1. 24 Jul, 2013 9 commits
    • oliver@apple.com's avatar
      fourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds · 211b3bec
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117906
      
      Source/JavaScriptCore:
      
      Reviewed by Mark Hahnenberg.
      
      This does the obvious thing, but also makes sure that out-of-bounds accesses
      don't fall off into a C call, but try to do the fast thing if the prototype
      chain is sane. We ought to probably do this for other array accesses in the
      future, as well, since it's so darn easy.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::objectPrototypeIsSane):
      (JSC):
      (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
      (JSC::JSGlobalObject::stringPrototypeChainIsSane):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      
      LayoutTests:
      
      Reviewed by Mark Hahnenberg.
      
      The out-of-bounds benchmark that isn't insane speeds up by 22x in this
      patch.
      
      * fast/js/regress/script-tests/string-get-by-val-out-of-bounds-insane.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-get-by-val-out-of-bounds.js: Added.
      (foo):
      * fast/js/regress/string-get-by-val-out-of-bounds-expected.txt: Added.
      * fast/js/regress/string-get-by-val-out-of-bounds-insane-expected.txt: Added.
      * fast/js/regress/string-get-by-val-out-of-bounds-insane.html: Added.
      * fast/js/regress/string-get-by-val-out-of-bounds.html: Added.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153244 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      211b3bec
    • oliver@apple.com's avatar
      fourthTier: DFG should't exit just because it GetByVal'd a big character · 63af2d44
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117899
      
      Source/JavaScriptCore:
      
      Reviewed by Mark Hahnenberg.
      
      Add a slow path. Also clarify handling of GetByVal in PutStructure elimination.
      Previously it would fail due to canExit() but now we can also fail because
      GetByVal(String) can allocate. Just make it so GetByVal is totally poisoned, in
      a very explicit way.
      
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::putStructureStoreElimination):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      
      LayoutTests:
      
      Reviewed by Mark Hahnenberg.
      
      This benchmark speeds up by 3x.
      
      * fast/js/regress/script-tests/string-get-by-val-big-char.js: Added.
      (foo):
      * fast/js/regress/string-get-by-val-big-char-expected.txt: Added.
      * fast/js/regress/string-get-by-val-big-char.html: Added.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153241 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      63af2d44
    • oliver@apple.com's avatar
      fourthTier: FTL should support SwitchChar · 39478946
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117849
      
      Reviewed by Geoffrey Garen.
      
      This adds Switch(SwitchChar) to the FTL and also implicitly does some other things.
      SwitchChar requires calling a slow path to resolve ropes. Previously the FTL had no
      support for calling slow paths, and we avoided adding coverage that would require
      that. Well, this patch adds the ability to call slow paths and just uses that for
      resolving ropes for SwitchChar. Also SwitchChar required adding awareness of strings,
      so I did that, too.
      
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::addCodeOrigin):
      * dfg/DFGBackwardsPropagationPhase.cpp:
      (JSC::DFG::BackwardsPropagationPhase::propagate):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGNode.cpp:
      (WTF):
      (WTF::printInternal):
      * dfg/DFGNode.h:
      (WTF):
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * ftl/FTLAbbreviations.h:
      (JSC::FTL::int16Type):
      (JSC::FTL::constInt):
      * ftl/FTLAbstractHeapRepository.h:
      (FTL):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLCommonValues.cpp:
      (JSC::FTL::CommonValues::CommonValues):
      * ftl/FTLCommonValues.h:
      (CommonValues):
      * ftl/FTLIntrinsicRepository.cpp:
      (JSC::FTL::IntrinsicRepository::IntrinsicRepository):
      (FTL):
      * ftl/FTLIntrinsicRepository.h:
      (FTL):
      (IntrinsicRepository):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::lower):
      (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
      (JSC::FTL::LowerDFGToLLVM::compileJump):
      (JSC::FTL::LowerDFGToLLVM::compileBranch):
      (JSC::FTL::LowerDFGToLLVM::compileSwitch):
      (JSC::FTL::LowerDFGToLLVM::buildSwitch):
      (LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::lowString):
      (JSC::FTL::LowerDFGToLLVM::speculate):
      (JSC::FTL::LowerDFGToLLVM::isObject):
      (JSC::FTL::LowerDFGToLLVM::isNotString):
      (JSC::FTL::LowerDFGToLLVM::isString):
      (JSC::FTL::LowerDFGToLLVM::isNotObject):
      (JSC::FTL::LowerDFGToLLVM::speculateObject):
      (JSC::FTL::LowerDFGToLLVM::speculateString):
      (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
      (JSC::FTL::LowerDFGToLLVM::vmCall):
      (JSC::FTL::LowerDFGToLLVM::callPreflight):
      (JSC::FTL::LowerDFGToLLVM::callCheck):
      (JSC::FTL::LowerDFGToLLVM::lowBlock):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::constBool):
      (JSC::FTL::Output::constInt8):
      (JSC::FTL::Output::constInt32):
      (JSC::FTL::Output::constIntPtr):
      (JSC::FTL::Output::constInt64):
      (JSC::FTL::Output::load16):
      (JSC::FTL::Output::isNull):
      (JSC::FTL::Output::notNull):
      (JSC::FTL::Output::testIsZero32):
      (JSC::FTL::Output::testNonZero32):
      (Output):
      (JSC::FTL::Output::operation):
      (JSC::FTL::Output::crash):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153235 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      39478946
    • oliver@apple.com's avatar
      fourthTier: DFG should support op_switch_imm · 9b7647ba
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117559
      
      Reviewed by Oliver Hunt.
      
      Implement integer (i.e. immediate) switches in the DFG. Reduce the minimum
      threshold for using op_switch.
      
      Also get rid of edge code support, since we haven't used it in the year since
      I introduced it. It was supposed to allow us to break critical edges late in
      the backend, thus enabling global register allocation from an SSA-form graph.
      But we aren't doing that so I figure we should just kill the code for now. It
      would have made implementing switch harder.
      
      * assembler/AbstractMacroAssembler.h:
      (JSC::AbstractMacroAssembler::timesPtr):
      * assembler/MacroAssemblerCodeRef.h:
      (JSC::MacroAssemblerCodePtr::dumpWithName):
      (MacroAssemblerCodePtr):
      (JSC::MacroAssemblerCodePtr::dump):
      (MacroAssemblerCodeRef):
      (JSC::MacroAssemblerCodeRef::dump):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::shrinkToFit):
      * bytecode/JumpTable.h:
      (SimpleJumpTable):
      (JSC::SimpleJumpTable::clear):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      (JSC::DFG::AbstractState::mergeToSuccessors):
      * dfg/DFGBackwardsPropagationPhase.cpp:
      (JSC::DFG::BackwardsPropagationPhase::propagate):
      * dfg/DFGByteCodeParser.cpp:
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::linkBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::capabilityLevel):
      * dfg/DFGCommon.h:
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::determineReachability):
      * dfg/DFGGraph.h:
      (Graph):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::JITCompiler):
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGJITCompiler.h:
      (JITCompiler):
      (JSC::DFG::JITCompiler::blockHeads):
      * dfg/DFGNode.h:
      (DFG):
      (JSC::DFG::SwitchCase::SwitchCase):
      (SwitchCase):
      (SwitchData):
      (JSC::DFG::SwitchData::SwitchData):
      (Node):
      (JSC::DFG::Node::isSwitch):
      (JSC::DFG::Node::isTerminal):
      (JSC::DFG::Node::switchData):
      (JSC::DFG::Node::numSuccessors):
      (JSC::DFG::Node::successor):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::compile):
      (JSC::DFG::SpeculativeJIT::createOSREntries):
      (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
      (DFG):
      (JSC::DFG::SpeculativeJIT::emitSwitchImm):
      (JSC::DFG::SpeculativeJIT::emitSwitch):
      (JSC::DFG::SpeculativeJIT::linkBranches):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::branchDouble):
      (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
      (JSC::DFG::SpeculativeJIT::branch32):
      (JSC::DFG::SpeculativeJIT::branchTest32):
      (JSC::DFG::SpeculativeJIT::branch64):
      (JSC::DFG::SpeculativeJIT::branchPtr):
      (JSC::DFG::SpeculativeJIT::branchTestPtr):
      (JSC::DFG::SpeculativeJIT::branchTest8):
      (JSC::DFG::SpeculativeJIT::jump):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * parser/Nodes.h:
      (CaseBlockNode):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153228 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9b7647ba
    • oliver@apple.com's avatar
      fourthTier: DFG should support op_in and it should use patching to make it fast · b3e5acbf
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117385
      
      Source/JavaScriptCore:
      
      Reviewed by Geoffrey Garen.
      
      Implement op_in in the DFG and give it patching. The code we generate is just
      a jump on the hot path, and the slow paths generate stubs and link the jump to
      them. I didn't want to bother with patching structures and load offsets and
      the like, although I probably could have.
      
      This is a ginormous speed-up on microbenchmarks for "in", obviously.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpAssumingJITType):
      (JSC::CodeBlock::resetStubInternal):
      (JSC::structureStubInfoLessThan):
      (JSC):
      (JSC::CodeBlock::sortStructureStubInfos):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      * bytecode/StructureStubInfo.cpp:
      (JSC::StructureStubInfo::deref):
      (JSC::StructureStubInfo::visitWeakReferences):
      * bytecode/StructureStubInfo.h:
      (JSC::isInAccess):
      (JSC):
      (StructureStubInfo):
      (JSC::StructureStubInfo::initInList):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCCallHelpers.h:
      (JSC::DFG::CCallHelpers::setupResults):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::capabilityLevel):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGGPRInfo.h:
      (JSC::DFG::JSValueRegs::payloadOnly):
      (JSValueRegs):
      (JSC::DFG::JSValueRegs::JSValueRegs):
      (JSC::DFG::JSValueRegs::operator!):
      (JSC::DFG::JSValueSource::operator!):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::InRecord::InRecord):
      (InRecord):
      (DFG):
      (JITCompiler):
      (JSC::DFG::JITCompiler::addIn):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryRepatchIn):
      (DFG):
      (JSC::DFG::dfgRepatchIn):
      (JSC::DFG::dfgResetIn):
      * dfg/DFGRepatch.h:
      (DFG):
      (JSC::DFG::dfgResetIn):
      * dfg/DFGSlowPathGenerator.h:
      (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator):
      (JSC::DFG::CallSlowPathGenerator::tearDown):
      (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::generateInternal):
      (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::generateInternal):
      (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::generateInternal):
      (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::generateInternal):
      (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::generateInternal):
      (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::generateInternal):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileIn):
      (DFG):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::extractResult):
      (DFG):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::callOperation):
      (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
      (JSC::DFG::SpeculativeJIT::appendCallSetResult):
      (JSC::DFG::JSValueOperand::tagGPR):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/JSCJSValue.cpp:
      (JSC::JSValue::dump):
      * runtime/JSString.h:
      (JSString):
      (JSC::JSString::tryGetValueImpl):
      (JSC):
      * runtime/Operations.h:
      (JSC::normalizePrototypeChainForChainAccess):
      
      Source/WTF:
      
      Reviewed by Geoffrey Garen.
      
      Now if you pass a null StringImpl* then something will still get printed instead
      of crashing. I figure that this is broadly useful for debug code, and I make use
      of it in the JSC portion of this patch.
      
      * wtf/PrintStream.cpp:
      (WTF::printInternal):
      
      LayoutTests:
      
      Reviewed by Geoffrey Garen.
      
      Test coverage for op_in performance.
      
      * fast/js/regress/in-four-cases-expected.txt: Added.
      * fast/js/regress/in-four-cases.html: Added.
      * fast/js/regress/in-one-case-false-expected.txt: Added.
      * fast/js/regress/in-one-case-false.html: Added.
      * fast/js/regress/in-one-case-true-expected.txt: Added.
      * fast/js/regress/in-one-case-true.html: Added.
      * fast/js/regress/in-two-cases-expected.txt: Added.
      * fast/js/regress/in-two-cases.html: Added.
      * fast/js/regress/script-tests/in-four-cases.js: Added.
      (foo):
      (bar):
      * fast/js/regress/script-tests/in-one-case-false.js: Added.
      (foo):
      (bar):
      * fast/js/regress/script-tests/in-one-case-true.js: Added.
      (foo):
      (bar):
      * fast/js/regress/script-tests/in-two-cases.js: Added.
      (foo):
      (bar):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153225 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b3e5acbf
    • oliver@apple.com's avatar
      fourthTier: Re-worked non-local variable resolution · 58c86752
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117375
      
      Reviewed by Filip Pizlo.
      
      Source/JavaScriptCore:
      
      This patch has two goals:
      
      (1) Simplicity.
      
          * Net removes 15 opcodes.
          * Net removes 2,000 lines of code.
          * Removes setPair() from the DFG: All DFG nodes have 1 result register now.
      
      (2) Performance.
      
          * 2%-3% speedup on SunSpider (20% in LLInt and Baseline JIT)
          * 2% speedup on v8-spider
          * 10% speedup on js-regress-hashmap*
          * Amusing 2X speedup on js-regress-poly-stricteq
      
      The bytecode now separates the scope chain resolution opcode from the
      scope access opcode.
      
          OLD:
              get_scoped_var  r0, 1, 0
              inc             r0
              put_scoped_var  1, 0, r0
      
          NEW:
              resolve_scope   r0, x(@id0)
              get_from_scope  r1, r0, x(@id0)
              inc             r1
              put_to_scope    r0, x(@id0), r1
      
      Also, we link non-local variable resolution opcodes at CodeBlock link
      time instead of time of first opcode execution.
      
      This means that we can represent all possible non-local variable
      resolutions using just three opcodes, and any optimizations in these
      opcodes naturally apply across-the-board.
      
      * API/JSCTestRunnerUtils.cpp:
      (JSC::numberOfDFGCompiles):
      * GNUmakefile.list.am:
      * JavaScriptCore.gypi:
      * JavaScriptCore.order:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri: Build!
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpBytecode): Updated for removed things.
      
      (JSC::CodeBlock::CodeBlock): Always provide the full scope chain when
      creating a CodeBlock, so we can perform non-local variable resolution.
      
      Added code to perform linking for these opcodes. This is where we figure
      out which non-local variable resolutions are optimizable, and how.
      
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::noticeIncomingCall):
      (JSC::CodeBlock::optimizeAfterWarmUp):
      (JSC::CodeBlock::optimizeAfterLongWarmUp):
      (JSC::CodeBlock::optimizeSoon): Updated for removed things.
      
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::needsActivation):
      (JSC::GlobalCodeBlock::GlobalCodeBlock):
      (JSC::ProgramCodeBlock::ProgramCodeBlock):
      (JSC::EvalCodeBlock::EvalCodeBlock):
      (JSC::FunctionCodeBlock::FunctionCodeBlock):
      * bytecode/EvalCodeCache.h:
      (JSC::EvalCodeCache::getSlow): Updated for interface changes.
      
      * bytecode/GetByIdStatus.cpp:
      (JSC::GetByIdStatus::computeFor): Treat global object access as
      optimizable even though the global object has a custom property access
      callback. This is what we've always done since, otherwise, we can't
      optimize globals. (In future, we probably want to figure out a more
      targeted policy than "any property access callback means no
      optimization".)
      
      * bytecode/GlobalResolveInfo.h: Removed.
      * bytecode/Instruction.h:
      * bytecode/Opcode.h:
      (JSC::padOpcodeName):
      
      * bytecode/PutByIdStatus.cpp:
      (JSC::PutByIdStatus::computeFor): Like GetByIdStatus.
      
      * bytecode/ResolveGlobalStatus.cpp: Removed.
      * bytecode/ResolveGlobalStatus.h: Removed.
      * bytecode/ResolveOperation.h: Removed.
      
      * bytecode/UnlinkedCodeBlock.cpp:
      (JSC::generateFunctionCodeBlock):
      (JSC::UnlinkedFunctionExecutable::codeBlockFor):
      (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
      * bytecode/UnlinkedCodeBlock.h: Don't provide a scope chain to unlinked
      code blocks. Giving a scope to an unscoped compilation unit invites
      programming errors.
      
      * bytecode/Watchpoint.h:
      (JSC::WatchpointSet::addressOfIsInvalidated):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::resolveCallee):
      (JSC::BytecodeGenerator::local):
      (JSC::BytecodeGenerator::constLocal):
      (JSC::BytecodeGenerator::resolveType):
      (JSC::BytecodeGenerator::emitResolveScope):
      (JSC::BytecodeGenerator::emitGetFromScope):
      (JSC::BytecodeGenerator::emitPutToScope):
      (JSC::BytecodeGenerator::emitInstanceOf):
      (JSC::BytecodeGenerator::emitPushWithScope):
      (JSC::BytecodeGenerator::emitPopScope):
      (JSC::BytecodeGenerator::pushFinallyContext):
      (JSC::BytecodeGenerator::emitComplexPopScopes):
      (JSC::BytecodeGenerator::popTryAndEmitCatch):
      (JSC::BytecodeGenerator::emitPushNameScope):
      (JSC::BytecodeGenerator::isArgumentNumber):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::Local::Local):
      (JSC::Local::operator bool):
      (JSC::Local::get):
      (JSC::Local::isReadOnly):
      (JSC::BytecodeGenerator::scopeDepth):
      (JSC::BytecodeGenerator::shouldOptimizeLocals):
      (JSC::BytecodeGenerator::canOptimizeNonLocals): Refactored the bytecode
      generator to resolve all variables within local scope, as if there
      were no non-local scope. This helps provide a separation of concerns:
      unlinked bytecode is always scope-free, and the linking stage links
      in the provided scope.
      
      * bytecompiler/NodesCodegen.cpp:
      (JSC::ResolveNode::isPure):
      (JSC::ResolveNode::emitBytecode):
      (JSC::EvalFunctionCallNode::emitBytecode):
      (JSC::FunctionCallResolveNode::emitBytecode):
      (JSC::PostfixNode::emitResolve):
      (JSC::DeleteResolveNode::emitBytecode):
      (JSC::TypeOfResolveNode::emitBytecode):
      (JSC::PrefixNode::emitResolve):
      (JSC::ReadModifyResolveNode::emitBytecode):
      (JSC::AssignResolveNode::emitBytecode):
      (JSC::ConstDeclNode::emitCodeSingle):
      (JSC::ForInNode::emitBytecode): A bunch of this codegen is no longer
      necessary, since it's redundant with the linking stage.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::ByteCodeParser):
      (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
      (JSC::DFG::ByteCodeParser::handlePutByOffset):
      (JSC::DFG::ByteCodeParser::handleGetById):
      (JSC::DFG::ByteCodeParser::parseBlock): Updated for interface changes.
      Notably, we can reuse existing DFG nodes -- but the mapping between
      bytecode and DFG nodes has changed, and some nodes and corner cases have
      been removed.
      
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::scopedVarLoadElimination):
      (JSC::DFG::CSEPhase::varInjectionWatchpointElimination):
      (JSC::DFG::CSEPhase::globalVarStoreElimination):
      (JSC::DFG::CSEPhase::scopedVarStoreElimination):
      (JSC::DFG::CSEPhase::getLocalLoadElimination):
      (JSC::DFG::CSEPhase::setLocalStoreElimination):
      (JSC::DFG::CSEPhase::performNodeCSE): Added CSE for var injection
      watchpoints. Even though watchpoints are "free", they're quite common
      inside code that's subject to var injection, so I figured we'd save a
      little memory.
      
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::capabilityLevel):
      * dfg/DFGCapabilities.h: Removed detection for old forms.
      
      * dfg/DFGDriver.h:
      (JSC::DFG::tryCompile):
      (JSC::DFG::tryCompileFunction):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGGraph.h:
      * dfg/DFGJITCode.cpp:
      * dfg/DFGNode.h:
      (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
      (JSC::DFG::Node::hasVarNumber):
      (JSC::DFG::Node::hasIdentifierNumberForCheck):
      (JSC::DFG::Node::hasRegisterPointer):
      (JSC::DFG::Node::hasHeapPrediction):
      * dfg/DFGNodeType.h:
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.h:
      (JSC::DFG::dfgResetGetByID):
      (JSC::DFG::dfgResetPutByID):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation): Removed some unneeded things,
      and updated for renames.
      
