1. 05 Nov, 2012 1 commit
    • fpizlo@apple.com's avatar
      Reduce the verbosity of referring to QNaN in JavaScriptCore · 3494d02f
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=101174
      
      Reviewed by Geoffrey Garen.
      
      Introduces a #define QNaN in JSValue.h, and replaces all previous uses of
      std::numeric_limits<double>::quiet_NaN() with QNaN.
      
      * API/JSValueRef.cpp:
      (JSValueMakeNumber):
      (JSValueToNumber):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emitFloatTypedArrayGetByVal):
      * runtime/CachedTranscendentalFunction.h:
      (JSC::CachedTranscendentalFunction::initialize):
      * runtime/DateConstructor.cpp:
      (JSC::constructDate):
      * runtime/DateInstanceCache.h:
      (JSC::DateInstanceData::DateInstanceData):
      (JSC::DateInstanceCache::reset):
      * runtime/ExceptionHelpers.cpp:
      (JSC::InterruptedExecutionError::defaultValue):
      (JSC::TerminatedExecutionError::defaultValue):
      * runtime/JSCell.h:
      (JSC::JSValue::getPrimitiveNumber):
      * runtime/JSDateMath.cpp:
      (JSC::parseDateFromNullTerminatedCharacters):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::JSGlobalData):
      (JSC::JSGlobalData::resetDateCache):
      * runtime/JSGlobalObjectFunctions.cpp:
      (JSC::parseInt):
      (JSC::jsStrDecimalLiteral):
      (JSC::toDouble):
      (JSC::jsToNumber):
      (JSC::parseFloat):
      * runtime/JSValue.cpp:
      (JSC::JSValue::toNumberSlowCase):
      * runtime/JSValue.h:
      (JSC):
      * runtime/JSValueInlineMethods.h:
      (JSC::jsNaN):
      * runtime/MathObject.cpp:
      (JSC::mathProtoFuncMax):
      (JSC::mathProtoFuncMin):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@133493 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      3494d02f
  2. 02 Nov, 2012 1 commit
  3. 01 Nov, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG optimized string access code should be enabled · a387b6a3
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=100825
      
      Reviewed by Oliver Hunt.
      
      - Removes prediction checks from the parser.
              
      - Fixes the handling of array mode refinement for strings. I.e. we don't do
        any refinement - we already know it's going to be a string. We could
        revisit this in the future, but for now the DFG lacks the ability to
        handle any array modes other than Array::String for string intrinsics, so
        this is as good as it gets.
              
      - Removes uses of isBlahSpeculation for checking if a mode is already
        checked. isBlahSpeculation implicitly checks if the SpeculatedType is not
        BOTTOM ("empty"), which breaks for checking if a mode is already checked
        since a mode may already be "checked" in the sense that we've proven that
        the code is unreachable.
              
      ~1% speed-up on V8v7, mostly from a speed-up on crypto, which uses string
      intrinsics in one of the hot functions.
      
      * bytecode/SpeculatedType.h:
      (JSC::speculationChecked):
      (JSC):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::alreadyChecked):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@133135 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a387b6a3
  4. 28 Oct, 2012 2 commits
    • fpizlo@apple.com's avatar
      DFG should be able to emit effectful structure checks · 99f3762d
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=99260
      
      Reviewed by Oliver Hunt.
      
      This change allows us to find out if an array access that has gone polymorphic
      is operating over known structures - i.e. the primordial array structures of the
      global object that the code block containing the array access belongs to. We
      term this state "OriginalArray" for short. The fact that the access has gone
      polymorphic means that the array profile will not be able to report the set of
      structures it had seen - but if it can tell us that all of the structures were
      primordial then it just so happens that we can deduce what the structure set
      would have been by just querying the code block's global object. This allows us
      to emit an ArrayifyToStructure instead of an Arrayify if we find that we need to
      do conversions. The fast path of an ArrayifyToStructure is exactly like the fast
      path of a CheckStructure and is mostly subject to the same optimizations. It
      also burns one fewer registers.
              
