPropertySlot): (JSC::::put): (JSC::::deleteProperty): (JSC::::getStaticValue): (JSC::::staticFunctionGetter): (JSC::::callbackGetter): - Only expose public named properties over the JSC API. * CMakeLists.txt: * DerivedSources.make: * DerivedSources.pri: * GNUmakefile.list.am: * JavaScriptCore.gypi: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: - Added new files to build system. * dfg/DFGOperations.cpp: (JSC::DFG::operationPutByValInternal): - Added support for property access with name objects. * interpreter/CallFrame.h: (JSC::ExecState::privateNamePrototypeTable): - Added hash table for NamePrototype * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): - Added support for property access with name objects. * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): - Added support for property access with name objects. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::getByVal): (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::opIn): * runtime/JSActivation.cpp: (JSC::JSActivation::symbolTableGet): (JSC::JSActivation::symbolTablePut): (JSC::JSActivation::symbolTablePutWithAttributes): - Added support for property access with name objects. * runtime/JSGlobalData.cpp: (JSC): (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::~JSGlobalData): * runtime/JSGlobalData.h: (JSGlobalData): - Added hash table for NamePrototype * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::reset): * runtime/JSGlobalObject.h: (JSGlobalObject): (JSC::JSGlobalObject::privateNameStructure): (JSC::JSGlobalObject::symbolTableHasProperty): - Added new global properties. * runtime/JSType.h: * runtime/JSTypeInfo.h: (JSC::TypeInfo::isName): - Added type for NameInstances, for fast isName check. * runtime/JSVariableObject.cpp: (JSC::JSVariableObject::deleteProperty): (JSC::JSVariableObject::symbolTableGet): * runtime/JSVariableObject.h: (JSC::JSVariableObject::symbolTableGet): (JSC::JSVariableObject::symbolTablePut): (JSC::JSVariableObject::symbolTablePutWithAttributes): - symbol table lookup should take a PropertyName. * runtime/Lookup.cpp: (JSC::setUpStaticFunctionSlot): * runtime/Lookup.h: (JSC::HashTable::entry): - entry lookup should take a PropertyName. * runtime/NameConstructor.cpp: Added. (JSC): (JSC::NameConstructor::NameConstructor): (JSC::NameConstructor::finishCreation): (JSC::constructPrivateName): (JSC::NameConstructor::getConstructData): (JSC::NameConstructor::getCallData): * runtime/NameConstructor.h: Added. (JSC): (NameConstructor): (JSC::NameConstructor::create): (JSC::NameConstructor::createStructure): - Added constructor. * runtime/NameInstance.cpp: Added. (JSC): (JSC::NameInstance::NameInstance): (JSC::NameInstance::destroy): * runtime/NameInstance.h: Added. (JSC): (NameInstance): (JSC::NameInstance::createStructure): (JSC::NameInstance::create): (JSC::NameInstance::privateName): (JSC::NameInstance::nameString): (JSC::NameInstance::finishCreation): (JSC::isName): - Added instance. * runtime/NamePrototype.cpp: Added. (JSC): (JSC::NamePrototype::NamePrototype): (JSC::NamePrototype::finishCreation): (JSC::NamePrototype::getOwnPropertySlot): (JSC::NamePrototype::getOwnPropertyDescriptor): (JSC::privateNameProtoFuncToString): * runtime/NamePrototype.h: Added. (JSC): (NamePrototype): (JSC::NamePrototype::create): (JSC::NamePrototype::createStructure): - Added prototype. * runtime/PrivateName.h: Added. (JSC): (PrivateName): (JSC::PrivateName::PrivateName): (JSC::PrivateName::uid): - A private name object holds a StringImpl that can be used as a unique key in a property map. * runtime/PropertyMapHashTable.h: (JSC::PropertyTable::find): (JSC::PropertyTable::findWithString): - Strings should only match keys in the table that are identifiers. * runtime/PropertyName.h: (JSC::PropertyName::PropertyName): (PropertyName): (JSC::PropertyName::uid): (JSC::PropertyName::publicName): (JSC::PropertyName::asIndex): (JSC::operator==): (JSC::operator!=): - replaced impl() & ustring() with uid() [to get the raw impl] and publicName() [impl or null, if not an identifier]. * runtime/Structure.cpp: (JSC::Structure::despecifyDictionaryFunction): (JSC::Structure::addPropertyTransitionToExistingStructure): (JSC::Structure::addPropertyTransition): (JSC::Structure::attributeChangeTransition): (JSC::Structure::get): (JSC::Structure::despecifyFunction): (JSC::Structure::putSpecificValue): (JSC::Structure::remove): (JSC::Structure::getPropertyNamesFromStructure): * runtime/Structure.h: (JSC::Structure::get): - call uid() to get a PropertyName raw impl, for use as a key. 2012-04-30 Filip Pizlo Bytecode dumps should contain data about the state of get_by_id caches https://bugs.webkit.org/show_bug.cgi?id=85246 Reviewed by Gavin Barraclough. Merge r115694 from dfgopt. Changed the DFG bytecode parser (and the code that calls it) to be able to call codeBlock->dump() on the code blocks being parsed. Changed bytecode dumping to be able to print the state of get_by_id caches inline with the bytecode. Removed the old StructureStubInfo dumping code, which no longer worked right, and was incapable of telling us information about chain and list accesses. This change does not add dumping for put_by_id caches. We can add that at a later time. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::printUnaryOp): (JSC::CodeBlock::printBinaryOp): (JSC::CodeBlock::printConditionalJump): (JSC::CodeBlock::printGetByIdOp): (JSC::dumpStructure): (JSC): (JSC::dumpChain): (JSC::CodeBlock::printGetByIdCacheStatus): (JSC::CodeBlock::printCallOp): (JSC::CodeBlock::printPutByIdOp): (JSC::printGlobalResolveInfo): (JSC::CodeBlock::printStructure): (JSC::CodeBlock::printStructures): (JSC::CodeBlock::dump): (JSC::CodeBlock::visitStructures): (JSC::ProgramCodeBlock::jitCompileImpl): (JSC::EvalCodeBlock::jitCompileImpl): (JSC::FunctionCodeBlock::jitCompileImpl): * bytecode/CodeBlock.h: (CodeBlock): (JSC::CodeBlock::jitCompile): (ProgramCodeBlock): (EvalCodeBlock): (FunctionCodeBlock): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::ByteCodeParser): (ByteCodeParser): (JSC::DFG::ByteCodeParser::parseCodeBlock): (JSC::DFG::parse): * dfg/DFGByteCodeParser.h: (DFG): * dfg/DFGDriver.cpp: (JSC::DFG::compile): (JSC::DFG::tryCompile): (JSC::DFG::tryCompileFunction): * dfg/DFGDriver.h: (DFG): (JSC::DFG::tryCompile): (JSC::DFG::tryCompileFunction): * dfg/DFGOSRExitCompiler.cpp: * jit/JITDriver.h: (JSC::jitCompileIfAppropriate): (JSC::jitCompileFunctionIfAppropriate): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::jitCompileAndSetHeuristics): * runtime/Executable.cpp: (JSC::EvalExecutable::jitCompile): (JSC::EvalExecutable::compileInternal): (JSC::ProgramExecutable::jitCompile): (JSC::ProgramExecutable::compileInternal): (JSC::FunctionExecutable::jitCompileForCall): (JSC::FunctionExecutable::jitCompileForConstruct): (JSC::FunctionExecutable::compileForCallInternal): (JSC::FunctionExecutable::compileForConstructInternal): * runtime/Executable.h: (EvalExecutable): (ProgramExecutable): (FunctionExecutable): (JSC::FunctionExecutable::jitCompileFor): * runtime/ExecutionHarness.h: (JSC::prepareForExecution): (JSC::prepareFunctionForExecution): 2012-05-21 Carlos Garcia Campos Unreviewed. Fix make distcheck. * GNUmakefile.list.am: Add missing header files. 2012-05-21 Allan Sandfeld Jensen GCC 4.7 and C++11 https://bugs.webkit.org/show_bug.cgi?id=86465 Reviewed by Darin Adler. Set emptyValueIsZero flag so RegExpKey can be used with the non-copyable RegExp values. * runtime/RegExpKey.h: 2012-05-20 Michael Saboff JSGlobalData ScratchBuffers Are Not Visited During Garbage Collection https://bugs.webkit.org/show_bug.cgi?id=86553 Reviewed by Gavin Barraclough. Scratch buffers can contain the only reference to live objects. Therefore visit scratch buffer contents as conservative roots. Changed the scratch buffers to be a struct with an "active" length and the actual buffer. The users of the scratch buffer emit code where needed to set and clear the active length as appropriate. During marking, the active count is used for conservative marking. * dfg/DFGAssemblyHelpers.h: (JSC::DFG::AssemblyHelpers::debugCall): * dfg/DFGOSRExitCompiler32_64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGThunks.cpp: (JSC::DFG::osrExitGenerationThunkGenerator): * heap/Heap.cpp: (JSC::Heap::markRoots): * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::gatherConservativeRoots): * runtime/JSGlobalData.h: (JSC::ScratchBuffer::ScratchBuffer): (ScratchBuffer): (JSC::ScratchBuffer::allocationSize): (JSC::ScratchBuffer::setActiveLength): (JSC::ScratchBuffer::activeLength): (JSC::ScratchBuffer::activeLengthPtr): (JSC::ScratchBuffer::dataBuffer): (JSGlobalData): (JSC::JSGlobalData::scratchBufferForSize): 2012-05-20 Filip Pizlo Predicted types should know about arguments https://bugs.webkit.org/show_bug.cgi?id=85165 Reviewed by Oliver Hunt. Merge r115604 from dfgopt. * bytecode/PredictedType.cpp: (JSC::predictionToString): (JSC::predictionToAbbreviatedString): (JSC::predictionFromClassInfo): * bytecode/PredictedType.h: (JSC): (JSC::isMyArgumentsPrediction): (JSC::isArgumentsPrediction): 2012-05-20 Filip Pizlo Bytecompiler should emit trivially fewer jumps in loops https://bugs.webkit.org/show_bug.cgi?id=85144 Reviewed by Oliver Hunt. Merged r115587 from dfgopt. 1-2% across the board win. * bytecompiler/NodesCodegen.cpp: (JSC::WhileNode::emitBytecode): (JSC::ForNode::emitBytecode): 2012-05-19 Vivek Galatage Windows build broken due to changes in the http://trac.webkit.org/changeset/117646 https://bugs.webkit.org/show_bug.cgi?id=86939 The changeset 117646 changed the JSString::toBoolean signature. This change is for fixing the windows build break. Reviewed by Ryosuke Niwa. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2012-05-18 Filip Pizlo REGRESSION(117646): fast/canvas/webgl/glsl-conformance.html is crashing in the DFG https://bugs.webkit.org/show_bug.cgi?id=86929 Reviewed by Oliver Hunt. The problem was that if CFG simplification saw a Branch with identical successors, it would always perform a basic block merge. But that's wrong if the successor has other predecessors. * dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::run): 2012-05-18 Filip Pizlo DFG CFG simplification crashes if it's trying to remove an unreachable block that has an already-killed-off unreachable successor https://bugs.webkit.org/show_bug.cgi?id=86918 Reviewed by Oliver Hunt. This fixes crashes in: inspector/styles/styles-computed-trace.html inspector/console/console-big-array.html * dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::fixPhis): 2012-05-18 Filip Pizlo DFG should have control flow graph simplification https://bugs.webkit.org/show_bug.cgi?id=84553 Reviewed by Oliver Hunt. Merged r115512 from dfgopt. This change gives the DFG the ability to simplify the control flow graph as part of an optimization fixpoint that includes CSE, CFA, and constant folding. This required a number of interesting changes including: - Solidifying the set of invariants that the DFG obeys. For example, the head and tail of each basic block must advertise the set of live locals and the set of available locals, respectively. It must do so by referring to the first access to the local in the block (for head) and the last one (for tail). This patch introduces the start of a validation step that may be turned on even with asserts disabled. To ensure that these invariants are preserved, I had to remove the redundant phi elimination phase. For now I just remove the call, but in the future we will probably remove it entirely unless we find a use for it. - Making it easier to get the boolean version of a JSValue. This is a pure operation, but we previously did not treat it as such. - Fixing the merging and filtering of AbstractValues that correspond to concrete JSValues. This was previously broken and was limiting the effect of running constant folding. Fixing this meant that I had to change how constant folding eliminates GetLocal nodes, so as to ensure that the resulting graph still obeys DFG rules. - Introducing simplified getters for some of the things that DFG phases want to know about, like the Nth child of a node (now just graph.child(...) if you don't care about performance too much) or getting successors of a basic block. The current CFG simplifier can handle almost all of the cases that it ought to handle; the noteworthy one that is not yet handled is removing basic blocks that just have jumps. To do this right we need to be able to remove jump-only blocks that also perform keep-alive on some values. To make this work, we need to be able to hoist the keep-alive into (or just above) a Branch. This is not fundamentally difficult but I opted to let this patch omit this optimization. We can handle this later. This is a big win on programs that include inline functions that are often called with constant arguments. Of course, SunSpider, V8, and Kraken don't count. Those benchmarks are completely neutral with this change. * API/JSValueRef.cpp: (JSValueToBoolean): * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * bytecode/CodeBlock.h: (JSC::CodeBlock::dfgOSREntryDataForBytecodeIndex): * bytecode/Operands.h: (JSC::Operands::setOperandFirstTime): (Operands): * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::initialize): (JSC::DFG::AbstractState::execute): (JSC::DFG::AbstractState::mergeStateAtTail): (JSC::DFG::AbstractState::mergeToSuccessors): * dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::isClear): (JSC::DFG::AbstractValue::operator!=): (JSC::DFG::AbstractValue::merge): (JSC::DFG::AbstractValue::filter): (JSC::DFG::AbstractValue::validateIgnoringValue): (AbstractValue): * dfg/DFGAdjacencyList.h: (JSC::DFG::AdjacencyList::child): (JSC::DFG::AdjacencyList::setChild): (AdjacencyList): * dfg/DFGBasicBlock.h: (JSC::DFG::BasicBlock::~BasicBlock): (BasicBlock): (JSC::DFG::BasicBlock::numNodes): (JSC::DFG::BasicBlock::nodeIndex): (JSC::DFG::BasicBlock::isPhiIndex): (JSC::DFG::BasicBlock::isInPhis): (JSC::DFG::BasicBlock::isInBlock): * dfg/DFGByteCodeParser.cpp: (ByteCodeParser): (DFG): (JSC::DFG::ByteCodeParser::parse): * dfg/DFGCFAPhase.cpp: (JSC::DFG::CFAPhase::run): (JSC::DFG::CFAPhase::performBlockCFA): (JSC::DFG::performCFA): * dfg/DFGCFAPhase.h: (DFG): * dfg/DFGCFGSimplificationPhase.cpp: Added. (DFG): (CFGSimplificationPhase): (JSC::DFG::CFGSimplificationPhase::CFGSimplificationPhase): (JSC::DFG::CFGSimplificationPhase::run): (JSC::DFG::CFGSimplificationPhase::killUnreachable): (JSC::DFG::CFGSimplificationPhase::findOperandSource): (JSC::DFG::CFGSimplificationPhase::keepOperandAlive): (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal): (JSC::DFG::CFGSimplificationPhase::jettisonBlock): (JSC::DFG::CFGSimplificationPhase::fixPhis): (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors): (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference): (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution): (OperandSubstitution): (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump): (JSC::DFG::CFGSimplificationPhase::skipGetLocal): (JSC::DFG::CFGSimplificationPhase::fixTailOperand): (JSC::DFG::CFGSimplificationPhase::mergeBlocks): (JSC::DFG::performCFGSimplification): * dfg/DFGCFGSimplificationPhase.h: Added. (DFG): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::run): (CSEPhase): (JSC::DFG::CSEPhase::impureCSE): (JSC::DFG::CSEPhase::globalVarLoadElimination): (JSC::DFG::CSEPhase::getByValLoadElimination): (JSC::DFG::CSEPhase::checkStructureLoadElimination): (JSC::DFG::CSEPhase::getByOffsetLoadElimination): (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): (JSC::DFG::CSEPhase::performNodeCSE): (JSC::DFG::CSEPhase::performBlockCSE): (JSC::DFG::performCSE): * dfg/DFGCSEPhase.h: (DFG): * dfg/DFGCommon.h: * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::run): (JSC::DFG::performConstantFolding): * dfg/DFGConstantFoldingPhase.h: (DFG): * dfg/DFGDriver.cpp: (JSC::DFG::compile): * dfg/DFGEdge.h: (Edge): (JSC::DFG::Edge::operator UnspecifiedBoolType*): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::run): (JSC::DFG::FixupPhase::fixupBlock): (JSC::DFG::performFixup): * dfg/DFGFixupPhase.h: (DFG): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): (JSC::DFG::Graph::handleSuccessor): (DFG): (JSC::DFG::Graph::determineReachability): (JSC::DFG::Graph::resetReachability): * dfg/DFGGraph.h: (JSC::DFG::Graph::deref): (JSC::DFG::Graph::changeIndex): (Graph): (JSC::DFG::Graph::changeEdge): (JSC::DFG::Graph::numSuccessors): (JSC::DFG::Graph::successor): (JSC::DFG::Graph::successorForCondition): (JSC::DFG::Graph::isPredictedNumerical): (JSC::DFG::Graph::byValIsPure): (JSC::DFG::Graph::clobbersWorld): (JSC::DFG::Graph::numChildren): (JSC::DFG::Graph::child): * dfg/DFGNode.h: (JSC::DFG::Node::convertToConstant): (JSC::DFG::Node::numSuccessors): (Node): (JSC::DFG::Node::successor): (JSC::DFG::Node::successorForCondition): * dfg/DFGNodeType.h: (DFG): * dfg/DFGOSREntry.cpp: (JSC::DFG::prepareOSREntry): * dfg/DFGOperations.cpp: * dfg/DFGPhase.cpp: (JSC::DFG::Phase::endPhase): * dfg/DFGPhase.h: (JSC::DFG::runPhase): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::run): (JSC::DFG::performPredictionPropagation): * dfg/DFGPredictionPropagationPhase.h: (DFG): * dfg/DFGRedundantPhiEliminationPhase.cpp: (JSC::DFG::RedundantPhiEliminationPhase::run): (JSC::DFG::performRedundantPhiElimination): * dfg/DFGRedundantPhiEliminationPhase.h: (DFG): * dfg/DFGScoreBoard.h: (JSC::DFG::ScoreBoard::use): (ScoreBoard): (JSC::DFG::ScoreBoard::useIfHasResult): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch): (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::createOSREntries): (JSC::DFG::SpeculativeJIT::linkOSREntries): (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant): (JSC::DFG::SpeculativeJIT::compileRegExpExec): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::nextBlock): (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::use): (JSC::DFG::SpeculativeJIT::jump): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGValidate.cpp: Added. (DFG): (Validate): (JSC::DFG::Validate::Validate): (JSC::DFG::Validate::validate): (JSC::DFG::Validate::reportValidationContext): (JSC::DFG::Validate::dumpData): (JSC::DFG::Validate::dumpGraphIfAppropriate): (JSC::DFG::validate): * dfg/DFGValidate.h: Added. (DFG): (JSC::DFG::validate): * dfg/DFGVirtualRegisterAllocationPhase.cpp: (JSC::DFG::VirtualRegisterAllocationPhase::run): (JSC::DFG::performVirtualRegisterAllocation): * dfg/DFGVirtualRegisterAllocationPhase.h: (DFG): * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncFilter): (JSC::arrayProtoFuncEvery): (JSC::arrayProtoFuncSome): * runtime/BooleanConstructor.cpp: (JSC::constructBoolean): (JSC::callBooleanConstructor): * runtime/JSCell.h: (JSCell): * runtime/JSObject.cpp: (JSC): * runtime/JSObject.h: * runtime/JSString.cpp: (JSC::JSString::toBoolean): * runtime/JSString.h: (JSString): (JSC::JSCell::toBoolean): (JSC::JSValue::toBoolean): * runtime/JSValue.h: * runtime/ObjectConstructor.cpp: (JSC::toPropertyDescriptor): * runtime/RegExpConstructor.cpp: (JSC::setRegExpConstructorMultiline): * runtime/RegExpPrototype.cpp: (JSC::regExpProtoFuncToString): 2012-05-18 Filip Pizlo Unreviewed, build fix. * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): 2012-04-17 Filip Pizlo DFG should have constant propagation https://bugs.webkit.org/show_bug.cgi?id=84004 Reviewed by Gavin Barraclough. Merge r114554 from dfgopt. Changes AbstractValue to be able to hold a "set" of constants, where the maximum set size is 1 - so merging a value containing constant A with another value containing constant B where A != B will result in the AbstractValue claiming that it does not know any constants (i.e. it'll just have a predicted type and possible a structure). Added a constant folding phase that uses this new information to replace pure operations known to have constant results with JSConstants. This is OSR-exit-aware, in that it will prepend a Phantom that refers to all of the kids of the node we replaced. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::beginBasicBlock): (JSC::DFG::AbstractState::endBasicBlock): (JSC::DFG::AbstractState::execute): * dfg/DFGAbstractState.h: (AbstractState): * dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::clear): (JSC::DFG::AbstractValue::isClear): (JSC::DFG::AbstractValue::makeTop): (JSC::DFG::AbstractValue::clobberValue): (AbstractValue): (JSC::DFG::AbstractValue::valueIsTop): (JSC::DFG::AbstractValue::value): (JSC::DFG::AbstractValue::set): (JSC::DFG::AbstractValue::operator==): (JSC::DFG::AbstractValue::merge): (JSC::DFG::AbstractValue::filter): (JSC::DFG::AbstractValue::validate): (JSC::DFG::AbstractValue::checkConsistency): (JSC::DFG::AbstractValue::dump): * dfg/DFGAdjacencyList.h: (JSC::DFG::AdjacencyList::initialize): (AdjacencyList): (JSC::DFG::AdjacencyList::reset): * dfg/DFGBasicBlock.h: (JSC::DFG::BasicBlock::BasicBlock): (BasicBlock): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::constantCSE): (CSEPhase): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGConstantFoldingPhase.cpp: Added. (DFG): (ConstantFoldingPhase): (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase): (JSC::DFG::ConstantFoldingPhase::run): (JSC::DFG::performConstantFolding): * dfg/DFGConstantFoldingPhase.h: Added. (DFG): * dfg/DFGDriver.cpp: (JSC::DFG::compile): * dfg/DFGGraph.h: (Graph): (JSC::DFG::Graph::convertToConstant): * dfg/DFGInsertionSet.h: (JSC::DFG::InsertionSet::execute): * dfg/DFGNode.h: (JSC::DFG::Node::convertToConstant): (Node): * runtime/JSValue.cpp: (JSC::JSValue::description): * runtime/JSValue.h: (JSValue): 2012-05-18 Caio Marcelo de Oliveira Filho Fix build for Qt by using ASSERT_UNUSED in DFGSpeculativeJIT https://bugs.webkit.org/show_bug.cgi?id=86902 Reviewed by Andreas Kling. * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): 2012-04-16 Filip Pizlo DFG should have out-of-line slow paths https://bugs.webkit.org/show_bug.cgi?id=83992 Reviewed by Oliver Hunt. Merge of r114472 and r114553 from dfgopt. Introduces the notion of slow path code generation closures in the DFG. These are defined in DFGSlowPathGenerator.h, though they are fairly extensible so DFGSpeculativeJIT64.cpp and DFGSpeculativeJIT32_64.cpp define a couple special-purpose ones. A slow path generation closure (DFG::SlowPathGenerator) is executed after the main speculative path is generated. This makes them great for scheduling slow path code out of the way of the hot paths. This patch also converts most - but not all - of the DFG to use slow path generators instead of inline slow paths. The result is a sub-1% improvement on SunSpider and V8, and a miniscule regression on Kraken. * JavaScriptCore.xcodeproj/project.pbxproj: * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr): (TrustedImmPtr): (JSC::AbstractMacroAssembler::TrustedImm32::TrustedImm32): (TrustedImm32): * bytecode/StructureStubInfo.h: * dfg/DFGCommon.h: * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::link): (JSC::DFG::JITCompiler::compile): (JSC::DFG::JITCompiler::compileFunction): * dfg/DFGJITCompiler.h: (DFG): (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord): (PropertyAccessRecord): (JITCompiler): * dfg/DFGSilentRegisterSavePlan.h: Added. (DFG): (SilentRegisterSavePlan): (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan): (JSC::DFG::SilentRegisterSavePlan::spillAction): (JSC::DFG::SilentRegisterSavePlan::fillAction): (JSC::DFG::SilentRegisterSavePlan::nodeIndex): (JSC::DFG::SilentRegisterSavePlan::gpr): (JSC::DFG::SilentRegisterSavePlan::fpr): * dfg/DFGSlowPathGenerator.h: Added. (DFG): (SlowPathGenerator): (JSC::DFG::SlowPathGenerator::SlowPathGenerator): (JSC::DFG::SlowPathGenerator::~SlowPathGenerator): (JSC::DFG::SlowPathGenerator::generate): (JSC::DFG::SlowPathGenerator::label): (JSC::DFG::SlowPathGenerator::call): (JumpingSlowPathGenerator): (JSC::DFG::JumpingSlowPathGenerator::JumpingSlowPathGenerator): (JSC::DFG::JumpingSlowPathGenerator::linkFrom): (JSC::DFG::JumpingSlowPathGenerator::jumpTo): (CallSlowPathGenerator): (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator): (JSC::DFG::CallSlowPathGenerator::call): (JSC::DFG::CallSlowPathGenerator::setUp): (JSC::DFG::CallSlowPathGenerator::recordCall): (JSC::DFG::CallSlowPathGenerator::tearDown): (CallResultAndNoArgumentsSlowPathGenerator): (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::CallResultAndNoArgumentsSlowPathGenerator): (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::generateInternal): (CallResultAndOneArgumentSlowPathGenerator): (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::CallResultAndOneArgumentSlowPathGenerator): (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::generateInternal): (CallResultAndTwoArgumentsSlowPathGenerator): (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::CallResultAndTwoArgumentsSlowPathGenerator): (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::generateInternal): (CallResultAndThreeArgumentsSlowPathGenerator): (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::CallResultAndThreeArgumentsSlowPathGenerator): (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::generateInternal): (CallResultAndFourArgumentsSlowPathGenerator): (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::CallResultAndFourArgumentsSlowPathGenerator): (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::generateInternal): (CallResultAndFiveArgumentsSlowPathGenerator): (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::CallResultAndFiveArgumentsSlowPathGenerator): (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::generateInternal): (JSC::DFG::slowPathCall): (AssigningSlowPathGenerator): (JSC::DFG::AssigningSlowPathGenerator::AssigningSlowPathGenerator): (JSC::DFG::AssigningSlowPathGenerator::generateInternal): (JSC::DFG::slowPathMove): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::SpeculativeJIT): (DFG): (JSC::DFG::SpeculativeJIT::~SpeculativeJIT): (JSC::DFG::SpeculativeJIT::addSlowPathGenerator): (JSC::DFG::SpeculativeJIT::runSlowPathGenerators): (JSC::DFG::SpeculativeJIT::compileValueToInt32): (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): * dfg/DFGSpeculativeJIT.h: (DFG): (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR): (JSC::DFG::SpeculativeJIT::silentSpill): (JSC::DFG::SpeculativeJIT::silentFill): (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl): (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters): (JSC::DFG::SpeculativeJIT::pickCanTrample): (JSC::DFG::SpeculativeJIT::silentFillAllRegisters): (JSC::DFG::SpeculativeJIT::callOperation): * dfg/DFGSpeculativeJIT32_64.cpp: (ValueToNumberSlowPathGenerator): (JSC::DFG::ValueToNumberSlowPathGenerator::ValueToNumberSlowPathGenerator): (JSC::DFG::ValueToNumberSlowPathGenerator::generateInternal): (DFG): (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber): (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32): (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::cachedPutById): (CompareAndBoxBooleanSlowPathGenerator): (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (ValueToNumberSlowPathGenerator): (JSC::DFG::ValueToNumberSlowPathGenerator::ValueToNumberSlowPathGenerator): (JSC::DFG::ValueToNumberSlowPathGenerator::generateInternal): (DFG): (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber): (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32): (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::cachedPutById): (CompareAndBoxBooleanSlowPathGenerator): (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::compile): 2012-05-18 Tony Chang remove the CSS_GRID_LAYOUT compiler define, but default grid layout to off https://bugs.webkit.org/show_bug.cgi?id=86767 Reviewed by Ojan Vafai. * Configurations/FeatureDefines.xcconfig: Remove ENABLE_CSS_GRID_LAYOUT. 2012-05-17 Filip Pizlo Setting array index -1 and looping over array causes bad behavior https://bugs.webkit.org/show_bug.cgi?id=86733 Reviewed by Oliver Hunt. * dfg/DFGOperations.cpp: 2012-05-17 Geoffrey Garen Not reviewed. Rolled out r117495 because it caused som out of memory crashes. * heap/Heap.cpp: (JSC::Heap::collect): 2012-05-17 Geoffrey Garen Refactored the Heap to move more MarkedSpace logic into MarkedSpace https://bugs.webkit.org/show_bug.cgi?id=86790 Reviewed by Gavin Barraclough. * heap/Heap.cpp: (JSC::Heap::lastChanceToFinalize): (JSC::Heap::markRoots): (JSC): (JSC::Heap::objectCount): (JSC::Heap::size): (JSC::Heap::capacity): (JSC::Heap::collect): * heap/Heap.h: (Heap): Took all the functors from here... * heap/MarkedBlock.h: (CountFunctor): (JSC::MarkedBlock::CountFunctor::CountFunctor): (JSC::MarkedBlock::CountFunctor::count): (JSC::MarkedBlock::CountFunctor::returnValue): (MarkedBlock): * heap/MarkedSpace.h: (JSC::ClearMarks::operator()): (JSC): (JSC::Sweep::operator()): (JSC::MarkCount::operator()): (JSC::Size::operator()): (JSC::Capacity::operator()): (MarkedSpace): (JSC::MarkedSpace::clearMarks): (JSC::MarkedSpace::sweep): (JSC::MarkedSpace::objectCount): (JSC::MarkedSpace::size): (JSC::MarkedSpace::capacity): and put them here. 2012-05-17 Geoffrey Garen Increase the GC allocation trigger https://bugs.webkit.org/show_bug.cgi?id=86699 Reviewed by Sam Weinig. This helps a lot when the heap is growing, and helps to resolve the regression caused by r116484. * heap/Heap.cpp: (JSC::Heap::collect): 2012-05-16 Mark Hahnenberg GC in the middle of JSObject::allocatePropertyStorage can cause badness https://bugs.webkit.org/show_bug.cgi?id=83839 Reviewed by Geoff Garen. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * jit/JITStubs.cpp: Making changes to use the new return value of growPropertyStorage. (JSC::DEFINE_STUB_FUNCTION): * runtime/JSObject.cpp: (JSC::JSObject::growPropertyStorage): Renamed to more accurately reflect that we're growing our already-existing PropertyStorage. * runtime/JSObject.h: (JSObject): (JSC::JSObject::setPropertyStorage): "Atomically" sets the new property storage and the new structure so that we can be sure a GC never occurs when our Structure info is out of sync with our PropertyStorage. (JSC): (JSC::JSObject::putDirectInternal): Moved the check to see if we should allocate more backing store before the actual property insertion into the structure. (JSC::JSObject::putDirectWithoutTransition): Ditto. (JSC::JSObject::transitionTo): Ditto. * runtime/Structure.cpp: (JSC::Structure::suggestedNewPropertyStorageSize): Added to keep the resize policy for property backing stores contained within the Structure class. (JSC): * runtime/Structure.h: (JSC::Structure::shouldGrowPropertyStorage): Lets clients know if another insertion into the Structure would require resizing the property backing store so that they can preallocate the required storage. (Structure): 2012-05-16 Geoffrey Garen GC is not thread-safe when moving values between C stacks https://bugs.webkit.org/show_bug.cgi?id=86672 Reviewed by Phil Pizlo. GC pauses thread A while marking thread A, and then B while marking B, which isn't safe against A and B moving values between each others' stacks. This is a theoretical bug -- I haven't been able to reproduce it in the wild. * heap/MachineStackMarker.cpp: (JSC::MachineThreads::gatherFromOtherThread): (JSC::MachineThreads::gatherConservativeRoots): Pause all C stacks for the duration of stack marking, to avoid missing values that might be moving between C stacks. 2012-05-15 Mark Hahnenberg Block freeing thread should not free blocks when we are actively requesting them https://bugs.webkit.org/show_bug.cgi?id=86519 Reviewed by Geoff Garen. * heap/BlockAllocator.h: (JSC::BlockAllocator::allocate): Reordering the setting of the flag so its done while we hold the lock to ensure proper locking. 2012-05-15 Filip Pizlo shrinkToFit() is often not called for Vectors in CodeBlock https://bugs.webkit.org/show_bug.cgi?id=86436 Reviewed by Oliver Hunt. The vectors in CodeBlock are often appended to during various stages of compilation, but we neglect to shrink them after compilation finishes. This patch takes the most brutal possible approach: shrink all the vectors after the bytecompile phase, and then shrink them again after the appropriate JITing phase. The two shrinks are necessary because the JIT may append more stuff, but may also generate code that directly references things in other vectors; hence some can only be shrunk before JIT and some after. Also, we may allow a CodeBlock to sit around for a long time - possibly forever - before invoking the JIT, hence it makes sense to have two shrinks. This is performance neutral on the major benchmarks we track. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::shrinkToFit): * bytecode/CodeBlock.h: (CodeBlock): (JSC::CodeBlock::appendWeakReferenceTransition): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::generate): * dfg/DFGDriver.cpp: (JSC::DFG::compile): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::link): * jit/JIT.cpp: (JSC::JIT::privateCompile): 2012-05-15 Oliver Hunt Make error information available even if all we have is line number information. https://bugs.webkit.org/show_bug.cgi?id=86547 Reviewed by Filip Pizlo. We don't need expression information to generate useful line, file, and stack information, so only require that we have line number info available. * interpreter/Interpreter.cpp: (JSC::Interpreter::throwException): * runtime/Executable.h: (JSC): 2012-05-15 Mark Hahnenberg Block freeing thread should not free blocks when we are actively requesting them https://bugs.webkit.org/show_bug.cgi?id=86519 Reviewed by Geoffrey Garen. The block freeing thread shoots us in the foot if it decides to run while we're actively requesting blocks and returning them. This situation can arise when there is a lot of copying collection going on in steady state. We allocate a large swath of pages to copy into, then we return all the newly free old pages to the BlockAllocator. In this state, if the block freeing thread wakes up in between collections (which is more likely than it waking up during a collection) and frees half of these pages, they will be needed almost immediately during the next collection, causing a storm of VM allocations which we know are going to be very slow. What we'd like is for when things have quieted down the block freeing thread can then return memory to the OS. Usually this will be when a page has fully loaded and has a low allocation rate. In this situation, our opportunistic collections will only be running at least every few seconds, thus the extra time spent doing VM allocations won't matter nearly as much as, say, while a page is loading. * heap/BlockAllocator.cpp: (JSC::BlockAllocator::BlockAllocator): Initialize our new field. (JSC::BlockAllocator::blockFreeingThreadMain): We check if we've seen any block requests recently. If so, reset our flag and go back to sleep. We also don't bother with locking here. If we miss out on an update, we'll see it when we wake up again. * heap/BlockAllocator.h: Add new field to track whether or not we've received recent block requests. (BlockAllocator): (JSC::BlockAllocator::allocate): If we receive a request for a block, set our field that tracks that to true. We don't bother locking since we assume that writing to a bool is atomic. 2012-05-14 Luke Macpherson Introduce ENABLE_CSS_VARIABLES compile flag. https://bugs.webkit.org/show_bug.cgi?id=86338 Reviewed by Dimitri Glazkov. Add a configuration option for CSS Variables support, disabling it by default. * Configurations/FeatureDefines.xcconfig: 2012-05-14 Gavin Barraclough Cannot login to iCloud https://bugs.webkit.org/show_bug.cgi?id=86321 Reviewed by Filip Pizlo. This is a bug introduced by bug#85853, we shouldn't allow assignment to the prototype property of functions to be cached, since we need to clear the cached inheritorID. * runtime/JSFunction.cpp: (JSC::JSFunction::put): 2012-05-14 Michael Saboff Enh: Add the Ability to Disable / Enable JavaScript GC Timer https://bugs.webkit.org/show_bug.cgi?id=86382 Reviewed by Darin Adler. Add flag to GCActivityCallback to enable / disable activity timer. Add api via Heap to set the flag's value. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Windows export * heap/Heap.cpp: (JSC::Heap::setGarbageCollectionTimerEnabled): * heap/Heap.h: * runtime/GCActivityCallback.h: (JSC::GCActivityCallback::isEnabled): (JSC::GCActivityCallback::setEnabled): (JSC::GCActivityCallback::GCActivityCallback): * runtime/GCActivityCallbackCF.cpp: (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire): 2012-05-14 Michael Saboff Increase Debug Logging in MarkStack::validate() https://bugs.webkit.org/show_bug.cgi?id=86408 Rubber-stamped by Filip Pizlo. Added some descriptive debug messages for the conditions and values when a cell validation fails. * heap/MarkStack.cpp: (JSC::MarkStack::validate): 2012-05-14 Carlos Garcia Campos Unreviewed. Fix make distcheck. * GNUmakefile.list.am: Add missing header file. 2012-05-14 Yong Li DFG JIT didn't work with ARM EABI. https://bugs.webkit.org/show_bug.cgi?id=84449 Reviewed by Filip Pizlo. Add a 32-bit dummy argument for some callOperation() methods to make it work for ARM EABI. * dfg/DFGCCallHelpers.h: (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): (CCallHelpers): * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT.h: (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::callOperation): 2012-05-13 Gavin Barraclough Introduce PropertyName class https://bugs.webkit.org/show_bug.cgi?id=86241 Reviewed by Darin Adler. This patch introduced a couple of small bugs. * runtime/PropertyName.h: (JSC::toUInt32FromCharacters): - Returning wrong value for "" - should not convert to 0. (JSC::PropertyName::PropertyName): - Remove the ASSERT, it was a little too aspirational. 2012-05-13 Filip Pizlo DFG performs incorrect constant folding on double-to-uint32 conversion in Uint32Array PutByVal https://bugs.webkit.org/show_bug.cgi?id=86330 Reviewed by Darin Adler. static_cast(d) is wrong, since JS semantics require us to use toInt32(d). In particular, C++ casts on typical hardware (like x86 and similar) will return 0x80000000 for double values that are out of range of the int32 domain (i.e. less than -2^31 or greater than or equal to 2^31). But JS semantics call for wrap-around; for example the double value 4294967297 ought to become the int32 value 1, not 0x80000000. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): 2012-05-11 Gavin Barraclough Introduce PropertyName class https://bugs.webkit.org/show_bug.cgi?id=86241 Reviewed by Geoff Garen. Replace 'const Identifier&' arguments to functions accessing object properties with a new 'PropertyName' type. This change paves the way to allow for properties keyed by values that are not Identifiers. This change is largely a mechanical find & replace. It also changes JSFunction's constructor to take a UString& instead of an Identifier& (since in some cases we can no longer guarantee that we'lll have an Identifier), and unifies Identifier's methods to obtain array indices onto PropertyName. The new PropertyName class retains the ability to support .impl() and .ustring(), but in a future patch we may need to rework this, since not all PropertyNames should be equal based on their string representation. * API/JSCallbackFunction.cpp: (JSC::JSCallbackFunction::finishCreation): * API/JSCallbackFunction.h: (JSCallbackFunction): (JSC::JSCallbackFunction::create): * API/JSCallbackObject.h: (JSCallbackObject): * API/JSCallbackObjectFunctions.h: (JSC::::getOwnPropertySlot): (JSC::::getOwnPropertyDescriptor): (JSC::::put): (JSC::::deleteProperty): (JSC::::getStaticValue): (JSC::::staticFunctionGetter): (JSC::::callbackGetter): * API/JSObjectRef.cpp: (JSObjectMakeFunctionWithCallback): * JSCTypedArrayStubs.h: (JSC): * JavaScriptCore.xcodeproj/project.pbxproj: * debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::getOwnPropertySlot): (JSC::DebuggerActivation::put): (JSC::DebuggerActivation::putDirectVirtual): (JSC::DebuggerActivation::deleteProperty): (JSC::DebuggerActivation::getOwnPropertyDescriptor): (JSC::DebuggerActivation::defineOwnProperty): * debugger/DebuggerActivation.h: (DebuggerActivation): * jsc.cpp: (GlobalObject::addFunction): (GlobalObject::addConstructableFunction): * runtime/Arguments.cpp: (JSC::Arguments::getOwnPropertySlot): (JSC::Arguments::getOwnPropertyDescriptor): (JSC::Arguments::put): (JSC::Arguments::deleteProperty): (JSC::Arguments::defineOwnProperty): * runtime/Arguments.h: (Arguments): * runtime/ArrayConstructor.cpp: (JSC::ArrayConstructor::finishCreation): (JSC::ArrayConstructor::getOwnPropertySlot): (JSC::ArrayConstructor::getOwnPropertyDescriptor): * runtime/ArrayConstructor.h: (ArrayConstructor): * runtime/ArrayPrototype.cpp: (JSC::ArrayPrototype::getOwnPropertySlot): (JSC::ArrayPrototype::getOwnPropertyDescriptor): (JSC::putProperty): * runtime/ArrayPrototype.h: (ArrayPrototype): * runtime/BooleanConstructor.cpp: (JSC::BooleanConstructor::finishCreation): * runtime/BooleanPrototype.cpp: (JSC::BooleanPrototype::getOwnPropertySlot): (JSC::BooleanPrototype::getOwnPropertyDescriptor): * runtime/BooleanPrototype.h: (BooleanPrototype): * runtime/ClassInfo.h: (MethodTable): * runtime/DateConstructor.cpp: (JSC::DateConstructor::finishCreation): (JSC::DateConstructor::getOwnPropertySlot): (JSC::DateConstructor::getOwnPropertyDescriptor): * runtime/DateConstructor.h: (DateConstructor): * runtime/DatePrototype.cpp: (JSC::DatePrototype::getOwnPropertySlot): (JSC::DatePrototype::getOwnPropertyDescriptor): * runtime/DatePrototype.h: (DatePrototype): * runtime/Error.h: (JSC::StrictModeTypeErrorFunction::create): * runtime/ErrorConstructor.cpp: (JSC::ErrorConstructor::finishCreation): * runtime/ErrorPrototype.cpp: (JSC::ErrorPrototype::getOwnPropertySlot): (JSC::ErrorPrototype::getOwnPropertyDescriptor): * runtime/ErrorPrototype.h: (ErrorPrototype): * runtime/FunctionConstructor.cpp: (JSC::FunctionConstructor::finishCreation): * runtime/FunctionPrototype.cpp: (JSC::FunctionPrototype::finishCreation): (JSC::FunctionPrototype::addFunctionProperties): (JSC::functionProtoFuncBind): * runtime/FunctionPrototype.h: (JSC::FunctionPrototype::create): (FunctionPrototype): * runtime/Identifier.cpp: (JSC): * runtime/Identifier.h: (Identifier): * runtime/InternalFunction.cpp: (JSC::InternalFunction::finishCreation): * runtime/InternalFunction.h: (InternalFunction): * runtime/JSActivation.cpp: (JSC::JSActivation::symbolTableGet): (JSC::JSActivation::symbolTablePut): (JSC::JSActivation::symbolTablePutWithAttributes): (JSC::JSActivation::getOwnPropertySlot): (JSC::JSActivation::put): (JSC::JSActivation::putDirectVirtual): (JSC::JSActivation::deleteProperty): (JSC::JSActivation::argumentsGetter): * runtime/JSActivation.h: (JSActivation): * runtime/JSArray.cpp: (JSC::JSArray::defineOwnProperty): (JSC::JSArray::getOwnPropertySlot): (JSC::JSArray::getOwnPropertyDescriptor): (JSC::JSArray::put): (JSC::JSArray::deleteProperty): * runtime/JSArray.h: (JSArray): (JSC): * runtime/JSBoundFunction.cpp: (JSC::JSBoundFunction::create): (JSC::JSBoundFunction::finishCreation): * runtime/JSBoundFunction.h: (JSBoundFunction): * runtime/JSCell.cpp: (JSC::JSCell::getOwnPropertySlot): (JSC::JSCell::put): (JSC::JSCell::deleteProperty): (JSC::JSCell::putDirectVirtual): (JSC::JSCell::defineOwnProperty): (JSC::JSCell::getOwnPropertyDescriptor): * runtime/JSCell.h: (JSCell): * runtime/JSFunction.cpp: (JSC::JSFunction::create): (JSC::JSFunction::finishCreation): (JSC::JSFunction::argumentsGetter): (JSC::JSFunction::callerGetter): (JSC::JSFunction::lengthGetter): (JSC::JSFunction::getOwnPropertySlot): (JSC::JSFunction::getOwnPropertyDescriptor): (JSC::JSFunction::put): (JSC::JSFunction::deleteProperty): (JSC::JSFunction::defineOwnProperty): (JSC::getCalculatedDisplayName): * runtime/JSFunction.h: (JSFunction): * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::put): (JSC::JSGlobalObject::putDirectVirtual): (JSC::JSGlobalObject::defineOwnProperty): (JSC::JSGlobalObject::reset): (JSC::JSGlobalObject::createThrowTypeError): (JSC::JSGlobalObject::getOwnPropertySlot): (JSC::JSGlobalObject::getOwnPropertyDescriptor): * runtime/JSGlobalObject.h: (JSGlobalObject): (JSC::JSGlobalObject::hasOwnPropertyForWrite): (JSC::JSGlobalObject::symbolTableHasProperty): * runtime/JSNotAnObject.cpp: (JSC::JSNotAnObject::getOwnPropertySlot): (JSC::JSNotAnObject::getOwnPropertyDescriptor): (JSC::JSNotAnObject::put): (JSC::JSNotAnObject::deleteProperty): * runtime/JSNotAnObject.h: (JSNotAnObject): * runtime/JSONObject.cpp: (JSC::JSONObject::getOwnPropertySlot): (JSC::JSONObject::getOwnPropertyDescriptor): * runtime/JSONObject.h: (JSONObject): * runtime/JSObject.cpp: (JSC::JSObject::put): (JSC::JSObject::putDirectVirtual): (JSC::JSObject::putDirectAccessor): (JSC::JSObject::hasProperty): (JSC::JSObject::deleteProperty): (JSC::JSObject::hasOwnProperty): (JSC::callDefaultValueFunction): (JSC::JSObject::findPropertyHashEntry): (JSC::JSObject::getPropertySpecificValue): (JSC::JSObject::removeDirect): (JSC::JSObject::getOwnPropertyDescriptor): (JSC::JSObject::getPropertyDescriptor): (JSC::putDescriptor): (JSC::JSObject::defineOwnProperty): * runtime/JSObject.h: (JSObject): (JSC::JSObject::getDirect): (JSC::JSObject::getDirectLocation): (JSC::JSObject::inlineGetOwnPropertySlot): (JSC::JSObject::getOwnPropertySlot): (JSC::JSCell::fastGetOwnPropertySlot): (JSC::JSObject::getPropertySlot): (JSC::JSObject::get): (JSC::JSObject::putDirectInternal): (JSC::JSObject::putOwnDataProperty): (JSC::JSObject::putDirect): (JSC::JSObject::putDirectWithoutTransition): (JSC::JSValue::get): (JSC::JSValue::put): * runtime/JSStaticScopeObject.cpp: (JSC::JSStaticScopeObject::put): (JSC::JSStaticScopeObject::putDirectVirtual): (JSC::JSStaticScopeObject::getOwnPropertySlot): * runtime/JSStaticScopeObject.h: (JSStaticScopeObject): * runtime/JSString.cpp: (JSC::JSString::getOwnPropertySlot): (JSC::JSString::getStringPropertyDescriptor): * runtime/JSString.h: (JSString): (JSC::JSString::getStringPropertySlot): * runtime/JSValue.cpp: (JSC::JSValue::putToPrimitive): * runtime/JSValue.h: (JSC): (JSValue): * runtime/JSVariableObject.cpp: (JSC::JSVariableObject::deleteProperty): (JSC::JSVariableObject::symbolTableGet): (JSC::JSVariableObject::putDirectVirtual): * runtime/JSVariableObject.h: (JSVariableObject): (JSC::JSVariableObject::symbolTableGet): (JSC::JSVariableObject::symbolTablePut): (JSC::JSVariableObject::symbolTablePutWithAttributes): * runtime/Lookup.cpp: (JSC::setUpStaticFunctionSlot): * runtime/Lookup.h: (JSC::HashTable::entry): (JSC): (JSC::getStaticPropertySlot): (JSC::getStaticPropertyDescriptor): (JSC::getStaticFunctionSlot): (JSC::getStaticFunctionDescriptor): (JSC::getStaticValueSlot): (JSC::getStaticValueDescriptor): (JSC::lookupPut): * runtime/MathObject.cpp: (JSC::MathObject::getOwnPropertySlot): (JSC::MathObject::getOwnPropertyDescriptor): * runtime/MathObject.h: (MathObject): * runtime/NativeErrorConstructor.h: (JSC::NativeErrorConstructor::finishCreation): * runtime/NumberConstructor.cpp: (JSC): (JSC::NumberConstructor::finishCreation): (JSC::NumberConstructor::getOwnPropertySlot): (JSC::NumberConstructor::getOwnPropertyDescriptor): (JSC::NumberConstructor::put): (JSC::numberConstructorNaNValue): (JSC::numberConstructorNegInfinity): (JSC::numberConstructorPosInfinity): (JSC::numberConstructorMaxValue): (JSC::numberConstructorMinValue): * runtime/NumberConstructor.h: (NumberConstructor): * runtime/NumberPrototype.cpp: (JSC::NumberPrototype::getOwnPropertySlot): (JSC::NumberPrototype::getOwnPropertyDescriptor): * runtime/NumberPrototype.h: (NumberPrototype): * runtime/ObjectConstructor.cpp: (JSC::ObjectConstructor::finishCreation): (JSC::ObjectConstructor::getOwnPropertySlot): (JSC::ObjectConstructor::getOwnPropertyDescriptor): * runtime/ObjectConstructor.h: (ObjectConstructor): * runtime/ObjectPrototype.cpp: (JSC::ObjectPrototype::put): (JSC::ObjectPrototype::defineOwnProperty): (JSC::ObjectPrototype::getOwnPropertySlot): (JSC::ObjectPrototype::getOwnPropertyDescriptor): * runtime/ObjectPrototype.h: (ObjectPrototype): * runtime/PropertySlot.h: (PropertySlot): (JSC::PropertySlot::getValue): * runtime/RegExpConstructor.cpp: (JSC): (JSC::RegExpConstructor::finishCreation): (JSC::RegExpConstructor::getOwnPropertySlot): (JSC::RegExpConstructor::getOwnPropertyDescriptor): (JSC::regExpConstructorDollar1): (JSC::regExpConstructorDollar2): (JSC::regExpConstructorDollar3): (JSC::regExpConstructorDollar4): (JSC::regExpConstructorDollar5): (JSC::regExpConstructorDollar6): (JSC::regExpConstructorDollar7): (JSC::regExpConstructorDollar8): (JSC::regExpConstructorDollar9): (JSC::regExpConstructorInput): (JSC::regExpConstructorMultiline): (JSC::regExpConstructorLastMatch): (JSC::regExpConstructorLastParen): (JSC::regExpConstructorLeftContext): (JSC::regExpConstructorRightContext): (JSC::RegExpConstructor::put): * runtime/RegExpConstructor.h: (RegExpConstructor): * runtime/RegExpMatchesArray.h: (JSC::RegExpMatchesArray::getOwnPropertySlot): (JSC::RegExpMatchesArray::getOwnPropertyDescriptor): (JSC::RegExpMatchesArray::put): (JSC::RegExpMatchesArray::deleteProperty): (JSC::RegExpMatchesArray::defineOwnProperty): * runtime/RegExpObject.cpp: (JSC): (JSC::RegExpObject::getOwnPropertySlot): (JSC::RegExpObject::getOwnPropertyDescriptor): (JSC::RegExpObject::deleteProperty): (JSC::RegExpObject::defineOwnProperty): (JSC::regExpObjectGlobal): (JSC::regExpObjectIgnoreCase): (JSC::regExpObjectMultiline): (JSC::regExpObjectSource): (JSC::RegExpObject::put): * runtime/RegExpObject.h: (RegExpObject): * runtime/RegExpPrototype.cpp: (JSC::RegExpPrototype::getOwnPropertySlot): (JSC::RegExpPrototype::getOwnPropertyDescriptor): * runtime/RegExpPrototype.h: (RegExpPrototype): * runtime/StrictEvalActivation.cpp: (JSC::StrictEvalActivation::deleteProperty): * runtime/StrictEvalActivation.h: (StrictEvalActivation): * runtime/StringConstructor.cpp: (JSC::StringConstructor::finishCreation): (JSC::StringConstructor::getOwnPropertySlot): (JSC::StringConstructor::getOwnPropertyDescriptor): * runtime/StringConstructor.h: (StringConstructor): * runtime/StringObject.cpp: (JSC::StringObject::getOwnPropertySlot): (JSC::StringObject::getOwnPropertyDescriptor): (JSC::StringObject::put): (JSC::StringObject::defineOwnProperty): (JSC::StringObject::deleteProperty): * runtime/StringObject.h: (StringObject): * runtime/StringPrototype.cpp: (JSC::StringPrototype::getOwnPropertySlot): (JSC::StringPrototype::getOwnPropertyDescriptor): * runtime/StringPrototype.h: (StringPrototype): * runtime/Structure.cpp: (JSC::Structure::despecifyDictionaryFunction): (JSC::Structure::addPropertyTransitionToExistingStructure): (JSC::Structure::addPropertyTransition): (JSC::Structure::removePropertyTransition): (JSC::Structure::despecifyFunctionTransition): (JSC::Structure::attributeChangeTransition): (JSC::Structure::addPropertyWithoutTransition): (JSC::Structure::removePropertyWithoutTransition): (JSC::Structure::get): (JSC::Structure::despecifyFunction): (JSC::Structure::putSpecificValue): (JSC::Structure::remove): * runtime/Structure.h: (Structure): (JSC::Structure::get): 2012-05-11 Michael Saboff Rolling out r116659. Causes ASSERT failures on bots. Rubber stamped by Geoff Garen. * heap/Heap.cpp: (JSC::Heap::markRoots): * heap/MarkStack.cpp: (JSC::MarkStackThreadSharedData::markingThreadMain): (JSC::MarkStackThreadSharedData::markingThreadStartFunc): (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData): (JSC::MarkStackThreadSharedData::reset): (JSC::MarkStack::reset): (JSC): (JSC::SlotVisitor::copyAndAppend): * heap/MarkStack.h: (MarkStackThreadSharedData): (MarkStack): * runtime/JSString.h: (JSString): (JSC::JSString::finishCreation): (JSC::JSString::is8Bit): (JSC::JSRopeString::finishCreation): 2012-05-11 Oliver Hunt Appease thread verifier when dealing with the JSC API's shared VM https://bugs.webkit.org/show_bug.cgi?id=86268 Reviewed by Geoffrey Garen. If we're the shared VM, just disable the verifier. This makes debug builds livable against non-webkit clients. * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): 2012-05-11 Filip Pizlo JIT memory allocator is not returning memory to the OS on Darwin https://bugs.webkit.org/show_bug.cgi?id=86047 Reviewed by Geoff Garen. * jit/ExecutableAllocatorFixedVMPool.cpp: (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree): 2012-05-11 Geoffrey Garen Clarified JSGlobalData (JavaScript VM) lifetime https://bugs.webkit.org/show_bug.cgi?id=85142 Reviewed by Alexey Proskuryakov. (Follow-up fix.) * API/JSContextRef.cpp: (JSGlobalContextCreate): Restored some code I removed because I misread an #ifdef. (We don't need to test BUILDING_ON_LEOPARD, but we still need the linked-on test, because apps might have been linked on older OS's.) 2012-05-11 Sam Weinig Fix crash seen when running with libgmalloc https://bugs.webkit.org/show_bug.cgi?id=86232 Reviewed by Gavin Barraclough. * heap/MarkStack.cpp: (JSC::MarkStackThreadSharedData::markingThreadMain): Don't delete the SlotVisitor before the ParallelModeEnabler has had a chance to run its destructor. 2012-05-10 Gavin Barraclough Remove op_get_callee Rubber stamped by Geoff Garen. This is now redundant. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dump): * bytecode/Opcode.h: (JSC): (JSC::padOpcodeName): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCapabilities.h: (JSC::DFG::canCompileOpcode): * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): * jit/JIT.h: * jit/JITOpcodes.cpp: (JSC): * jit/JITOpcodes32_64.cpp: (JSC): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: 2012-05-10 Gavin Barraclough Cache inheritorID on JSFunction https://bugs.webkit.org/show_bug.cgi?id=85853 Reviewed by Geoff Garen & Filip Pizlo. An object's prototype is indicated via its structure. To create an otherwise empty object with object A as its prototype, we require a structure with its prototype set to point to A. We wish to use this same structure for all empty objects created with a prototype of A, so we presently store this structure as a property of A, known as the inheritorID. When a function F is invoked as a constructor, where F has a property 'prototype' set to point to A, in order to create the 'this' value for the constructor to use the following steps are taken: - the 'prototype' proptery of F is read, via a regular [[Get]] access. - the inheritorID internal property of the prototype is read. - a new, empty object is constructed with its structure set to point to inheritorID. There are two drawbacks to the current approach: - it requires that every object has an inheritorID field. - it requires a [[Get]] access on every constructor call to access the 'prototype' property. Instead, switch to caching a copy of the inheritorID on the function. Constructor calls now only need read the internal property from the callee, saving a [[Get]]. This also means that JSObject::m_inheritorID is no longer commonly read, and in a future patch we can move to storing this in a more memory efficient fashion. * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dump): * bytecode/Opcode.h: (JSC): (JSC::padOpcodeName): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGNodeType.h: (DFG): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): * jit/JITInlineMethods.h: (JSC::JIT::emitAllocateJSFunction): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_create_this): (JSC::JIT::emitSlow_op_create_this): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_create_this): (JSC::JIT::emitSlow_op_create_this): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * runtime/JSFunction.cpp: (JSC::JSFunction::JSFunction): (JSC::JSFunction::cacheInheritorID): (JSC): (JSC::JSFunction::put): (JSC::JSFunction::defineOwnProperty): * runtime/JSFunction.h: (JSC::JSFunction::cachedInheritorID): (JSFunction): (JSC::JSFunction::offsetOfCachedInheritorID): 2012-05-10 Michael Saboff Enh: Hash Const JSString in Backing Stores to Save Memory https://bugs.webkit.org/show_bug.cgi?id=86024 Reviewed by Filip Pizlo. During garbage collection, each marking thread keeps a HashMap of strings. While visiting via MarkStack::copyAndAppend(), we check to see if the string we are visiting is already in the HashMap. If not we add it. If so, we change the reference to the current string we're visiting to the prior string. To somewhat reduce the performance impact of this change, if a string is unique at the end of a marking it will not be checked during further GC phases. In some cases this won't catch all duplicates, but we are trying to catch the growth of duplicate strings. * heap/Heap.cpp: (JSC::Heap::markRoots): * heap/MarkStack.cpp: (JSC::MarkStackThreadSharedData::resetChildren): New method called by the main thread to reset the slave threads. This is primarily done to clear the m_uniqueStrings HashMap. (JSC): (JSC::MarkStackThreadSharedData::markingThreadMain): (JSC::MarkStackThreadSharedData::markingThreadStartFunc): (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData): (JSC::MarkStackThreadSharedData::reset): (JSC::MarkStack::reset): Added call to clear m_uniqueStrings. (JSC::MarkStack::internalAppend): New method that performs the hash consting. (JSC::SlotVisitor::copyAndAppend): Changed to call the new hash consting internalAppend() * heap/MarkStack.h: (MarkStackThreadSharedData): (MarkStack): (JSC::MarkStack::sharedData): * runtime/JSString.h: (JSString): Added m_isHashConstSingleton flag, accessors for the flag and code to initialize the flag. (JSC::JSString::finishCreation): (JSC::JSString::isHashConstSingleton): (JSC::JSString::clearHashConstSingleton): (JSC::JSString::setHashConstSingleton): (JSC::JSRopeString::finishCreation): 2012-05-09 Filip Pizlo JIT memory allocator is not returning memory to the OS on Darwin https://bugs.webkit.org/show_bug.cgi?id=86047 Reviewed by Geoff Garen. Work around the problem by using a different madvise() flag, but only for the JIT memory allocator. Also put in ASSERTs that the call is actually working. * jit/ExecutableAllocatorFixedVMPool.cpp: (JSC::FixedVMPoolExecutableAllocator::notifyNeedPage): (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree): 2012-05-09 Filip Pizlo It should be possible to get useful debug logging from the JIT memory allocator https://bugs.webkit.org/show_bug.cgi?id=86042 Reviewed by Geoff Garen. * jit/ExecutableAllocator.h: 2012-05-09 Gavin Barraclough GC race condition in OpaqueJSClass::prototype https://bugs.webkit.org/show_bug.cgi?id=86034 Build fix. * API/JSClassRef.cpp: (OpaqueJSClass::prototype): - Eeeep, landed bad version of patch! 2012-05-09 Gavin Barraclough GC race condition in OpaqueJSClass::prototype https://bugs.webkit.org/show_bug.cgi?id=86034 Reviewed by Filip Pizlo. The bug here is basically: if (weakref) weakref->method() where a GC may occur between the if & the method call. * API/JSClassRef.cpp: (OpaqueJSClass::prototype): 2012-05-09 Mark Hahnenberg CopiedSpace does not add pinned blocks back to the to-space filter https://bugs.webkit.org/show_bug.cgi?id=86011 Reviewed by Geoffrey Garen. After a collection has finished, we go through the blocks in from-space and move any of them that are pinned into to-space. At the beginning of collection, we reset the to-space block filter that is used during conservative scanning and add back the blocks that are filled during the collection. However, we neglect to add back those blocks that are moved from from-space to to-space, which can cause the conservative scan to think that some pinned items are not actually in CopiedSpace. * heap/CopiedSpace.cpp: (JSC::CopiedSpace::doneCopying): Add the pinned blocks back to the to-space filter. Also added a comment and assert for future readers that indicates that it's okay that we don't also add the block to the to-space block set since it was never removed. 2012-05-09 Carlos Garcia Campos [GTK] Use independent version numbers for public libraries https://bugs.webkit.org/show_bug.cgi?id=85984 Reviewed by Gustavo Noronha Silva. * GNUmakefile.am: Use LIBJAVASCRIPTCOREGTK_VERSION for library version. 2012-05-09 Carlos Garcia Campos [GTK] Do not install JavaScriptCore platform-specific headers https://bugs.webkit.org/show_bug.cgi?id=85983 Reviewed by Gustavo Noronha Silva. JavaScriptCore.h includes JSStringRefCF.h unconditionally. It was renamed to JavaScript.h in r29234 and it still exists for compatibility with mac and windows users. * GNUmakefile.list.am: Remove JavaScriptCore.h, JSStringRefCF.h and JSStringRefBSTR.h from the sources and headers list. 2012-05-08 Gavin Barraclough ROLLING OUT r114255 GC in the middle of JSObject::allocatePropertyStorage can cause badness https://bugs.webkit.org/show_bug.cgi?id=83839 Reviewed by nobody. This breaks the world, with COLLECT_ON_EVERY_ALLOCATION enabled. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/JSObject.cpp: (JSC::JSObject::allocatePropertyStorage): * runtime/JSObject.h: (JSObject): (JSC::JSObject::isUsingInlineStorage): (JSC): (JSC::JSObject::putDirectInternal): (JSC::JSObject::putDirectWithoutTransition): (JSC::JSObject::transitionTo): * runtime/Structure.cpp: (JSC): * runtime/Structure.h: (JSC::Structure::didTransition): 2012-05-08 Mark Hahnenberg Heap should not continually allocate new pages in steady state https://bugs.webkit.org/show_bug.cgi?id=85936 Reviewed by Geoff Garen. Currently, in steady state (i.e. a constant amount of live GC memory with a constant rate of allocation) assuming we've just finished a collection with X live blocks in CopiedSpace, we increase our working set by X blocks in CopiedSpace with each collection we perform. This is due to the fact that we allocate until we run out of free blocks to use in the Heap before we consider whether we should run a collection. In the longer term, this issue will be mostly resolved by implementing quick release for the CopiedSpace. In the shorter term, we should change our policy to check whether we should allocate before trying to use a free block from the Heap. We can change our policy to something more appropriate once we have implemented quick release. This change should also have the convenient side effect of reducing the variance in GC-heavy tests (e.g. v8-splay) due to fact that we are doing less VM allocation during copying collection. Overall, this patch is performance neutral across the benchmarks we track. * heap/CopiedSpace.cpp: (JSC::CopiedSpace::getFreshBlock): Shuffle the request from the BlockAllocator around so that we only do it if the block request must succeed i.e. after we've already checked whether we should do a collection. * heap/MarkedAllocator.cpp: (JSC::MarkedAllocator::allocateSlowCase): Ditto. (JSC::MarkedAllocator::allocateBlock): We no longer have a failure mode in this function because by the time we've called it, we've already checked whether we should run a collection so there's no point in returning null. * heap/MarkedAllocator.h: Removing old arguments from function declaration. (MarkedAllocator): 2012-05-08 Gavin Barraclough SIGFPE on divide in classic interpreter https://bugs.webkit.org/show_bug.cgi?id=85917 Rubber stamped by Oliver Hunt. * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): - check for divisor of -1. 