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile): The two primary changes here are:
      
      (1) Use a watchpoint for var injection instead of looping over the scope
      chain and checking. This is more efficient and much easier to model in
      code generation.
      
      (2) I've eliminated the notion of an optimized global assignment that
      needs to check for whether it should fire a watchpiont. Instead, we
      fire pre-emptively at the point of optimization. This removes a bunch
      of edge cases, and it seems like a more honest representation of
      the fact that our new optimization contradicts our old one.
      
      * dfg/DFGTypeCheckHoistingPhase.cpp:
      (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
      (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
      * heap/DFGCodeBlocks.cpp:
      (JSC::DFGCodeBlocks::jettison):
      * interpreter/CallFrame.h:
      (JSC::ExecState::trueCallFrame): Removed stuff that's unused now, and
      fixed the build.
      
      * interpreter/Interpreter.cpp:
      (JSC::eval):
      (JSC::getBytecodeOffsetForCallFrame):
      (JSC::getCallerInfo):
      (JSC::Interpreter::throwException): Updated exception scope tracking
      to match the rest of our linking strategy: The unlinked bytecode compiles
      exception scope as if non-local scope did not exist, and we add in
      non-local scope at link time. This means that we can restore the right
      scope depth based on a simple number, without checking the contents of
      the scope chain.
      
      (JSC::Interpreter::execute): Make sure to establish the full scope chain
      before linking eval code. We now require the full scope chain at link
      time, in order to link non-local variable resolution opcodes.
      
      * jit/JIT.cpp:
      (JSC::JIT::JIT):
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      * jit/JITArithmetic.cpp:
      (JSC::JIT::emit_op_add):
      * jit/JITCode.cpp:
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emitSlow_op_bitxor):
      (JSC::JIT::emitSlow_op_bitor):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emitSlow_op_to_primitive):
      (JSC::JIT::emit_op_strcat):
      (JSC::JIT::emitSlow_op_create_this):
      (JSC::JIT::emitSlow_op_to_this):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emitVarInjectionCheck):
      (JSC::JIT::emitResolveClosure):
      (JSC::JIT::emit_op_resolve_scope):
      (JSC::JIT::emitSlow_op_resolve_scope):
      (JSC::JIT::emitLoadWithStructureCheck):
      (JSC::JIT::emitGetGlobalProperty):
      (JSC::JIT::emitGetGlobalVar):
      (JSC::JIT::emitGetClosureVar):
      (JSC::JIT::emit_op_get_from_scope):
      (JSC::JIT::emitSlow_op_get_from_scope):
      (JSC::JIT::emitPutGlobalProperty):
      (JSC::JIT::emitPutGlobalVar):
      (JSC::JIT::emitPutClosureVar):
      (JSC::JIT::emit_op_put_to_scope):
      (JSC::JIT::emitSlow_op_put_to_scope):
      (JSC::JIT::emit_op_init_global_const):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emitVarInjectionCheck):
      (JSC::JIT::emitResolveClosure):
      (JSC::JIT::emit_op_resolve_scope):
      (JSC::JIT::emitSlow_op_resolve_scope):
      (JSC::JIT::emitLoadWithStructureCheck):
      (JSC::JIT::emitGetGlobalProperty):
      (JSC::JIT::emitGetGlobalVar):
      (JSC::JIT::emitGetClosureVar):
      (JSC::JIT::emit_op_get_from_scope):
      (JSC::JIT::emitSlow_op_get_from_scope):
      (JSC::JIT::emitPutGlobalProperty):
      (JSC::JIT::emitPutGlobalVar):
      (JSC::JIT::emitPutClosureVar):
      (JSC::JIT::emit_op_put_to_scope):
      (JSC::JIT::emitSlow_op_put_to_scope):
      (JSC::JIT::emit_op_init_global_const):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jit/JITStubs.h: Re-wrote baseline JIT codegen for our new variable
      resolution model.
      
      * llint/LLIntData.cpp:
      (JSC::LLInt::Data::performAssertions):
      * llint/LLIntSlowPaths.cpp:
      * llint/LLIntSlowPaths.h:
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter.cpp:
      (JSC::CLoop::execute):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm: Ditto for LLInt.
      
      * offlineasm/x86.rb: Fixed a pre-existing encoding bug for a syntactic
      form that we never used before.
      
      * runtime/ArrayPrototype.cpp:
      (JSC::arrayProtoFuncToString):
      (JSC::arrayProtoFuncToLocaleString):
      (JSC::arrayProtoFuncJoin):
      (JSC::arrayProtoFuncConcat):
      (JSC::arrayProtoFuncPop):
      (JSC::arrayProtoFuncPush):
      (JSC::arrayProtoFuncReverse):
      (JSC::arrayProtoFuncShift):
      (JSC::arrayProtoFuncSlice):
      (JSC::arrayProtoFuncSort):
      (JSC::arrayProtoFuncSplice):
      (JSC::arrayProtoFuncUnShift):
      (JSC::arrayProtoFuncFilter):
      (JSC::arrayProtoFuncMap):
      (JSC::arrayProtoFuncEvery):
      (JSC::arrayProtoFuncForEach):
      (JSC::arrayProtoFuncSome):
      (JSC::arrayProtoFuncReduce):
      (JSC::arrayProtoFuncReduceRight):
      (JSC::arrayProtoFuncIndexOf):
      (JSC::arrayProtoFuncLastIndexOf): Fixed some pre-existing bugs in
      'this' value conversion, which I made much more common by removing
      special cases in bytecode generation.
      
      These functions need to invoke toThis() because they observe the 'this'
      value. Also, toLocaleString() is specified to accept non-array 'this'
      values.
      
      (Most other host functions don't need this fix because they perform
      strict 'this' checking, which never coerces unexpected types.)
      
      * runtime/CodeCache.cpp:
      (JSC::CodeCache::getCodeBlock):
      (JSC::CodeCache::getProgramCodeBlock):
      (JSC::CodeCache::getEvalCodeBlock):
      * runtime/CodeCache.h: Don't supply a scope to the unlinked code cache.
      Unlinked code is supposed to be scope-free, so let's have the compiler
      help verify that.
      
      * runtime/CommonSlowPaths.cpp:
      (JSC::SLOW_PATH_DECL):
      * runtime/CommonSlowPaths.h:
      * runtime/Executable.cpp:
      (JSC::EvalExecutable::create):
      (JSC::EvalExecutable::compileInternal):
      (JSC::ProgramExecutable::compileInternal):
      (JSC::FunctionExecutable::produceCodeBlockFor):
      (JSC::FunctionExecutable::compileForCallInternal):
      (JSC::FunctionExecutable::compileForConstructInternal):
      * runtime/Executable.h:
      (JSC::EvalExecutable::numVariables):
      (JSC::EvalExecutable::numberOfFunctionDecls):
      * runtime/ExecutionHarness.h:
      (JSC::prepareForExecutionImpl):
      (JSC::prepareFunctionForExecutionImpl):
      (JSC::installOptimizedCode): Fiddled with executable initialization so
      that we can always generate a full scope chain before we go to link a
      code block. We need this because code block linking now depends on the
      scope chain to link non-local variable resolution opcodes.
      
      * runtime/JSActivation.h:
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::JSGlobalObject):
      (JSC::JSGlobalObject::createEvalCodeBlock):
      * runtime/JSGlobalObject.h:
      (JSC::JSGlobalObject::varInjectionWatchpoint):
      * runtime/JSGlobalObjectFunctions.cpp:
      (JSC::globalFuncEval):
      * runtime/JSNameScope.h:
      * runtime/JSScope.cpp:
      (JSC::abstractAccess):
      (JSC::JSScope::objectAtScope):
      (JSC::JSScope::depth):
      (JSC::JSScope::resolve):
      (JSC::JSScope::abstractResolve): Updated to match changes explained above.
      
      * runtime/JSScope.h:
      (JSC::makeType):
      (JSC::needsVarInjectionChecks):
      (JSC::ResolveOp::ResolveOp):
      (JSC::ResolveModeAndType::ResolveModeAndType):
      (JSC::ResolveModeAndType::mode):
      (JSC::ResolveModeAndType::type):
      (JSC::ResolveModeAndType::operand): Removed the old variable resolution
      state machine, since it's unused now. Added logic for performing abstract
      variable resolution at link time. This is used by codeblock linking.
      
      * runtime/ObjectPrototype.cpp:
      (JSC::objectProtoFuncValueOf):
      (JSC::objectProtoFuncHasOwnProperty):
      (JSC::objectProtoFuncIsPrototypeOf):
      (JSC::objectProtoFuncDefineGetter):
      (JSC::objectProtoFuncDefineSetter):
      (JSC::objectProtoFuncLookupGetter):
      (JSC::objectProtoFuncLookupSetter):
      (JSC::objectProtoFuncPropertyIsEnumerable):
      (JSC::objectProtoFuncToLocaleString):
      (JSC::objectProtoFuncToString): Fixed some pre-existing bugs in
      'this' value conversion, which I made much more common by removing
      special cases in bytecode generation.
      
      These functions need to invoke toThis() because they observe the 'this'
      value.
      
      * runtime/StringPrototype.cpp:
      (JSC::checkObjectCoercible):
      (JSC::stringProtoFuncReplace):
      (JSC::stringProtoFuncCharAt):
      (JSC::stringProtoFuncCharCodeAt):
      (JSC::stringProtoFuncConcat):
      (JSC::stringProtoFuncIndexOf):
      (JSC::stringProtoFuncLastIndexOf):
      (JSC::stringProtoFuncMatch):
      (JSC::stringProtoFuncSearch):
      (JSC::stringProtoFuncSlice):
      (JSC::stringProtoFuncSplit):
      (JSC::stringProtoFuncSubstr):
      (JSC::stringProtoFuncSubstring):
      (JSC::stringProtoFuncToLowerCase):
      (JSC::stringProtoFuncToUpperCase):
      (JSC::stringProtoFuncLocaleCompare):
      (JSC::stringProtoFuncBig):
      (JSC::stringProtoFuncSmall):
      (JSC::stringProtoFuncBlink):
      (JSC::stringProtoFuncBold):
      (JSC::stringProtoFuncFixed):
      (JSC::stringProtoFuncItalics):
      (JSC::stringProtoFuncStrike):
      (JSC::stringProtoFuncSub):
      (JSC::stringProtoFuncSup):
      (JSC::stringProtoFuncFontcolor):
      (JSC::stringProtoFuncFontsize):
      (JSC::stringProtoFuncAnchor):
      (JSC::stringProtoFuncLink):
      (JSC::trimString): Fixed some pre-existing bugs in
      'this' value conversion, which I made much more common by removing
      special cases in bytecode generation.
      
      These functions need to invoke toThis() because they observe the 'this'
      value.
      
      * runtime/StructureRareData.cpp:
      * runtime/VM.cpp:
      (JSC::VM::~VM):
      
      * runtime/WriteBarrier.h:
      (JSC::WriteBarrierBase::slot): Modified to reduce casting in client code.
      
      LayoutTests:
      
      This patch removed special-case 'this' resolution from bytecode, making
      some pre-existing edge cases in 'this' value treatment much more common.
      
      I updated the test results below, and added some tests, to match bug
      fixes for these cases.
      
      * fast/js/script-tests/array-functions-non-arrays.js:
      * fast/js/array-functions-non-arrays-expected.txt: As specified, it's
      not an error to pass a non-array to toLocaleString. Our new result
      matches Firefox and Chrome.
      
      * fast/js/array-prototype-properties-expected.txt: Updated for slightly
      clearer error message.
      
      * fast/js/basic-strict-mode-expected.txt: Updated for slightly more
      standard error message.
      
      * fast/js/object-prototype-toString-expected.txt: Added.
      * fast/js/object-prototype-toString.html: Added. This test demonstrates
      why we now fail a Sputnik test below, while Firefox and Chrome pass it.
      (The test doesn't test what it thinks it tests, and this test verifies
      that we get right what it does think it tests.)
      
      * fast/js/string-prototype-function-this-expected.txt: Added.
      * fast/js/string-prototype-function-this.html: Added. This test shows
      that we CheckObjectCoercible in string prototype functions. (We used
      to get this wrong, but Sputnik tests made it seem like we got it right
      because they didn't test the dynamic scope case.)
      
      * sputnik/Conformance/11_Expressions/11.1_Primary_Expressions/11.1.1_The_this_Keyword/S11.1.1_A2-expected.txt:
      * sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.3_Array_prototype_toLocaleString/S15.4.4.3_A2_T1-expected.txt:
      * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt:
      * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.11_String.prototype.replace/S15.5.4.11_A1_T3-expected.txt:
      * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt:
      * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt:
      * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt:
      * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt:
      * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt:
      * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt:
      * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt:
      
      Updated to show failing results. Firefox and Chrome also fail these
      tests, and the ES5 spec seems to mandate failure. Because these tests
      resolve a String.prototype function at global scope, the 'this' value
      for the call is an environment record. Logically, an environment record
      converts to 'undefined' at the call site, and should then fail the
      CheckObjectCoercible test.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153221 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      58c86752
    • oliver@apple.com's avatar
      fourthTier: DFG GetById patching shouldn't distinguish between self lists and proto lists · 73823ba8
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117377
      
      Source/JavaScriptCore:
      
      Reviewed by Geoffrey Garen.
      
      Previously if you did self accesses and then wanted to do a prototype access, you'd
      have a bad time: the prototype accesses would be forced to take slow path because
      the self list wouldn't allow prototype accesses. Likewise if you did prototype (or
      chain) accesses and then wanted to do a self access, similar stupidity would ensue.
      
      This fixes the stupidity.
      
      I believe that this was introduced way back in the days of the old interpreter,
      where distinguishing between self lists, proto lists, and chain lists was meaningful
      for interpreter performance: it meant fewer branches to evaluate those lists. Then
      it got mostly carried over to the old JIT since the old JIT was just initially an
      optimized version of the old interpreter, and then later it got carried over to the
      DFG because I didn't know any better at the time. Now I do know better and I'm
      fixing it.
      
      * bytecode/PolymorphicAccessStructureList.h:
      (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
      * bytecode/StructureStubInfo.h:
      (JSC::StructureStubInfo::initGetByIdSelfList):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      (JSC::DFG::getPolymorphicStructureList):
      (DFG):
      (JSC::DFG::patchJumpToGetByIdStub):
      (JSC::DFG::tryBuildGetByIDList):
      (JSC::DFG::dfgBuildGetByIDList):
      
      LayoutTests:
      
      Reviewed by Geoffrey Garen.
      
      Add tests that show why this is important. These tests speed up by more than 3x.
      
      * fast/js/regress/get-by-id-proto-or-self-expected.txt: Added.
      * fast/js/regress/get-by-id-proto-or-self.html: Added.
      * fast/js/regress/get-by-id-self-or-proto-expected.txt: Added.
      * fast/js/regress/get-by-id-self-or-proto.html: Added.
      * fast/js/regress/script-tests/get-by-id-proto-or-self.js: Added.
      (foo):
      (bar):
      (Foo):
      * fast/js/regress/script-tests/get-by-id-self-or-proto.js: Added.
      (foo):
      (bar):
      (Foo):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153217 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      73823ba8
    • oliver@apple.com's avatar
      fourthTier: Rationalized 'this' conversion, includes subsequent FTL branch fixes · e2fe4ceb
      oliver@apple.com authored
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore:
      
          Rationalized 'this' value conversion
          https://bugs.webkit.org/show_bug.cgi?id=115542
      
          This fixes a bunch of Sputnik tests, and some bad pointer access.
      
          The new model is that the callee always performs 'this' value conversion.
      
          My ultimate goal is to break up resolve_with_this into single-result
          opcodes. This step avoids having to add a special form of convert_this
          that distinguishes callers vs callees.
      
          Only the callee knows whether it uses 'this' and/or whether 'this'
          conversion should use StrictMode, so it's most natural to perform
          convert_this in the callee.
      
          * API/JSCallbackFunction.cpp:
          (JSC::JSCallbackFunction::call): Perform 'this' value conversion for
          our callee, since it may observe 'this'.
      
          * API/JSCallbackObjectFunctions.h:
          (JSC::::call): Ditto.
      
          * API/JSContextRef.cpp:
          (JSGlobalContextCreateInGroup): Use a proxy 'this' object in global scope
          even when we're not in the browser. This eliminates some odd cases where
          API clients used to be able to get a direct reference to an environment
          record. Now, any reference to an environment record unambiguously means
          that the VM resolved that record in the scope chain.
      
          (JSContextGetGlobalObject): Removed an incorrect comment. Now that JSC
          participates in the proxy 'this' object scheme, the behavior is not
          WebCore-only.
      
          * API/JSObjectRef.cpp:
          (JSObjectSetPrototype):
          (JSObjectCallAsFunction): Don't perform 'this' value conversion in the
          caller; the callee will do it if needed.
      
          * JavaScriptCore.order: Order!
      
          * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
          * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
          What are the chances that this will work?
      
          * bytecode/CodeBlock.cpp:
          (JSC::CodeBlock::dumpBytecode):
          (JSC::CodeBlock::CodeBlock): Renamed convert_this to to_this, to match our
          other conversion opcodes.
      
          * bytecode/CodeOrigin.h:
          (CodeOrigin):
          (InlineCallFrame):
          (JSC::CodeOrigin::codeOriginOwner): Use the more precise type for our
          executable, so compilation can discover where we're in strict mode.
      
          * bytecode/Opcode.h:
          (JSC::padOpcodeName): Updated for rename.
      
          * bytecompiler/BytecodeGenerator.cpp:
          (JSC::BytecodeGenerator::BytecodeGenerator): Always emit to_this when
          'this' is in use -- strict mode still needs to convert environment
          records to 'undefined'.
      
          * dfg/DFGAbstractState.cpp:
          (JSC::DFG::AbstractState::executeEffects):
          * dfg/DFGByteCodeParser.cpp:
          (JSC::DFG::ByteCodeParser::parseBlock):
          * dfg/DFGCapabilities.h:
          (JSC::DFG::canCompileOpcode): Updated for renames.
      
          * dfg/DFGFixupPhase.cpp:
          (JSC::DFG::FixupPhase::fixupNode): Tightened up this code to consider
          strict mode (a new requirement) and to consider the global object (which
          was always a requirement).
      
          * dfg/DFGGraph.h:
          (JSC::DFG::Graph::globalThisObjectFor):
          (JSC::DFG::Graph::executableFor):
          * dfg/DFGNodeType.h:
          * dfg/DFGOperations.cpp:
          * dfg/DFGOperations.h:
          * dfg/DFGPredictionPropagationPhase.cpp:
          (JSC::DFG::PredictionPropagationPhase::propagate):
          * dfg/DFGSpeculativeJIT32_64.cpp:
          (JSC::DFG::SpeculativeJIT::compile):
          * dfg/DFGSpeculativeJIT64.cpp:
          (JSC::DFG::SpeculativeJIT::compile): Ditto.
      
          * interpreter/Interpreter.cpp:
          (JSC::eval):
          (JSC::Interpreter::execute):
          (JSC::Interpreter::executeCall):
          * interpreter/Interpreter.h: Don't ASSERT about 'this' -- it's our job
          to fix it up if needed.
      
          * jit/JIT.cpp:
          (JSC::JIT::privateCompileMainPass):
          (JSC::JIT::privateCompileSlowCases):
          * jit/JIT.h:
          (JIT):
          * jit/JITOpcodes.cpp:
          (JSC::JIT::emit_op_to_this):
          (JSC::JIT::emitSlow_op_to_this):
          * jit/JITOpcodes32_64.cpp:
          (JSC::JIT::emit_op_to_this):
          (JSC::JIT::emitSlow_op_to_this):
          * jit/JITStubs.cpp:
          (JSC::DEFINE_STUB_FUNCTION):
          * jit/JITStubs.h: Removed special-case code for various kinds of
          conversions. The baseline fast path is now final objects only. It hurt
          my brain to think through how to keep the other fast paths working, and
          our benchmarks do not object.
      
          * llint/LLIntData.cpp:
          (JSC::LLInt::Data::performAssertions):
          * llint/LLIntSlowPaths.cpp:
          (JSC::LLInt::LLINT_SLOW_PATH_DECL):
          * llint/LLIntSlowPaths.h:
          (LLInt):
          * llint/LowLevelInterpreter.asm:
          * llint/LowLevelInterpreter32_64.asm:
          * llint/LowLevelInterpreter64.asm: Updated for renames. Removed some
          special case code, as in the JIT above.
      