      Essentially the notion of OriginalArray is a super cheap way of getting the
      array profile to tell us a structure set instead of a singleton structure.
      Currently, the array profile can only tell us the structure seen at an array
      access if there was exactly one structure. If there were multiple structures, it
      won't tell us anything other than the array modes and other auxiliary profiling
      data (whether there were stores to holes, for example). With OriginalArray, we
      cheaply get a structure set if all of the structures were primordial for the
      code block's global object, since in that case the array mode set (ArrayModes)
      can directly tell us the structure set. In the future, we might consider adding
      complete structure sets to the array profiles, but I suspect that we would hit
      diminishing returns if we did so - it would only help if we have array accesses
      that are both polymorphic and are cross-global-object accesses (rare) or if the
      arrays had named properties or other structure transitions that are unrelated to
      indexing type (also rare).
              
      This also does away with Arrayify (and the new ArrayifyToStructure) returning
      the butterfly pointer. This turns out to be faster and easier to CSE.
              
      And, this also changes constant folding to be able to eliminate CheckStructure,
      ForwardCheckStructure, and ArrayifyToStructure in addition to being able to
      transform them into structure transition watchpoints. This is great for
      ArrayifyToStructure because then CSE and CFA know that there is no side effect.
      Converting CheckStructure and ForwardCheckStructure to also behave this way is
      just a matter of elegance.
              
      This has no performance impact right now. It's intended to alleviate some of the
      regressions seen in the early implementation of
      https://bugs.webkit.org/show_bug.cgi?id=98606.
      
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::computeUpdatedPrediction):
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::ArrayProfile::ArrayProfile):
      (ArrayProfile):
      (JSC::ArrayProfile::usesOriginalArrayStructures):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::fromObserved):
      (JSC::DFG::ArrayMode::alreadyChecked):
      (JSC::DFG::arrayClassToString):
      * dfg/DFGArrayMode.h:
      (JSC::DFG::ArrayMode::withProfile):
      (JSC::DFG::ArrayMode::isJSArray):
      (ArrayMode):
      (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure):
      (JSC::DFG::ArrayMode::supportsLength):
      (JSC::DFG::ArrayMode::arrayModesWithIndexingShape):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::checkStructureElimination):
      (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::checkArrayElimination):
      (JSC::DFG::CSEPhase::getScopeRegistersLoadElimination):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasStructure):
      (JSC::DFG::Node::hasArrayMode):
      (JSC::DFG::Node::arrayMode):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
      (JSC::DFG::SpeculativeJIT::arrayify):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/JSGlobalObject.h:
      (JSC::JSGlobalObject::isOriginalArrayStructure):
      * runtime/Structure.cpp:
      (JSC::Structure::nonPropertyTransition):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@132759 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      99f3762d
    • fpizlo@apple.com's avatar
      DFG::Array::Mode needs to be cleaned up · 34d1f08b
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=100599
      
      Reviewed by Oliver Hunt.
      
      Turn the previous massive Array::Mode enum into a class that contains four
      fields, the type, whether it's a JSArray, the level of speculation, and the
      kind of conversion to perform.
              
      No performance or behavioral change.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::fromObserved):
      (JSC::DFG::ArrayMode::refine):
      (JSC::DFG::ArrayMode::alreadyChecked):
      (JSC::DFG::arrayTypeToString):
      (JSC::DFG::arrayClassToString):
      (DFG):
      (JSC::DFG::arraySpeculationToString):
      (JSC::DFG::arrayConversionToString):
      (JSC::DFG::ArrayMode::toString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (ArrayMode):
      (JSC::DFG::ArrayMode::ArrayMode):
      (JSC::DFG::ArrayMode::type):
      (JSC::DFG::ArrayMode::arrayClass):
      (JSC::DFG::ArrayMode::speculation):
      (JSC::DFG::ArrayMode::conversion):
      (JSC::DFG::ArrayMode::asWord):
      (JSC::DFG::ArrayMode::fromWord):
      (JSC::DFG::ArrayMode::withSpeculation):
      (JSC::DFG::ArrayMode::usesButterfly):
      (JSC::DFG::ArrayMode::isJSArray):
      (JSC::DFG::ArrayMode::isInBounds):
      (JSC::DFG::ArrayMode::mayStoreToHole):
      (JSC::DFG::ArrayMode::isOutOfBounds):
      (JSC::DFG::ArrayMode::isSlowPut):
      (JSC::DFG::ArrayMode::canCSEStorage):
      (JSC::DFG::ArrayMode::lengthNeedsStorage):
      (JSC::DFG::ArrayMode::modeForPut):
      (JSC::DFG::ArrayMode::isSpecific):
      (JSC::DFG::ArrayMode::supportsLength):
      (JSC::DFG::ArrayMode::benefitsFromStructureCheck):
      (JSC::DFG::ArrayMode::doesConversion):
      (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
      (JSC::DFG::ArrayMode::operator==):
      (JSC::DFG::ArrayMode::operator!=):
      (JSC::DFG::ArrayMode::arrayModesWithIndexingShape):
      (JSC::DFG::canCSEStorage):
      (JSC::DFG::lengthNeedsStorage):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getArrayLengthElimination):
      (JSC::DFG::CSEPhase::checkArrayElimination):
      (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      (JSC::DFG::FixupPhase::blessArrayOperation):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::arrayMode):
      (JSC::DFG::Node::setArrayMode):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
      (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
      (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::putByValWillNeedExtraRegister):
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@132745 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      34d1f08b
  5. 26 Oct, 2012 1 commit
    • fpizlo@apple.com's avatar
      Forward OSR calculation is wrong in the presence of multiple SetLocals, or a... · 83182168
      fpizlo@apple.com authored
      Forward OSR calculation is wrong in the presence of multiple SetLocals, or a mix of SetLocals and Phantoms
      https://bugs.webkit.org/show_bug.cgi?id=100461
      