2012-05-07 Oliver Hunt Rolling out r110287 RS=Filip Pizlo r110287 was meant to be refactoring only, but changed behavior enough to break some websites, including qq.com. 2012-05-07 Andy Estes ENABLE_IFRAME_SEAMLESS should be part of FEATURE_DEFINES. * Configurations/FeatureDefines.xcconfig: 2012-05-07 Oliver Hunt Fix release build. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): 2012-05-07 Oliver Hunt LLInt doesn't check for Ropes when performing a character switch https://bugs.webkit.org/show_bug.cgi?id=85837 Reviewed by Filip Pizlo. Make LLint check if the scrutinee of a char switch is a rope, and if so fall back to a slow case. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): (LLInt): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: 2012-05-07 Eric Seidel Add ENABLE_IFRAME_SEAMLESS so Apple can turn off SEAMLESS if needed https://bugs.webkit.org/show_bug.cgi?id=85822 Reviewed by Adam Barth. * Configurations/FeatureDefines.xcconfig: 2012-05-05 Gavin Barraclough Remove TrustedImm32::m_isPointer https://bugs.webkit.org/show_bug.cgi?id=85726 Rubber stamped by Sam Weinig. We used to rely on being able to generate code with known, fixed offsets – to do so we would inhibit more optimal code generation for pointers. This is no longer necessary. * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::TrustedImm32::TrustedImm32): (TrustedImm32): * assembler/MacroAssemblerARM.h: (JSC::MacroAssemblerARM::store32): (JSC::MacroAssemblerARM::move): (JSC::MacroAssemblerARM::branch32): * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::move): * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::add32): (JSC::MacroAssemblerMIPS::and32): (JSC::MacroAssemblerMIPS::mul32): (JSC::MacroAssemblerMIPS::or32): (JSC::MacroAssemblerMIPS::sub32): (JSC::MacroAssemblerMIPS::store32): (JSC::MacroAssemblerMIPS::move): 2012-05-04 Filip Pizlo DFG should not Flush GetLocal's https://bugs.webkit.org/show_bug.cgi?id=85663 Reviewed by Oliver Hunt. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::flushArgument): (JSC::DFG::ByteCodeParser::handleCall): 2012-05-04 Allan Sandfeld Jensen Doesn't build with ENABLE_JIT=0 https://bugs.webkit.org/show_bug.cgi?id=85042 Reviewed by Gavin Barraclough. * bytecode/Operands.h: 2012-05-03 Oliver Hunt Regression(r114702): Clobbering the caller frame register before we've stored it. https://bugs.webkit.org/show_bug.cgi?id=85564 Reviewed by Filip Pizlo. Don't use t0 as a temporary, when we're about to use the value in t0. * llint/LowLevelInterpreter32_64.asm: 2012-05-03 Mark Hahnenberg Removing remainder of accidental printfs. * heap/Heap.cpp: (JSC::Heap::collect): 2012-05-03 Andy Estes If you add printf()s to your garbage collector, the layout tests are gonna have a bad time. * runtime/GCActivityCallbackCF.cpp: (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire): 2012-05-03 Mark Hahnenberg Heap::reportAbandonedObjectGraph should not hasten an allocation-triggered collection https://bugs.webkit.org/show_bug.cgi?id=85543 Reviewed by Filip Pizlo. Currently reportAbandonedObjectGraph causes the Heap to think it is closer to its allocation limit for the current cycle, thus hastening an allocation-triggered collection. In reality, it should just affect the opportunistic GC timer. We should track the bytes we think have been abandoned and the bytes that have been allocated separately. * heap/Heap.cpp: Added a new field m_abandonedBytes to Heap to keep track of how much we think we've abandoned. (JSC::Heap::Heap): (JSC::Heap::reportAbandonedObjectGraph): (JSC): (JSC::Heap::didAbandon): Added this function for reportAbandonedObjectGraph to call rather than didAllocate. Works the same as didAllocate, but modifies bytes abandoned rather than bytes allocated. Also notifies the timer, summing the two values together. (JSC::Heap::collect): (JSC::Heap::didAllocate): Now adds the bytes allocated and bytes abandoned when reporting to GCActivityCallback. * heap/Heap.h: (Heap): 2012-05-02 Eric Seidel Sort ENABLE_ defines in FeatureDefines.xcconfig files to make them easier to compare with one another (and easier to autogenerate) https://bugs.webkit.org/show_bug.cgi?id=85433 Reviewed by Adam Barth. I have a script which can autogenerate these xcconfig files as well as the vsprops files (and soon the Chromium, cmake, gnumake and qmake) feature lists from a central feature list file. In preparation for posting such a tool, I'm re-sorting these xcconfig files to be alphabetically ordered (currently they're close, but not quite). There is also at least one inconsistency between these files (CSS_LEGACY_PREFIXES) which I will fix in a second pass. I will also sort the FEATURE_DEFINES = line in a follow-up patch. * Configurations/FeatureDefines.xcconfig: 2012-05-02 Hojong Han ARM_TRADITIONAL build fix https://bugs.webkit.org/show_bug.cgi?id=85358 Reviewed by Gavin Barraclough. * assembler/MacroAssemblerARM.h: (JSC::MacroAssemblerARM::lshift32): (MacroAssemblerARM): (JSC::MacroAssemblerARM::or32): (JSC::MacroAssemblerARM::urshift32): (JSC::MacroAssemblerARM::xor32): (JSC::MacroAssemblerARM::branchSub32): 2012-05-02 Mark Hahnenberg Opportunistic GC should give up if the Heap is paged out https://bugs.webkit.org/show_bug.cgi?id=85411 Reviewed by Filip Pizlo. Opportunistic GC is punishing us severely in limited memory situations because its assumptions about how much time a collection will take are way out of whack when the Heap has been paged out by the OS. We should add a simple detection function to the Heap that detects if its is paged out. It will do this by iterating each block of both the MarkedSpace and CopiedSpace. If that operation takes longer than a fixed amount of time (e.g. 100ms), the function returns true. This function will only be run prior to an opportunistic collection (i.e. it will not run during our normal allocation-triggered collections). In my tests, steady state was drastically improved in high memory pressure situations (i.e. the browser was still usable, significant reduction in SPODs). Occasionally, a normal GC would be triggered due to pages doing things in the background, which would cause a significant pause. As we close pages we now cause normal collections rather than full collections, which prevents us from collecting all of the dead memory immediately. One nice way to deal with this issue might be to do incremental sweeping. * heap/CopiedSpace.cpp: (JSC::isBlockListPagedOut): Helper function to reduce code duplication when iterating over to-space, from-space, and the oversize blocks. (JSC): (JSC::CopiedSpace::isPagedOut): Tries to determine whether or not CopiedSpace is paged out by iterating all of the blocks. * heap/CopiedSpace.h: (CopiedSpace): * heap/Heap.cpp: (JSC::Heap::isPagedOut): Tries to determine whether the Heap is paged out by asking the MarkedSpace and CopiedSpace if they are paged out. (JSC): * heap/Heap.h: (Heap): (JSC::Heap::increaseLastGCLength): Added this so that the GC timer can linearly back off each time it determines that the Heap is paged out. * heap/MarkedAllocator.cpp: (JSC::MarkedAllocator::isPagedOut): Tries to determine if this particular MarkedAllocator's list of blocks are paged out. (JSC): * heap/MarkedAllocator.h: (MarkedAllocator): * heap/MarkedSpace.cpp: (JSC::MarkedSpace::isPagedOut): For each MarkedAllocator, check to see if they're paged out. * heap/MarkedSpace.h: (MarkedSpace): * runtime/GCActivityCallback.cpp: (JSC::DefaultGCActivityCallback::cancel): (JSC): * runtime/GCActivityCallback.h: (JSC::GCActivityCallback::cancel): (DefaultGCActivityCallback): * runtime/GCActivityCallbackCF.cpp: Added a constant of 100ms for the timeout in determining whether the Heap is paged out or not. (JSC): (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire): Added the check to see if we should attempt a collection based on whether or not we can iterate the blocks of the Heap in 100ms. If we can't, we cancel the timer and tell the Heap we just wasted 100ms more trying to do a collection. This gives us a nice linear backoff so we're not constantly re-trying in steady state paged-out-ness. (JSC::DefaultGCActivityCallback::cancel): Added this function which, while currently doing exactly the same thing as willCollect, is more obvious as to what it's doing when we call it in timerDidFire. 2012-05-02 Yong Li Fix GCC X86 build error https://bugs.webkit.org/show_bug.cgi?id=85379 Reviewed by Rob Buis. Always explicitly claim ".text" to make sure functions defined with inline assembly will be created in the correct section. * dfg/DFGOperations.cpp: (JSC): 2012-05-02 Oliver Hunt Unreviewed, rolling out r115388. http://trac.webkit.org/changeset/115388 https://bugs.webkit.org/show_bug.cgi?id=85011 This caused many weird performance problems, and needs to be landed in pieces. * dfg/DFGOperations.cpp: * heap/Heap.cpp: (JSC::Heap::getConservativeRegisterRoots): (JSC::Heap::markRoots): * interpreter/CallFrame.cpp: (JSC::CallFrame::dumpCaller): (JSC): * interpreter/CallFrame.h: (JSC::ExecState::init): (ExecState): * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): (JSC::Interpreter::prepareForRepeatCall): (JSC::Interpreter::privateExecute): * interpreter/Interpreter.h: (JSC::Interpreter::execute): * interpreter/RegisterFile.cpp: (JSC::RegisterFile::growSlowCase): (JSC::RegisterFile::gatherConservativeRoots): * interpreter/RegisterFile.h: (JSC::RegisterFile::end): (JSC::RegisterFile::size): (JSC::RegisterFile::addressOfEnd): (RegisterFile): (JSC::RegisterFile::RegisterFile): (JSC::RegisterFile::shrink): (JSC::RegisterFile::grow): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): (JSC::jitCompileFor): (JSC::lazyLinkFor): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::handleHostCall): * llint/LowLevelInterpreter.asm: * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::arityCheckFor): 2012-05-01 Oliver Hunt Physijs demo crashes due to DFG not updating topCallFrame correctly. https://bugs.webkit.org/show_bug.cgi?id=85311 Reviewed by Filip Pizlo. A few of the dfg operations failed to correctly set the topCallFrame, and so everything goes wrong. This patch corrects the effected operations, and makes debug builds poison topCallFrame before calling a dfg operation. * dfg/DFGOperations.cpp: (JSC::DFG::putByVal): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::prepareForExternalCall): (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck): (JSC::DFG::SpeculativeJIT::appendCallSetResult): 2012-04-30 Gavin Barraclough Should be able to use YARR JIT without the JS language JIT https://bugs.webkit.org/show_bug.cgi?id=85252 Reviewed by Geoff Garen. Need to split canUseRegExpJIT out of canUseJIT. * runtime/JSGlobalData.cpp: (JSC): (JSC::useJIT): (JSC::JSGlobalData::JSGlobalData): - replace m_canUseJIT with m_canUseAssembler * runtime/JSGlobalData.h: (JSGlobalData): (JSC::JSGlobalData::canUseRegExpJIT): - Added canUseRegExpJIT, distinct from canUseJIT. * runtime/RegExp.cpp: (JSC::RegExp::compile): (JSC::RegExp::compileMatchOnly): - Call canUseRegExpJIT instead of canUseJIT. 2012-04-30 Gavin Barraclough Should be able to build YARR JIT without the JS language JIT https://bugs.webkit.org/show_bug.cgi?id=85242 Reviewed by Michael Saboff. Some build macros are wrong. * assembler/RepatchBuffer.h: * jit/ExecutableAllocator.h: (JSC): * jit/JITExceptions.cpp: * runtime/InitializeThreading.cpp: (JSC::initializeThreadingOnce): 2012-04-26 Gavin Barraclough Arguments object resets attributes on redefinition of a parameter https://bugs.webkit.org/show_bug.cgi?id=84994 Rubber stamped by Oliver Hunt. There is a bug that we always re-add the original property before redefinition, doing so in a way that will reset the attributes without checking configurability. * runtime/Arguments.cpp: (JSC::Arguments::defineOwnProperty): - Only instantiate the property once - do not re-add if it has already been added, or if it has been deleted. 2012-04-30 Ryosuke Niwa Remove an erroneous assertion after r115655. * runtime/NumberPrototype.cpp: (JSC::toUStringWithRadix): 2012-04-30 Myles Maxfield End of Interpreter::tryCacheGetByID can trigger the garbage collector https://bugs.webkit.org/show_bug.cgi?id=84927 Reviewed by Oliver Hunt. * interpreter/Interpreter.cpp: (JSC::Interpreter::tryCacheGetByID): 2012-04-30 Benjamin Poulain jsSingleCharacterString and jsSingleCharacterSubstring are not inlined https://bugs.webkit.org/show_bug.cgi?id=85147 Reviewed by Darin Adler. The functions jsSingleCharacterString() and jsSingleCharacterSubstring() were not inlined by the compiler. This annihilate the gains of using SmallStrings. On stringProtoFuncCharAt(), this patch improves the performance by 11%. * runtime/JSString.h: (JSC::jsSingleCharacterString): (JSC::jsSingleCharacterSubstring): 2012-04-30 Benjamin Poulain Add fast patch for radix == 10 on numberProtoFuncToString https://bugs.webkit.org/show_bug.cgi?id=85120 Reviewed by Darin Adler. When radix, we use to turn the doubleValue into a JSValue just to convert it to a String. The problem is that was using the slow path for conversion and for the toString() operation. This patch shortcuts the creation of a JSValue and uses NumericStrings directly. The conversion is split between Integer and Double to ensure the fastest conversion for the common case of integer arguments. Converting number with radix 10 becomes 5% faster. Due to the simpler conversion of number to string for integer, converting integers that do not fall in the two previous optimizations get 32% faster. * runtime/NumberPrototype.cpp: (JSC::extractRadixFromArgs): (JSC::integerValueToString): (JSC::numberProtoFuncToString): 2012-04-30 Carlos Garcia Campos Unreviewed. Fix make distcheck. * GNUmakefile.list.am: Add missing header. 2012-04-28 Geoffrey Garen Factored threaded block allocation into a separate object https://bugs.webkit.org/show_bug.cgi?id=85148 Reviewed by Sam Weinig. 99% of this patch just moves duplicated block allocation and deallocation code into a new object named BlockAllocator, with these exceptions: * heap/BlockAllocator.h: Added. (BlockAllocator::BlockAllocator): The order of declarations here now guards us against an unlikely race condition during startup. * heap/BlockAllocator.cpp: JSC::BlockAllocator::blockFreeingThreadMain): Added a FIXME to highlight a lack of clarity we have in our block deallocation routines. 2012-04-28 Sam Weinig Try to fix the Qt build. * heap/Heap.cpp: (JSC::Heap::lastChanceToFinalize): 2012-04-28 Geoffrey Garen Try to fix the Windows build. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2012-04-28 Geoffrey Garen Clarified JSGlobalData (JavaScript VM) lifetime https://bugs.webkit.org/show_bug.cgi?id=85142 Reviewed by Anders Carlsson. This was so confusing that I didn't feel like I could reason about memory lifetime in the heap without fixing it. The rules are: (1) JSGlobalData owns the virtual machine and all memory in it. (2) Deleting a JSGlobalData frees the virtual machine and all memory in it. (Caveat emptor: if you delete the virtual machine while you're running JIT code or accessing GC objects, you're gonna have a bad time.) (I opted not to make arbitrary sub-objects keep the virtual machine alive automatically because: (a) doing that right would be complex and slow; (b) in the case of an exiting thread or process, there's no clear way to give the garbage collector a chance to try again later; (c) continuing to run the garbage collector after we've been asked to shut down the virtual machine seems rude; (d) we've never really supported that feature, anyway.) (3) Normal ref-counting will do. No need to call a battery of specialty functions to tear down a JSGlobalData. Its foibles notwithstanding, C++ does in fact know how to execute destructors in order. * API/JSContextRef.cpp: (JSGlobalContextCreate): Removed compatibility shim for older operating systems because it's no longer used. (JSGlobalContextRelease): Now that we can rely on JSGlobalData to "do the right thing", this code is much simpler. We still have one special case to notify the garbage collector if we're removing the last reference to the global object, since this can improve memory behavior. * heap/CopiedSpace.cpp: (JSC::CopiedSpace::freeAllBlocks): * heap/CopiedSpace.h: (CopiedSpace): Renamed "destroy" => "freeAllBlocks" because true destruction-time behaviors should be limited to our C++ destructor. * heap/Heap.cpp: (JSC::Heap::~Heap): (JSC): (JSC::Heap::lastChanceToFinalize): * heap/Heap.h: (Heap): (JSC::Heap::heap): Renamed "destroy" => "lastChanceToFinalize" because true destruction-time behaviors should be limited to our C++ destructor. Reorganized the code, putting code that must run before any objects get torn down into lastChanceToFinalize, and code that just tears down objects into our destructor. * heap/Local.h: (JSC::LocalStack::LocalStack): (JSC::LocalStack::push): (LocalStack): See rule (2). * jsc.cpp: (functionQuit): (main): (printUsageStatement): (parseArguments): (jscmain): * testRegExp.cpp: (main): (printUsageStatement): (parseArguments): (realMain): See rule (3). I removed the feature of ensuring orderly tear-down when calling quit() or running in --help mode because it didn't seem very useful and making it work with Windows structured exception handling and NO_RETURN didn't seem like a fun way to spend a Saturday. * runtime/JSGlobalData.h: * runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData): Moved heap to be the first data member in JSGlobalData to ensure that it's destructed last, so other objects that reference it destruct without crashing. This allowed me to remove clearBuiltinStructures() altogether, and helped guarantee rule (3). (JSC::JSGlobalData::~JSGlobalData): Explicitly call lastChanceToFinalize() at the head of our destructor to ensure that all pending finalizers run while the virtual machine is still in a valid state. Trying to resurrect (re-ref) the virtual machine at this point is not valid, but all other operations are. Changed a null to a 0xbbadbeef to clarify just how bad this beef is. * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::init): * runtime/JSGlobalObject.h: (JSGlobalObject): (JSC::JSGlobalObject::globalData): See rule (3). 2012-04-27 Geoffrey Garen Try to fix the Windows build. * heap/WeakBlock.h: (WeakBlock): 2012-04-27 Geoffrey Garen Made WeakSet::allocate() static and removed its JSGlobalData argument https://bugs.webkit.org/show_bug.cgi?id=85128 Reviewed by Anders Carlsson. This is a step toward faster finalization. WeakSet::allocate() now deduces which WeakSet to allocate from based on its JSCell* argument. (Currently, there's only one WeakSet, but soon there will be many.) This was a global replace of "globalData.heap.weakSet()->allocate" with "WeakSet::allocate", plus by-hand removal of the JSGlobalData argument. * heap/WeakSetInlines.h: Copied from Source/JavaScriptCore/heap/WeakSet.h. I had to split out WeakSet::allocate() in to a separate header to avoid a cycle. (JSC::WeakSet::allocate): We can mask the pointer we're passed to figure out where to allocate our WeakImpl. (Soon, we'll use this to associate the WeakImpl with the GC block it references.) 