          * profiler/ProfileGenerator.cpp:
          (JSC::ProfileGenerator::addParentForConsoleStart):
          * runtime/CallData.cpp:
          (JSC::call):
          * runtime/ClassInfo.h:
          (MethodTable):
          * runtime/Completion.cpp:
          (JSC::evaluate):
          * runtime/DatePrototype.cpp:
          (JSC::dateProtoFuncToJSON): The callee performs 'this' conversion, not
          the caller.
      
          * runtime/GetterSetter.cpp:
          (JSC::callGetter):
          (JSC::callSetter):
          * runtime/GetterSetter.h: Added helper functions for invoking getters
          and setters from C++ code, since this was duplicated in a bunch of
          places.
      
          * runtime/JSActivation.cpp:
          (JSC::JSActivation::toThis):
          * runtime/JSActivation.h:
          (JSActivation):
          * runtime/JSCJSValue.cpp:
          (JSC::JSValue::toThisSlowCase):
          (JSC::JSValue::putToPrimitive):
          * runtime/JSCJSValue.h:
          (JSValue):
          * runtime/JSCJSValueInlines.h:
          (JSC::JSValue::toThis):
          * runtime/JSCell.cpp:
          (JSC::JSCell::toThis):
          * runtime/JSCell.h:
          (JSCell):
          * runtime/JSGlobalObject.cpp:
          (JSC::JSGlobalObject::toThis):
          * runtime/JSGlobalObject.h:
          (JSGlobalObject): Filled out runtime support for converting 'this'
          values as needed, according to the appropriate strictness, using
          helper functions where getter/setter code was duplicated.
      
          * runtime/JSGlobalObjectFunctions.cpp:
          (JSC::globalFuncProtoGetter):
          (JSC::globalFuncProtoSetter): Perform 'this' value conversion, since we
          observe 'this'.
      
          * runtime/JSNameScope.cpp:
          (JSC::JSNameScope::toThis):
          * runtime/JSNameScope.h:
          (JSNameScope): Same as JSActivation.
      
          * runtime/JSObject.cpp:
          (JSC::JSObject::put):
          (JSC::JSObject::setPrototypeWithCycleCheck): Bug fix. Don't peform
          'this' value conversion in this helper function. The __proto__
          setter does this for us, since it's the function that logically observes
          'this' -- and we can ASSERT so. Also, the previous code used
          "globalExec()->thisValue()", which is a read past the beginning of a
          buffer! I don't think this ever worked on purpose.
      
          (JSC::JSObject::toThis):
          (JSC::JSObject::fillGetterPropertySlot):
          * runtime/JSObject.h:
          (JSC::JSObject::inlineGetOwnPropertySlot):
          * runtime/JSScope.cpp:
          (JSC::JSScope::resolveWithThis):
          * runtime/JSString.cpp:
          (JSC::JSString::toThis):
          * runtime/JSString.h:
          (JSString):
          * runtime/PropertySlot.cpp:
          (JSC::PropertySlot::functionGetter):
          * runtime/PropertySlot.h:
          (JSC):
          (JSC::PropertySlot::setGetterSlot):
          (JSC::PropertySlot::setCacheableGetterSlot):
          * runtime/SparseArrayValueMap.cpp:
          (JSC::SparseArrayEntry::get):
          (JSC::SparseArrayEntry::put):
          * runtime/StrictEvalActivation.cpp:
          (JSC::StrictEvalActivation::toThis):
          * runtime/StrictEvalActivation.h:
          (StrictEvalActivation): Ditto.
      
      Source/WebCore:
      
          Rationalized 'this' value conversion
          https://bugs.webkit.org/show_bug.cgi?id=115542
      
      Source/WebKit/mac:
      
          Rationalized 'this' value conversion
          https://bugs.webkit.org/show_bug.cgi?id=115542
      
      Source/WebKit2:
      
          Rationalized 'this' value conversion
          https://bugs.webkit.org/show_bug.cgi?id=115542
      
      LayoutTests:
      
          Rationalized 'this' value conversion
          https://bugs.webkit.org/show_bug.cgi?id=115542
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153145 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      e2fe4ceb
    • oliver@apple.com's avatar
      fourthTier: DFG tries to ref/deref StringImpls in a ton of places · 02039469
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=115300
      
      Source/JavaScriptCore:
      
      Reviewed by Geoffrey Garen.
      
      Change any code transitively called from DFG compilation to use StringImpl*
      directly instead of String, Identifier, or PropertyName. I use the convention
      of passing "StringImpl* uid" instead of an Identifier or PropertyName.
      
      Switch over any code transitively called from DFG compilation to use CStrings
      whenever possible for all of its debug dumping.
      
      This makes it possible to compile things without hitting the ref/deref
      assertion in StringImpl.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::inferredName):
      (JSC::CodeBlock::sourceCodeForTools):
      (JSC::CodeBlock::sourceCodeOnOneLine):
      (JSC::constantName):
      (JSC::idName):
      (JSC::CodeBlock::registerName):
      (JSC::regexpToSourceString):
      (JSC::regexpName):
      (JSC::pointerToSourceString):
      (JSC::CodeBlock::printUnaryOp):
      (JSC::CodeBlock::printBinaryOp):
      (JSC::CodeBlock::printConditionalJump):
      (JSC::CodeBlock::printGetByIdOp):
      (JSC::dumpStructure):
      (JSC::CodeBlock::printCallOp):
      (JSC::CodeBlock::printPutByIdOp):
      (JSC::CodeBlock::printStructure):
      (JSC::CodeBlock::printStructures):
      (JSC::CodeBlock::dumpBytecode):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      * bytecode/CodeBlockHash.cpp:
      (JSC::CodeBlockHash::CodeBlockHash):
      * bytecode/CodeOrigin.cpp:
      (JSC::InlineCallFrame::inferredName):
      * bytecode/CodeOrigin.h:
      (InlineCallFrame):
      * bytecode/GetByIdStatus.cpp:
      (JSC::GetByIdStatus::computeFromLLInt):
      (JSC::GetByIdStatus::computeForChain):
      (JSC::GetByIdStatus::computeFor):
      * bytecode/GetByIdStatus.h:
      (JSC):
      (GetByIdStatus):
      * bytecode/PutByIdStatus.cpp:
      (JSC::PutByIdStatus::computeFromLLInt):
      (JSC::PutByIdStatus::computeFor):
      * bytecode/PutByIdStatus.h:
      (JSC):
      (PutByIdStatus):
      * bytecode/ReduceWhitespace.cpp:
      (JSC::reduceWhitespace):
      * bytecode/ReduceWhitespace.h:
      (JSC):
      * bytecode/ResolveGlobalStatus.cpp:
      (JSC::computeForStructure):
      (JSC::ResolveGlobalStatus::computeFor):
      * bytecode/ResolveGlobalStatus.h:
      (JSC):
      (ResolveGlobalStatus):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::parseResolveOperations):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGDesiredIdentifiers.cpp: Added.
      (DFG):
      (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
      (JSC::DFG::DesiredIdentifiers::~DesiredIdentifiers):
      (JSC::DFG::DesiredIdentifiers::addLazily):
      (JSC::DFG::DesiredIdentifiers::reallyAdd):
      * dfg/DFGDesiredIdentifiers.h: Added.
      (DFG):
      (DesiredIdentifiers):
      (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
      (JSC::DFG::DesiredIdentifiers::at):
      (JSC::DFG::DesiredIdentifiers::operator[]):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
      (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::Graph):
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (Graph):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryBuildGetByIDList):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::identifierUID):
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * parser/SourceCode.cpp: Added.
      (JSC):
      (JSC::SourceCode::toUTF8):
      * parser/SourceCode.h:
      (SourceCode):
      * profiler/ProfilerBytecodes.cpp:
      (JSC::Profiler::Bytecodes::toJS):
      * profiler/ProfilerBytecodes.h:
      (JSC::Profiler::Bytecodes::inferredName):
      (JSC::Profiler::Bytecodes::sourceCode):
      (Bytecodes):
      * runtime/Identifier.h:
      (JSC::Identifier::utf8):
      (JSC):
      * runtime/Structure.cpp:
      (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
      (JSC::Structure::addPropertyTransitionToExistingStructure):
      (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
      (JSC::Structure::getConcurrently):
      (JSC::Structure::prototypeChainMayInterceptStoreTo):
      (JSC):
      * runtime/Structure.h:
      (Structure):
      * runtime/StructureInlines.h:
      (JSC::Structure::getConcurrently):
      
      Source/WTF:
      
      Reviewed by Geoffrey Garen.
      
      Make it possible to do more things directly to StringImpl*'s, including being
      able to directly do utf8 conversion on a substring without creating the
      substring first.
      
      Add assertions to StringImpl that it isn't being ref/deref'd from the
      compilation thread.
      
      * wtf/PrintStream.cpp:
      (WTF::printInternal):
      (WTF):
      * wtf/PrintStream.h:
      (WTF):
      (WTF::printInternal):
      * wtf/StringPrintStream.h:
      (WTF):
      (WTF::toCString):
      * wtf/text/StringImpl.cpp:
      (WTF::StringImpl::utf8ForRange):
      (WTF::StringImpl::utf8):
      (WTF):
      * wtf/text/StringImpl.h:
      (StringImpl):
      (WTF::StringImpl::hasAtLeastOneRef):
      (WTF::StringImpl::ref):
      (WTF::StringImpl::deref):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153142 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      02039469
  2. 17 Jul, 2013 1 commit
    • fpizlo@apple.com's avatar
      DFG assumes that NewFunction will never pass its input through · 507dca16
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=118798
      
      Source/JavaScriptCore: 
      
      Reviewed by Sam Weinig.
              
      Previously the DFG was assuming that NewFunction always returns a function. That's not
      the case. It may return whatever was passed to it, if it wasn't passed SpecEmpty.
              
      This fact needed to be wired through the compiler.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::makeTop):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      LayoutTests: 
      
      Reviewed by Sam Weinig.
      
      * fast/js/dfg-use-function-as-variable-expected.txt: Added.
      * fast/js/dfg-use-function-as-variable-merge-structure-expected.txt: Added.
      * fast/js/dfg-use-function-as-variable-merge-structure.html: Added.
      * fast/js/dfg-use-function-as-variable-not-constant-expected.txt: Added.
      * fast/js/dfg-use-function-as-variable-not-constant.html: Added.
      * fast/js/dfg-use-function-as-variable-with-closure-expected.txt: Added.
      * fast/js/dfg-use-function-as-variable-with-closure.html: Added.
      * fast/js/dfg-use-function-as-variable.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/dfg-use-function-as-variable-merge-structure.js: Added.
      (.x):
      (run_tests):
      * fast/js/script-tests/dfg-use-function-as-variable-not-constant.js: Added.
      (run_tests.x):
      (run_tests):
      * fast/js/script-tests/dfg-use-function-as-variable-with-closure.js: Added.
      (run_tests.x):
      (run_tests.y):
      (run_tests):
      * fast/js/script-tests/dfg-use-function-as-variable.js: Added.
      (run_tests.x):
      (run_tests):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@152813 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      507dca16
  3. 30 Apr, 2013 1 commit
    • rniwa@webkit.org's avatar
      Unreviewed, rolling out r149349 and r149354. · 3b9e15c9
      rniwa@webkit.org authored
      http://trac.webkit.org/changeset/149349
      http://trac.webkit.org/changeset/149354
      https://bugs.webkit.org/show_bug.cgi?id=115444
      
       The Thumb version of compileSoftModulo make invalid use of
      registers (Requested by benjaminp on #webkit).
      
      
      Source/JavaScriptCore:
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * assembler/ARMv7Assembler.h:
      (ARMv7Assembler):
      * assembler/AbstractMacroAssembler.h:
      (JSC::isARMv7s):
      (JSC):
      * assembler/MacroAssemblerARMv7.cpp: Removed.
      * assembler/MacroAssemblerARMv7.h:
      (MacroAssemblerARMv7):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileSoftModulo):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      Source/WTF:
      
      * wtf/Platform.h:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@149395 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      3b9e15c9
  4. 29 Apr, 2013 1 commit
    • commit-queue@webkit.org's avatar
      [ARM] Expand the use of integer division · 867a6d44
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=115138
      
      Patch by Cosmin Truta <ctruta@blackberry.com> on 2013-04-29
      Reviewed by Benjamin Poulain.
      
      Source/JavaScriptCore:
      
      If availability of hardware integer division isn't known at compile
      time, check the CPU flags and decide at runtime whether to fall back
      to software. Currently, this OS-specific check is implemented on QNX.
      
      Moreover, use operator % instead of fmod() in the calculation of the
      software modulo. Even when it's software-emulated, operator % is faster
      than fmod(): on ARM v7 QNX, without hardware division, we noticed
      >3% speedup on SunSpider.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * assembler/ARMv7Assembler.h:
      (JSC::ARMv7Assembler::sdiv): Did not compile conditionally.
      (JSC::ARMv7Assembler::udiv): Ditto.
      * assembler/AbstractMacroAssembler.h:
      (JSC::isARMv7s): Removed.
      * assembler/MacroAssemblerARMv7.cpp: Added.
      (JSC::isIntegerDivSupported): Added.
      * assembler/MacroAssemblerARMv7.h:
      (JSC::MacroAssemblerARMv7::supportsIntegerDiv): Added.
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode): Checked MacroAssembler::supportsIntegerDiv() in ArithDiv case.
      * dfg/DFGOperations.cpp:
      (JSC::DFG::operationModOnInts): Added.
      * dfg/DFGOperations.h:
      (JSC::DFG::Z_DFGOperation_ZZ): Added.
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileSoftModulo): Separated the X86-specific and ARM-specific codegen
      from the common implementation; used operationModOnInts on ARM.
      (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARM): Renamed from compileIntegerArithDivForARMv7.
      (JSC::DFG::SpeculativeJIT::compileArithMod): Allowed run-time detection of integer div on ARM.
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation): Added overloads with Z_DFGOperation_ZZ arguments.
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile): Used compileIntegerArithDivForARM.
      
      Source/WTF:
      
      * wtf/Platform.h: Added ENABLE_ARM_INTEGER_DIV.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@149349 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      867a6d44
  5. 09 Apr, 2013 1 commit
    • commit-queue@webkit.org's avatar
      Adds fromCharCode intrinsic support. · aa31a5ed
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=104807
      
      Patch by Vahag Vardanyan <vaag@ispras.ru> on 2013-04-08
      Reviewed by Oliver Hunt.
      
      Switch to using fromCharCode intrinsic instead of call operation in some cases.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileFromCharCode):
      (DFG):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/StringConstructor.cpp:
      (JSC::stringFromCharCode):
      (JSC):
      * runtime/StringConstructor.h:
      (JSC):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147985 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      aa31a5ed
  6. 08 Apr, 2013 1 commit
    • fpizlo@apple.com's avatar
      DFG should be able to inline string equality comparisons · ee10e452
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=114224
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      Inline 8-bit string equality, go to slow path for 16-bit strings. 2x speed-up for string equality
      comparisons on 8-bit strings. 20-50% speed-up on JSRegress/HashMap tests. 30% speed-up on
      string-fasta. 2% speed-up on SunSpider overall. Some small speed-ups elsewhere.
      
      This is a gnarly change but we have loads of test coverage already between the HashMap tests and
      preexisting DFG string equality tests (which appear to have been designed to test OSR exits, but
      also give us good overall coverage on string equality behavior).
      
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::compileStringEquality):
      (DFG):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * fast/js/regress/script-tests/string-equality.js: Added.
      (foo):
      * fast/js/regress/string-equality-expected.txt: Added.
      * fast/js/regress/string-equality.html: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147965 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ee10e452
  7. 20 Mar, 2013 1 commit
    • fpizlo@apple.com's avatar
      DFG implementation of op_strcat should inline rope allocations · 4463e44f
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=112780
      
      Reviewed by Oliver Hunt.
              
      This gets rid of the StrCat node and adds a MakeRope node. The MakeRope node can
      take either two or three operands, and allocates a rope string with either two or
      three fibers. (The magic choice of three children for non-VarArg nodes happens to
      match exactly with the magic choice of three fibers for rope strings.)
              
      ValueAdd on KnownString is replaced with MakeRope with two children.
              
      StrCat gets replaced by an appropriate sequence of MakeRope's.
              
      MakeRope does not do the dynamic check to see if its children are empty strings.
      This is replaced by a static check, instead. The downside is that we may use more
      memory if the strings passed to MakeRope turn out to dynamically be empty. The
      upside is that we do fewer checks in the cases where either the strings are not
      empty, or where the strings are statically known to be empty. I suspect both of
      those cases are more common, than the case where the string is dynamically empty.
              
      This also results in some badness for X86. MakeRope needs six registers if it is
      allocating a three-rope. We don't have six registers to spare on X86. Currently,
      the code side-steps this problem by just never usign three-ropes in optimized
      code on X86. All other architectures, including X86_64, don't have this problem.
              
      This is a shocking speed-up. 9% progressions on both V8/splay and
      SunSpider/date-format-xparb. 1% progression on V8v7 overall, and ~0.5% progression
      on SunSpider. 2x speed-up on microbenchmarks that test op_strcat.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGAdjacencyList.h:
      (AdjacencyList):
      (JSC::DFG::AdjacencyList::removeEdge):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
      * dfg/DFGBackwardsPropagationPhase.cpp:
      (JSC::DFG::BackwardsPropagationPhase::propagate):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::putStructureStoreElimination):
      (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGDCEPhase.cpp:
      (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::createToString):
      (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
      (JSC::DFG::FixupPhase::convertStringAddUse):
      (FixupPhase):
      (JSC::DFG::FixupPhase::convertToMakeRope):
      (JSC::DFG::FixupPhase::fixupMakeRope):
      (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileMakeRope):
      (DFG):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
      (JSC::DFG::SpeculateCellOperand::~SpeculateCellOperand):
      (JSC::DFG::SpeculateCellOperand::gpr):
      (JSC::DFG::SpeculateCellOperand::use):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/JSString.h:
      (JSRopeString):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146382 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4463e44f
  8. 18 Mar, 2013 2 commits
    • fpizlo@apple.com's avatar
      DFG should inline binary string concatenations (i.e. ValueAdd with string children) · 8d225914
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=112599
      
      Reviewed by Oliver Hunt.
              
      This does as advertised: if you do x + y where x and y are strings, you'll get
      a fast inlined JSRopeString allocation (along with whatever checks are necessary).
      It also does good things if either x or y (or both) are StringObjects, or some
      other thing like StringOrStringObject. It also lays the groundwork for making this
      fast if either x or y are numbers, or some other reasonably-cheap-to-convert
      value.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (FixupPhase):
      (JSC::DFG::FixupPhase::isStringObjectUse):
      (JSC::DFG::FixupPhase::convertStringAddUse):
      (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileAdd):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
      (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
      * runtime/JSString.h:
      (JSC::JSString::offsetOfFlags):
      (JSString):
      (JSRopeString):
      (JSC::JSRopeString::offsetOfFibers):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146164 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      8d225914
    • fpizlo@apple.com's avatar
      DFG string conversions and allocations should be inlined · 0e6e1542
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=112376
      
      Source/JavaScriptCore: 
      
      Reviewed by Geoffrey Garen.
              
      This turns new String(), String(), String.prototype.valueOf(), and
      String.prototype.toString() into intrinsics. It gives the DFG the ability to handle
      conversions from StringObject to JSString and vice-versa, and also gives it the
      ability to handle cases where a variable may be either a StringObject or a JSString.
      To do this, I added StringObject to value profiling (and removed the stale
      distinction between Myarguments and Foreignarguments). I also cleaned up ToPrimitive
      handling, using some of the new functionality but also taking advantage of the
      existence of Identity(String:@a).
              
      This is a 2% SunSpider speed-up. Also there are some speed-ups on V8v7 and Kraken.
      On microbenchmarks that stress new String() this is a 14x speed-up.
      