      Reviewed by Oliver Hunt and Gavin Barraclough.
      
      This does a couple of things. First, it removes the part of the change in r131822 that made the forward
      OSR exit calculator capable of handling multiple SetLocals. That change was wrong, because it would
      blindly assume that all SetLocals had the same ValueRecovery, and would ignore the possibility that if
      there is no value recovery then a ForwardCheckStructure on the first SetLocal would not know how to
      recover the state associated with the second SetLocal. Then, it introduces the invariant that any bytecode
      op that decomposes into multiple SetLocals must first emit dead SetLocals as hints and then emit a second
      set of SetLocals to actually do the setting of the locals. This means that if a ForwardCheckStructure (or
      any other hoisted forward speculation) is inserted, it will always be inserted on the second set of
      SetLocals (since hoisting only touches the live ones), at which point OSR will already know about the
      mov hints implied by the first set of (dead) SetLocals. This gives us the behavior we wanted, namely, that
      a ForwardCheckStructure applied to a variant set by a resolve_with_base-like operation can correctly do a
      forward exit while also ensuring that prior to exiting we set the appropriate locals.
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExit.h:
      (OSRExit):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@132701 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      83182168
  6. 22 Oct, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG::Array::Undecided should be called DFG::Array::SelectUsingPredictions · a0ec0599
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=100052
      
      Reviewed by Oliver Hunt.
      
      No functional change, just renaming. It's a clearer name that more accurately
      reflects the meaning, and it eliminates the namespace confusion that will happen
      with the Undecided indexing type in https://bugs.webkit.org/show_bug.cgi?id=98606
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (JSC::DFG::refineArrayMode):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (JSC::DFG::canCSEStorage):
      (JSC::DFG::modeIsSpecific):
      (JSC::DFG::modeSupportsLength):
      (JSC::DFG::benefitsFromStructureCheck):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::blessArrayOperation):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::arrayify):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@132162 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a0ec0599
  7. 20 Oct, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should have some facility for recognizing redundant CheckArrays and Arrayifies · 372c6d51
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=99287
      
      Reviewed by Mark Hahnenberg.
      
      Adds reasoning about indexing type sets (i.e. ArrayModes) to AbstractValue, which
      then enables us to fold away CheckArray's and Arrayify's that are redundant.
      
      * bytecode/ArrayProfile.cpp:
      (JSC::arrayModesToString):
      (JSC):
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::mergeArrayModes):
      (JSC::arrayModesAlreadyChecked):
      * bytecode/StructureSet.h:
      (JSC::StructureSet::arrayModesFromStructures):
      (StructureSet):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::AbstractValue):
      (JSC::DFG::AbstractValue::clear):
      (JSC::DFG::AbstractValue::isClear):
      (JSC::DFG::AbstractValue::makeTop):
      (JSC::DFG::AbstractValue::clobberStructures):
      (AbstractValue):
      (JSC::DFG::AbstractValue::setMostSpecific):
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::operator==):
      (JSC::DFG::AbstractValue::merge):
      (JSC::DFG::AbstractValue::filter):
      (JSC::DFG::AbstractValue::filterArrayModes):
      (JSC::DFG::AbstractValue::validate):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::dump):
      (JSC::DFG::AbstractValue::clobberArrayModes):
      (JSC::DFG::AbstractValue::clobberArrayModesSlow):
      (JSC::DFG::AbstractValue::setFuturePossibleStructure):
      (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::modeAlreadyChecked):
      * dfg/DFGArrayMode.h:
      (JSC::DFG::arrayModesFor):
      (DFG):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::arrayify):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131982 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      372c6d51
  8. 19 Oct, 2012 1 commit
    • fpizlo@apple.com's avatar
      Baseline array profiling should be less accurate, and DFG OSR exit should... · 44e9ef42
      fpizlo@apple.com authored
      Baseline array profiling should be less accurate, and DFG OSR exit should update array profiles on CheckArray and CheckStructure failure
      https://bugs.webkit.org/show_bug.cgi?id=99261
      