2012-04-27 Geoffrey Garen Stop using aligned allocation for WeakBlock https://bugs.webkit.org/show_bug.cgi?id=85124 Reviewed by Anders Carlsson. We don't actually use the alignment for anything. * heap/WeakBlock.cpp: (JSC::WeakBlock::create): (JSC::WeakBlock::WeakBlock): Switched from aligned allocation to regular allocation. * heap/WeakBlock.h: (WeakBlock): Don't use HeapBlock because HeapBlock requires aligned allocation. This change required me to add some declarations that we used to inherit from HeapBlock. (WeakBlock::blockFor): Removed. This function relied on aligned allocation but didn't do anything for us. (WeakBlock::deallocate): Removed. WeakBlock doesn't own any of the deallocation logic, so it shouldn't own the function. * heap/WeakSet.cpp: (JSC::WeakSet::~WeakSet): (JSC::WeakSet::finalizeAll): (JSC::WeakSet::visitLiveWeakImpls): (JSC::WeakSet::visitDeadWeakImpls): (JSC::WeakSet::sweep): (JSC::WeakSet::shrink): (JSC::WeakSet::resetAllocator): (JSC::WeakSet::tryFindAllocator): * heap/WeakSet.h: (WeakSet): Updated declarations to reflect WeakBlock not inheriting from HeapBlock. This allowed me to remove some casts, which was nice. (JSC::WeakSet::deallocate): Directly set the deallocated flag instead of asking WeakBlock to do it for us. We don't need to have a WeakBlock pointer to set the flag, so stop asking for one. 2012-04-27 Kentaro Hara [JSC] Implement a helper method createNotEnoughArgumentsError() https://bugs.webkit.org/show_bug.cgi?id=85102 Reviewed by Geoffrey Garen. In bug 84787, kbr@ requested to avoid hard-coding createTypeError(exec, "Not enough arguments") here and there. This patch implements createNotEnoughArgumentsError(exec) and uses it in JSC bindings. c.f. a corresponding bug for V8 bindings is bug 85097. * runtime/Error.cpp: (JSC::createNotEnoughArgumentsError): (JSC): * runtime/Error.h: (JSC): 2012-04-27 Geoffrey Garen Only allow non-null pointers in the WeakSet https://bugs.webkit.org/show_bug.cgi?id=85119 Reviewed by Darin Adler. This is a step toward more efficient finalization. No clients put non-pointers (JSValues) into Weak and PassWeak. Some clients put null pointers into Weak and PassWeak, but this is more efficient and straight-forward to model with a null in the Weak or PassWeak instead of allocating a WeakImpl just to hold null. * heap/PassWeak.h: (JSC): Removed the Unknown (JSValue) type of weak pointer because it's unused now. (PassWeak): Don't provide a default initializer for our JSCell* argument. This feature was only used in one place, and it was a bug. (JSC::::get): Don't check for a null stored inside our WeakImpl: that's not allowed anymore. (JSC::PassWeak::PassWeak): Handle null as a null WeakImpl instead of allocating a WeakImpl and storing null into it. * heap/Weak.h: (Weak): (JSC::::Weak): Same changes as in PassWeak. * heap/WeakBlock.cpp: (JSC::WeakBlock::visitLiveWeakImpls): (JSC::WeakBlock::visitDeadWeakImpls): Only non-null cells are valid in the WeakSet now, so no need to check for non-cells and null cell pointers. * heap/WeakImpl.h: (JSC::WeakImpl::WeakImpl): Only non-null cells are valid in the WeakSet now, so ASSERT that. 2012-04-27 Gavin Barraclough Math in JavaScript is inaccurate on iOS By defalut IEEE754 denormal support is disabled on iOS; turn it on. Reviewed by Filip Pizlo. * jsc.cpp: (main): - clear the appropriate bit in the fpscr. 2012-04-27 Michael Saboff Memory wasted in JSString for non-rope strings https://bugs.webkit.org/show_bug.cgi?id=84907 Reviewed by Geoffrey Garen. Split JSString into two classes, JSString as a base class that does not include the fibers of a Rope, and a subclass JSRopeString that has the rope functionality. Both classes "share" the same ClassInfo. Added a bool to JSString to indicate that the string was allocated as a JSRopeString to properly handle visiting the fiber children when the rope is resolved and the JSRopeString appears as a JSString. Didn't change the interface of JSString to require any JIT changes. As part of this change, removed "cellSize" from ClassInfo since both classes share the same ClassInfo, but have different sizes. The only use I could find for cellSize was an ASSERT in allocateCell(). This appears to be neutral on performance tests. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Changed JSString::resolveRope to JSRopeString::resolveRope * runtime/ClassInfo.h: (JSC): (ClassInfo): * runtime/JSCell.h: (JSC::allocateCell): * runtime/JSString.cpp: (JSC::JSRopeString::RopeBuilder::expand): (JSC::JSString::visitChildren): (JSC): (JSC::JSRopeString::visitFibers): (JSC::JSRopeString::resolveRope): (JSC::JSRopeString::resolveRopeSlowCase8): (JSC::JSRopeString::resolveRopeSlowCase): (JSC::JSRopeString::outOfMemory): (JSC::JSRopeString::getIndexSlowCase): * runtime/JSString.h: (JSC): (JSString): (JSC::JSString::finishCreation): (JSC::JSString::create): (JSC::JSString::isRope): (JSC::JSString::is8Bit): (JSRopeString): (RopeBuilder): (JSC::JSRopeString::RopeBuilder::RopeBuilder): (JSC::JSRopeString::RopeBuilder::append): (JSC::JSRopeString::RopeBuilder::release): (JSC::JSRopeString::RopeBuilder::length): (JSC::JSRopeString::JSRopeString): (JSC::JSRopeString::finishCreation): (JSC::JSRopeString::createNull): (JSC::JSRopeString::create): (JSC::JSString::value): (JSC::JSString::tryGetValue): (JSC::JSString::getIndex): (JSC::jsStringBuilder): * runtime/Operations.h: (JSC::jsString): (JSC::jsStringFromArguments): 2012-04-27 Oliver Hunt Correct assertion. * interpreter/Interpreter.cpp: (JSC::Interpreter::throwException): 2012-04-27 Oliver Hunt Lazy link phase of baseline jit fails to propagate exception https://bugs.webkit.org/show_bug.cgi?id=85092 Reviewed by Filip Pizlo. Very simple patch, when linking produces an error we need to actually store the exception prior to throwing it. I can't find any other examples of this, but as we're already in the slow path when throwing an exception I've hardened exception throwing against null exceptions. * interpreter/Interpreter.cpp: (JSC::Interpreter::throwException): * jit/JITStubs.cpp: (JSC::lazyLinkFor): 2012-04-27 Benjamin Poulain Generalize the single character optimization of numberProtoFuncToString https://bugs.webkit.org/show_bug.cgi?id=85027 Reviewed by Geoffrey Garen. The function numberProtoFuncToString() has an optimization to use SmallStrings::singleCharacterString() when the radix is 36. This patch generalize the optimization for any radix. Any positive number smaller than its radix can be represented by a single character of radixDigits. This makes numberProtoFuncToString() about twice as fast for this case of single digit conversion. * runtime/NumberPrototype.cpp: (JSC::numberProtoFuncToString): 2012-04-27 Gavin Peters Add new ENABLE_LINK_PRERENDER define to control the Prerendering API https://bugs.webkit.org/show_bug.cgi?id=84871 Reviewed by Adam Barth. Prerendering is currently covered by the ENABLE_LINK_PREFETCH macro, but the new Prerendering API separates it from prefetching. Having separate include guards lets ports enable prefetching, a relatively easy change, without needing to build the infrastructure for prerendering, which is considerably more complicated. * Configurations/FeatureDefines.xcconfig: 2012-04-26 Oliver Hunt Allocating WeakImpl should not trigger GC, as that makes the world very tricksy. https://bugs.webkit.org/show_bug.cgi?id=85020 Reviewed by Gavin Barraclough. Now in the event that we are unable to find an allocator for a new handle, just add a new allocator rather than trying to recover "dead" handles through a GC. Find allocator is now much simpler, and addAllocator directly reports the increased memory usage to the heap without causing any GC to happen immediately. * heap/WeakSet.cpp: (JSC::WeakSet::findAllocator): (JSC::WeakSet::addAllocator): 2012-04-26 Oliver Hunt Remove RegisterFile::end()/m_end https://bugs.webkit.org/show_bug.cgi?id=85011 Reviewed by Gavin Barraclough. Get rid of end() and m_end from RegisterFile. From now on we only care about the end of the committed region when calling code. When re-entering the VM we now plant the new CallFrame immediately after whatever the current topCallFrame is. This required adding a routine to CallFrame to determine exactly what we should be doing (in the absence of an existing CallFrame, we can't reason about the frameExtent() so we check for that). This also now means that the GC only marks the portion of the RegisterFile that is actually in use, and that VM re-entry doesn't exhaust the RegisterFile as rapidly. * dfg/DFGOperations.cpp: * heap/Heap.cpp: (JSC::Heap::getConservativeRegisterRoots): (JSC::Heap::markRoots): * interpreter/CallFrame.h: (JSC::ExecState::init): (JSC::ExecState::startOfReusableRegisterFile): (ExecState): * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): (JSC::Interpreter::prepareForRepeatCall): (JSC::Interpreter::privateExecute): * interpreter/Interpreter.h: (JSC::Interpreter::execute): * interpreter/RegisterFile.cpp: (JSC::RegisterFile::growSlowCase): (JSC::RegisterFile::gatherConservativeRoots): * interpreter/RegisterFile.h: (JSC::RegisterFile::commitEnd): (JSC::RegisterFile::addressOfEnd): (RegisterFile): (JSC::RegisterFile::RegisterFile): (JSC::RegisterFile::shrink): (JSC::RegisterFile::grow): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): (JSC::jitCompileFor): (JSC::lazyLinkFor): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::handleHostCall): * llint/LowLevelInterpreter.asm: * runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::arityCheckFor): 2012-04-26 Filip Pizlo DFG ARMv7 backend should optimize Float32 arrays https://bugs.webkit.org/show_bug.cgi?id=85000 Reviewed by Gavin Barraclough. * assembler/ARMv7Assembler.h: (ARMv7Assembler): (JSC::ARMv7Assembler::flds): (JSC::ARMv7Assembler::fsts): (JSC::ARMv7Assembler::vcvtds): (JSC::ARMv7Assembler::vcvtsd): * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::loadFloat): (MacroAssemblerARMv7): (JSC::MacroAssemblerARMv7::storeFloat): (JSC::MacroAssemblerARMv7::convertFloatToDouble): (JSC::MacroAssemblerARMv7::convertDoubleToFloat): * bytecode/PredictedType.h: (JSC::isActionableFloatMutableArrayPrediction): * dfg/DFGNode.h: (JSC::DFG::Node::shouldSpeculateFloat32Array): 2012-04-25 Benjamin Poulain Add a version of StringImpl::find() without offset https://bugs.webkit.org/show_bug.cgi?id=83968 Reviewed by Sam Weinig. Add support for the new StringImpl::find() to UString. Change stringProtoFuncIndexOf() to specifically take advatage of the feature. This gives a 12% gains on a distribution of strings between 30 and 100 characters. * runtime/StringPrototype.cpp: (JSC::substituteBackreferences): (JSC::stringProtoFuncIndexOf): * runtime/UString.h: (UString): (JSC::UString::find): 2012-04-25 Mark Hahnenberg WebCore shouldn't call collectAllGarbage directly https://bugs.webkit.org/show_bug.cgi?id=84897 Reviewed by Geoffrey Garen. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Exported symbol for reportAbanondedObjectGraph so WebCore can use it. * heap/Heap.h: Ditto. 2012-04-25 Oliver Hunt Biolab disaster crashes on ToT https://bugs.webkit.org/show_bug.cgi?id=84898 Reviewed by Filip Pizlo. Whoops, committed without saving reviewer requested change. * dfg/DFGVirtualRegisterAllocationPhase.cpp: (JSC::DFG::VirtualRegisterAllocationPhase::run): 2012-04-25 Oliver Hunt Biolab disaster crashes on ToT https://bugs.webkit.org/show_bug.cgi?id=84898 Reviewed by Filip Pizlo. I recently added an assertion to the Interpreter to catch incorrect updates of topCallFrame. This caused a bunch of sites (including biolab disaster) to crash as we were not correctly handling callee registers of inlined functions, leading to a mismatch. I could not actually make this trigger directly, although it does trigger already on some of the GTK and QT bots. * dfg/DFGVirtualRegisterAllocationPhase.cpp: (JSC::DFG::VirtualRegisterAllocationPhase::run): 2012-04-25 Kenneth Russell Delete CanvasPixelArray, ByteArray, JSByteArray and JSC code once unreferenced https://bugs.webkit.org/show_bug.cgi?id=83655 Reviewed by Oliver Hunt. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.gypi: * JavaScriptCore.order: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * bytecode/PredictedType.cpp: (JSC::predictionToString): (JSC::predictionToAbbreviatedString): (JSC::predictionFromClassInfo): * bytecode/PredictedType.h: (JSC): (JSC::isActionableIntMutableArrayPrediction): * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::initialize): (JSC::DFG::AbstractState::execute): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: * dfg/DFGNodeType.h: (DFG): * dfg/DFGOperations.cpp: (JSC::DFG::putByVal): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::checkArgumentTypes): (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::ValueSource::forPrediction): (SpeculativeJIT): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * jit/JITStubs.h: * llint/LLIntSlowPaths.cpp: (JSC::LLInt::getByVal): (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/JSByteArray.cpp: Removed. * runtime/JSByteArray.h: Removed. * runtime/JSGlobalData.cpp: 2012-04-25 Filip Pizlo http://bellard.org/jslinux/ triggers an assertion failure in the DFG JIT https://bugs.webkit.org/show_bug.cgi?id=84815 Reviewed by Gavin Barraclough. * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck): 2012-04-25 Michael Saboff Closure in try {} with catch captures all locals from the enclosing function https://bugs.webkit.org/show_bug.cgi?id=84804 Reviewed by Oliver Hunt. Changed the capturing of local variables from capturing when eval is used, within a "with" or within a "catch" to be just when an eval is used. Renamed the function returning that we should capture from getCapturedVariables() to usesEval(), since that what it noew returns. Needed to fix the "with" code to only range check when the activation has actually been torn off. Added m_isTornOff to JSActivation to track this. * parser/Parser.h: (JSC::Scope::usesEval): (JSC::Scope::getCapturedVariables): * runtime/JSActivation.cpp: (JSC::JSActivation::JSActivation): (JSC::JSActivation::symbolTableGet): (JSC::JSActivation::symbolTablePut): * runtime/JSActivation.h: (JSActivation): (JSC::JSActivation::tearOff): 2012-04-24 Mark Hahnenberg GC Activity Callback timer should be based on how much has been allocated since the last collection https://bugs.webkit.org/show_bug.cgi?id=84763 Reviewed by Geoffrey Garen. The desired behavior for the GC timer is to collect at some point in the future, regardless of how little we've allocated. A secondary goal, which is almost if not as important, is for the timer to collect sooner if there is the potential to collect a greater amount of memory. Conversely, as we allocate more memory we'd like to reduce the delay to the next collection. If we're allocating quickly enough, the timer should be preempted in favor of a normal allocation-triggered collection. If allocation were to slow or stop, we'd like the timer to be able to opportunistically run a collection without us having to allocate to the hard limit set by the Heap. This type of policy can be described in terms of the amount of CPU we are willing to dedicate to reclaim a single MB of memory. For example, we might be willing to dedicate 1% of our CPU to reclaim 1 MB. We base our CPU usage off of the length of the last collection, e.g. if our last collection took 1ms, we would want to wait about 100ms before running another collection to reclaim 1 MB. These constants should be tune-able, e.g. 0.1% CPU = 1 MB vs. 1% CPU = 1 MB vs. 10% CPU = 1 MB. * API/JSBase.cpp: Use the new reportAbandonedObjectGraph. (JSGarbageCollect): * API/JSContextRef.cpp: Ditto. * heap/Heap.cpp: (JSC::Heap::Heap): (JSC::Heap::reportAbandonedObjectGraph): Similar to reportExtraMemoryCost. Clients call this function to notify the Heap that some unknown number of JSC objects might have just been abandoned and are now garbage. The Heap might schedule a new collection timer based on this notification. (JSC): (JSC::Heap::collect): Renamed m_lastFullGCSize to the less confusing m_sizeAfterLastCollect. * heap/Heap.h: (Heap): * heap/MarkedAllocator.h: (JSC::MarkedAllocator::zapFreeList): Fixed a bug in zapFreeList that failed to nullify the current allocator's FreeList once zapping was complete. * runtime/GCActivityCallback.cpp: Removed didAbandonObjectGraph because it was replaced by Heap::reportAbandonedObjectGraph. (JSC): * runtime/GCActivityCallback.h: (JSC::GCActivityCallback::willCollect): (DefaultGCActivityCallback): * runtime/GCActivityCallbackCF.cpp: Refactored the GC timer code so that we now schedule the timer based on how much we have allocated since the last collection up to a certain amount. We use the length of the previous GC to try to keep our total cost of opportunistic timer-triggered collections around 1% of the CPU per MB of garbage we expect to reclaim up to a maximum of 5 MB. (DefaultGCActivityCallbackPlatformData): (JSC): (JSC::DefaultGCActivityCallback::~DefaultGCActivityCallback): (JSC::DefaultGCActivityCallback::commonConstructor): (JSC::scheduleTimer): (JSC::cancelTimer): (JSC::DefaultGCActivityCallback::didAllocate): 2012-04-24 Michael Saboff objectProtoFuncToString creates new string every invocation https://bugs.webkit.org/show_bug.cgi?id=84781 Reviewed by Geoffrey Garen. Cache the results of object toString() in the attached Structure. * runtime/ObjectPrototype.cpp: (JSC::objectProtoFuncToString): * runtime/Structure.cpp: (JSC::Structure::visitChildren): visit new m_hasObjectToStringValue. * runtime/Structure.h: Added new member m_hasObjectToStringValue (JSC): (JSC::Structure::objectToStringValue): (Structure): (JSC::Structure::setObjectToStringValue): 2012-04-24 Thouraya ANDOLSI Reviewed by Oliver Hunt. https://bugs.webkit.org/show_bug.cgi?id=84727. Fix build when ENABLE_JIT_CONSTANT_BLINDING enabled. * assembler/MacroAssemblerSH4.h: (JSC::MacroAssemblerSH4::or32): (JSC::MacroAssemblerSH4::and32): (JSC::MacroAssemblerSH4::lshift32): (JSC::MacroAssemblerSH4::xor32): (JSC::MacroAssemblerSH4::branchSub32): (JSC::MacroAssemblerSH4::urshift32): 2012-04-24 Gavin Barraclough Add explicit patchableBranchPtrWithPatch/patchableJump methods https://bugs.webkit.org/show_bug.cgi?id=84498 Reviewed by Filip Pizlo. Don't rely on inUninterruptedSequence to distinguish which jumps we need to be able to repatch. * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::PatchableJump::PatchableJump): (PatchableJump): (JSC::AbstractMacroAssembler::PatchableJump::operator Jump&): (AbstractMacroAssembler): (JSC::AbstractMacroAssembler::AbstractMacroAssembler): - Added PatchableJump type, removed inUninterruptedSequence. * assembler/LinkBuffer.h: (LinkBuffer): (JSC::LinkBuffer::locationOf): - Only allow the location to be taken of patchable branches * assembler/MacroAssembler.h: (MacroAssembler): (JSC::MacroAssembler::patchableBranchPtrWithPatch): (JSC::MacroAssembler::patchableJump): (JSC::MacroAssembler::shouldBlind): - Added default implementation of patchableBranchPtrWithPatch, patchableJump. * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::MacroAssemblerARMv7): (MacroAssemblerARMv7): (JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch): (JSC::MacroAssemblerARMv7::patchableJump): (JSC::MacroAssemblerARMv7::jump): (JSC::MacroAssemblerARMv7::makeBranch): - Added ARMv7 implementation of patchableBranchPtrWithPatch, patchableJump. * dfg/DFGCorrectableJumpPoint.h: (DFG): (JSC::DFG::CorrectableJumpPoint::switchToLateJump): - Late jumps are PatchableJumps. * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::linkOSRExits): - replace use of inUninterruptedSequence * dfg/DFGJITCompiler.h: (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord): (PropertyAccessRecord): - replace use of inUninterruptedSequence * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::cachedPutById): - replace use of inUninterruptedSequence * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::cachedGetById): (JSC::DFG::SpeculativeJIT::cachedPutById): - replace use of inUninterruptedSequence * jit/JIT.h: (PropertyStubCompilationInfo): - replace use of inUninterruptedSequence * jit/JITInlineMethods.h: (JSC::JIT::beginUninterruptedSequence): (JSC::JIT::endUninterruptedSequence): - replace use of inUninterruptedSequence * jit/JITPropertyAccess.cpp: (JSC::JIT::compileGetByIdHotPath): - replace use of inUninterruptedSequence * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::compileGetByIdHotPath): - replace use of inUninterruptedSequence 2012-04-24 Benjamin Poulain Generalize the single character optimization of r114072 https://bugs.webkit.org/show_bug.cgi?id=83961 Reviewed by Eric Seidel. Use the regular String::find(StringImpl*) in all cases now that it has been made faster. * runtime/StringPrototype.cpp: (JSC::replaceUsingStringSearch): 2012-04-24 Filip Pizlo Unreviewed, 32-bit build fix. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2012-04-24 Filip Pizlo DFG performs incorrect DCE on (some?) intrinsics https://bugs.webkit.org/show_bug.cgi?id=84746 Reviewed by Oliver Hunt. * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): * dfg/DFGByteCodeParser.cpp: (ByteCodeParser): (JSC::DFG::ByteCodeParser::setIntrinsicResult): (JSC::DFG::ByteCodeParser::handleMinMax): (JSC::DFG::ByteCodeParser::handleIntrinsic): * dfg/DFGNodeType.h: (DFG): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2012-04-24 Mark Hahnenberg Failure to allocate ArrayStorage in emit_op_new_array leads to poisonous JSArray https://bugs.webkit.org/show_bug.cgi?id=84648 Reviewed by Geoffrey Garen. When emit_op_new_array successfully allocates a new JSArray but fails to allocate the corresponding ArrayStorage for it, it falls back to the out-of-line stub call to constructArray, which constructs and entirely new JSArray/ArrayStorage pair. This leaves us with a JSArray hanging around on the stack or in a register that did not go through its own constructor, thus giving it uninitialized memory in the two fields that are checked in JSArray::visitChildren. * jit/JITInlineMethods.h: (JSC::JIT::emitAllocateJSArray): We try to allocate the ArrayStorage first, so that if we fail we haven't generated the poisonous JSArray that can cause a GC crash. * jit/JITOpcodes.cpp: (JSC::JIT::emitSlow_op_new_array): 2012-04-23 Filip Pizlo DFG on ARMv7 should not OSR exit on every integer division https://bugs.webkit.org/show_bug.cgi?id=84661 Reviewed by Oliver Hunt. On ARMv7, ArithDiv no longer has to know whether or not to speculate integer (since that was broken with the introduction of Int32ToDouble) nor does it have to know whether or not to convert its result to integer. This is now taken care of for free with the addition of the DoubleAsInt32 node, which represents a double-is-really-int speculation. * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNodeType.h: (DFG): * dfg/DFGOSRExit.cpp: (JSC::DFG::OSRExit::OSRExit): (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow): * dfg/DFGOSRExit.h: (OSRExit): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor): (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32): (DFG): * dfg/DFGSpeculativeJIT.h: (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::speculationCheck): (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): 2012-04-24 Geoffrey Garen "GlobalHandle" HandleHeap (now WeakSet) allocations grow but do not shrink https://bugs.webkit.org/show_bug.cgi?id=84740 Reviewed by Gavin Barraclough. Shrink! * heap/Heap.cpp: (JSC::Heap::destroy): Be more specific about what's shrinking, since we can also shrink the WeakSet, but we don't do so here. (JSC::Heap::collect): If we're going to shrink the heap, shrink the WeakSet too. Otherwise, its footprint is permanent. * heap/Heap.h: (Heap): Removed shrink() as a public interface, since it's vague about which parts of the heap it affects, and it's really an internal detail. * heap/WeakSet.cpp: (JSC::WeakSet::shrink): Nix any free blocks. We assume that sweep() has already taken place, since that's the convention for shrink() in the heap. * heap/WeakSet.h: (WeakSet): New function! 