      * CMakeLists.txt:
      * DerivedSources.make:
      * DerivedSources.pri:
      * GNUmakefile.list.am:
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::hasExitSite):
      (JSC):
      * bytecode/DFGExitProfile.cpp:
      (JSC::DFG::ExitProfile::hasExitSite):
      (DFG):
      * bytecode/DFGExitProfile.h:
      (ExitProfile):
      (JSC::DFG::ExitProfile::hasExitSite):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromClassInfo):
      * bytecode/SpeculatedType.h:
      (JSC):
      (JSC::isStringObjectSpeculation):
      (JSC::isStringOrStringObjectSpeculation):
      * create_hash_table:
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGAbstractState.h:
      (JSC::DFG::AbstractState::filterEdgeByUse):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
      (DFG):
      (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::putStructureStoreElimination):
      * dfg/DFGEdge.h:
      (JSC::DFG::Edge::shift):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
      (FixupPhase):
      (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::hasGlobalExitSite):
      (Graph):
      (JSC::DFG::Graph::hasExitSite):
      (JSC::DFG::Graph::clobbersWorld):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::convertToToString):
      (Node):
      (JSC::DFG::Node::hasStructure):
      (JSC::DFG::Node::shouldSpeculateStringObject):
      (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileNewStringObject):
      (JSC::DFG::SpeculativeJIT::speculateObject):
      (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
      (JSC::DFG::SpeculativeJIT::speculateString):
      (JSC::DFG::SpeculativeJIT::speculateStringObject):
      (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
      (DFG):
      (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      * interpreter/CallFrame.h:
      (JSC::ExecState::regExpPrototypeTable):
      * runtime/CommonIdentifiers.h:
      * runtime/Intrinsic.h:
      * runtime/JSDestructibleObject.h:
      (JSDestructibleObject):
      (JSC::JSDestructibleObject::classInfoOffset):
      * runtime/JSGlobalData.cpp:
      (JSC):
      (JSC::JSGlobalData::JSGlobalData):
      (JSC::JSGlobalData::~JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSGlobalData):
      * runtime/JSObject.cpp:
      * runtime/JSObject.h:
      (JSC):
      * runtime/JSWrapperObject.h:
      (JSC::JSWrapperObject::allocationSize):
      (JSWrapperObject):
      (JSC::JSWrapperObject::internalValueOffset):
      (JSC::JSWrapperObject::internalValueCellOffset):
      * runtime/StringPrototype.cpp:
      (JSC):
      (JSC::StringPrototype::finishCreation):
      (JSC::StringPrototype::create):
      * runtime/StringPrototype.h:
      (StringPrototype):
      
      LayoutTests: 
      
      Reviewed by Geoffrey Garen.
      
      * fast/js/dfg-to-string-bad-toString-expected.txt: Added.
      * fast/js/dfg-to-string-bad-toString.html: Added.
      * fast/js/dfg-to-string-bad-valueOf-expected.txt: Added.
      * fast/js/dfg-to-string-bad-valueOf.html: Added.
      * fast/js/dfg-to-string-int-expected.txt: Added.
      * fast/js/dfg-to-string-int-or-string-expected.txt: Added.
      * fast/js/dfg-to-string-int-or-string.html: Added.
      * fast/js/dfg-to-string-int.html: Added.
      * fast/js/dfg-to-string-side-effect-clobbers-toString-expected.txt: Added.
      * fast/js/dfg-to-string-side-effect-clobbers-toString.html: Added.
      * fast/js/dfg-to-string-side-effect-expected.txt: Added.
      * fast/js/dfg-to-string-side-effect.html: Added.
      * fast/js/dfg-to-string-toString-becomes-bad-expected.txt: Added.
      * fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype-expected.txt: Added.
      * fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.html: Added.
      * fast/js/dfg-to-string-toString-becomes-bad.html: Added.
      * fast/js/dfg-to-string-toString-in-string-expected.txt: Added.
      * fast/js/dfg-to-string-toString-in-string.html: Added.
      * fast/js/dfg-to-string-valueOf-becomes-bad-expected.txt: Added.
      * fast/js/dfg-to-string-valueOf-becomes-bad.html: Added.
      * fast/js/dfg-to-string-valueOf-in-string-expected.txt: Added.
      * fast/js/dfg-to-string-valueOf-in-string.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/regress/script-tests/string-concat-object.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-concat-pair-object.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-concat-pair-simple.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-concat-simple.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-cons-repeat.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-cons-tower.js: Added.
      (foo):
      * fast/js/regress/string-concat-object-expected.txt: Added.
      * fast/js/regress/string-concat-object.html: Added.
      * fast/js/regress/string-concat-pair-object-expected.txt: Added.
      * fast/js/regress/string-concat-pair-object.html: Added.
      * fast/js/regress/string-concat-pair-simple-expected.txt: Added.
      * fast/js/regress/string-concat-pair-simple.html: Added.
      * fast/js/regress/string-concat-simple-expected.txt: Added.
      * fast/js/regress/string-concat-simple.html: Added.
      * fast/js/regress/string-cons-repeat-expected.txt: Added.
      * fast/js/regress/string-cons-repeat.html: Added.
      * fast/js/regress/string-cons-tower-expected.txt: Added.
      * fast/js/regress/string-cons-tower.html: Added.
      * fast/js/script-tests/dfg-to-string-bad-toString.js: Added.
      (String.prototype.toString):
      (foo):
      * fast/js/script-tests/dfg-to-string-bad-valueOf.js: Added.
      (String.prototype.valueOf):
      (foo):
      * fast/js/script-tests/dfg-to-string-int-or-string.js: Added.
      (foo):
      * fast/js/script-tests/dfg-to-string-int.js: Added.
      (foo):
      * fast/js/script-tests/dfg-to-string-side-effect-clobbers-toString.js: Added.
      (foo):
      * fast/js/script-tests/dfg-to-string-side-effect.js: Added.
      (foo):
      * fast/js/script-tests/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.js: Added.
      (foo):
      (.String.prototype.toString):
      * fast/js/script-tests/dfg-to-string-toString-becomes-bad.js: Added.
      (foo):
      (.String.prototype.toString):
      * fast/js/script-tests/dfg-to-string-toString-in-string.js: Added.
      (foo):
      (.argument.toString):
      * fast/js/script-tests/dfg-to-string-valueOf-becomes-bad.js: Added.
      (foo):
      (.String.prototype.valueOf):
      * fast/js/script-tests/dfg-to-string-valueOf-in-string.js: Added.
      (foo):
      (.argument.valueOf):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146089 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0e6e1542
  9. 18 Feb, 2013 1 commit
  10. 28 Jan, 2013 1 commit
    • ggaren@apple.com's avatar
      Static size inference for JavaScript objects · c862eacf
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=108093
      
      Reviewed by Phil Pizlo.
      
      ../JavaScriptCore: 
      
      * API/JSObjectRef.cpp:
      * JavaScriptCore.order:
      * JavaScriptCore.xcodeproj/project.pbxproj: Pay the tax man.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dumpBytecode): op_new_object and op_create_this now
      have an extra inferredInlineCapacity argument. This is the statically
      inferred inline capacity, just from analyzing source text. op_new_object
      also gets a pointer to an allocation profile. (For op_create_this, the
      profile is in the construtor function.)
      
      (JSC::CodeBlock::CodeBlock): Link op_new_object.
      
      (JSC::CodeBlock::stronglyVisitStrongReferences): Mark our profiles.
      
      * bytecode/CodeBlock.h:
      (CodeBlock): Removed some dead code. Added object allocation profiles.
      
      * bytecode/Instruction.h:
      (JSC): New union type, since an instruction operand may point to an
      object allocation profile now.
      
      * bytecode/ObjectAllocationProfile.h: Added.
      (JSC):
      (ObjectAllocationProfile):
      (JSC::ObjectAllocationProfile::offsetOfAllocator):
      (JSC::ObjectAllocationProfile::offsetOfStructure):
      (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
      (JSC::ObjectAllocationProfile::isNull):
      (JSC::ObjectAllocationProfile::initialize):
      (JSC::ObjectAllocationProfile::structure):
      (JSC::ObjectAllocationProfile::inlineCapacity):
      (JSC::ObjectAllocationProfile::clear):
      (JSC::ObjectAllocationProfile::visitAggregate):
      (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): New class
      for tracking a prediction about object allocation: structure, inline
      capacity, allocator to use.
      
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName): Updated instruction sizes.
      
      * bytecode/UnlinkedCodeBlock.cpp:
      (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
      * bytecode/UnlinkedCodeBlock.h:
      (JSC):
      (JSC::UnlinkedCodeBlock::addObjectAllocationProfile):
      (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles):
      (UnlinkedCodeBlock): Unlinked support for allocation profiles.
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::generate): Kill all remaining analyses at the
      end of codegen, since this is our last opportunity.
      
      (JSC::BytecodeGenerator::BytecodeGenerator): Added a static property
      analyzer to bytecode generation. It tracks initializing assignments and
      makes a guess about how many will happen.
      
      (JSC::BytecodeGenerator::newObjectAllocationProfile):
      (JSC):
      (JSC::BytecodeGenerator::emitProfiledOpcode):
      (JSC::BytecodeGenerator::emitMove):
      (JSC::BytecodeGenerator::emitResolve):
      (JSC::BytecodeGenerator::emitResolveBase):
      (JSC::BytecodeGenerator::emitResolveBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithThis):
      (JSC::BytecodeGenerator::emitGetById):
      (JSC::BytecodeGenerator::emitPutById):
      (JSC::BytecodeGenerator::emitDirectPutById):
      (JSC::BytecodeGenerator::emitPutGetterSetter):
      (JSC::BytecodeGenerator::emitGetArgumentByVal):
      (JSC::BytecodeGenerator::emitGetByVal): Added hooks to the static property
      analyzer, so it can observe allocations and stores.
      
      (JSC::BytecodeGenerator::emitCreateThis): Factored this into a helper
      function because it was a significant amount of logic, and I wanted to
      add to it.
      
      (JSC::BytecodeGenerator::emitNewObject):
      (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
      (JSC::BytecodeGenerator::emitCall):
      (JSC::BytecodeGenerator::emitCallVarargs):
      (JSC::BytecodeGenerator::emitConstruct): Added a hook to profiled opcodes
      to track their stores, in case a store kills a profiled allocation. Since
      profiled opcodes are basically the only interesting stores we do, this
      is a convenient place to notice any store that might kill an allocation.
      
      * bytecompiler/BytecodeGenerator.h:
      (BytecodeGenerator): As above.
      
      * bytecompiler/StaticPropertyAnalysis.h: Added.
      (JSC):
      (StaticPropertyAnalysis):
      (JSC::StaticPropertyAnalysis::create):
      (JSC::StaticPropertyAnalysis::addPropertyIndex):
      (JSC::StaticPropertyAnalysis::record):
      (JSC::StaticPropertyAnalysis::propertyIndexCount):
      (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis): Simple helper
      class for tracking allocations and stores.
      
      * bytecompiler/StaticPropertyAnalyzer.h: Added.
      (StaticPropertyAnalyzer):
      (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
      (JSC::StaticPropertyAnalyzer::createThis):
      (JSC::StaticPropertyAnalyzer::newObject):
      (JSC::StaticPropertyAnalyzer::putById):
      (JSC::StaticPropertyAnalyzer::mov):
      (JSC::StaticPropertyAnalyzer::kill): Helper class for observing allocations
      and stores and making an inline capacity guess. The heuristics here are
      intentionally minimal because we don't want this one class to try to
      re-create something like a DFG or a runtime analysis. If we discover that
      we need those kinds of analyses, we should just replace this class with
      something else.
      
      This class tracks multiple registers that alias the same object -- that
      happens a lot, when moving locals into temporary registers -- but it
      doesn't track control flow or multiple objects that alias the same register.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute): Updated for rename.
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock): Updated for inline capacity and
      allocation profile.
      
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasInlineCapacity):
      (Node):
      (JSC::DFG::Node::inlineCapacity):
      (JSC::DFG::Node::hasFunction): Give the graph a good way to represent
      inline capacity for an allocation.
      
      * dfg/DFGNodeType.h:
      (DFG): Updated for rename.
      
      * dfg/DFGOperations.cpp: Updated for interface change.
      
      * dfg/DFGOperations.h: We pass the inline capacity to the slow case as
      an argument. This is the simplest way, since it's stored as a bytecode operand.
      
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate): Updated for rename.
      
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID): Fixed a horrible off-by-one-half bug that only
      appears when doing an inline cached load for property number 64 on a 32-bit
      system. In JSVALUE32_64 land, "offsetRelativeToPatchedStorage" is the
      offset of the 64bit JSValue -- but we'll actually issue two loads, one for
      the payload at that offset, and one for the tag at that offset + 4. We need
      to ensure that both loads have a compact representation, or we'll corrupt
      the instruction stream.
      
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile): Lots of refactoring to support
      passing an allocator to our allocation function, and/or passing a Structure
      as a register instead of an immediate.
      
      * heap/MarkedAllocator.h:
      (DFG):
      (MarkedAllocator):
      (JSC::MarkedAllocator::offsetOfFreeListHead): Added an accessor to simplify
      JIT code generation of allocation from an arbitrary allocator.
      
      * jit/JIT.h:
      (JSC):
      * jit/JITInlines.h:
      (JSC):
      (JSC::JIT::emitAllocateJSObject):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_new_object):
      (JSC::JIT::emitSlow_op_new_object):
      (JSC::JIT::emit_op_create_this):
      (JSC::JIT::emitSlow_op_create_this):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_new_object):
      (JSC::JIT::emitSlow_op_new_object):
      (JSC::JIT::emit_op_create_this):
      (JSC::JIT::emitSlow_op_create_this): Same refactoring as done for the DFG.
      
      * jit/JITStubs.cpp:
      (JSC::tryCacheGetByID): Fixed the same bug mentioned above.
      
      (JSC::DEFINE_STUB_FUNCTION): Updated for interface changes.
      
      * llint/LLIntData.cpp:
      (JSC::LLInt::Data::performAssertions): Updated for interface changes.
      
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm: Same refactoring as for the JITs.
      
      * profiler/ProfilerBytecode.cpp:
      * profiler/ProfilerBytecodes.cpp:
      * profiler/ProfilerCompilation.cpp:
      * profiler/ProfilerCompiledBytecode.cpp:
      * profiler/ProfilerDatabase.cpp:
      * profiler/ProfilerOSRExit.cpp:
      * profiler/ProfilerOrigin.cpp:
      * profiler/ProfilerProfiledBytecodes.cpp: Include ObjectConstructor.h
      because that's where createEmptyObject() lives now.
      
      * runtime/Executable.h:
      (JSC::JSFunction::JSFunction): Updated for rename.
      
      * runtime/JSCellInlines.h:
      (JSC::allocateCell): Updated to match the allocator selection code in
      the JIT, so it's clearer that both are correct.
      
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::JSFunction):
      (JSC::JSFunction::createAllocationProfile):
      (JSC::JSFunction::visitChildren):
      (JSC::JSFunction::getOwnPropertySlot):
      (JSC::JSFunction::put):
      (JSC::JSFunction::defineOwnProperty):
      (JSC::JSFunction::getConstructData):
      * runtime/JSFunction.h:
      (JSC::JSFunction::offsetOfScopeChain):
      (JSC::JSFunction::offsetOfExecutable):
      (JSC::JSFunction::offsetOfAllocationProfile):
      (JSC::JSFunction::allocationProfile):
      (JSFunction):
      (JSC::JSFunction::tryGetAllocationProfile):
      (JSC::JSFunction::addAllocationProfileWatchpoint): Changed inheritorID
      data member to be an ObjectAllocationProfile, which includes a pointer
      to the desired allocator. This simplifies JIT code, since we don't have
      to compute the allocator on the fly. I verified by code inspection that
      JSFunction is still only 64 bytes.
      
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      (JSC::JSGlobalObject::visitChildren):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::dateStructure): No direct pointer to the empty
      object structure anymore, because now clients need to specify how much
      inline capacity they want.
      
      * runtime/JSONObject.cpp:
      * runtime/JSObject.h:
      (JSC):
      (JSFinalObject):
      (JSC::JSFinalObject::defaultInlineCapacity):
      (JSC::JSFinalObject::maxInlineCapacity):
      (JSC::JSFinalObject::createStructure): A little refactoring to try to 
      clarify where some of these constants derive from.
      
      (JSC::maxOffsetRelativeToPatchedStorage): Used for bug fix, above.
      
      * runtime/JSProxy.cpp:
      (JSC::JSProxy::setTarget): Ugly, but effective.
      
      * runtime/LiteralParser.cpp:
      * runtime/ObjectConstructor.cpp:
      (JSC::constructObject):
      (JSC::constructWithObjectConstructor):
      (JSC::callObjectConstructor):
      (JSC::objectConstructorCreate): Updated for interface changes.
      
      * runtime/ObjectConstructor.h:
      (JSC::constructEmptyObject): Clarified your options for how to allocate
      an empty object, to emphasize what things can actually vary.
      
      * runtime/PropertyOffset.h: These constants have moved because they're
      really higher level concepts to do with the layout of objects and the
      collector. PropertyOffset is just an abstract number line, independent
      of those things.
      
      * runtime/PrototypeMap.cpp:
      (JSC::PrototypeMap::emptyObjectStructureForPrototype):
      (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
      * runtime/PrototypeMap.h:
      (PrototypeMap): The map key is now a pair of prototype and inline capacity,
      since Structure encodes inline capacity.
      
      * runtime/Structure.cpp:
      (JSC::Structure::Structure):
      (JSC::Structure::materializePropertyMap):
      (JSC::Structure::addPropertyTransition):
      (JSC::Structure::nonPropertyTransition):
      (JSC::Structure::copyPropertyTableForPinning):
      * runtime/Structure.h:
      (Structure):
      (JSC::Structure::totalStorageSize):
      (JSC::Structure::transitionCount):
      (JSC::Structure::create): Fixed a nasty refactoring bug that only shows
      up after enabling variable-sized inline capacities: we were passing our
      type info where our inline capacity was expected. The compiler didn't
      notice because both have type int :(.
      
      ../WebCore: 
      
      * ForwardingHeaders/runtime/ObjectConstructor.h: Added.
      
      * bindings/js/JSInjectedScriptHostCustom.cpp:
      * bindings/js/JSSQLResultSetRowListCustom.cpp: Include ObjectConstructor.h because
      that's where createEmptyObject() is located now.
      
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneDeserializer::deserialize): Updated for interface change.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141050 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c862eacf
  11. 11 Jan, 2013 1 commit
  12. 08 Jan, 2013 1 commit
    • oliver@apple.com's avatar
      Support op_typeof in the DFG · e722ad0f
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=98898
      
      Reviewed by Filip Pizlo.
      
      Adds a TypeOf node to the DFG to support op_typeof.
      
      To avoid adding too much GC horror, this also makes the
      common strings portion of the SmallString cache strongly
      referenced.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
        We try to determine the result early here, and substitute in a constant.
        Otherwise we leave the node intact, and set the result type to SpecString.
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
        Parse op_typeof
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::performNodeCSE):
        TypeOf nodes can be subjected to pure CSE
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileOpcode):
        We can handle typeof.
      * dfg/DFGNodeType.h:
      (DFG):
        Define the node.
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
        Add operationTypeOf to support the non-trivial cases.
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
        Actual codegen
      * runtime/Operations.cpp:
      (JSC::jsTypeStringForValue):
      (JSC):
      * runtime/Operations.h:
      (JSC):
        Some refactoring to allow us to get the type string for an
        object without needing a callframe.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139145 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      e722ad0f
  13. 19 Dec, 2012 1 commit
    • fpizlo@apple.com's avatar
      JSObject::ensure<IndexingType> should gracefully handle InterceptsGetOwn...,... · 274b6f17
      fpizlo@apple.com authored
      JSObject::ensure<IndexingType> should gracefully handle InterceptsGetOwn..., and should never be called when the 'this' is not an object
      https://bugs.webkit.org/show_bug.cgi?id=105468
      
      Reviewed by Mark Hahnenberg, Oliver Hunt, and Gavin Barraclough.
      