      Reviewed by Oliver Hunt.
      
      This makes array profiling stochastic, like value profiling. The point is to avoid
      noticing one-off indexing types that we'll never see again, but instead to:
              
      Notice the big ones: We want the DFG to compile based on the things that happen with
      high probability. So, this change makes array profiling do like value profiling and
      only notice a random subsampling of indexing types that flowed through an array
      access. Prior to this patch array profiles noticed all indexing types and weighted
      them identically.
              
      Bias the recent: Often an array access will see awkward indexing types during the
      first handful of executions because of artifacts of program startup. So, we want to
      bias towards the indexing types that we saw most recently. With this change, array
      profiling does like value profiling and usually tells use a random sampling that
      is biased to what happened recently.
              
      Have a backup plan: The above two things don't work by themselves because our
      randomness is not that random (nor do we care enough to make it more random), and
      because some procedures will have a <1/10 probability event that we must handle
      without bailing because it dominates a hot loop. So, like value profiling, this
      patch makes array profiling use OSR exits to tell us why we are bailing out, so
      that we don't make the same mistake again in the future.
              
      This change also makes the way that the 32-bit OSR exit compiler snatches scratch
      registers more uniform. We don't need a scratch buffer when we can push and pop.
      
      * bytecode/DFGExitProfile.h:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitArrayProfilingSite):
      * llint/LowLevelInterpreter.asm:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131868 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      44e9ef42
  9. 18 Oct, 2012 2 commits
    • yuqiang.xian@intel.com's avatar
      Refactor MacroAssembler interfaces to differentiate the pointer operands from... · 5b1cb734
      yuqiang.xian@intel.com authored
      Refactor MacroAssembler interfaces to differentiate the pointer operands from the 64-bit integer operands
      https://bugs.webkit.org/show_bug.cgi?id=99154
      
      Reviewed by Gavin Barraclough.
      
      In current JavaScriptCore implementation for JSVALUE64 platform (i.e.,
      the X64 platform), we assume that the JSValue size is same to the
      pointer size, and thus EncodedJSValue is simply type defined as a
      "void*". In the JIT compiler, we also take this assumption and invoke
      the same macro assembler interfaces for both JSValue and pointer
      operands. We need to differentiate the operations on pointers from the
      operations on JSValues, and let them invoking different macro
      assembler interfaces. For example, we now use the interface of
      "loadPtr" to load either a pointer or a JSValue, and we need to switch
      to using "loadPtr" to load a pointer and some new "load64" interface
      to load a JSValue. This would help us supporting other JSVALUE64
      platforms where pointer size is not necessarily 64-bits, for example
      x32 (bug #99153).
      
      The major modification I made is to introduce the "*64" interfaces in
      the MacroAssembler for those operations on JSValues, keep the "*Ptr"
      interfaces for those operations on real pointers, and go through all
      the JIT compiler code to correct the usage.
      
      This is the second part of the work, i.e, to correct the usage of the
      new MacroAssembler interfaces in the JIT compilers, which also means
      that now EncodedJSValue is defined as a 64-bit integer, and the "*64"
      interfaces are used for it.
      