2012-04-24 Adam Klein Fix includes in StrongInlines.h and ScriptValue.h https://bugs.webkit.org/show_bug.cgi?id=84659 Reviewed by Geoffrey Garen. * heap/StrongInlines.h: Include JSGlobalData.h, since JSGlobalData's definiition is required here. 2012-04-23 Filip Pizlo DFG OSR exit should ensure that all variables have been initialized https://bugs.webkit.org/show_bug.cgi?id=84653 Reviewed by Gavin Barraclough. Initialize all uncaptured dead variables to undefined on OSR exit. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::ValueSource::dump): (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor): * dfg/DFGSpeculativeJIT.h: 2012-04-23 Oliver Hunt Call instruction for the baseline JIT stores origin info in wrong callframe https://bugs.webkit.org/show_bug.cgi?id=84645 Reviewed by Gavin Barraclough. The baseline JIT was updating the wrong callframe when making a call. If the call failed during dispatch (unable to perform codegen, calling a non-object) we would attempt to use this information, but it would be completely wrong. * jit/JITCall.cpp: (JSC::JIT::compileOpCall): * jit/JITCall32_64.cpp: (JSC::JIT::compileOpCall): 2012-04-23 Filip Pizlo DFG must keep alive values that it will perform speculations on https://bugs.webkit.org/show_bug.cgi?id=84638 Reviewed by Oliver Hunt. * dfg/DFGNodeType.h: (DFG): 2012-04-23 Oliver Hunt Fix non-LLInt builds by temporarily removing an over-enthusiastic assertion * interpreter/Interpreter.cpp: (JSC::Interpreter::executeCall): 2012-04-22 Jon Lee Remove notifications support on Mac Lion. https://bugs.webkit.org/show_bug.cgi?id=84554 Reviewed by Sam Weinig. * Configurations/FeatureDefines.xcconfig: 2012-04-21 Darin Adler Change JavaScript lexer to use 0 instead of -1 for sentinel, eliminating the need to put characters into ints https://bugs.webkit.org/show_bug.cgi?id=84523 Reviewed by Oliver Hunt. Profiles showed that checks against -1 were costly, and I saw they could be eliminated. Streamlined this code to use standard character types and 0 rather than -1. One benefit of this is that there's no widening and narrowing. Another is that there are many cases where we already have the correct behavior for 0, so can eliminate a branch that was used to test for -1 before. Also eliminates typecasts in the code. * parser/Lexer.cpp: (JSC::Lexer::invalidCharacterMessage): Updated use of String::format since m_current is now a character type, not an int. (JSC::Lexer::setCode): Use 0 rather than -1 when past the end. (JSC::Lexer::shift): Ditto. Also spruced up the comment a bit. (JSC::Lexer::atEnd): Added. New function that distinguishes an actual 0 character from the end of the code. This can be used places we used to cheeck for -1. (JSC::Lexer::peek): Updated to use -1 instead of 0. Removed meaningless comment. (JSC::Lexer::parseFourDigitUnicodeHex): Changed to use character types instead of int. (JSC::Lexer::shiftLineTerminator): Removed now-unneeded type casts. Changed local variable that had a data-member-style name. (JSC::Lexer::parseIdentifier): Removed now-unneeded explicit checks for -1, since the isIdentPart function already returns false for the 0 character. Updated types in a couple other places. Used the atEnd function where needed. (JSC::Lexer::parseIdentifierSlowCase): More of the same. (JSC::characterRequiresParseStringSlowCase): Added overloaded helper function for parseString. (JSC::Lexer::parseString): Ditto. (JSC::Lexer::parseStringSlowCase): Ditto. (JSC::Lexer::parseMultilineComment): Ditto. (JSC::Lexer::lex): More of the same. Also changed code to set the startOffset directly in the tokenInfo instead of putting it in a local variable first, saving some memory access. (JSC::Lexer::scanRegExp): Ditto. (JSC::Lexer::skipRegExp): Ditto. * parser/Lexer.h: Changed return type of the peek function and type of m_current from int to the character type. Added atEnd function. (JSC::Lexer::setOffset): Used 0 instead of -1 and removed an overzealous attempt to optimize. (JSC::Lexer::lexExpectIdentifier): Used 0 instead of -1. 2012-04-21 Darin Adler Change JavaScript lexer to use 0 instead of -1 for sentinel, eliminating the need to put characters into ints https://bugs.webkit.org/show_bug.cgi?id=84523 Reviewed by Oliver Hunt. Separate preparation step of copyright dates, renaming, and other small tweaks. * parser/Lexer.cpp: (JSC::Lexer::invalidCharacterMessage): Removed "get" from name to match WebKit naming conventions. (JSC::Lexer::peek): Removed meaningless comment. (JSC::Lexer::parseFourDigitUnicodeHex): Renamed from getUnicodeCharacter to be more precise about what this function does. (JSC::Lexer::shiftLineTerminator): Renamed local variable that had a data-member-style name. (JSC::Lexer::parseStringSlowCase): Updated for new name of parseFourDigitUnicodeHex. (JSC::Lexer::lex): Updated for new name of invalidCharacterMessage. * parser/Lexer.h: Removed an unneeded forward declaration of the RegExp class. Renamed getInvalidCharMessage to invalidCharacterMessage and made it const. Renamed getUnicodeCharacter to parseFourDigitUnicodeHex. 2012-04-20 Filip Pizlo DFG should optimize int8 and int16 arrays on ARMv7 https://bugs.webkit.org/show_bug.cgi?id=84503 Reviewed by Oliver Hunt. * assembler/ARMv7Assembler.h: (ARMv7Assembler): (JSC::ARMv7Assembler::ldrsb): (JSC::ARMv7Assembler::ldrsh): * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::load16Signed): (JSC::MacroAssemblerARMv7::load8Signed): * bytecode/PredictedType.h: (JSC::isActionableIntMutableArrayPrediction): * dfg/DFGNode.h: (JSC::DFG::Node::shouldSpeculateInt8Array): (JSC::DFG::Node::shouldSpeculateInt16Array): 2012-04-20 Oliver Hunt Add an ability to find the extent of a callframe https://bugs.webkit.org/show_bug.cgi?id=84513 Reviewed by Filip Pizlo. Add a function to get the extent of a callframe and use that function for a new assertion to make sure the RegisterFile makes sense using that information. * interpreter/CallFrame.cpp: (JSC::CallFrame::frameExtentInternal): (JSC): * interpreter/CallFrame.h: (JSC::ExecState::frameExtent): (ExecState): * interpreter/Interpreter.cpp: (JSC::Interpreter::executeCall): 2012-04-20 Benjamin Poulain Inline the JSArray constructor https://bugs.webkit.org/show_bug.cgi?id=84416 Reviewed by Geoffrey Garen. The constructor is trivial, no reason to jump for it. This makes the creation of array ~5% faster (on non-trivial cases, no empty arrays). * runtime/JSArray.cpp: (JSC): * runtime/JSArray.h: (JSC::JSArray::JSArray): * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2012-04-20 Mark Hahnenberg Heap should cancel GC timer at the start of the collection https://bugs.webkit.org/show_bug.cgi?id=84477 Reviewed by Geoffrey Garen. Currently the Heap cancels the GC timer at the conclusion of a collection. We should change this to be at the beginning because something (e.g. a finalizer) could call didAbandonObjectGraph(), which will schedule the timer, but then we'll immediately unschedule the timer at the conclusion of the collection, thus potentially preventing large swaths of memory from being reclaimed in a timely manner. * API/JSBase.cpp: (JSGarbageCollect): Remove outdated fix-me and remove check for whether the Heap is busy or not, since we're just scheduling a timer to run a GC in the future. * heap/Heap.cpp: (JSC::Heap::collect): Rename didCollect to willCollect and move the call to the top of Heap::collect. * runtime/GCActivityCallback.cpp: Renamed didCollect to willCollect. (JSC::DefaultGCActivityCallback::willCollect): * runtime/GCActivityCallback.h: Ditto. (JSC::GCActivityCallback::willCollect): (DefaultGCActivityCallback): * runtime/GCActivityCallbackCF.cpp: Ditto. (JSC::DefaultGCActivityCallback::willCollect): 2012-04-20 Mark Hahnenberg JSGarbageCollect should not call collectAllGarbage() https://bugs.webkit.org/show_bug.cgi?id=84476 Reviewed by Geoffrey Garen. * API/JSBase.cpp: (JSGarbageCollect): Notify the Heap's GCActivityCallback using didAbandonObjectGraph. 2012-04-19 Oliver Hunt Exception stack traces aren't complete when the exception starts in native code https://bugs.webkit.org/show_bug.cgi?id=84073 Reviewed by Filip Pizlo. Refactored building the stack trace to so that we can construct it earlier, and don't rely on any prior work performed in the exception handling machinery. Also updated LLInt and the DFG to completely initialise the callframes of host function calls. Also fixed a few LLInt paths that failed to correctly update the topCallFrame. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * dfg/DFGJITCompiler.h: * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * interpreter/Interpreter.cpp: (JSC::eval): (JSC::Interpreter::getStackTrace): (JSC::Interpreter::addStackTraceIfNecessary): (JSC): (JSC::Interpreter::throwException): * interpreter/Interpreter.h: (Interpreter): * jit/JITCall.cpp: (JSC::JIT::compileOpCall): * jit/JITCall32_64.cpp: (JSC::JIT::compileOpCall): * jit/JITOpcodes.cpp: (JSC::JIT::privateCompileCTINativeCall): * jit/JITOpcodes32_64.cpp: (JSC::JIT::privateCompileCTINativeCall): * jsc.cpp: (functionJSCStack): * llint/LLIntExceptions.cpp: (JSC::LLInt::interpreterThrowInCaller): (JSC::LLInt::returnToThrow): (JSC::LLInt::callToThrow): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::handleHostCall): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * parser/Parser.h: (JSC::::parse): * runtime/Error.cpp: (JSC::addErrorInfo): (JSC::throwError): * runtime/Error.h: (JSC): 2012-04-19 Mark Hahnenberg We're collecting pathologically due to small allocations https://bugs.webkit.org/show_bug.cgi?id=84404 Reviewed by Geoffrey Garen. No change in performance on run-jsc-benchmarks. * dfg/DFGSpeculativeJIT.h: Replacing m_firstFreeCell with m_freeList. (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): * heap/CopiedSpace.cpp: Getting rid of any water mark related stuff, since it's no longer useful. (JSC::CopiedSpace::CopiedSpace): (JSC::CopiedSpace::tryAllocateSlowCase): We now only call didAllocate here rather than carrying out a somewhat complicated accounting job for our old water mark throughout CopiedSpace. (JSC::CopiedSpace::tryAllocateOversize): Call the new didAllocate to notify the Heap of newly allocated stuff. (JSC::CopiedSpace::tryReallocateOversize): (JSC::CopiedSpace::doneFillingBlock): (JSC::CopiedSpace::doneCopying): (JSC::CopiedSpace::destroy): * heap/CopiedSpace.h: (CopiedSpace): * heap/CopiedSpaceInlineMethods.h: (JSC::CopiedSpace::startedCopying): * heap/Heap.cpp: Removed water mark related stuff, replaced with new bytesAllocated and bytesAllocatedLimit to track how much memory has been allocated since the last collection. (JSC::Heap::Heap): (JSC::Heap::reportExtraMemoryCostSlowCase): (JSC::Heap::collect): We now set the new limit of bytes that we can allocate before triggering a collection to be the size of the Heap after the previous collection. Thus, we still have our 2x allocation amount. (JSC::Heap::didAllocate): Notifies the GC activity timer of how many bytes have been allocated thus far and then adds the new number of bytes to the current total. (JSC): * heap/Heap.h: Removed water mark related stuff. (JSC::Heap::notifyIsSafeToCollect): (Heap): (JSC::Heap::shouldCollect): (JSC): * heap/MarkedAllocator.cpp: (JSC::MarkedAllocator::tryAllocateHelper): Refactored to use MarkedBlock's new FreeList struct. (JSC::MarkedAllocator::allocateSlowCase): (JSC::MarkedAllocator::addBlock): * heap/MarkedAllocator.h: (MarkedAllocator): (JSC::MarkedAllocator::MarkedAllocator): (JSC::MarkedAllocator::allocate): (JSC::MarkedAllocator::zapFreeList): Refactored to take in a FreeList instead of a FreeCell. * heap/MarkedBlock.cpp: (JSC::MarkedBlock::specializedSweep): (JSC::MarkedBlock::sweep): (JSC::MarkedBlock::sweepHelper): (JSC::MarkedBlock::zapFreeList): * heap/MarkedBlock.h: (FreeList): Added a new struct that keeps track of the current MarkedAllocator's free list including the number of bytes of stuff in the free list so that when the free list is exhausted, the correct amount can be reported to Heap. (MarkedBlock): (JSC::MarkedBlock::FreeList::FreeList): (JSC): * heap/MarkedSpace.cpp: Removing all water mark related stuff. (JSC::MarkedSpace::MarkedSpace): (JSC::MarkedSpace::resetAllocators): * heap/MarkedSpace.h: (MarkedSpace): (JSC): * heap/WeakSet.cpp: (JSC::WeakSet::findAllocator): Refactored to use the didAllocate interface with the Heap. This function still needs work though now that the Heap knows how many bytes have been allocated since the last collection. * jit/JITInlineMethods.h: Refactored to use MarkedBlock's new FreeList struct. (JSC::JIT::emitAllocateBasicJSObject): Ditto. * llint/LowLevelInterpreter.asm: Ditto. * runtime/GCActivityCallback.cpp: (JSC::DefaultGCActivityCallback::didAllocate): * runtime/GCActivityCallback.h: (JSC::GCActivityCallback::didAllocate): Renamed willAllocate to didAllocate to indicate that the allocation that is being reported has already taken place. (DefaultGCActivityCallback): * runtime/GCActivityCallbackCF.cpp: (JSC): (JSC::DefaultGCActivityCallback::didAllocate): Refactored to return early if the amount of allocation since the last collection is not above a threshold (initially arbitrarily chosen to be 128KB). 2012-04-19 Filip Pizlo MacroAssemblerARMv7::branchTruncateDoubleToUint32 should obey the overflow signal https://bugs.webkit.org/show_bug.cgi?id=84401 Reviewed by Gavin Barraclough. * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::branchTruncateDoubleToUint32): 2012-04-19 Don Olmstead KeywordLookupGenerator.py should take an output file as an argument https://bugs.webkit.org/show_bug.cgi?id=84292 Reviewed by Eric Seidel. Extended KeywordLookupGenerator to accept an additional argument specifying an output file. If this argument is found stdout is redirected to a file for the duration of the script. * KeywordLookupGenerator.py: 2012-04-19 Filip Pizlo It should be possible to perform debugCall on ARMv7 https://bugs.webkit.org/show_bug.cgi?id=84381 Reviewed by Oliver Hunt. debugCall() was clobbering the argument to the call it was making, leading to a corrupt ExecState*. This change fixes that issue by using a scratch register that does not clobber arguments, and it also introduces more assertions that we have a valid call frame. * dfg/DFGAssemblyHelpers.cpp: (DFG): (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame): * dfg/DFGAssemblyHelpers.h: (JSC::DFG::AssemblyHelpers::selectScratchGPR): (AssemblyHelpers): (JSC::DFG::AssemblyHelpers::debugCall): (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::linkOSRExits): * dfg/DFGOSRExitCompiler.cpp: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::selectScratchGPR): 2012-04-19 Filip Pizlo LLInt no-JIT fallback native call trampoline's exception handler incorrectly assumes that the PB/PC has been preserved https://bugs.webkit.org/show_bug.cgi?id=84367 Reviewed by Oliver Hunt. * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: 2012-04-19 Filip Pizlo It should be possible to load from Float64 arrays on ARMv7 without crashing https://bugs.webkit.org/show_bug.cgi?id=84361 Reviewed by Oliver Hunt. * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::loadDouble): (JSC::MacroAssemblerARMv7::storeDouble): 2012-04-19 Dominik Röttsches [CMake] Build fix after r114575 https://bugs.webkit.org/show_bug.cgi?id=84322 Reviewed by Simon Hausmann. Build fix, adding WTF when linking jsc shell. * shell/CMakeLists.txt: 2012-04-18 Filip Pizlo JSC testing should have complete coverage over typed array types https://bugs.webkit.org/show_bug.cgi?id=84302 Reviewed by Geoff Garen. Added Uint8ClampedArray to the set of typed arrays that are supported by jsc command-line. * JSCTypedArrayStubs.h: (JSC): * jsc.cpp: (GlobalObject::finishCreation): 2012-04-18 Filip Pizlo jsc command line should support typed arrays by default https://bugs.webkit.org/show_bug.cgi?id=84298 Rubber stamped by Gavin Barraclough. * JSCTypedArrayStubs.h: (JSC): * jsc.cpp: (GlobalObject::finishCreation): 2012-04-18 Filip Pizlo JSVALUE32_64 should be able to perform division on ARM without crashing, and variables forced double should not be scrambled when performing OSR entry https://bugs.webkit.org/show_bug.cgi?id=84272 Reviewed by Geoff Garen. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGOSREntry.cpp: (JSC::DFG::prepareOSREntry): 2012-04-18 Don Olmstead JavaScriptCore.gypi not current https://bugs.webkit.org/show_bug.cgi?id=84224 Reviewed by Eric Seidel. Updated JavaScriptCore.gypi to contain the latest sources. Removed os-win32 as it wasn't used. Also removed references to ICU files in the gypi file as ICU is most likely specified by the port itself. Private and public header files were determined by looking at copy-files.cmd within Apple's Visual Studio directory. * JavaScriptCore.gypi: 2012-04-18 Benjamin Poulain Remove m_subclassData from JSArray, move the attribute to subclass as needed https://bugs.webkit.org/show_bug.cgi?id=84249 Reviewed by Geoffrey Garen. JSArray's m_subclassData is only used by WebCore's RuntimeArray. This patch moves the attribute to RuntimeArray to avoid allocating memory for the pointer in the common case. This gives ~1% improvement in JSArray creation microbenchmark thanks to fewer allocations of CopiedSpace. * jit/JITInlineMethods.h: (JSC::JIT::emitAllocateJSArray): * runtime/JSArray.cpp: (JSC::JSArray::JSArray): * runtime/JSArray.h: 2012-04-18 Benjamin Poulain replaceUsingStringSearch: delay the creation of the replace string until needed https://bugs.webkit.org/show_bug.cgi?id=83841 Reviewed by Geoffrey Garen. We do not need to obtain the replaceValue until we have a match. By moving the intialization of replaceValue when needed, we save a few instructions when there is no match. * runtime/StringPrototype.cpp: (JSC::replaceUsingRegExpSearch): (JSC::replaceUsingStringSearch): (JSC::stringProtoFuncReplace): 2012-04-18 Mark Hahnenberg GC activity timer should be tied to allocation, not collection https://bugs.webkit.org/show_bug.cgi?id=83919 Reviewed by Geoffrey Garen. * API/JSContextRef.cpp: Used the new didAbandonObjectGraph callback to indicate that now that we've released a global object, we're abandoning a potentially large number of objects that JSC might want to collect. * heap/CopiedSpace.cpp: (JSC::CopiedSpace::tryAllocateSlowCase): Added the call to timer's willAllocate function to indicate that we've hit a slow path and are allocating now, so schedule the timer. * heap/Heap.cpp: (JSC::Heap::Heap): (JSC::Heap::collectAllGarbage): Removed the call to discardAllCompiledCode because it was causing us to throw away too much code during our benchmarks (especially vp8, which is very large and thus has large amounts of compiled code). (JSC::Heap::collect): Added the new call to didCollect at the conclusion of a collection so that we can cancel the timer if we no longer need to run a collection. Also added a check at the beginning of a collection to see if we should throw away our compiled code. Currently this is set to happen about once every minute. * heap/Heap.h: Added field to keep track of the last time we threw away our compiled code. * heap/MarkedAllocator.cpp: (JSC::MarkedAllocator::allocateSlowCase): Added call to willAllocate on the allocation slow path, just like in CopiedSpace. * runtime/GCActivityCallback.cpp: Added default stubs for non-CF platforms. (JSC::DefaultGCActivityCallback::willAllocate): (JSC): (JSC::DefaultGCActivityCallback::didCollect): (JSC::DefaultGCActivityCallback::didAbandonObjectGraph): * runtime/GCActivityCallback.h: Added new functions to make JSC's GC timer less arcane. This includes replacing the operator () with willAllocate() and adding an explicit didCollect() to cancel the timer after a collection occurs rather than relying on the way the timer is invoked to cancel itself. Also added a callback for when somebody else (e.g. WebCore or the JSC API) to notify JSC that they have just abandoned an entire graph of objects and that JSC might want to clean them up. (JSC::GCActivityCallback::~GCActivityCallback): (JSC::GCActivityCallback::willAllocate): (JSC::GCActivityCallback::didCollect): (JSC::GCActivityCallback::didAbandonObjectGraph): (JSC::GCActivityCallback::synchronize): (DefaultGCActivityCallback): * runtime/GCActivityCallbackCF.cpp: Re-wired all the run loop stuff to implement the aforementioned functions. We added a flag to check whether the timer was active because the call to CFRunLoopTimerSetNextFireDate actually turned out to be quite expensive (although Instruments couldn't tell us this). (DefaultGCActivityCallbackPlatformData): (JSC): (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire): (JSC::DefaultGCActivityCallback::commonConstructor): (JSC::scheduleTimer): (JSC::cancelTimer): (JSC::DefaultGCActivityCallback::willAllocate): (JSC::DefaultGCActivityCallback::didCollect): (JSC::DefaultGCActivityCallback::didAbandonObjectGraph): 2012-04-17 Filip Pizlo DFG should not attempt to get rare case counts for op_mod on ARM https://bugs.webkit.org/show_bug.cgi?id=84218 Reviewed by Geoff Garen. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::makeSafe): * dfg/DFGCommon.h: (JSC::DFG::isX86): (DFG): 2012-04-17 Myles Maxfield BumpPointerAllocator assumes page size is less than MINIMUM_BUMP_POOL_SIZE https://bugs.webkit.org/show_bug.cgi?id=80912 Reviewed by Hajime Morita. * wtf/BumpPointerAllocator.h: (WTF::BumpPointerPool::create): 2012-04-17 Filip Pizlo Attempt to fix Windows build. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2012-04-17 Filip Pizlo It should be possible to create an inheritorID for the global this object without crashing https://bugs.webkit.org/show_bug.cgi?id=84200 Reviewed by Oliver Hunt. * runtime/JSGlobalThis.cpp: (JSC::JSGlobalThis::setUnwrappedObject): * runtime/JSGlobalThis.h: (JSC::JSGlobalThis::unwrappedObject): (JSGlobalThis): * runtime/JSObject.cpp: (JSC::JSObject::createInheritorID): * runtime/JSObject.h: (JSObject): (JSC::JSObject::resetInheritorID): 2012-04-17 Filip Pizlo DFG and LLInt should not clobber the frame pointer on ARMv7 https://bugs.webkit.org/show_bug.cgi?id=84185 Reviewed by Gavin Barraclough. Changed LLInt to use a different register. Changed DFG to use one fewer registers. We should revisit this and switch the DFG to use a different register instead of r7, but we can do that in a subsequent step since the performance effect is tiny. * dfg/DFGGPRInfo.h: (GPRInfo): (JSC::DFG::GPRInfo::toRegister): (JSC::DFG::GPRInfo::toIndex): * offlineasm/armv7.rb: 2012-04-17 Filip Pizlo use after free in JSC::DFG::Node::op / JSC::DFG::ByteCodeParser::flushArgument https://bugs.webkit.org/show_bug.cgi?id=83942 Reviewed by Gavin Barraclough. Don't use references to the graph after resizing the graph. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::flushArgument): 2012-04-16 Gavin Barraclough Array.prototype.toString should be generic https://bugs.webkit.org/show_bug.cgi?id=81588 Reviewed by Sam Weinig. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): - check for join function, use fast case if base object is array & join is present & default. * runtime/CommonIdentifiers.h: - added 'join'. 2012-04-16 Carlos Garcia Campos Unreviewed. Fix make distcheck issues. * GNUmakefile.list.am: Add missing files. 2012-04-16 Sheriff Bot Unreviewed, rolling out r114309. http://trac.webkit.org/changeset/114309 https://bugs.webkit.org/show_bug.cgi?id=84097 it broke everything (Requested by olliej on #webkit). * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * bytecode/CodeBlock.h: * dfg/DFGOperations.cpp: * interpreter/Interpreter.cpp: (JSC::Interpreter::getStackTrace): (JSC::Interpreter::throwException): * interpreter/Interpreter.h: (Interpreter): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * jsc.cpp: (functionJSCStack): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::handleHostCall): * parser/Parser.h: (JSC::::parse): * runtime/Error.cpp: (JSC::addErrorInfo): (JSC::throwError): * runtime/Error.h: (JSC): 2012-04-16 Oliver Hunt Exception stack traces aren't complete when the exception starts in native code https://bugs.webkit.org/show_bug.cgi?id=84073 Reviewed by Gavin Barraclough. Refactored building the stack trace to so that we can construct it earlier, and don't rely on any prior work performed in the exception handling machinery. Also updated LLInt and the DFG to completely initialise the callframes of host function calls. * bytecode/CodeBlock.h: (JSC::CodeBlock::codeOriginIndexForReturn): (CodeBlock): * dfg/DFGOperations.cpp: * interpreter/Interpreter.cpp: (JSC::Interpreter::getStackTrace): (JSC::Interpreter::addStackTraceIfNecessary): (JSC): (JSC::Interpreter::throwException): * interpreter/Interpreter.h: (Interpreter): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * jsc.cpp: (functionJSCStack): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::handleHostCall): * parser/Parser.h: (JSC::::parse): * runtime/Error.cpp: (JSC::addErrorInfo): (JSC::throwError): * runtime/Error.h: (JSC): 2012-04-16 Oliver Hunt Fix COMMANDLINE_TYPEDARRAYS build https://bugs.webkit.org/show_bug.cgi?id=84051 Reviewed by Gavin Barraclough. Update for new putByIndex API and wtf changes. * JSCTypedArrayStubs.h: (JSC): 2012-04-16 Mark Hahnenberg GC in the middle of JSObject::allocatePropertyStorage can cause badness https://bugs.webkit.org/show_bug.cgi?id=83839 Reviewed by Geoffrey Garen. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * jit/JITStubs.cpp: Making changes to use the new return value of growPropertyStorage. (JSC::DEFINE_STUB_FUNCTION): * runtime/JSObject.cpp: (JSC::JSObject::growPropertyStorage): Renamed to more accurately reflect that we're growing our already-existing PropertyStorage. * runtime/JSObject.h: (JSObject): (JSC::JSObject::setPropertyStorage): "Atomically" sets the new property storage and the new structure so that we can be sure a GC never occurs when our Structure info is out of sync with our PropertyStorage. (JSC): (JSC::JSObject::putDirectInternal): Moved the check to see if we should allocate more backing store before the actual property insertion into the structure. (JSC::JSObject::putDirectWithoutTransition): Ditto. (JSC::JSObject::transitionTo): Ditto. * runtime/Structure.cpp: (JSC::Structure::suggestedNewPropertyStorageSize): Added to keep the resize policy for property backing stores contained within the Structure class. (JSC): * runtime/Structure.h: (JSC::Structure::shouldGrowPropertyStorage): Lets clients know if another insertion into the Structure would require resizing the property backing store so that they can preallocate the required storage. (Structure): 2012-04-13 Sheriff Bot Unreviewed, rolling out r114185. http://trac.webkit.org/changeset/114185 https://bugs.webkit.org/show_bug.cgi?id=83967 Broke a bunch of JavaScript related tests (Requested by andersca on #webkit). * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): (JSC::arrayProtoFuncToLocaleString): * runtime/CommonIdentifiers.h: * tests/mozilla/ecma/Array/15.4.4.2.js: (getTestCases): 2012-04-13 Gavin Barraclough Don't rely on fixed offsets to patch calls https://bugs.webkit.org/show_bug.cgi?id=83966 Rubber stamped by Oliver Hunt. These aren't being used anywhere! * jit/JIT.h: * jit/JITCall.cpp: (JSC::JIT::compileOpCall): * jit/JITCall32_64.cpp: (JSC::JIT::compileOpCall): 2012-04-13 Hojong Han Array.prototype.toString and Array.prototype.toLocaleString should be generic https://bugs.webkit.org/show_bug.cgi?id=81588 Reviewed by Gavin Barraclough. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): (JSC::arrayProtoFuncToLocaleString): * runtime/CommonIdentifiers.h: * tests/mozilla/ecma/Array/15.4.4.2.js: (getTestCases.array.item.new.TestCase): (getTestCases): 2012-04-13 Gavin Barraclough Don't rely on fixed offsets to patch method checks https://bugs.webkit.org/show_bug.cgi?id=83958 Reviewed by Oliver Hunt. * bytecode/StructureStubInfo.h: - Add fields for the method check info. * jit/JIT.cpp: (JSC::PropertyStubCompilationInfo::copyToStubInfo): - Store the offsets on the stub info, instead of asserting. * jit/JIT.h: - Delete all the method check related offsets. * jit/JITPropertyAccess.cpp: (JSC::JIT::patchMethodCallProto): - Use the offset from the stubInfo. * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): - Pass the stubInfo to patchMethodCallProto. 2012-04-13 Gavin Barraclough Don't rely on fixed offsets to patch get_by_id/put_by_id https://bugs.webkit.org/show_bug.cgi?id=83924 Reviewed by Oliver Hunt. Store offsets in the structure stub info, as we do for the DFG JIT. * assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::differenceBetween): - this method can be static (now used from PropertyStubCompilationInfo::copyToStubInfo, will be removed soon!) * bytecode/StructureStubInfo.h: - added new fields for baseline JIT offsets. * jit/JIT.cpp: (JSC::PropertyStubCompilationInfo::copyToStubInfo): - moved out from JIT::privateCompile. (JSC::JIT::privateCompile): - moved out code to PropertyStubCompilationInfo::copyToStubInfo. * jit/JIT.h: (PropertyStubCompilationInfo): - added helper functions to initializae PropertyStubCompilationInfo, state to store more offset info. - removed many offsets. * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_method_check): (JSC::JIT::compileGetByIdHotPath): (JSC::JIT::compileGetByIdSlowCase): (JSC::JIT::emit_op_put_by_id): (JSC::JIT::emitSlow_op_put_by_id): (JSC::JIT::patchGetByIdSelf): (JSC::JIT::patchPutByIdReplace): (JSC::JIT::privateCompilePatchGetArrayLength): (JSC::JIT::privateCompileGetByIdProto): (JSC::JIT::privateCompileGetByIdSelfList): (JSC::JIT::privateCompileGetByIdProtoList): (JSC::JIT::privateCompileGetByIdChainList): (JSC::JIT::privateCompileGetByIdChain): (JSC::JIT::resetPatchGetById): (JSC::JIT::resetPatchPutById): - changed code generation to use new interface to store info on PropertyStubCompilationInfo. - changed repatch functions to read offsets from the structure stub info. * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_method_check): (JSC::JIT::compileGetByIdHotPath): (JSC::JIT::compileGetByIdSlowCase): (JSC::JIT::emit_op_put_by_id): (JSC::JIT::emitSlow_op_put_by_id): (JSC::JIT::patchGetByIdSelf): (JSC::JIT::patchPutByIdReplace): (JSC::JIT::privateCompilePatchGetArrayLength): (JSC::JIT::privateCompileGetByIdProto): (JSC::JIT::privateCompileGetByIdSelfList): (JSC::JIT::privateCompileGetByIdProtoList): (JSC::JIT::privateCompileGetByIdChainList): (JSC::JIT::privateCompileGetByIdChain): (JSC::JIT::resetPatchGetById): (JSC::JIT::resetPatchPutById): - changed code generation to use new interface to store info on PropertyStubCompilationInfo. - changed repatch functions to read offsets from the structure stub info. 2012-04-13 Rob Buis Fix some compiler warnings (miscellaneous) https://bugs.webkit.org/show_bug.cgi?id=80790 Reviewed by Antonio Gomes. Fix signed/unsigned comparison warning. * parser/Lexer.cpp: (JSC::::record16): 2012-04-12 Benjamin Poulain Improve replaceUsingStringSearch() for case of a single character searchValue https://bugs.webkit.org/show_bug.cgi?id=83738 Reviewed by Geoffrey Garen. This patch improves replaceUsingStringSearch() with the following: -Add a special case for single character search, taking advantage of the faster WTF::find(). -Inline replaceUsingStringSearch(). -Use StringImpl::create() instead of UString::substringSharingImpl() since we know we are in the bounds by definition. This gives less than 1% improvement for the multicharacter replace. The single character search show about 9% improvement. * runtime/StringPrototype.cpp: (JSC::replaceUsingStringSearch): 2012-04-12 Michael Saboff StructureStubInfo::reset() causes leaks of PolymorphicAccessStructureList and ExecutableMemoryHandle objects https://bugs.webkit.org/show_bug.cgi?id=83823 Reviewed by Gavin Barraclough. Put the clearing of the accessType to after the call to deref() so that deref() can use the accessType to delete referenced objects as needed. * bytecode/StructureStubInfo.h: (JSC::StructureStubInfo::reset): 2012-04-12 Balazs Kelemen [Qt] Fix WebKit1 build with V8 https://bugs.webkit.org/show_bug.cgi?id=83322 Reviewed by Adam Barth. * yarr/yarr.pri: 2012-04-12 Gavin Barraclough https://bugs.webkit.org/show_bug.cgi?id=83821 Move dfg repatching properties of structure stub info into a union Reviewed by Oliver Hunt. We want to be able to have similar properties for the baseline JIT, some restructuring to prepare for this. * bytecode/StructureStubInfo.h: (StructureStubInfo): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::link): * dfg/DFGRepatch.cpp: (JSC::DFG::dfgRepatchByIdSelfAccess): (JSC::DFG::linkRestoreScratch): (JSC::DFG::generateProtoChainAccessStub): (JSC::DFG::tryCacheGetByID): (JSC::DFG::tryBuildGetByIDList): (JSC::DFG::tryBuildGetByIDProtoList): (JSC::DFG::emitPutReplaceStub): (JSC::DFG::emitPutTransitionStub): (JSC::DFG::tryCachePutByID): (JSC::DFG::tryBuildPutByIdList): (JSC::DFG::dfgResetGetByID): (JSC::DFG::dfgResetPutByID): 2012-04-12 Gavin Barraclough Delete a bunch of unused, copy & pasted values in JIT.h https://bugs.webkit.org/show_bug.cgi?id=83822 Reviewed by Oliver Hunt. The only architecture we support the JSVALUE64 JIT on is x86-64, all the patch offsets for other architectures are just nonsense. * jit/JIT.h: (JIT): 2012-04-12 Csaba Osztrogonác [Qt][ARM] Buildfix after r113934. Reviewed by Zoltan Herczeg. * assembler/MacroAssemblerARM.h: (JSC::MacroAssemblerARM::compare8): (MacroAssemblerARM): 2012-04-11 Filip Pizlo It is incorrect to short-circuit Branch(LogicalNot(@a)) if boolean speculations on @a may fail https://bugs.webkit.org/show_bug.cgi?id=83744 Reviewed by Andy Estes. This does the conservative thing: it only short-circuits Branch(LogicalNot(@a)) if @a is a node that is statically known to return boolean results. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): 2012-04-11 Michael Saboff Invalid Union Reference in StructureStubInfo.{cpp.h} https://bugs.webkit.org/show_bug.cgi?id=83735 Reviewed by Filip Pizlo. Changed the references to u.getByIdProtoList and u.getByIdSelfList to be consistent. * bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::visitWeakReferences): * bytecode/StructureStubInfo.h: (JSC::StructureStubInfo::initGetByIdSelfList): 2012-04-11 Filip Pizlo Unreviewed attempting to make Qt's eccentric hardware work. * assembler/MacroAssemblerARM.h: (JSC::MacroAssemblerARM::compare8): (MacroAssemblerARM): * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::compare8): (MacroAssemblerMIPS): * assembler/MacroAssemblerSH4.h: (JSC::MacroAssemblerSH4::compare8): (MacroAssemblerSH4): 2012-04-11 Filip Pizlo op_is_foo should be optimized https://bugs.webkit.org/show_bug.cgi?id=83666 Reviewed by Gavin Barraclough. This implements inlining of op_is_undefined, op_is_string, op_is_number, and op_is_boolean in LLInt and the baseline JIT. op_is_object and op_is_function are not inlined because they are quite a bit more complex. This also implements all of the op_is_foo opcodes in the DFG, but it does not do any type profiling based optimizations, yet. * assembler/MacroAssemblerARMv7.h: (JSC::MacroAssemblerARMv7::compare8): (MacroAssemblerARMv7): * assembler/MacroAssemblerX86Common.h: (JSC::MacroAssemblerX86Common::compare8): (MacroAssemblerX86Common): * assembler/MacroAssemblerX86_64.h: (MacroAssemblerX86_64): (JSC::MacroAssemblerX86_64::testPtr): * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCCallHelpers.h: (JSC::DFG::CCallHelpers::setupArguments): (CCallHelpers): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGCapabilities.h: (JSC::DFG::canCompileOpcode): * dfg/DFGNodeType.h: (DFG): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): (JSC::DFG::SpeculativeJIT::appendCallSetResult): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): * jit/JIT.h: (JIT): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_is_undefined): (JSC): (JSC::JIT::emit_op_is_boolean): (JSC::JIT::emit_op_is_number): (JSC::JIT::emit_op_is_string): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_is_undefined): (JSC): (JSC::JIT::emit_op_is_boolean): (JSC::JIT::emit_op_is_number): (JSC::JIT::emit_op_is_string): * jit/JITStubs.cpp: (JSC): * llint/LLIntSlowPaths.cpp: (LLInt): * llint/LLIntSlowPaths.h: (LLInt): * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * offlineasm/armv7.rb: * offlineasm/instructions.rb: * offlineasm/x86.rb: 2012-04-11 Filip Pizlo If you use an IntegerOperand and want to return it with integerResult, you need to zero extend to get rid of the box https://bugs.webkit.org/show_bug.cgi?id=83734 Reviewed by Oliver Hunt. * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillInteger): (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32): 2012-04-11 Filip Pizlo SpeculativeJIT::fillStorage() should work with all the states that a cell may be in https://bugs.webkit.org/show_bug.cgi?id=83722 Reviewed by Gavin Barraclough. It's now possible to do StorageOperand on a cell, in the case that the storage is inline. But this means that fillStorage() must be able to handle all of the states that a cell might be in. Previously it didn't. With this change, it now does handle all of the states, and moreover, it does so by preserving the DataFormat of cells and performing all of the cell speculations that should be performed if you're using a cell as storage. But if you use this on something that is known to be storage already then it behaves as it did before. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::fillStorage): 2012-04-11 Filip Pizlo Global variable predictions should not be coalesced unnecessarily https://bugs.webkit.org/show_bug.cgi?id=83678 Reviewed by Geoff Garen. Removed the PredictionTracker and everyone who used it. Converted GetGlobalVar to have a heapPrediction like a civilized DFG opcode ought to. No performance effect. * GNUmakefile.list.am: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/CodeBlock.h: * bytecode/PredictionTracker.h: Removed. * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGGenerationInfo.h: * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGGraph.h: (Graph): * dfg/DFGNode.h: (JSC::DFG::Node::hasHeapPrediction): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): 2012-04-11 Benjamin Poulain Optimize String.split() for 1 character separator https://bugs.webkit.org/show_bug.cgi?id=83546 Reviewed by Gavin Barraclough. This patch adds a serie of optimizations to make stringProtoFuncSplit() faster in the common case where the separator is a single character. The two main gains are: -Use of the find() function with a single character instead of doing a full string matching. -Use of WTF::find() instead of UString::find() to avoid branching on is8Bit() and have a simpler inline function. The code is also changed to avoid making unnecessary allocations by converting the 8bit string to 16bits. This makes String.split() faster by about 13% in that particular case. * runtime/StringPrototype.cpp: (JSC): (JSC::splitStringByOneCharacterImpl): (JSC::stringProtoFuncSplit): 2012-04-10 Carlos Garcia Campos Unreviewed. Fix make distcheck issues. * GNUmakefile.list.am: Ad missing files. 2012-04-10 Mark Rowe Attempt to fix the Windows build. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 2012-04-10 Patrick Gansterer Cleanup wtf/Platform.h and config.h files https://bugs.webkit.org/show_bug.cgi?id=83431 Reviewed by Eric Seidel. The ENABLE() and USE() macros take care about the case when the flag isn't defined. So there is no need to define anything with 0. Also move duplicated code from the config.h files to Platform.h and merge a few preprocessor commands to make the file more readable. * config.h: 2012-04-10 Filip Pizlo DFG should flush SetLocals to arguments https://bugs.webkit.org/show_bug.cgi?id=83554 Reviewed by Gavin Barraclough. This is necessary to match baseline JIT argument capture behavior. But to make this work right we need to have a story for arguments into which we store values of different formats. This patch introduces the notion of an ArgumentPosition - i.e. an argument in a particular inline call frame - and forces unification of all data pertinent to selecting the argument's data format. Also fixed an amusing bug in the handling of OSR on SetLocals if there was any insertion/deletion of nodes in the basic block. This is benign for now but won't be eventually since the DFG is getting smarter. So better fix it now. Also fixed an amusing bug in the handling of OSR on SetLocals if they are immediately followed by a Flush. I think this bug might have always been there but now it'll happen more commonly, and it's covered by the run-javascriptcore-tests. * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute): * dfg/DFGArgumentPosition.h: Added. (DFG): (ArgumentPosition): (JSC::DFG::ArgumentPosition::ArgumentPosition): (JSC::DFG::ArgumentPosition::addVariable): (JSC::DFG::ArgumentPosition::mergeArgumentAwareness): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::setLocal): (JSC::DFG::ByteCodeParser::setArgument): (InlineStackEntry): (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): * dfg/DFGDoubleFormatState.h: Added. (DFG): (JSC::DFG::mergeDoubleFormatStates): (JSC::DFG::mergeDoubleFormatState): (JSC::DFG::doubleFormatStateToString): * dfg/DFGGraph.h: (Graph): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGVariableAccessData.h: (JSC::DFG::VariableAccessData::VariableAccessData): (JSC::DFG::VariableAccessData::predict): (JSC::DFG::VariableAccessData::argumentAwarePrediction): (VariableAccessData): (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): (JSC::DFG::VariableAccessData::doubleFormatState): (JSC::DFG::VariableAccessData::shouldUseDoubleFormat): (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): (JSC::DFG::VariableAccessData::mergeDoubleFormatState): (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): 2012-04-10 Adam Klein Remove unused NonNullPassRefPtr from WTF https://bugs.webkit.org/show_bug.cgi?id=82389 Reviewed by Kentaro Hara. * JavaScriptCore.order: Remove nonexistent symbols referencing NonNullPassRefPtr. 2012-04-10 Darin Adler Remove unused data member from Lexer class https://bugs.webkit.org/show_bug.cgi?id=83429 Reviewed by Kentaro Hara. I noticed that m_delimited was "write-only", so I deleted it. * parser/Lexer.cpp: (JSC::Lexer::setCode): Removed code to set m_delimited. (JSC::Lexer::parseIdentifier): Ditto. (JSC::Lexer::parseIdentifierSlowCase): Ditto. (JSC::Lexer::lex): Ditto. * parser/Lexer.h: Deleted m_delimited. 2012-04-10 Patrick Gansterer [CMake] Enable USE_FOLDERS property https://bugs.webkit.org/show_bug.cgi?id=83571 Reviewed by Daniel Bates. Setting the FOLDER property on targets gives more structure to the generated Visual Studio solutions. This does not affect other CMake generators. * CMakeLists.txt: * shell/CMakeLists.txt: 2012-04-10 Filip Pizlo It should be possible to see why a code block was not compiled by the DFG https://bugs.webkit.org/show_bug.cgi?id=83553 Reviewed by Geoff Garen. If DFG_ENABLE(DEBUG_VERBOSE) and a code block is rejected, then print the opcode that caused the rejection. * dfg/DFGCapabilities.cpp: (JSC::DFG::debugFail): (DFG): (JSC::DFG::canHandleOpcodes): 2012-04-09 Gavin Barraclough If a callback constructor returns a C++ null, throw a type error. https://bugs.webkit.org/show_bug.cgi?id=83537 Rubber Stamped by Geoff Garen. * API/JSCallbackConstructor.cpp: (JSC::constructJSCallback): - If a callback constructor returns a C++ null, throw a type error. * API/tests/testapi.c: (Base_returnHardNull): * API/tests/testapi.js: - Add a test case for callback constructors that return a C++ null. 2012-04-09 Gavin Barraclough If a callback function returns a C++ null, convert to undefined. https://bugs.webkit.org/show_bug.cgi?id=83534 Reviewed by Geoff Garen. * API/JSCallbackFunction.cpp: - If a callback function returns a C++ null, convert to undefined. (JSC::JSCallbackFunction::call): * API/tests/testapi.c: (Base_returnHardNull): * API/tests/testapi.js: - Add a test case for callback functions that return a C++ null. 2012-04-09 Filip Pizlo Classic interpreter's GC hooks shouldn't attempt to scan instructions for code blocks that are currently being generated https://bugs.webkit.org/show_bug.cgi?id=83531 Reviewed by Gavin Barraclough. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::stronglyVisitStrongReferences): 2012-04-09 Filip Pizlo Unreviewed, modernize and clean up uses of ARM assembly mnemonics in inline asm blocks. * dfg/DFGOperations.cpp: (JSC): * offlineasm/armv7.rb: 2012-04-09 Patrick Gansterer Remove HAVE_STDINT_H https://bugs.webkit.org/show_bug.cgi?id=83434 Reviewed by Kentaro Hara. HAVE_STDINT_H is defined with 1 all the time and we us stdint.h without HAVE(STDINT_H) already. * config.h: 2012-04-08 Filip Pizlo DFG should not load the property storage if it is inline. https://bugs.webkit.org/show_bug.cgi?id=83455 Reviewed by Gavin Barraclough. We had previously decided to have all property storage accesses go through the property storage pointer even if they don't "really" have to, because we were thinking this would help GC barriers somehow. Well, we never ended up doing anything with that. Hence, doing these wasted loads of the property storage pointer when the storage is inline is just a waste of CPU cycles. This change makes the DFG's inline property accesses (GetByOffset and PutByOffset) go directly to the inline property storage if the structure(s) tell us that it's OK. This looks like an across-the-board 1% win. * bytecode/StructureSet.h: (JSC): (JSC::StructureSet::allAreUsingInlinePropertyStorage): (StructureSet): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::fillStorage): 2012-04-08 Filip Pizlo Command-line jsc's exception handling should be rationalized https://bugs.webkit.org/show_bug.cgi?id=83437 Reviewed by Dan Bernstein. - If an exception is thrown during run() execution, it is now propagated, so that it will terminate program execution unless it is caught. - If program execution terminates with an exception, the exception is now always printed. - When printing the exception, the backtrace is now also printed if one is available. It will only not be available if you use something akin to my favorite line of code, 'throw "error"', since primitives don't have properties and hence we cannot attach a "stack" property to them. * jsc.cpp: (functionRun): (runWithScripts): 2012-04-04 Filip Pizlo Forced OSR exits should lead to recompilation based on count, not rate https://bugs.webkit.org/show_bug.cgi?id=83247 Reviewed by Geoff Garen. Track which OSR exits happen because of inadequate coverage. Count them separately. If the count reaches a threshold, immediately trigger reoptimization. This is in contrast to the recompilation trigger for all other OSR exits. Normally recomp is triggered when the exit rate exceeds a certain ratio. Looks like a slight V8 speedup (sub 1%). * bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): * bytecode/CodeBlock.h: (JSC::CodeBlock::forcedOSRExitCounter): (JSC::CodeBlock::addressOfForcedOSRExitCounter): (JSC::CodeBlock::offsetOfForcedOSRExitCounter): (JSC::CodeBlock::shouldReoptimizeNow): (JSC::CodeBlock::shouldReoptimizeFromLoopNow): (CodeBlock): * bytecode/DFGExitProfile.h: (JSC::DFG::exitKindToString): * dfg/DFGOSRExitCompiler.cpp: (JSC::DFG::OSRExitCompiler::handleExitCounts): (DFG): * dfg/DFGOSRExitCompiler.h: (OSRExitCompiler): * dfg/DFGOSRExitCompiler32_64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOperations.cpp: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * runtime/Options.cpp: (Options): (JSC::Options::initializeOptions): * runtime/Options.h: (Options): 2012-04-06 Benjamin Poulain Do not abuse ArrayStorage's m_length for testing array consistency https://bugs.webkit.org/show_bug.cgi?id=83403 Reviewed by Geoffrey Garen. Array creation from a list of values is a 3 steps process: -JSArray::tryCreateUninitialized() -JSArray::initializeIndex() for each values -JSArray::completeInitialization() Previously, the attribute m_length was not set to the final size JSArray::tryCreateUninitialized() because it was used to test the array consistency JSArray::initializeIndex(). This caused the initialization loop using JSArray::initializeIndex() maintain two counters: -index of the loop -storage->m_length++ This patch fixes this by using the index of the initialization loop for the indinces of JSArray::initializeIndex(). For testing consistency, the variable m_initializationIndex is introduced if CHECK_ARRAY_CONSISTENCY is defined. The patch also fixes minor unrelated build issue when CHECK_ARRAY_CONSISTENCY is defined. This improves the performance of JSArray creation from literals by 8%. * runtime/JSArray.cpp: (JSC::JSArray::tryFinishCreationUninitialized): (JSC::JSArray::checkConsistency): * runtime/JSArray.h: (ArrayStorage): (JSC::JSArray::initializeIndex): (JSC::JSArray::completeInitialization): 2012-04-06 Jon Lee Build fix for Windows bots. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: export missing symbol. 2012-04-06 Geoffrey Garen Renamed WeakHeap => WeakSet HandleHeap => HandleSet Reviewed by Sam Weinig. These sets do have internal allocators, but it's confusing to call them heaps because they're sub-objects of an object called "heap". * heap/HandleHeap.cpp: Removed. * heap/HandleHeap.h: Removed. * heap/HandleSet.cpp: Copied from JavaScriptCore/heap/HandleHeap.cpp. * heap/WeakHeap.cpp: Removed. * heap/WeakHeap.h: Removed. * heap/WeakSet.cpp: Copied from JavaScriptCore/heap/WeakHeap.cpp. * heap/WeakSet.h: Copied from JavaScriptCore/heap/WeakHeap.h. Plus global rename using grep. 2012-04-06 Dan Bernstein HiDPI: Have canvas use a hidpi backing store, but downsample upon access Reviewed by Sam Weinig. * Configurations/FeatureDefines.xcconfig: Added ENABLE_HIGH_DPI_CANVAS. 2012-04-06 Rob Buis Fix cast-align warnings in JSC https://bugs.webkit.org/show_bug.cgi?id=80790 Reviewed by George Staikos. * assembler/ARMv7Assembler.h: (JSC::ARMv7Assembler::computeJumpType): (JSC::ARMv7Assembler::link): * assembler/LinkBuffer.h: (JSC::LinkBuffer::linkCode): * heap/MarkStack.cpp: (JSC::SlotVisitor::copyAndAppend): * runtime/JSArray.cpp: (JSC::JSArray::visitChildren): * wtf/RefCountedArray.h: (WTF::RefCountedArray::Header::payload): 2012-04-06 Darin Adler Streamline strtod and fix some related problems https://bugs.webkit.org/show_bug.cgi?id=82857 Reviewed by Geoffrey Garen. * parser/Lexer.cpp: (JSC::Lexer<>::lex): Use parseDouble. Since we have already scanned the number and we know it has only correct characters, leading spaces, trailing junk, and trailing spaces are not a possibility. No need to add a trailing null character. * runtime/JSGlobalObjectFunctions.cpp: (JSC::parseInt): Changed overflow based 10 case to use parseDouble. No need to allow trailing junk since the code above already allows only numeric digits in the string. This code path is used only in unusual cases, so it's not optimized for 8-bit strings, but easily could be. (JSC::jsStrDecimalLiteral): Removed the allow trailing junk argument to this function template because all the callers are OK with trailing junk. Use the parseDouble function. No need to copy the data into a byte buffer, because parseDouble handles that. (JSC::toDouble): Got rid of the DisallowTrailingJunk argument to the jsStrDecimalLiteral function template. That's OK because this function already checks for trailing junk and handles it appropriately. The old code path was doing it twice. (JSC::parseFloat): Got rid of the AllowTrailingJunk argument to the jsStrDecimalLiteral function template; the template allows junk unconditionally. * runtime/LiteralParser.cpp: (JSC::::Lexer::lexNumber): Use parseDouble. Since we have already scanned the number and we know it has only correct characters, leading spaces, trailing junk, and trailing spaces are not a possibility. No need to add a trailing null character. No need to copy the data into a byte buffer, because parseDouble handles that. We could optimize the UChar case even more because we know all the characters are ASCII, but not doing that at this time. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Updated. 2012-04-06 Patrick Gansterer Remove JSC dependency from GregorianDateTime https://bugs.webkit.org/show_bug.cgi?id=83290 Reviewed by Geoffrey Garen. This allows us to move it to WTF later. * runtime/DateConstructor.cpp: (JSC::callDate): * runtime/JSDateMath.h: 2012-04-05 Michael Saboff Call Heap::discardAllCompiledCode() in low memory situations https://bugs.webkit.org/show_bug.cgi?id=83335 Reviewed by Geoffrey Garen. Restructured Heap::discardAllCompiledCode() to do the "Is JavaScriptRunning?" check inline so that it can be called directly without this check. * heap/Heap.cpp: (JSC::Heap::discardAllCompiledCode): (JSC::Heap::collectAllGarbage): * heap/Heap.h: Added JS_EXPORT_PRIVATE to discardAllCompiledCode() so it can be called from WebCore. (Heap): * runtime/JSGlobalData.h: Removed unused " void discardAllCompiledCode()" declaration. (JSGlobalData): 2012-04-05 Benjamin Poulain Speed up the conversion from JSValue to String for bulk operations https://bugs.webkit.org/show_bug.cgi?id=83243 Reviewed by Geoffrey Garen. When making operations on primitive types, we loose some time converting values to JSString in order to extract the string. This patch speeds up some basic Array operations by avoiding the creation of intermediary JSString when possible. For the cases where we need to convert a lot of JSValue in a tight loop, an inline conversion is used. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): (JSC::arrayProtoFuncToLocaleString): (JSC::arrayProtoFuncJoin): (JSC::arrayProtoFuncPush): (JSC::arrayProtoFuncSort): * runtime/CommonIdentifiers.h: * runtime/JSArray.cpp: (JSC::JSArray::sort): * runtime/JSString.h: (JSC::JSValue::toUString): (JSC): (JSC::inlineJSValueNotStringtoUString): (JSC::JSValue::toUStringInline): * runtime/JSValue.cpp: (JSC::JSValue::toUStringSlowCase): (JSC): * runtime/JSValue.h: (JSValue): 2012-04-05 Benjamin Poulain Use QuickSort when sorting primitive values by string representation https://bugs.webkit.org/show_bug.cgi?id=83312 Reviewed by Gavin Barraclough. When the value we are sorting are all primitive values, we do not need to ensure a stable sort as two values with equal string representation are indistinguishable from JavaScript. This gives about 16% performance increase when sorting primitive values. * runtime/JSArray.cpp: (JSC::JSArray::sort): 2012-04-05 Oliver Hunt SIGILL in JavaScriptCore on a Geode processor https://bugs.webkit.org/show_bug.cgi?id=82496 Reviewed by Gavin Barraclough. Don't attempt to use the DFG when SSE2 is not available. * dfg/DFGCapabilities.cpp: (JSC::DFG::canCompileOpcodes): 2012-04-05 Oliver Hunt Fix 32-bit build. * API/APICast.h: (toJS): 2012-04-05 Oliver Hunt Replace static_cast with jsCast when casting JSCell subclasses in JSC https://bugs.webkit.org/show_bug.cgi?id=83307 Reviewed by Gavin Barraclough. Replace all usage of static_cast with jsCast<> in JavaScriptCore. This results in assertions when unsafe casts are performed, but simply leaves a static_cast<> in release builds. * API/APICast.h: (toJS): * API/JSCallbackConstructor.cpp: (JSC::constructJSCallback): * API/JSCallbackFunction.cpp: (JSC::JSCallbackFunction::call): * API/JSCallbackObjectFunctions.h: (JSC::::asCallbackObject): (JSC::::finishCreation): (JSC::::construct): (JSC::::call): * API/JSObjectRef.cpp: (JSObjectGetPrivate): (JSObjectSetPrivate): (JSObjectGetPrivateProperty): (JSObjectSetPrivateProperty): (JSObjectDeletePrivateProperty): * API/JSValueRef.cpp: (JSValueIsObjectOfClass): * API/JSWeakObjectMapRefPrivate.cpp: * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::resolve): (JSC::BytecodeGenerator::resolveConstDecl): * debugger/DebuggerActivation.cpp: (JSC::DebuggerActivation::finishCreation): * dfg/DFGOperations.cpp: * interpreter/Interpreter.cpp: (JSC::Interpreter::execute): (JSC::Interpreter::privateExecute): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * runtime/Executable.h: (JSC::isHostFunction): * runtime/JSActivation.h: (JSC::asActivation): * runtime/JSArray.cpp: (JSC::JSArray::defineOwnProperty): * runtime/JSArray.h: (JSC::asArray): * runtime/JSBoundFunction.cpp: (JSC::boundFunctionCall): (JSC::boundFunctionConstruct): * runtime/JSByteArray.h: (JSC::asByteArray): * runtime/JSCell.cpp: (JSC::JSCell::toObject): * runtime/JSCell.h: (JSC::jsCast): * runtime/JSGlobalObject.h: (JSC::asGlobalObject): * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncEval): * runtime/JSObject.cpp: (JSC::JSObject::setPrototypeWithCycleCheck): (JSC::JSObject::allowsAccessFrom): (JSC::JSObject::toThisObject): (JSC::JSObject::unwrappedObject): * runtime/JSObject.h: (JSC::asObject): * runtime/JSPropertyNameIterator.h: (JSC::Register::propertyNameIterator): * runtime/JSString.h: (JSC::asString): (JSC::JSValue::toString): * runtime/StringPrototype.cpp: (JSC::stringProtoFuncSubstr): 2012-04-05 Benjamin Poulain Make something faster than JSStringBuilder for joining an array of JSValue https://bugs.webkit.org/show_bug.cgi?id=83180 Reviewed by Geoffrey Garen. This patch add the class JSStringJoiner optimized for join() operations. This class makes stricter constraints than JSStringBuilder in order avoid memory allocations. In the best case, the class allocate memory only twice: -Allocate an array to keep a list of UString to join. -Allocate the final string. We also avoid the conversion from 8bits strings to 16bits strings since they are costly and unlikly to help for subsequent calls. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.gypi: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToLocaleString): (JSC::arrayProtoFuncJoin): * runtime/JSStringJoiner.cpp: Added. (JSC): (JSC::appendStringToData): (JSC::joinStrings): (JSC::JSStringJoiner::build): * runtime/JSStringJoiner.h: Added. (JSC): (JSStringJoiner): (JSC::JSStringJoiner::JSStringJoiner): (JSC::JSStringJoiner::append): 2012-04-05 Gavin Barraclough https://bugs.webkit.org/show_bug.cgi?id=77293 [Un]Reserve 'let' Rubber stamped by Oliver Hunt. Revert r106198. This does break the web - e.g. https://bvi.bnc.ca/index/bnc/indexen.html If we're going to reserve let, we're going to have to do so in a more circumspect fashion. * parser/Keywords.table: 2012-04-05 Michael Saboff Rolling out http://trac.webkit.org/changeset/113262. Original code was fine. Rubber-stamped by Oliver Hunt. * assembler/MacroAssembler.h: (JSC::MacroAssembler::additionBlindedConstant): 2012-04-05 Patrick Gansterer [WinCE] Remove unnecessary function decleration https://bugs.webkit.org/show_bug.cgi?id=83155 Reviewed by Kentaro Hara. * runtime/JSDateMath.cpp: 2012-04-04 Patrick Gansterer Add WTF::getCurrentLocalTime() https://bugs.webkit.org/show_bug.cgi?id=83164 Reviewed by Alexey Proskuryakov. Replace the calls to WTF::getLocalTime() with time(0) with the new function. This allows us to use Win32 API on windows to get the same result in a next step. * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: * runtime/DateConstructor.cpp: (JSC::callDate): 2012-04-04 Oliver Hunt Parser fails to revert some state after parsing expression and object literals. https://bugs.webkit.org/show_bug.cgi?id=83236 Reviewed by Gavin Barraclough. Reset left hand side counter after parsing the literals. * parser/Parser.cpp: (JSC::::parseObjectLiteral): (JSC::::parseStrictObjectLiteral): (JSC::::parseArrayLiteral): 2012-04-04 Filip Pizlo DFG InstanceOf should not uselessly speculate cell https://bugs.webkit.org/show_bug.cgi?id=83234 Reviewed by Oliver Hunt. If InstanceOf is the only user of its child then don't speculate cell, since the not-cell case is super easy to handle. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileInstanceOf): 2012-04-04 Michael Saboff Fixed minor error: "& 3" should be "& 2". Rubber-stamped by Oliver Hunt. * assembler/MacroAssembler.h: (JSC::MacroAssembler::additionBlindedConstant): 2012-04-04 Michael Saboff Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP https://bugs.webkit.org/show_bug.cgi?id=83191 Reviewed by Oliver Hunt. Make are that blinded constant pairs are similarly aligned to the original immediate values so that instructions that expect that alignment work correctly. One example is ARMv7 add/sub imm to SP. * assembler/ARMv7Assembler.h: (JSC::ARMv7Assembler::add): Added ASSERT that immediate is word aligned. (JSC::ARMv7Assembler::sub): Added ASSERT that immediate is word aligned. (JSC::ARMv7Assembler::sub_S): Added ASSERT that immediate is word aligned. * assembler/MacroAssembler.h: (JSC::MacroAssembler::additionBlindedConstant): 2012-04-04 Filip Pizlo DFG should short-circuit Branch(LogicalNot(...)) https://bugs.webkit.org/show_bug.cgi?id=83181 Reviewed by Geoff Garen. Slight (sub 1%) speed-up on V8. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): 2012-04-04 Geoffrey Garen [Qt] REGRESSION(r113141): All tests assert on 32 bit debug mode https://bugs.webkit.org/show_bug.cgi?id=83139 Reviewed by Sam Weinig. * heap/PassWeak.h: (JSC::::get): 32-bit JSValue treats JSValue(nullptr).asCell() as an error, so work around that here. (Long-term, we should make 32-bit and 64-bit agree on the right behavior.) 2012-04-03 Geoffrey Garen Updated JSC expected test results to reflect recent bug fixes . Reviewed by Sam Weinig. * tests/mozilla/expected.html: 2012-03-29 Geoffrey Garen First step toward incremental Weak