      Source/JavaScriptCore: 
      
      Changed JSObject::ensure<IndexingType> methods to gracefully handle
      InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero. Most of them handle it by returning
      null as a result of indexingShouldBeSparse() returning true, while ensureArrayStorage handles it
      by entering dictionary indexing mode, which forces the object to behave correctly even if there
      is proxying or weird prototype stuff going on.
              
      Changed DFGOperations entrypoints to reject non-objects, so that JSObject doesn't have to deal
      with pretending to be JSString. In particular, this would go wrong in the ArrayStorage case
      since we'd try to resize a butterfly on a JSString, but JSString has something other than
      m_butterfly at that offset.
              
      Finally, removed all InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero from JIT code
      since those are now redundant.
      
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::arrayify):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * runtime/JSObject.cpp:
      (JSC::JSObject::enterDictionaryIndexingMode):
      (JSC::JSObject::ensureInt32Slow):
      (JSC::JSObject::ensureDoubleSlow):
      (JSC::JSObject::ensureContiguousSlow):
      (JSC::JSObject::ensureArrayStorageSlow):
      (JSC):
      (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
      * runtime/JSObject.h:
      (JSObject):
      
      LayoutTests: 
      
      * fast/js/dfg-ensure-array-storage-on-string-expected.txt: Added.
      * fast/js/dfg-ensure-array-storage-on-string.html: Added.
      * fast/js/dfg-ensure-contiguous-on-string-expected.txt: Added.
      * fast/js/dfg-ensure-contiguous-on-string.html: Added.
      * fast/js/jsc-test-list
      * fast/js/script-tests/dfg-ensure-array-storage-on-string.js: Added.
      (foo):
      * fast/js/script-tests/dfg-ensure-contiguous-on-string.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138201 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      274b6f17
  14. 13 Dec, 2012 2 commits
    • fpizlo@apple.com's avatar
      Unreviewed, roll out http://trac.webkit.org/changeset/137683. · 8376f062
      fpizlo@apple.com authored
      It broke gmail.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::putStructureStoreElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileOpcode):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/Operations.cpp:
      (JSC::jsTypeStringForValue):
      (JSC):
      * runtime/Operations.h:
      (JSC):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137699 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      8376f062
    • oliver@apple.com's avatar
      Support op_typeof in the DFG · a005d207
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=98898
      
      Reviewed by Filip Pizlo.
      
      Adds a TypeOf node to the DFG to support op_typeof.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
        We try to determine the result early here, and substitute in a constant.
        Otherwise we leave the node intact, and set the result type to SpecString.
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
        Parse op_typeof
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::performNodeCSE):
        TypeOf nodes can be subjected to pure CSE
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileOpcode):
        We can handle typeof.
      * dfg/DFGNodeType.h:
      (DFG):
        Define the node.
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
        Add operationTypeOf to support the non-trivial cases.
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
        Actual codegen
      * runtime/Operations.cpp:
      (JSC::jsTypeStringForValue):
      (JSC):
      * runtime/Operations.h:
      (JSC):
        Some refactoring to allow us to get the type string for an
        object without needing a callframe.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137683 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a005d207
  15. 10 Dec, 2012 1 commit
    • fpizlo@apple.com's avatar
      Don't OSR exit just because a string is a rope · 70bb5c55
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=104621
      
      Reviewed by Michael Saboff.
      
      Slight SunSpider speed-up at around the 0.7% level. This patch does the obvious
      thing of calling a slow path to resolve ropes rather than OSR exiting if the
      string is a rope.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.h:
      (JSC::DFG::ArrayMode::getIndexedPropertyStorageMayTriggerGC):
      (ArrayMode):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::putStructureStoreElimination):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137247 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      70bb5c55
  16. 03 Dec, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should trigger rage conversion from double to contiguous if it sees a... · f10d0722
      fpizlo@apple.com authored
      DFG should trigger rage conversion from double to contiguous if it sees a GetByVal on Double being used in an integer context
      https://bugs.webkit.org/show_bug.cgi?id=103858
      
      Reviewed by Gavin Barraclough.
      
      A rage conversion from double to contiguous is one where you try to convert each
      double to an int32.
      
      This is probably not the last we'll hear of rage conversion from double to contiguous.
      It may be better to do this right during parsing, which will result in fewer cases of
      Arrayification. But even so, this looks like a straight win already - 1% speed-up on
      Kraken, no major regression anywhere else.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::refine):
      (JSC::DFG::arrayConversionToString):
      (JSC::DFG::ArrayMode::dump):
      (WTF):
      (WTF::printInternal):
      * dfg/DFGArrayMode.h:
      (JSC::DFG::ArrayMode::withConversion):
      (ArrayMode):
      (JSC::DFG::ArrayMode::doesConversion):
      (WTF):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupBlock):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      (FixupPhase):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGNodeFlags.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::arrayify):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * runtime/JSObject.cpp:
      (JSC):
      (JSC::JSObject::genericConvertDoubleToContiguous):
      (JSC::JSObject::convertDoubleToContiguous):
      (JSC::JSObject::rageConvertDoubleToContiguous):
      (JSC::JSObject::ensureContiguousSlow):
      (JSC::JSObject::rageEnsureContiguousSlow):
      * runtime/JSObject.h:
      (JSObject):
      (JSC::JSObject::rageEnsureContiguous):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@136372 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      f10d0722
  17. 20 Nov, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should be able to cache closure calls (part 2/2) · 4092e56d
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=102662
      
      Reviewed by Gavin Barraclough.
      
      Added caching of calls where the JSFunction* varies, but the Structure* and ExecutableBase*
      stay the same. This is accomplished by replacing the branch that compares against a constant
      JSFunction* with a jump to a closure call stub. The closure call stub contains a fast path,
      and jumps slow directly to the virtual call thunk.
      
      Looks like a 1% win on V8v7.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CallLinkInfo.cpp:
      (JSC::CallLinkInfo::unlink):
      * bytecode/CallLinkInfo.h:
      (CallLinkInfo):
      (JSC::CallLinkInfo::isLinked):
      (JSC::getCallLinkInfoBytecodeIndex):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC):
      (JSC::CodeBlock::findClosureCallForReturnPC):
      (JSC::CodeBlock::bytecodeOffset):
      (JSC::CodeBlock::codeOriginForReturn):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::getCallLinkInfo):
      (CodeBlock):
      (JSC::CodeBlock::isIncomingCallAlreadyLinked):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::addJSCall):
      (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
      (JSCallRecord):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::linkSlowFor):
      (DFG):
      (JSC::DFG::dfgLinkFor):
      (JSC::DFG::dfgLinkSlowFor):
      (JSC::DFG::dfgLinkClosureCall):
      * dfg/DFGRepatch.h:
      (DFG):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::emitCall):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::emitCall):
      * dfg/DFGThunks.cpp:
      (DFG):
      (JSC::DFG::linkClosureCallThunkGenerator):
      * dfg/DFGThunks.h:
      (DFG):
      * heap/Heap.h:
      (Heap):
      (JSC::Heap::jitStubRoutines):
      * heap/JITStubRoutineSet.h:
      (JSC::JITStubRoutineSet::size):
      (JSC::JITStubRoutineSet::at):
      (JITStubRoutineSet):
      * jit/ClosureCallStubRoutine.cpp: Added.
      (JSC):
      (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
      (JSC::ClosureCallStubRoutine::~ClosureCallStubRoutine):
      (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
      * jit/ClosureCallStubRoutine.h: Added.
      (JSC):
      (ClosureCallStubRoutine):
      (JSC::ClosureCallStubRoutine::structure):
      (JSC::ClosureCallStubRoutine::executable):
      (JSC::ClosureCallStubRoutine::codeOrigin):
      * jit/GCAwareJITStubRoutine.cpp:
      (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
      * jit/GCAwareJITStubRoutine.h:
      (GCAwareJITStubRoutine):
      (JSC::GCAwareJITStubRoutine::isClosureCall):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@135336 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4092e56d
  18. 14 Nov, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG CreateThis should be able to statically account for the structure of the... · f5db15ed
      fpizlo@apple.com authored
      DFG CreateThis should be able to statically account for the structure of the object it creates, if profiling indicates that this structure is always the same
      https://bugs.webkit.org/show_bug.cgi?id=102017
      
      Reviewed by Geoffrey Garen.
      
      This adds a watchpoint in JSFunction on the cached inheritor ID. It also changes
      NewObject to take a structure as an operand (previously it implicitly used the owning
      global object's empty object structure). Any GetCallee where the callee is predictable
      is turned into a CheckFunction + WeakJSConstant, and any CreateThis on a WeakJSConstant
      where the inheritor ID watchpoint is still valid is turned into an InheritorIDWatchpoint
      followed by a NewObject. NewObject already accounts for the structure it uses for object
      creation in the CFA.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::checkFunctionElimination):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasFunction):
      (JSC::DFG::Node::function):
      (JSC::DFG::Node::hasStructure):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/Executable.h:
      (JSC::JSFunction::JSFunction):
      * runtime/JSBoundFunction.cpp:
      (JSC):
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::JSFunction):
      (JSC::JSFunction::put):
      (JSC::JSFunction::defineOwnProperty):
      * runtime/JSFunction.h:
      (JSC::JSFunction::tryGetKnownInheritorID):
      (JSFunction):
      (JSC::JSFunction::addInheritorIDWatchpoint):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@134555 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      f5db15ed
  19. 08 Nov, 2012 1 commit
    • fpizlo@apple.com's avatar
      JSC should infer when indexed storage contains only integers or doubles · 75c91a79
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=98606
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      This adds two new indexing types: int32 and double. It also adds array allocation profiling,
      which allows array allocations to converge to allocating arrays using those types to which
      those arrays would have been converted.
              
      20% speed-up on navier-stokes. 40% speed-up on various Kraken DSP tests. Some slow-downs too,
      but a performance win overall on all benchmarks we track.
      
      * API/JSObjectRef.cpp:
      (JSObjectMakeArray):
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * assembler/AbstractMacroAssembler.h:
      (JumpList):
      (JSC::AbstractMacroAssembler::JumpList::JumpList):
      * assembler/MacroAssemblerX86Common.h:
      (JSC::MacroAssemblerX86Common::branchDouble):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::jnp):
      (X86Assembler):
      (JSC::X86Assembler::X86InstructionFormatter::emitRex):
      * bytecode/ArrayAllocationProfile.cpp: Added.
      (JSC):
      (JSC::ArrayAllocationProfile::updateIndexingType):
      * bytecode/ArrayAllocationProfile.h: Added.
      (JSC):
      (ArrayAllocationProfile):
      (JSC::ArrayAllocationProfile::ArrayAllocationProfile):
      (JSC::ArrayAllocationProfile::selectIndexingType):
      (JSC::ArrayAllocationProfile::updateLastAllocation):
      (JSC::ArrayAllocationProfile::selectIndexingTypeFor):
      (JSC::ArrayAllocationProfile::updateLastAllocationFor):
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::updatedObservedArrayModes):
      (JSC):
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::arrayModesInclude):
      (JSC::shouldUseSlowPutArrayStorage):
      (JSC::shouldUseFastArrayStorage):
      (JSC::shouldUseContiguous):
      (JSC::shouldUseDouble):
      (JSC::shouldUseInt32):
      (ArrayProfile):
      * bytecode/ByValInfo.h:
      (JSC::isOptimizableIndexingType):
      (JSC::jitArrayModeForIndexingType):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
      (JSC):
      (JSC::CodeBlock::updateAllValueProfilePredictions):
      (JSC::CodeBlock::updateAllArrayPredictions):
      (JSC::CodeBlock::updateAllPredictions):
      (JSC::CodeBlock::shouldOptimizeNow):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::numberOfArrayAllocationProfiles):
      (JSC::CodeBlock::addArrayAllocationProfile):
      (JSC::CodeBlock::updateAllValueProfilePredictions):
      (JSC::CodeBlock::updateAllArrayPredictions):
      * bytecode/DFGExitProfile.h:
      (JSC::DFG::exitKindToString):
      * bytecode/Instruction.h:
      (JSC):
      (JSC::Instruction::Instruction):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecode/SpeculatedType.h:
      (JSC):
      (JSC::isRealNumberSpeculation):
      * bytecode/UnlinkedCodeBlock.cpp:
      (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
      * bytecode/UnlinkedCodeBlock.h:
      (JSC):
      (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
      (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles):
      (UnlinkedCodeBlock):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::newArrayAllocationProfile):
      (JSC):
      (JSC::BytecodeGenerator::emitNewArray):
      (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
      * bytecompiler/BytecodeGenerator.h:
      (BytecodeGenerator):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::fromObserved):
      (JSC::DFG::ArrayMode::refine):
      (DFG):
      (JSC::DFG::ArrayMode::alreadyChecked):
      (JSC::DFG::arrayTypeToString):
      * dfg/DFGArrayMode.h:
      (JSC::DFG::ArrayMode::withType):
      (ArrayMode):
      (JSC::DFG::ArrayMode::withTypeAndConversion):
      (JSC::DFG::ArrayMode::usesButterfly):
      (JSC::DFG::ArrayMode::isSpecific):
      (JSC::DFG::ArrayMode::supportsLength):
      (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCCallHelpers.h:
      (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
      (CCallHelpers):
      * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
      (JSC::DFG::CallArrayAllocatorSlowPathGenerator::generateInternal):
      (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::generateInternal):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGNode.h:
      (NewArrayBufferData):
      (JSC::DFG::Node::hasIndexingType):
      (Node):
      (JSC::DFG::Node::indexingType):
      (JSC::DFG::Node::setIndexingType):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
      (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
      (DFG):
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      (SpeculateIntegerOperand):
      (JSC::DFG::SpeculateIntegerOperand::use):
      (SpeculateDoubleOperand):
      (JSC::DFG::SpeculateDoubleOperand::use):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JIT.h:
      (JSC::JIT::emitInt32GetByVal):
      (JIT):
      (JSC::JIT::emitInt32PutByVal):
      (JSC::JIT::emitDoublePutByVal):
      (JSC::JIT::emitContiguousPutByVal):
      * jit/JITExceptions.cpp:
      (JSC::genericThrow):
      * jit/JITInlineMethods.h:
      (JSC::arrayProfileSaw):
      (JSC::JIT::chooseArrayMode):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_new_array):
      (JSC::JIT::emit_op_new_array_with_size):
      (JSC::JIT::emit_op_new_array_buffer):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emitDoubleGetByVal):
      (JSC):
      (JSC::JIT::emitContiguousGetByVal):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::emitGenericContiguousPutByVal):
      (JSC::JIT::emitSlow_op_put_by_val):
      (JSC::JIT::privateCompileGetByVal):
      (JSC::JIT::privateCompilePutByVal):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emitContiguousGetByVal):
      (JSC::JIT::emitDoubleGetByVal):
      (JSC):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::emitGenericContiguousPutByVal):
      (JSC::JIT::emitSlow_op_put_by_val):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jit/JITStubs.h:
      (JSC):
      * jsc.cpp:
      (GlobalObject::finishCreation):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::jitCompileAndSetHeuristics):
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * offlineasm/x86.rb:
      * runtime/ArrayConstructor.cpp:
      (JSC::constructArrayWithSizeQuirk):
      * runtime/ArrayConstructor.h:
      (JSC):
      * runtime/ArrayPrototype.cpp:
      (JSC::arrayProtoFuncConcat):
      (JSC::arrayProtoFuncSlice):
      (JSC::arrayProtoFuncSplice):
      (JSC::arrayProtoFuncFilter):
      (JSC::arrayProtoFuncMap):
      * runtime/Butterfly.h:
      (JSC::Butterfly::contiguousInt32):
      (JSC::Butterfly::contiguousDouble):
      (JSC::Butterfly::fromContiguous):
      * runtime/ButterflyInlineMethods.h:
      (JSC::Butterfly::createUninitializedDuringCollection):
      * runtime/FunctionPrototype.cpp:
      (JSC::functionProtoFuncBind):
      * runtime/IndexingHeaderInlineMethods.h:
      (JSC::IndexingHeader::indexingPayloadSizeInBytes):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypes):
      (JSC):
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      (JSC::leastUpperBoundOfIndexingTypeAndValue):
      (JSC::indexingTypeToString):
      * runtime/IndexingType.h:
      (JSC):
      (JSC::hasUndecided):
      (JSC::hasInt32):
      (JSC::hasDouble):
      * runtime/JSArray.cpp:
      (JSC::JSArray::setLength):
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::shiftCountWithAnyIndexingType):
      (JSC::JSArray::unshiftCountWithAnyIndexingType):
      (JSC::compareNumbersForQSortWithInt32):
      (JSC):
      (JSC::compareNumbersForQSortWithDouble):
      (JSC::JSArray::sortNumericVector):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sortCompactedVector):
      (JSC::JSArray::sort):
      (JSC::JSArray::sortVector):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      (JSC::JSArray::compactForSorting):
      * runtime/JSArray.h:
      (JSArray):
      (JSC::createContiguousArrayButterfly):
      (JSC::JSArray::create):
      (JSC::JSArray::tryCreateUninitialized):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      (JSC):
      (JSC::JSGlobalObject::haveABadTime):
      (JSC::JSGlobalObject::visitChildren):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::originalArrayStructureForIndexingType):
      (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
      (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
      (JSC::JSGlobalObject::isOriginalArrayStructure):
      (JSC::constructEmptyArray):
      (JSC::constructArray):
      * runtime/JSObject.cpp:
      (JSC::JSObject::copyButterfly):
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::enterDictionaryIndexingMode):
      (JSC::JSObject::createInitialIndexedStorage):
      (JSC):
      (JSC::JSObject::createInitialUndecided):
      (JSC::JSObject::createInitialInt32):
      (JSC::JSObject::createInitialDouble):
      (JSC::JSObject::createInitialContiguous):
      (JSC::JSObject::convertUndecidedToInt32):
      (JSC::JSObject::convertUndecidedToDouble):
      (JSC::JSObject::convertUndecidedToContiguous):
      (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
      (JSC::JSObject::convertUndecidedToArrayStorage):
      (JSC::JSObject::convertInt32ToDouble):
      (JSC::JSObject::convertInt32ToContiguous):
      (JSC::JSObject::convertInt32ToArrayStorage):
      (JSC::JSObject::convertDoubleToContiguous):
      (JSC::JSObject::convertDoubleToArrayStorage):
      (JSC::JSObject::convertContiguousToArrayStorage):
      (JSC::JSObject::convertUndecidedForValue):
      (JSC::JSObject::convertInt32ForValue):
      (JSC::JSObject::setIndexQuicklyToUndecided):
      (JSC::JSObject::convertInt32ToDoubleOrContiguousWhilePerformingSetIndex):
      (JSC::JSObject::convertDoubleToContiguousWhilePerformingSetIndex):
      (JSC::JSObject::ensureInt32Slow):
      (JSC::JSObject::ensureDoubleSlow):
      (JSC::JSObject::ensureContiguousSlow):
      (JSC::JSObject::ensureArrayStorageSlow):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::switchToSlowPutArrayStorage):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::countElements):
      (JSC::JSObject::ensureLengthSlow):
      (JSC::JSObject::getOwnPropertyDescriptor):
      * runtime/JSObject.h:
      (JSC::JSObject::getArrayLength):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::tryGetIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::canSetIndexQuicklyForPutDirect):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::hasSparseMap):
      (JSC::JSObject::inSparseIndexingMode):
      (JSObject):
      (JSC::JSObject::ensureInt32):
      (JSC::JSObject::ensureDouble):
      (JSC::JSObject::ensureLength):
      (JSC::JSObject::indexingData):
      (JSC::JSObject::currentIndexingData):
      (JSC::JSObject::getHolyIndexQuickly):
      (JSC::JSObject::relevantLength):
      (JSC::JSObject::currentRelevantLength):
      * runtime/JSValue.cpp:
      (JSC::JSValue::description):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      * runtime/ObjectConstructor.cpp:
      (JSC::objectConstructorGetOwnPropertyNames):
      (JSC::objectConstructorKeys):
      * runtime/StringPrototype.cpp:
      (JSC::stringProtoFuncMatch):
      (JSC::stringProtoFuncSplit):
      * runtime/Structure.cpp:
      (JSC::Structure::nonPropertyTransition):
      * runtime/StructureTransitionTable.h:
      (JSC::newIndexingType):
      
      Source/WebCore: 
      
      Just refactoring WebCore to pass 0 for the ArrayAllocationProfile*.
      
      * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
      (WebCore::JSCanvasRenderingContext2D::webkitLineDash):
      * bindings/js/JSClipboardCustom.cpp:
      (WebCore::JSClipboard::types):
      * bindings/js/JSDOMBinding.cpp:
      (WebCore::jsArray):
      * bindings/js/JSDOMBinding.h:
      (WebCore::jsArray):
      * bindings/js/JSInjectedScriptHostCustom.cpp:
      (WebCore::getJSListenerFunctions):
      * bindings/js/JSJavaScriptCallFrameCustom.cpp:
      (WebCore::JSJavaScriptCallFrame::scopeChain):
      * bindings/js/JSMessageEventCustom.cpp:
      (WebCore::JSMessageEvent::ports):
      * bindings/js/JSMutationCallbackCustom.cpp:
      (WebCore::JSMutationCallback::handleEvent):
      * bindings/js/JSWebGLRenderingContextCustom.cpp:
      (WebCore::toJS):
      (WebCore::JSWebGLRenderingContext::getAttachedShaders):
      (WebCore::JSWebGLRenderingContext::getSupportedExtensions):
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneDeserializer::deserialize):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@133953 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      75c91a79
  20. 18 Oct, 2012 1 commit
    • oliver@apple.com's avatar
      Bytecode should not have responsibility for determining how to perform non-local resolves · c909f5f5
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=99349
      
      Reviewed by Gavin Barraclough.
      
      This patch removes lexical analysis from the bytecode generation.  This allows
      us to delay lookup of a non-local variables until the lookup is actually necessary,
      and simplifies a lot of the resolve logic in BytecodeGenerator.
      
      Once a lookup is performed we cache the lookup information in a set of out-of-line
      buffers in CodeBlock.  This allows subsequent lookups to avoid unnecessary hashing,
      etc, and allows the respective JITs to recreated optimal lookup code.
      
      This is currently still a performance regression in LLInt, but most of the remaining
      regression is caused by a lot of indirection that I'll remove in future work, as well
      as some work necessary to allow LLInt to perform in line instruction repatching.
      We will also want to improve the behaviour of the baseline JIT for some of the lookup
      operations, however this patch was getting quite large already so I'm landing it now
      that we've reached the bar of "performance-neutral".
      
      Basic browsing seems to work.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::printStructures):
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::visitStructures):
      (JSC):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::shrinkToFit):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::addResolve):
      (JSC::CodeBlock::addPutToBase):
      (CodeBlock):
      (JSC::CodeBlock::resolveOperations):
      (JSC::CodeBlock::putToBaseOperation):
      (JSC::CodeBlock::numberOfResolveOperations):
      (JSC::CodeBlock::numberOfPutToBaseOperations):
      (JSC::CodeBlock::addPropertyAccessInstruction):
      (JSC::CodeBlock::globalObjectConstant):
      (JSC::CodeBlock::setGlobalObjectConstant):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecode/ResolveGlobalStatus.cpp:
      (JSC::computeForStructure):
      (JSC::ResolveGlobalStatus::computeFor):
      * bytecode/ResolveGlobalStatus.h:
      (JSC):
      (ResolveGlobalStatus):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::ResolveResult::checkValidity):
      (JSC):
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::resolve):
      (JSC::BytecodeGenerator::resolveConstDecl):
      (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
      (JSC::BytecodeGenerator::emitResolve):
      (JSC::BytecodeGenerator::emitResolveBase):
      (JSC::BytecodeGenerator::emitResolveBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithThis):
      (JSC::BytecodeGenerator::emitGetLocalVar):
      (JSC::BytecodeGenerator::emitInitGlobalConst):
      (JSC::BytecodeGenerator::emitPutToBase):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::ResolveResult::registerResolve):
      (JSC::ResolveResult::dynamicResolve):
      (ResolveResult):
      (JSC::ResolveResult::ResolveResult):
      (JSC):
      (NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::resolved):
      (JSC::NonlocalResolveInfo::put):
      (BytecodeGenerator):
      (JSC::BytecodeGenerator::getResolveOperations):
      (JSC::BytecodeGenerator::getResolveWithThisOperations):
      (JSC::BytecodeGenerator::getResolveBaseOperations):
      (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
      (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
      (JSC::BytecodeGenerator::getPutToBaseOperation):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::ResolveNode::isPure):
      (JSC::FunctionCallResolveNode::emitBytecode):
      (JSC::PostfixNode::emitResolve):
      (JSC::PrefixNode::emitResolve):
      (JSC::ReadModifyResolveNode::emitBytecode):
      (JSC::AssignResolveNode::emitBytecode):
      (JSC::ConstDeclNode::emitCodeSingle):
      (JSC::ForInNode::emitBytecode):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (DFG):
      (JSC::DFG::ByteCodeParser::parseResolveOperations):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canInlineResolveOperations):
      (DFG):
      (JSC::DFG::canCompileOpcode):
      (JSC::DFG::canInlineOpcode):
      * dfg/DFGGraph.h:
      (ResolveGlobalData):
      (ResolveOperationData):
      (DFG):
      (PutToBaseOperationData):
      (Graph):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasIdentifier):
      (JSC::DFG::Node::resolveOperationsDataIndex):
      (Node):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExit.h:
      (OSRExit):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::resolveOperations):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::putToBaseOperation):
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      (JIT):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_put_to_base):
      (JSC):
      (JSC::JIT::emit_resolve_operations):
      (JSC::JIT::emitSlow_link_resolve_operations):
      (JSC::JIT::emit_op_resolve):
      (JSC::JIT::emitSlow_op_resolve):
      (JSC::JIT::emit_op_resolve_base):
      (JSC::JIT::emitSlow_op_resolve_base):
      (JSC::JIT::emit_op_resolve_with_base):
      (JSC::JIT::emitSlow_op_resolve_with_base):
      (JSC::JIT::emit_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_put_to_base):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_put_to_base):
      (JSC):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_init_global_const):
      (JSC::JIT::emit_op_init_global_const_check):
      (JSC::JIT::emitSlow_op_init_global_const_check):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_init_global_const):
      (JSC::JIT::emit_op_init_global_const_check):
      (JSC::JIT::emitSlow_op_init_global_const_check):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      (JSC):
      * jit/JITStubs.h:
      * llint/LLIntSlowPaths.cpp:
      (LLInt):
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LLIntSlowPaths.h:
      (LLInt):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSScope.cpp:
      (JSC::LookupResult::base):
      (JSC::LookupResult::value):
      (JSC::LookupResult::setBase):
      (JSC::LookupResult::setValue):
      (LookupResult):
      (JSC):
      (JSC::setPutPropertyAccessOffset):
      (JSC::executeResolveOperations):
      (JSC::JSScope::resolveContainingScopeInternal):
      (JSC::JSScope::resolveContainingScope):
      (JSC::JSScope::resolve):
      (JSC::JSScope::resolveBase):
      (JSC::JSScope::resolveWithBase):
      (JSC::JSScope::resolveWithThis):
      (JSC::JSScope::resolvePut):
      (JSC::JSScope::resolveGlobal):
      * runtime/JSScope.h:
      (JSScope):
      * runtime/JSVariableObject.cpp:
      (JSC):
      * runtime/JSVariableObject.h:
      (JSVariableObject):
      * runtime/Structure.h:
      (JSC::Structure::propertyAccessesAreCacheable):
      (Structure):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131822 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c909f5f5
  21. 17 Oct, 2012 3 commits
    • oliver@apple.com's avatar
      Roll out r131645 as it causes random site crashes. · 6d0087f5
      oliver@apple.com authored
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131676 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6d0087f5
    • oliver@apple.com's avatar
      Bytecode should not have responsibility for determining how to perform non-local resolves · 909fa319
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=99349
      
      Reviewed by Gavin Barraclough.
      
      This patch removes lexical analysis from the bytecode generation.  This allows
      us to delay lookup of a non-local variables until the lookup is actually necessary,
      and simplifies a lot of the resolve logic in BytecodeGenerator.
      
      Once a lookup is performed we cache the lookup information in a set of out-of-line
      buffers in CodeBlock.  This allows subsequent lookups to avoid unnecessary hashing,
      etc, and allows the respective JITs to recreated optimal lookup code.
      
      This is currently still a performance regression in LLInt, but most of the remaining
      regression is caused by a lot of indirection that I'll remove in future work, as well
      as some work necessary to allow LLInt to perform in line instruction repatching.
      We will also want to improve the behaviour of the baseline JIT for some of the lookup
      operations, however this patch was getting quite large already so I'm landing it now
      that we've reached the bar of "performance-neutral".
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::printStructures):
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::visitStructures):
      (JSC):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::shrinkToFit):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::addResolve):
      (JSC::CodeBlock::addPutToBase):
      (CodeBlock):
      (JSC::CodeBlock::resolveOperations):
      (JSC::CodeBlock::putToBaseOperation):
      (JSC::CodeBlock::numberOfResolveOperations):
      (JSC::CodeBlock::numberOfPutToBaseOperations):
      (JSC::CodeBlock::addPropertyAccessInstruction):
      (JSC::CodeBlock::globalObjectConstant):
      (JSC::CodeBlock::setGlobalObjectConstant):
      * bytecode/GlobalResolveInfo.h: Removed.
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecode/ResolveGlobalStatus.cpp:
      (JSC::computeForStructure):
      (JSC::ResolveGlobalStatus::computeFor):
      * bytecode/ResolveGlobalStatus.h:
      (JSC):
      (ResolveGlobalStatus):
      * bytecode/ResolveOperation.h: Added.
        The new types and logic we use to perform the cached lookups.
      (JSC):
      (ResolveOperation):
      (JSC::ResolveOperation::getAndReturnScopedVar):
      (JSC::ResolveOperation::checkForDynamicEntriesBeforeGlobalScope):
      (JSC::ResolveOperation::getAndReturnGlobalVar):
      (JSC::ResolveOperation::getAndReturnGlobalProperty):
      (JSC::ResolveOperation::resolveFail):
      (JSC::ResolveOperation::skipTopScopeNode):
      (JSC::ResolveOperation::skipScopes):
      (JSC::ResolveOperation::returnGlobalObjectAsBase):
      (JSC::ResolveOperation::setBaseToGlobal):
      (JSC::ResolveOperation::setBaseToUndefined):
      (JSC::ResolveOperation::setBaseToScope):
      (JSC::ResolveOperation::returnScopeAsBase):
      (JSC::PutToBaseOperation::PutToBaseOperation):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::ResolveResult::checkValidity):
      (JSC):
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::resolve):
      (JSC::BytecodeGenerator::resolveConstDecl):
      (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
      (JSC::BytecodeGenerator::emitResolve):
      (JSC::BytecodeGenerator::emitResolveBase):
      (JSC::BytecodeGenerator::emitResolveBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithThis):
      (JSC::BytecodeGenerator::emitGetLocalVar):
      (JSC::BytecodeGenerator::emitInitGlobalConst):
      (JSC::BytecodeGenerator::emitPutToBase):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::ResolveResult::registerResolve):
      (JSC::ResolveResult::dynamicResolve):
      (ResolveResult):
      (JSC::ResolveResult::ResolveResult):
      (JSC):
      (NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::resolved):
      (JSC::NonlocalResolveInfo::put):
      (BytecodeGenerator):
      (JSC::BytecodeGenerator::getResolveOperations):
      (JSC::BytecodeGenerator::getResolveWithThisOperations):
      (JSC::BytecodeGenerator::getResolveBaseOperations):
      (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
      (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
      (JSC::BytecodeGenerator::getPutToBaseOperation):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::ResolveNode::isPure):
      (JSC::FunctionCallResolveNode::emitBytecode):
      (JSC::PostfixNode::emitResolve):
      (JSC::PrefixNode::emitResolve):
      (JSC::ReadModifyResolveNode::emitBytecode):
      (JSC::AssignResolveNode::emitBytecode):
      (JSC::ConstDeclNode::emitCodeSingle):
      (JSC::ForInNode::emitBytecode):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (DFG):
      (JSC::DFG::ByteCodeParser::parseResolveOperations):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileResolveOperations):
      (DFG):
      (JSC::DFG::canCompilePutToBaseOperation):
      (JSC::DFG::canCompileOpcode):
      (JSC::DFG::canInlineOpcode):
      * dfg/DFGGraph.h:
      (ResolveGlobalData):
      (ResolveOperationData):
      (DFG):
      (PutToBaseOperationData):
      (Graph):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasIdentifier):
      (JSC::DFG::Node::resolveOperationsDataIndex):
      (Node):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExit.h:
      (OSRExit):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::resolveOperations):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::putToBaseOperation):
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      (JIT):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_put_to_base):
      (JSC):
      (JSC::JIT::emit_resolve_operations):
      (JSC::JIT::emitSlow_link_resolve_operations):
      (JSC::JIT::emit_op_resolve):
      (JSC::JIT::emitSlow_op_resolve):
      (JSC::JIT::emit_op_resolve_base):
      (JSC::JIT::emitSlow_op_resolve_base):
      (JSC::JIT::emit_op_resolve_with_base):
      (JSC::JIT::emitSlow_op_resolve_with_base):
      (JSC::JIT::emit_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_put_to_base):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_put_to_base):
      (JSC):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_init_global_const):
      (JSC::JIT::emit_op_init_global_const_check):
      (JSC::JIT::emitSlow_op_init_global_const_check):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_init_global_const):
      (JSC::JIT::emit_op_init_global_const_check):
      (JSC::JIT::emitSlow_op_init_global_const_check):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      (JSC):
      * jit/JITStubs.h:
      * llint/LLIntSlowPaths.cpp:
      (LLInt):
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LLIntSlowPaths.h:
      (LLInt):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSScope.cpp:
      (JSC::LookupResult::base):
      (JSC::LookupResult::value):
      (JSC::LookupResult::setBase):
      (JSC::LookupResult::setValue):
      (LookupResult):
      (JSC):
      (JSC::setPutPropertyAccessOffset):
      (JSC::executeResolveOperations):
      (JSC::JSScope::resolveContainingScopeInternal):
      (JSC::JSScope::resolveContainingScope):
      (JSC::JSScope::resolve):
      (JSC::JSScope::resolveBase):
      (JSC::JSScope::resolveWithBase):
      (JSC::JSScope::resolveWithThis):
      (JSC::JSScope::resolvePut):
      (JSC::JSScope::resolveGlobal):
      * runtime/JSScope.h:
      (JSScope):
      * runtime/JSVariableObject.cpp:
      (JSC):
      * runtime/JSVariableObject.h:
      (JSVariableObject):
      * runtime/Structure.h:
      (JSC::Structure::propertyAccessesAreCacheable):
      (Structure):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131645 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      909fa319
    • ossy@webkit.org's avatar
      Unreviewed, rolling out r131516 and r131550. · 04bfe7a7
      ossy@webkit.org authored
      http://trac.webkit.org/changeset/131516
      http://trac.webkit.org/changeset/131550
      https://bugs.webkit.org/show_bug.cgi?id=99349
      
      It caused zillion different problem on different platforms
      
      Source/JavaScriptCore:
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC):
      (JSC::isGlobalResolve):
      (JSC::instructionOffsetForNth):
      (JSC::printGlobalResolveInfo):
      (JSC::CodeBlock::printStructures):
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::visitStructures):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::hasGlobalResolveInfoAtBytecodeOffset):
      (JSC::CodeBlock::globalResolveInfoForBytecodeOffset):
      (JSC::CodeBlock::shrinkToFit):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::addGlobalResolveInstruction):
      (JSC::CodeBlock::addGlobalResolveInfo):
      (JSC::CodeBlock::globalResolveInfo):
      (JSC::CodeBlock::numberOfGlobalResolveInfos):
      (JSC::CodeBlock::globalResolveInfoCount):
      * bytecode/GlobalResolveInfo.h: Copied from Source/JavaScriptCore/bytecode/ResolveGlobalStatus.cpp.
      (JSC):
      (JSC::GlobalResolveInfo::GlobalResolveInfo):
      (GlobalResolveInfo):
      (JSC::getGlobalResolveInfoBytecodeOffset):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecode/ResolveGlobalStatus.cpp:
      (JSC):
      (JSC::computeForStructure):
      (JSC::computeForLLInt):
      (JSC::ResolveGlobalStatus::computeFor):
      * bytecode/ResolveGlobalStatus.h:
      (JSC):
      (ResolveGlobalStatus):
      * bytecode/ResolveOperation.h: Removed.
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::ResolveResult::checkValidity):
      (JSC::ResolveResult::registerPointer):
      (JSC):
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::resolve):
      (JSC::BytecodeGenerator::resolveConstDecl):
      (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
      (JSC::BytecodeGenerator::emitResolve):
      (JSC::BytecodeGenerator::emitResolveBase):
      (JSC::BytecodeGenerator::emitResolveBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithBase):
      (JSC::BytecodeGenerator::emitResolveWithThis):
      (JSC::BytecodeGenerator::emitGetStaticVar):
      (JSC::BytecodeGenerator::emitInitGlobalConst):
      (JSC::BytecodeGenerator::emitPutStaticVar):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::ResolveResult::registerResolve):
      (JSC::ResolveResult::dynamicResolve):
      (JSC::ResolveResult::lexicalResolve):
      (JSC::ResolveResult::indexedGlobalResolve):
      (JSC::ResolveResult::dynamicIndexedGlobalResolve):
      (JSC::ResolveResult::globalResolve):
      (JSC::ResolveResult::dynamicGlobalResolve):
      (JSC::ResolveResult::type):
      (JSC::ResolveResult::index):
      (JSC::ResolveResult::depth):
      (JSC::ResolveResult::globalObject):
      (ResolveResult):
      (JSC::ResolveResult::isStatic):
      (JSC::ResolveResult::isIndexed):
      (JSC::ResolveResult::isScoped):
      (JSC::ResolveResult::isGlobal):
      (JSC::ResolveResult::ResolveResult):
      (BytecodeGenerator):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::ResolveNode::isPure):
      (JSC::FunctionCallResolveNode::emitBytecode):
      (JSC::PostfixNode::emitResolve):
      (JSC::PrefixNode::emitResolve):
      (JSC::ReadModifyResolveNode::emitBytecode):
      (JSC::AssignResolveNode::emitBytecode):
      (JSC::ConstDeclNode::emitCodeSingle):
      (JSC::ForInNode::emitBytecode):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileOpcode):
      (JSC::DFG::canInlineOpcode):
      * dfg/DFGGraph.h:
      (ResolveGlobalData):
      (DFG):
      (Graph):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasIdentifier):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExit.h:
      (OSRExit):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      (JSC):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      (JIT):
      (JSC::JIT::emit_op_get_global_var_watchable):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_resolve):
      (JSC):
      (JSC::JIT::emit_op_resolve_base):
      (JSC::JIT::emit_op_resolve_skip):
      (JSC::JIT::emit_op_resolve_global):
      (JSC::JIT::emitSlow_op_resolve_global):
      (JSC::JIT::emit_op_resolve_with_base):
      (JSC::JIT::emit_op_resolve_with_this):
      (JSC::JIT::emit_op_resolve_global_dynamic):
      (JSC::JIT::emitSlow_op_resolve_global_dynamic):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_resolve):
      (JSC):
      (JSC::JIT::emit_op_resolve_base):
      (JSC::JIT::emit_op_resolve_skip):
      (JSC::JIT::emit_op_resolve_global):
      (JSC::JIT::emitSlow_op_resolve_global):
      (JSC::JIT::emit_op_resolve_with_base):
      (JSC::JIT::emit_op_resolve_with_this):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_scoped_var):
      (JSC):
      (JSC::JIT::emit_op_put_scoped_var):
      (JSC::JIT::emit_op_get_global_var):
      (JSC::JIT::emit_op_put_global_var):
      (JSC::JIT::emit_op_put_global_var_check):
      (JSC::JIT::emitSlow_op_put_global_var_check):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_scoped_var):
      (JSC):
      (JSC::JIT::emit_op_put_scoped_var):
      (JSC::JIT::emit_op_get_global_var):
      (JSC::JIT::emit_op_put_global_var):
      (JSC::JIT::emit_op_put_global_var_check):
      (JSC::JIT::emitSlow_op_put_global_var_check):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      (JSC):
      * jit/JITStubs.h:
      * llint/LLIntSlowPaths.cpp:
      (LLInt):
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LLIntSlowPaths.h:
      (LLInt):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSScope.cpp:
      (JSC::JSScope::resolve):
      (JSC::JSScope::resolveSkip):
      (JSC::JSScope::resolveGlobal):
      (JSC::JSScope::resolveGlobalDynamic):
      (JSC::JSScope::resolveBase):
      (JSC::JSScope::resolveWithBase):
      (JSC::JSScope::resolveWithThis):
      * runtime/JSScope.h:
      (JSScope):
      * runtime/JSVariableObject.cpp:
      * runtime/JSVariableObject.h:
      * runtime/Structure.h:
      
      LayoutTests:
      
      * fast/workers/resources/worker-event-listener.js:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131552 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      04bfe7a7
  22. 16 Oct, 2012 1 commit
    • oliver@apple.com's avatar
      Bytecode should not have responsibility for determining how to perform non-local resolves · c4da761e
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=99349
      
      Reviewed by Gavin Barraclough.
      