      * assembler/MacroAssembler.h: JSValue immediates should be in Imm64 instead of ImmPtr.
      (MacroAssembler):
      (JSC::MacroAssembler::shouldBlind):
      * dfg/DFGAssemblyHelpers.cpp: Correct the JIT compilers usage of the new interfaces.
      (JSC::DFG::AssemblyHelpers::jitAssertIsInt32):
      (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32):
      (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber):
      (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble):
      (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader):
      (JSC::DFG::AssemblyHelpers::branchIfNotCell):
      (JSC::DFG::AssemblyHelpers::debugCall):
      (JSC::DFG::AssemblyHelpers::boxDouble):
      (JSC::DFG::AssemblyHelpers::unboxDouble):
      (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
      * dfg/DFGCCallHelpers.h:
      (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
      (CCallHelpers):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::generateProtoChainAccessStub):
      (JSC::DFG::tryCacheGetByID):
      (JSC::DFG::tryBuildGetByIDList):
      (JSC::DFG::emitPutReplaceStub):
      (JSC::DFG::emitPutTransitionStub):
      * dfg/DFGScratchRegisterAllocator.h:
      (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
      (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
      (JSC::DFG::SpeculativeJIT::compileInstanceOf):
      (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentSpill):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::spill):
      (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
      (JSC::DFG::SpeculativeJIT::callOperation):
      (JSC::DFG::SpeculativeJIT::branch64):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillInteger):
      (JSC::DFG::SpeculativeJIT::fillDouble):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
      (JSC::DFG::SpeculativeJIT::emitCall):
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::convertToDouble):
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
      (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal):
      (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal):
      (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
      (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGThunks.cpp:
      (JSC::DFG::osrExitGenerationThunkGenerator):
      (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
      (JSC::DFG::slowPathFor):
      (JSC::DFG::virtualForThunkGenerator):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::dumpRegisters):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompile):
      * jit/JIT.h:
      (JIT):
      * jit/JITArithmetic.cpp:
      (JSC::JIT::emit_op_negate):
      (JSC::JIT::emitSlow_op_negate):
      (JSC::JIT::emit_op_rshift):
      (JSC::JIT::emitSlow_op_urshift):
      (JSC::JIT::emit_compareAndJumpSlow):
      (JSC::JIT::emit_op_bitand):
      (JSC::JIT::compileBinaryArithOpSlowCase):
      (JSC::JIT::emit_op_div):
      * jit/JITCall.cpp:
      (JSC::JIT::compileLoadVarargs):
      (JSC::JIT::compileCallEval):
      (JSC::JIT::compileCallEvalSlowCase):
      (JSC::JIT::compileOpCall):
      * jit/JITInlineMethods.h: Have some clean-up work as well.
      (JSC):
      (JSC::JIT::emitPutCellToCallFrameHeader):
      (JSC::JIT::emitPutIntToCallFrameHeader):
      (JSC::JIT::emitPutToCallFrameHeader):
      (JSC::JIT::emitGetFromCallFrameHeader32):
      (JSC::JIT::emitGetFromCallFrameHeader64):
      (JSC::JIT::emitAllocateJSArray):
      (JSC::JIT::emitValueProfilingSite):
      (JSC::JIT::emitGetJITStubArg):
      (JSC::JIT::emitGetVirtualRegister):
      (JSC::JIT::emitPutVirtualRegister):
      (JSC::JIT::emitInitRegister):
      (JSC::JIT::emitJumpIfJSCell):
      (JSC::JIT::emitJumpIfBothJSCells):
      (JSC::JIT::emitJumpIfNotJSCell):
      (JSC::JIT::emitLoadInt32ToDouble):
      (JSC::JIT::emitJumpIfImmediateInteger):
      (JSC::JIT::emitJumpIfNotImmediateInteger):
      (JSC::JIT::emitJumpIfNotImmediateIntegers):
      (JSC::JIT::emitFastArithReTagImmediate):
      (JSC::JIT::emitFastArithIntToImmNoCheck):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::privateCompileCTINativeCall):
      (JSC::JIT::emit_op_mov):
      (JSC::JIT::emit_op_instanceof):
      (JSC::JIT::emit_op_is_undefined):
      (JSC::JIT::emit_op_is_boolean):
      (JSC::JIT::emit_op_is_number):
      (JSC::JIT::emit_op_tear_off_activation):
      (JSC::JIT::emit_op_not):
      (JSC::JIT::emit_op_jfalse):