      This patch removes lexical analysis from the bytecode generation.  This allows
      us to delay lookup of a non-local variables until the lookup is actually necessary,
      and simplifies a lot of the resolve logic in BytecodeGenerator.
      
      Once a lookup is performed we cache the lookup information in a set of out-of-line
      buffers in CodeBlock.  This allows subsequent lookups to avoid unnecessary hashing,
      etc, and allows the respective JITs to recreated optimal lookup code.
      
      This is currently still a performance regression in LLInt, but most of the remaining
      regression is caused by a lot of indirection that I'll remove in future work, as well
      as some work necessary to allow LLInt to perform in line instruction repatching.
      We will also want to improve the behaviour of the baseline JIT for some of the lookup
      operations, however this patch was getting quite large already so I'm landing it now
      that we've reached the bar of "performance-neutral".
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::printStructures):
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::visitStructures):
      (JSC):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::shrinkToFit):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::addResolve):
      (JSC::CodeBlock::addPutToBase):
      (CodeBlock):
      (JSC::CodeBlock::resolveOperations):
      (JSC::CodeBlock::putToBaseOperation):
      (JSC::CodeBlock::numberOfResolveOperations):
      (JSC::CodeBlock::numberOfPutToBaseOperations):
      (JSC::CodeBlock::addPropertyAccessInstruction):
      (JSC::CodeBlock::globalObjectConstant):
      (JSC::CodeBlock::setGlobalObjectConstant):
      * bytecode/GlobalResolveInfo.h: Removed.
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecode/ResolveGlobalStatus.cpp:
      (JSC::computeForStructure):
      (JSC::ResolveGlobalStatus::computeFor):
      * bytecode/ResolveGlobalStatus.h:
      (JSC):
      (ResolveGlobalStatus):
      * bytecode/ResolveOperation.h: Added.
        The new types and logic we use to perform the cached lookups.
      (JSC):
      (ResolveOperation):
      (JSC::ResolveOperation::getAndReturnScopedVar):
      (JSC::ResolveOperation::checkForDynamicEntriesBeforeGlobalScope):
      (JSC::ResolveOperation::getAndReturnGlobalVar):
      (JSC::ResolveOperation::getAndReturnGlobalProperty):
      (JSC::ResolveOperation::resolveFail):
      (JSC::ResolveOperation::skipTopScopeNode):
      (JSC::ResolveOperation::skipScopes):
      (JSC::ResolveOperation::returnGlobalObjectAsBase):
      (JSC::ResolveOperation::setBaseToGlobal):
      (JSC::ResolveOperation::setBaseToUndefined):
      (JSC::ResolveOperation::setBaseToScope):
      (JSC::ResolveOperation::returnScopeAsBase):
      (JSC::PutToBaseOperation::PutToBaseOperation):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::ResolveResult::checkValidity):
      (JSC):
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::resolve):
      (JSC::BytecodeGenerator::resolveConstDecl):
      (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
      (JSC::BytecodeGenerator::emitResolve):
      (JSC::BytecodeGenerator::emitResolveBase):
      (JSC::BytecodeGenerator::emitResolveBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithThis):
      (JSC::BytecodeGenerator::emitGetLocalVar):
      (JSC::BytecodeGenerator::emitInitGlobalConst):
      (JSC::BytecodeGenerator::emitPutToBase):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::ResolveResult::registerResolve):
      (JSC::ResolveResult::dynamicResolve):
      (ResolveResult):
      (JSC::ResolveResult::ResolveResult):
      (JSC):
      (NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::resolved):
      (JSC::NonlocalResolveInfo::put):
      (BytecodeGenerator):
      (JSC::BytecodeGenerator::getResolveOperations):
      (JSC::BytecodeGenerator::getResolveWithThisOperations):
      (JSC::BytecodeGenerator::getResolveBaseOperations):
      (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
      (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
      (JSC::BytecodeGenerator::getPutToBaseOperation):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::ResolveNode::isPure):
      (JSC::FunctionCallResolveNode::emitBytecode):
      (JSC::PostfixNode::emitResolve):
      (JSC::PrefixNode::emitResolve):
      (JSC::ReadModifyResolveNode::emitBytecode):
      (JSC::AssignResolveNode::emitBytecode):
      (JSC::ConstDeclNode::emitCodeSingle):
      (JSC::ForInNode::emitBytecode):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (DFG):
      (JSC::DFG::ByteCodeParser::parseResolveOperations):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileResolveOperations):
      (DFG):
      (JSC::DFG::canCompilePutToBaseOperation):
      (JSC::DFG::canCompileOpcode):
      (JSC::DFG::canInlineOpcode):
      * dfg/DFGGraph.h:
      (ResolveGlobalData):
      (ResolveOperationData):
      (DFG):
      (PutToBaseOperationData):
      (Graph):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasIdentifier):
      (JSC::DFG::Node::resolveOperationsDataIndex):
      (Node):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExit.h:
      (OSRExit):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::resolveOperations):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::putToBaseOperation):
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      (JIT):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_put_to_base):
      (JSC):
      (JSC::JIT::emit_resolve_operations):
      (JSC::JIT::emitSlow_link_resolve_operations):
      (JSC::JIT::emit_op_resolve):
      (JSC::JIT::emitSlow_op_resolve):
      (JSC::JIT::emit_op_resolve_base):
      (JSC::JIT::emitSlow_op_resolve_base):
      (JSC::JIT::emit_op_resolve_with_base):
      (JSC::JIT::emitSlow_op_resolve_with_base):
      (JSC::JIT::emit_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_put_to_base):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_put_to_base):
      (JSC):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_init_global_const):
      (JSC::JIT::emit_op_init_global_const_check):
      (JSC::JIT::emitSlow_op_init_global_const_check):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_init_global_const):
      (JSC::JIT::emit_op_init_global_const_check):
      (JSC::JIT::emitSlow_op_init_global_const_check):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      (JSC):
      * jit/JITStubs.h:
      * llint/LLIntSlowPaths.cpp:
      (LLInt):
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LLIntSlowPaths.h:
      (LLInt):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSScope.cpp:
      (JSC::LookupResult::base):
      (JSC::LookupResult::value):
      (JSC::LookupResult::setBase):
      (JSC::LookupResult::setValue):
      (LookupResult):
      (JSC):
      (JSC::setPutPropertyAccessOffset):
      (JSC::executeResolveOperations):
      (JSC::JSScope::resolveContainingScopeInternal):
      (JSC::JSScope::resolveContainingScope):
      (JSC::JSScope::resolve):
      (JSC::JSScope::resolveBase):
      (JSC::JSScope::resolveWithBase):
      (JSC::JSScope::resolveWithThis):
      (JSC::JSScope::resolvePut):
      (JSC::JSScope::resolveGlobal):
      * runtime/JSScope.h:
      (JSScope):
      * runtime/JSVariableObject.cpp:
      (JSC):
      * runtime/JSVariableObject.h:
      (JSVariableObject):
      * runtime/Structure.h:
      (JSC::Structure::propertyAccessesAreCacheable):
      (Structure):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131516 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c4da761e
  23. 12 Oct, 2012 1 commit
  24. 11 Oct, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should inline code blocks that use new_array_buffer · 68677de9
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=98996
      
      Reviewed by Geoffrey Garen.
      
      This adds plumbing to drop in constant buffers from the inlinees to the inliner.
      It's smart about not duplicating buffers needlessly but doesn't try to completely
      hash-cons them, either.
      
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::numberOfConstantBuffers):
      (JSC::CodeBlock::addConstantBuffer):
      (JSC::CodeBlock::constantBufferAsVector):
      (JSC::CodeBlock::constantBuffer):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (ConstantBufferKey):
      (JSC::DFG::ConstantBufferKey::ConstantBufferKey):
      (JSC::DFG::ConstantBufferKey::operator==):
      (JSC::DFG::ConstantBufferKey::hash):
      (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue):
      (JSC::DFG::ConstantBufferKey::codeBlock):
      (JSC::DFG::ConstantBufferKey::index):
      (DFG):
      (JSC::DFG::ConstantBufferKeyHash::hash):
      (JSC::DFG::ConstantBufferKeyHash::equal):
      (ConstantBufferKeyHash):
      (WTF):
      (ByteCodeParser):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canInlineOpcode):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131087 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      68677de9
  25. 09 Oct, 2012 1 commit
    • fpizlo@apple.com's avatar
      JSC should infer when indexed storage is contiguous, and optimize for it · 0e9910a8
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97288
      
      Reviewed by Mark Hahnenberg.
      
      Source/JavaScriptCore: 
      
      This introduces a new kind of indexed property storage called Contiguous,
      which has the following properties:
              
      - No header bits beyond IndexedHeader. This results in a 16 byte reduction
        in memory usage per array versus an ArrayStorage array. It also means
        that the total memory usage for an empty array is now just 3 * 8 on both
        32-bit and 64-bit. Of that, only 8 bytes are array-specific; the rest is
        our standard object header overhead.
              
      - No need for hole checks on store. This results in a ~4% speed-up on
        Kraken and a ~1% speed-up on V8v7.
              
      - publicLength <= vectorLength. This means that doing new Array(blah)
        immediately allocates room for blah elements.
              
      - No sparse map or index bias.
              
      If you ever do things to an array that would require publicLength >
      vectorLength, a sparse map, or index bias, then we switch to ArrayStorage
      mode. This seems to never happen in any benchmark we track, and is unlikely
      to happen very frequently on any website.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * assembler/AbstractMacroAssembler.h:
      (JSC::AbstractMacroAssembler::JumpList::append):
      * assembler/MacroAssembler.h:
      (MacroAssembler):
      (JSC::MacroAssembler::patchableBranchTest32):
      * bytecode/ByValInfo.h: Added.
      (JSC):
      (JSC::isOptimizableIndexingType):
      (JSC::jitArrayModeForIndexingType):
      (JSC::ByValInfo::ByValInfo):
      (ByValInfo):
      (JSC::getByValInfoBytecodeIndex):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::getByValInfo):
      (JSC::CodeBlock::setNumberOfByValInfos):
      (JSC::CodeBlock::numberOfByValInfos):
      (JSC::CodeBlock::byValInfo):
      * bytecode/SamplingTool.h:
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::modeUsesButterfly):
      (JSC::DFG::modeIsJSArray):
      (JSC::DFG::isInBoundsAccess):
      (JSC::DFG::mayStoreToTail):
      (JSC::DFG::mayStoreToHole):
      (JSC::DFG::modeIsPolymorphic):
      (JSC::DFG::polymorphicIncludesContiguous):
      (JSC::DFG::polymorphicIncludesArrayStorage):
      (JSC::DFG::canCSEStorage):
      (JSC::DFG::modeSupportsLength):
      (JSC::DFG::benefitsFromStructureCheck):
      (JSC::DFG::isEffectful):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getArrayLengthElimination):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      (JSC::DFG::FixupPhase::blessArrayOperation):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
      (DFG):
      * dfg/DFGSpeculativeJIT.h:
      (DFG):
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::putByValWillNeedExtraRegister):
      (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal):
      (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
      (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal):
      (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
      (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal):
      (JSC::DFG::SpeculativeJIT::compile):
      * interpreter/Interpreter.cpp:
      (SamplingScope):
      (JSC::SamplingScope::SamplingScope):
      (JSC::SamplingScope::~SamplingScope):
      (JSC):
      (JSC::Interpreter::execute):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileSlowCases):
      (JSC::JIT::privateCompile):
      * jit/JIT.h:
      (JSC::ByValCompilationInfo::ByValCompilationInfo):
      (ByValCompilationInfo):
      (JSC):
      (JIT):
      (JSC::JIT::compileGetByVal):
      (JSC::JIT::compilePutByVal):
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateJSArray):
      (JSC::JIT::emitArrayProfileStoreToHoleSpecialCase):
      (JSC):
      (JSC::arrayProfileSaw):
      (JSC::JIT::chooseArrayMode):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emitSlow_op_get_argument_by_val):
      (JSC::JIT::emit_op_new_array):
      (JSC::JIT::emitSlow_op_new_array):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emitSlow_op_get_argument_by_val):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC):
      (JSC::JIT::emitContiguousGetByVal):
      (JSC::JIT::emitArrayStorageGetByVal):
      (JSC::JIT::emitSlow_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::emitContiguousPutByVal):
      (JSC::JIT::emitArrayStoragePutByVal):
      (JSC::JIT::emitSlow_op_put_by_val):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      (JSC::JIT::privateCompileGetByVal):
      (JSC::JIT::privateCompilePutByVal):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC):
      (JSC::JIT::emitContiguousGetByVal):
      (JSC::JIT::emitArrayStorageGetByVal):
      (JSC::JIT::emitSlow_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::emitContiguousPutByVal):
      (JSC::JIT::emitArrayStoragePutByVal):
      (JSC::JIT::emitSlow_op_put_by_val):
      * jit/JITStubs.cpp:
      (JSC::getByVal):
      (JSC):
      (JSC::DEFINE_STUB_FUNCTION):
      (JSC::putByVal):
      * jit/JITStubs.h:
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/ArrayConventions.h:
      (JSC::isDenseEnoughForVector):
      * runtime/ArrayPrototype.cpp:
      (JSC):
      (JSC::shift):
      (JSC::unshift):
      (JSC::arrayProtoFuncPush):
      (JSC::arrayProtoFuncShift):
      (JSC::arrayProtoFuncSplice):
      (JSC::arrayProtoFuncUnShift):
      * runtime/Butterfly.h:
      (Butterfly):
      (JSC::Butterfly::fromPointer):
      (JSC::Butterfly::pointer):
      (JSC::Butterfly::publicLength):
      (JSC::Butterfly::vectorLength):
      (JSC::Butterfly::setPublicLength):
      (JSC::Butterfly::setVectorLength):
      (JSC::Butterfly::contiguous):
      (JSC::Butterfly::fromContiguous):
      * runtime/ButterflyInlineMethods.h:
      (JSC::Butterfly::unshift):
      (JSC::Butterfly::shift):
      * runtime/IndexingHeaderInlineMethods.h:
      (JSC::IndexingHeader::indexingPayloadSizeInBytes):
      * runtime/IndexingType.cpp: Added.
      (JSC):
      (JSC::indexingTypeToString):
      * runtime/IndexingType.h:
      (JSC):
      (JSC::hasContiguous):
      * runtime/JSArray.cpp:
      (JSC::JSArray::setLengthWithArrayStorage):
      (JSC::JSArray::setLength):
      (JSC):
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::shiftCountWithArrayStorage):
      (JSC::JSArray::shiftCountWithAnyIndexingType):
      (JSC::JSArray::unshiftCountWithArrayStorage):
      (JSC::JSArray::unshiftCountWithAnyIndexingType):
      (JSC::JSArray::sortNumericVector):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sortCompactedVector):
      (JSC::JSArray::sort):
      (JSC::JSArray::sortVector):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      (JSC::JSArray::compactForSorting):
      * runtime/JSArray.h:
      (JSC::JSArray::shiftCountForShift):
      (JSC::JSArray::shiftCountForSplice):
      (JSArray):
      (JSC::JSArray::shiftCount):
      (JSC::JSArray::unshiftCountForShift):
      (JSC::JSArray::unshiftCountForSplice):
      (JSC::JSArray::unshiftCount):
      (JSC::JSArray::isLengthWritable):
      (JSC::createContiguousArrayButterfly):
      (JSC):
      (JSC::JSArray::create):
      (JSC::JSArray::tryCreateUninitialized):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      (JSC):
      (JSC::JSGlobalObject::haveABadTime):
      (JSC::JSGlobalObject::visitChildren):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::arrayStructureWithArrayStorage):
      (JSC::JSGlobalObject::addressOfArrayStructureWithArrayStorage):
      (JSC::constructEmptyArray):
      * runtime/JSObject.cpp:
      (JSC::JSObject::visitButterfly):
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::enterDictionaryIndexingMode):
      (JSC::JSObject::createInitialContiguous):
      (JSC):
      (JSC::JSObject::createArrayStorage):
      (JSC::JSObject::convertContiguousToArrayStorage):
      (JSC::JSObject::ensureContiguousSlow):
      (JSC::JSObject::ensureArrayStorageSlow):
      (JSC::JSObject::ensureIndexedStorageSlow):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::switchToSlowPutArrayStorage):
      (JSC::JSObject::setPrototype):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::defineOwnIndexedProperty):
      (JSC::JSObject::putByIndexBeyondVectorLengthContiguousWithoutAttributes):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::countElementsInContiguous):
      (JSC::JSObject::increaseVectorLength):
      (JSC::JSObject::ensureContiguousLengthSlow):
      (JSC::JSObject::getOwnPropertyDescriptor):
      * runtime/JSObject.h:
      (JSC::JSObject::getArrayLength):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::tryGetIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::canSetIndexQuicklyForPutDirect):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::hasSparseMap):
      (JSC::JSObject::inSparseIndexingMode):
      (JSObject):
      (JSC::JSObject::ensureContiguous):
      (JSC::JSObject::ensureIndexedStorage):
      (JSC::JSObject::ensureContiguousLength):
      (JSC::JSObject::indexingData):
      (JSC::JSObject::relevantLength):
      * runtime/JSValue.cpp:
      (JSC::JSValue::description):
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      * runtime/Structure.cpp:
      (JSC::Structure::needsSlowPutIndexing):
      (JSC):
      (JSC::Structure::suggestedArrayStorageTransition):
      * runtime/Structure.h:
      (Structure):
      * runtime/StructureTransitionTable.h:
      (JSC::newIndexingType):
      
      Source/WTF: 
      
      Moved out this helpful math utility to MathExtras, since we now use it in
      multiple places.
      
      * wtf/MathExtras.h:
      (timesThreePlusOneDividedByTwo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@130826 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0e9910a8
  26. 24 Sep, 2012 1 commit
    • ggaren@apple.com's avatar
      Inlined activation tear-off in the DFG · cd57a712
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97487
      
      Reviewed by Filip Pizlo.
      
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h: Activation tear-off is always inlined now, so I
      removed its out-of-line implementation.
      
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile): Inlined the variable copy and update
      of JSVariableObject::m_registers. This usually turns into < 10 instructions,
      which is close to pure win as compared to the operation function call.
      
      * runtime/JSActivation.h:
      (JSActivation):
      (JSC::JSActivation::registersOffset):
      (JSC::JSActivation::tearOff):
      (JSC::JSActivation::isTornOff):
      (JSC):
      (JSC::JSActivation::storageOffset):
      (JSC::JSActivation::storage): Tiny bit of refactoring so the JIT can
      share the pointer math helper functions we use internally.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129426 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      cd57a712
  27. 18 Sep, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should not call out to C++ every time that it tries to put to an object... · 497c7515
      fpizlo@apple.com authored
      DFG should not call out to C++ every time that it tries to put to an object that doesn't yet have array storage
      https://bugs.webkit.org/show_bug.cgi?id=96983
      
      Reviewed by Oliver Hunt.
      
      Introduce more polymorphism into the DFG's array mode support. Use that to
      introduce the notion of effectul array modes, where the check for the mode
      will perform actions necessary to ensure that we have the mode we want, if
      the object is not already in that mode. Also added profiling support for
      checking if an object is of a type that would not allow us to create array
      storage (like a typed array or a string for example).
              
      This is a ~2x speed-up on loops that transform an object that did not have
      indexed storage into one that does.
      
      * JSCTypedArrayStubs.h:
      (JSC):
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::computeUpdatedPrediction):
      * bytecode/ArrayProfile.h:
      (JSC::ArrayProfile::ArrayProfile):
      (JSC::ArrayProfile::mayInterceptIndexedAccesses):
      (ArrayProfile):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (DFG):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::modeUsesButterfly):
      (JSC::DFG::isSlowPutAccess):
      (JSC::DFG::benefitsFromStructureCheck):
      (JSC::DFG::isEffectful):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasArrayMode):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      (DFG):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/Arguments.h:
      (Arguments):
      * runtime/JSNotAnObject.h:
      (JSNotAnObject):
      * runtime/JSObject.h:
      (JSObject):
      (JSC::JSObject::ensureArrayStorage):
      * runtime/JSString.h:
      (JSC::JSString::createStructure):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128957 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      497c7515
  28. 12 Sep, 2012 1 commit
    • fpizlo@apple.com's avatar
      JSC should have property butterflies · d8dd0535
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=91933
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      This changes the JSC object model. Previously, all objects had fast lookup for
      named properties. Integer indexed properties were only fast if you used a
      JSArray. With this change, all objects have fast indexed properties. This is
      accomplished without any space overhead by using a bidirectional object layout,
      aka butterflies. Each JSObject has a m_butterfly pointer where previously it
      had a m_outOfLineStorage pointer. To the left of the location pointed to by
      m_butterfly, we place all named out-of-line properties. To the right, we place
      all indexed properties along with indexing meta-data. Though, some indexing
      meta-data is placed in the 8-byte word immediately left of the pointed-to
      location; this is in anticipation of the indexing meta-data being small enough
      in the common case that m_butterfly always points to the first indexed
      property.
              
      This is performance neutral, except on tests that use indexed properties on
      plain objects, where the speed-up is in excess of an order of magnitude.
              
      One notable aspect of what this change brings is that it allows indexing
      storage to morph over time. Currently this is only used to allow all non-array
      objects to start out without any indexed storage. But it could be used for
      some kinds of array type inference in the future.
      
      * API/JSCallbackObject.h:
      (JSCallbackObject):
      * API/JSCallbackObjectFunctions.h:
      (JSC::::getOwnPropertySlotByIndex):
      (JSC):
      (JSC::::getOwnNonIndexPropertyNames):
      * API/JSObjectRef.cpp:
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::arrayModeFromStructure):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitDirectPutById):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGAdjacencyList.h:
      (JSC::DFG::AdjacencyList::AdjacencyList):
      (AdjacencyList):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::modeUsesButterfly):
      (JSC::DFG::modeIsJSArray):
      (JSC::DFG::isInBoundsAccess):
      (JSC::DFG::modeSupportsLength):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::addNode):
      (FixupPhase):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::Node):
      (Node):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      (JSC::DFG::putByVal):
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::generateProtoChainAccessStub):
      (JSC::DFG::tryCacheGetByID):
      (JSC::DFG::tryBuildGetByIDList):
      (JSC::DFG::emitPutReplaceStub):
      (JSC::DFG::emitPutTransitionStub):
      (JSC::DFG::tryBuildPutByIdList):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * heap/CopiedSpace.h:
      (CopiedSpace):
      * jit/JIT.h:
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject):
      (JSC::JIT::emitAllocateBasicStorage):
      (JSC::JIT::emitAllocateJSArray):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_new_array):
      (JSC::JIT::emitSlow_op_new_array):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::compileGetDirectOffset):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      (JSC::JIT::compilePutDirectOffset):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      (JSC::JIT::compilePutDirectOffset):
      (JSC::JIT::compileGetDirectOffset):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jsc.cpp:
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/Arguments.cpp:
      (JSC::Arguments::deletePropertyByIndex):
      (JSC::Arguments::defineOwnProperty):
      * runtime/ArrayConstructor.cpp:
      * runtime/ArrayConventions.h: Added.
      (JSC):
      (JSC::isDenseEnoughForVector):
      (JSC::indexingHeaderForArray):
      (JSC::baseIndexingHeaderForArray):
      * runtime/ArrayPrototype.cpp:
      (JSC::ArrayPrototype::create):
      (JSC):
      (JSC::ArrayPrototype::ArrayPrototype):
      (JSC::arrayProtoFuncToString):
      (JSC::arrayProtoFuncJoin):
      (JSC::arrayProtoFuncSort):
      (JSC::arrayProtoFuncFilter):
      (JSC::arrayProtoFuncMap):
      (JSC::arrayProtoFuncEvery):
      (JSC::arrayProtoFuncForEach):
      (JSC::arrayProtoFuncSome):
      (JSC::arrayProtoFuncReduce):
      (JSC::arrayProtoFuncReduceRight):
      * runtime/ArrayPrototype.h:
      (ArrayPrototype):
      (JSC::ArrayPrototype::createStructure):
      * runtime/ArrayStorage.h: Added.
      (JSC):
      (ArrayStorage):
      (JSC::ArrayStorage::ArrayStorage):
      (JSC::ArrayStorage::from):
      (JSC::ArrayStorage::butterfly):
      (JSC::ArrayStorage::indexingHeader):
      (JSC::ArrayStorage::length):
      (JSC::ArrayStorage::setLength):
      (JSC::ArrayStorage::vectorLength):
      (JSC::ArrayStorage::setVectorLength):
      (JSC::ArrayStorage::copyHeaderFromDuringGC):
      (JSC::ArrayStorage::inSparseMode):
      (JSC::ArrayStorage::lengthOffset):
      (JSC::ArrayStorage::vectorLengthOffset):
      (JSC::ArrayStorage::numValuesInVectorOffset):
      (JSC::ArrayStorage::vectorOffset):
      (JSC::ArrayStorage::indexBiasOffset):
      (JSC::ArrayStorage::sparseMapOffset):
      (JSC::ArrayStorage::sizeFor):
      * runtime/Butterfly.h: Added.
      (JSC):
      (Butterfly):
      (JSC::Butterfly::Butterfly):
      (JSC::Butterfly::totalSize):
      (JSC::Butterfly::fromBase):
      (JSC::Butterfly::offsetOfIndexingHeader):
      (JSC::Butterfly::offsetOfPublicLength):
      (JSC::Butterfly::offsetOfVectorLength):
      (JSC::Butterfly::indexingHeader):
      (JSC::Butterfly::propertyStorage):
      (JSC::Butterfly::indexingPayload):
      (JSC::Butterfly::arrayStorage):
      (JSC::Butterfly::offsetOfPropertyStorage):
      (JSC::Butterfly::indexOfPropertyStorage):
      (JSC::Butterfly::base):
      * runtime/ButterflyInlineMethods.h: Added.
      (JSC):
      (JSC::Butterfly::createUninitialized):
      (JSC::Butterfly::create):
      (JSC::Butterfly::createUninitializedDuringCollection):
      (JSC::Butterfly::base):
      (JSC::Butterfly::growPropertyStorage):
      (JSC::Butterfly::growArrayRight):
      (JSC::Butterfly::resizeArray):
      (JSC::Butterfly::unshift):
      (JSC::Butterfly::shift):
      * runtime/ClassInfo.h:
      (MethodTable):
      (JSC):
      * runtime/IndexingHeader.h: Added.
      (JSC):
      (IndexingHeader):
      (JSC::IndexingHeader::offsetOfIndexingHeader):
      (JSC::IndexingHeader::offsetOfPublicLength):
      (JSC::IndexingHeader::offsetOfVectorLength):
      (JSC::IndexingHeader::IndexingHeader):
      (JSC::IndexingHeader::vectorLength):
      (JSC::IndexingHeader::setVectorLength):
      (JSC::IndexingHeader::publicLength):
      (JSC::IndexingHeader::setPublicLength):
      (JSC::IndexingHeader::from):
      (JSC::IndexingHeader::fromEndOf):
      (JSC::IndexingHeader::propertyStorage):
      (JSC::IndexingHeader::arrayStorage):
      (JSC::IndexingHeader::butterfly):
      * runtime/IndexingHeaderInlineMethods.h: Added.
      (JSC):
      (JSC::IndexingHeader::preCapacity):
      (JSC::IndexingHeader::indexingPayloadSizeInBytes):
      * runtime/IndexingType.h: Added.
      (JSC):
      (JSC::hasIndexingHeader):
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::JSActivation):
      (JSC::JSActivation::visitChildren):
      (JSC::JSActivation::getOwnNonIndexPropertyNames):
      * runtime/JSActivation.h:
      (JSActivation):
      (JSC::JSActivation::tearOff):
      * runtime/JSArray.cpp:
      (JSC):
      (JSC::createArrayButterflyInDictionaryIndexingMode):
      (JSC::JSArray::setLengthWritable):
      (JSC::JSArray::defineOwnProperty):
      (JSC::JSArray::getOwnPropertySlot):
      (JSC::JSArray::getOwnPropertyDescriptor):
      (JSC::JSArray::put):
      (JSC::JSArray::deleteProperty):
      (JSC::JSArray::getOwnNonIndexPropertyNames):
      (JSC::JSArray::unshiftCountSlowCase):
      (JSC::JSArray::setLength):
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::shiftCount):
      (JSC::JSArray::unshiftCount):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sort):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      (JSC::JSArray::compactForSorting):
      * runtime/JSArray.h:
      (JSC):
      (JSArray):
      (JSC::JSArray::JSArray):
      (JSC::JSArray::length):
      (JSC::JSArray::createStructure):
      (JSC::JSArray::isLengthWritable):
      (JSC::createArrayButterfly):
      (JSC::JSArray::create):
      (JSC::JSArray::tryCreateUninitialized):
      * runtime/JSBoundFunction.cpp:
      (JSC::boundFunctionCall):
      (JSC::boundFunctionConstruct):
      (JSC::JSBoundFunction::finishCreation):
      * runtime/JSCell.cpp:
      (JSC::JSCell::getOwnNonIndexPropertyNames):
      (JSC):
      * runtime/JSCell.h:
      (JSCell):
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::getOwnPropertySlot):
      (JSC::JSFunction::getOwnPropertyDescriptor):
      (JSC::JSFunction::getOwnNonIndexPropertyNames):
      (JSC::JSFunction::defineOwnProperty):
      * runtime/JSFunction.h:
      (JSFunction):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSGlobalData):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      * runtime/JSONObject.cpp:
      (JSC::Stringifier::Holder::appendNextProperty):
      (JSC::Walker::walk):
      * runtime/JSObject.cpp:
      (JSC):
      (JSC::JSObject::visitButterfly):
      (JSC::JSObject::visitChildren):
      (JSC::JSFinalObject::visitChildren):
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::put):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
      (JSC::JSObject::enterDictionaryIndexingMode):
      (JSC::JSObject::createArrayStorage):
      (JSC::JSObject::createInitialArrayStorage):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::putDirectAccessor):
      (JSC::JSObject::deleteProperty):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::getOwnNonIndexPropertyNames):
      (JSC::JSObject::preventExtensions):
      (JSC::JSObject::fillGetterPropertySlot):
      (JSC::JSObject::putIndexedDescriptor):
      (JSC::JSObject::defineOwnIndexedProperty):
      (JSC::JSObject::allocateSparseIndexMap):
      (JSC::JSObject::deallocateSparseIndexMap):
      (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::increaseVectorLength):
      (JSC::JSObject::checkIndexingConsistency):
      (JSC::JSObject::growOutOfLineStorage):
      (JSC::JSObject::getOwnPropertyDescriptor):
      (JSC::putDescriptor):
      (JSC::JSObject::putDirectMayBeIndex):
      (JSC::JSObject::defineOwnNonIndexProperty):
      (JSC::JSObject::defineOwnProperty):
      (JSC::JSObject::getOwnPropertySlotSlow):
      * runtime/JSObject.h:
      (JSC::JSObject::getArrayLength):
      (JSObject):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::putDirectIndex):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::completeInitialization):
      (JSC::JSObject::inSparseIndexingMode):
      (JSC::JSObject::butterfly):
      (JSC::JSObject::outOfLineStorage):
      (JSC::JSObject::offsetForLocation):
      (JSC::JSObject::indexingShouldBeSparse):
      (JSC::JSObject::butterflyOffset):
      (JSC::JSObject::butterflyAddress):
      (JSC::JSObject::arrayStorage):
      (JSC::JSObject::arrayStorageOrZero):
      (JSC::JSObject::ensureArrayStorage):
      (JSC::JSObject::checkIndexingConsistency):
      (JSC::JSNonFinalObject::JSNonFinalObject):
      (JSC):
      (JSC::JSObject::setButterfly):
      (JSC::JSObject::setButterflyWithoutChangingStructure):
      (JSC::JSObject::JSObject):
      (JSC::JSObject::inlineGetOwnPropertySlot):
      (JSC::JSObject::putDirectInternal):
      (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
      (JSC::JSObject::putDirectWithoutTransition):
      (JSC::offsetInButterfly):
      (JSC::offsetRelativeToPatchedStorage):
      (JSC::indexRelativeToBase):
      (JSC::offsetRelativeToBase):
      * runtime/JSPropertyNameIterator.cpp:
      (JSC::JSPropertyNameIterator::create):
      * runtime/JSSymbolTableObject.cpp:
      (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
      * runtime/JSSymbolTableObject.h:
      (JSSymbolTableObject):
      * runtime/JSTypeInfo.h:
      (JSC):
      (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
      (JSC::TypeInfo::overridesGetPropertyNames):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      * runtime/ObjectConstructor.cpp:
      * runtime/ObjectPrototype.cpp:
      (JSC::ObjectPrototype::ObjectPrototype):
      (JSC):
      * runtime/ObjectPrototype.h:
      (ObjectPrototype):
      * runtime/PropertyOffset.h:
      (JSC::offsetInOutOfLineStorage):
      * runtime/PropertyStorage.h: Added.
      (JSC):
      * runtime/PutDirectIndexMode.h: Added.
      (JSC):
      * runtime/RegExpMatchesArray.cpp:
      (JSC::RegExpMatchesArray::RegExpMatchesArray):
      (JSC):
      (JSC::RegExpMatchesArray::create):
      (JSC::RegExpMatchesArray::finishCreation):
      * runtime/RegExpMatchesArray.h:
      (RegExpMatchesArray):
      (JSC::RegExpMatchesArray::createStructure):
      * runtime/RegExpObject.cpp:
      (JSC::RegExpObject::getOwnNonIndexPropertyNames):
      * runtime/RegExpObject.h:
      (RegExpObject):
      * runtime/Reject.h: Added.
      (JSC):
      (JSC::reject):
      * runtime/SparseArrayValueMap.cpp: Added.
      (JSC):
      * runtime/SparseArrayValueMap.h: Added.
      (JSC):
      (SparseArrayEntry):
      (JSC::SparseArrayEntry::SparseArrayEntry):
      (SparseArrayValueMap):
      (JSC::SparseArrayValueMap::sparseMode):
      (JSC::SparseArrayValueMap::setSparseMode):
      (JSC::SparseArrayValueMap::lengthIsReadOnly):
      (JSC::SparseArrayValueMap::setLengthIsReadOnly):
      (JSC::SparseArrayValueMap::find):
      (JSC::SparseArrayValueMap::remove):
      (JSC::SparseArrayValueMap::notFound):
      (JSC::SparseArrayValueMap::isEmpty):
      (JSC::SparseArrayValueMap::contains):
      (JSC::SparseArrayValueMap::size):
      (JSC::SparseArrayValueMap::begin):
      (JSC::SparseArrayValueMap::end):
      * runtime/SparseArrayValueMapInlineMethods.h: Added.
      (JSC):
      (JSC::SparseArrayValueMap::SparseArrayValueMap):
      (JSC::SparseArrayValueMap::~SparseArrayValueMap):
      (JSC::SparseArrayValueMap::finishCreation):
      (JSC::SparseArrayValueMap::create):
      (JSC::SparseArrayValueMap::destroy):
      (JSC::SparseArrayValueMap::createStructure):
      (JSC::SparseArrayValueMap::add):
      (JSC::SparseArrayValueMap::putEntry):
      (JSC::SparseArrayValueMap::putDirect):
      (JSC::SparseArrayEntry::get):
      (JSC::SparseArrayEntry::getNonSparseMode):
      (JSC::SparseArrayValueMap::visitChildren):
      * runtime/StorageBarrier.h: Removed.
      * runtime/StringObject.cpp:
      (JSC::StringObject::putByIndex):
      (JSC):
      (JSC::StringObject::deletePropertyByIndex):
      * runtime/StringObject.h:
      (StringObject):
      * runtime/StringPrototype.cpp:
      * runtime/Structure.cpp:
      (JSC::Structure::Structure):
      (JSC::Structure::materializePropertyMap):
      (JSC::Structure::nonPropertyTransition):
      (JSC):
      * runtime/Structure.h:
      (Structure):
      (JSC::Structure::indexingType):
      (JSC::Structure::indexingTypeIncludingHistory):
      (JSC::Structure::indexingTypeOffset):
      (JSC::Structure::create):
      * runtime/StructureTransitionTable.h:
      (JSC):
      (JSC::toAttributes):
      (JSC::newIndexingType):
      (JSC::StructureTransitionTable::Hash::hash):
      * tests/mozilla/js1_6/Array/regress-304828.js:
      
      Source/WebCore: 
      
      Teach the DOM that to intercept get/put on indexed properties, you now have
      to override getOwnPropertySlotByIndex and putByIndex.
      
      No new tests because no new behavior. One test was rebased because indexed
      property iteration order now matches other engines (indexed properties always
      come first).
      
      * bindings/js/ArrayValue.cpp:
      (WebCore::ArrayValue::get):
      * bindings/js/JSBlobCustom.cpp:
      (WebCore::JSBlobConstructor::constructJSBlob):
      * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
      (WebCore::JSCanvasRenderingContext2D::setWebkitLineDash):
      * bindings/js/JSDOMStringListCustom.cpp:
      (WebCore::toDOMStringList):
      * bindings/js/JSDOMStringMapCustom.cpp:
      (WebCore::JSDOMStringMap::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSDOMWindowCustom.cpp:
      (WebCore::JSDOMWindow::getOwnPropertySlot):
      (WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
      (WebCore):
      (WebCore::JSDOMWindow::putByIndex):
      (WebCore::JSDOMWindow::deletePropertyByIndex):
      * bindings/js/JSDOMWindowShell.cpp:
      (WebCore::JSDOMWindowShell::getOwnPropertySlotByIndex):
      (WebCore):
      (WebCore::JSDOMWindowShell::putByIndex):
      (WebCore::JSDOMWindowShell::deletePropertyByIndex):
      * bindings/js/JSDOMWindowShell.h:
      (JSDOMWindowShell):
      * bindings/js/JSHistoryCustom.cpp:
      (WebCore::JSHistory::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSInspectorFrontendHostCustom.cpp:
      (WebCore::populateContextMenuItems):
      * bindings/js/JSLocationCustom.cpp:
      (WebCore::JSLocation::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSStorageCustom.cpp:
      (WebCore::JSStorage::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSWebSocketCustom.cpp:
      (WebCore::JSWebSocketConstructor::constructJSWebSocket):
      * bindings/js/ScriptValue.cpp:
      (WebCore::jsToInspectorValue):
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneSerializer::serialize):
      * bindings/scripts/CodeGeneratorJS.pm:
      (GenerateHeader):
      (GenerateImplementation):
      * bridge/runtime_array.cpp:
      (JSC::RuntimeArray::RuntimeArray):
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::createStructure):
      (RuntimeArray):
      
      LayoutTests: 
      
      Modify the JSON test to indicate that iterating over properties now returns
      indexed properties first. This is a behavior change that makes us more
      compliant with other implementations.
              
      Also check in new expected file for the edge cases of indexed property access
      with prototype accessors. This changeset introduces a known regression in that
      department, which is tracked here: https://bugs.webkit.org/show_bug.cgi?id=96596
      
      * fast/js/resources/JSON-stringify.js:
      * platform/mac/fast/js/primitive-property-access-edge-cases-expected.txt: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128400 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d8dd0535