      (JSC::JIT::emit_op_jeq_null):
      (JSC::JIT::emit_op_jneq_null):
      (JSC::JIT::emit_op_jtrue):
      (JSC::JIT::emit_op_bitxor):
      (JSC::JIT::emit_op_bitor):
      (JSC::JIT::emit_op_get_pnames):
      (JSC::JIT::emit_op_next_pname):
      (JSC::JIT::compileOpStrictEq):
      (JSC::JIT::emit_op_catch):
      (JSC::JIT::emit_op_throw_reference_error):
      (JSC::JIT::emit_op_eq_null):
      (JSC::JIT::emit_op_neq_null):
      (JSC::JIT::emit_op_create_activation):
      (JSC::JIT::emit_op_create_arguments):
      (JSC::JIT::emit_op_init_lazy_reg):
      (JSC::JIT::emitSlow_op_convert_this):
      (JSC::JIT::emitSlow_op_not):
      (JSC::JIT::emit_op_get_argument_by_val):
      (JSC::JIT::emit_op_put_to_base):
      (JSC::JIT::emit_resolve_operations):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emitContiguousGetByVal):
      (JSC::JIT::emitArrayStorageGetByVal):
      (JSC::JIT::emitSlow_op_get_by_val):
      (JSC::JIT::compileGetDirectOffset):
      (JSC::JIT::emit_op_get_by_pname):
      (JSC::JIT::emitContiguousPutByVal):
      (JSC::JIT::emitArrayStoragePutByVal):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      (JSC::JIT::compilePutDirectOffset):
      (JSC::JIT::emit_op_init_global_const):
      (JSC::JIT::emit_op_init_global_const_check):
      (JSC::JIT::emitIntTypedArrayGetByVal):
      (JSC::JIT::emitFloatTypedArrayGetByVal):
      (JSC::JIT::emitFloatTypedArrayPutByVal):
      * jit/JITStubCall.h:
      (JITStubCall):
      (JSC::JITStubCall::JITStubCall):
      (JSC::JITStubCall::addArgument):
      (JSC::JITStubCall::call):
      (JSC::JITStubCall::callWithValueProfiling):
      * jit/JSInterfaceJIT.h:
      (JSC::JSInterfaceJIT::emitJumpIfImmediateNumber):
      (JSC::JSInterfaceJIT::emitJumpIfNotImmediateNumber):
      (JSC::JSInterfaceJIT::emitLoadJSCell):
      (JSC::JSInterfaceJIT::emitLoadInt32):
      (JSC::JSInterfaceJIT::emitLoadDouble):
      * jit/SpecializedThunkJIT.h:
      (JSC::SpecializedThunkJIT::returnDouble):
      (JSC::SpecializedThunkJIT::tagReturnAsInt32):
      * runtime/JSValue.cpp:
      (JSC::JSValue::description):
      * runtime/JSValue.h: Define JSVALUE64 EncodedJSValue as int64_t, which is also unified with JSVALUE32_64.
      (JSC):
      * runtime/JSValueInlineMethods.h: New implementation of some JSValue methods to make them more conformant
      with the new rule that "JSValue is a 64-bit integer rather than a pointer" for JSVALUE64 platforms.
      (JSC):
      (JSC::JSValue::JSValue):
      (JSC::JSValue::operator bool):
      (JSC::JSValue::operator==):
      (JSC::JSValue::operator!=):
      (JSC::reinterpretDoubleToInt64):
      (JSC::reinterpretInt64ToDouble):
      (JSC::JSValue::asDouble):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131858 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      5b1cb734
    • oliver@apple.com's avatar
      Bytecode should not have responsibility for determining how to perform non-local resolves · c909f5f5
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=99349
      
      Reviewed by Gavin Barraclough.
      
      This patch removes lexical analysis from the bytecode generation.  This allows
      us to delay lookup of a non-local variables until the lookup is actually necessary,
      and simplifies a lot of the resolve logic in BytecodeGenerator.
      
      Once a lookup is performed we cache the lookup information in a set of out-of-line
      buffers in CodeBlock.  This allows subsequent lookups to avoid unnecessary hashing,
      etc, and allows the respective JITs to recreated optimal lookup code.
      
      This is currently still a performance regression in LLInt, but most of the remaining
      regression is caused by a lot of indirection that I'll remove in future work, as well
      as some work necessary to allow LLInt to perform in line instruction repatching.
      We will also want to improve the behaviour of the baseline JIT for some of the lookup
      operations, however this patch was getting quite large already so I'm landing it now
      that we've reached the bar of "performance-neutral".
      
      Basic browsing seems to work.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::printStructures):
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::visitStructures):
      (JSC):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::shrinkToFit):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::addResolve):
      (JSC::CodeBlock::addPutToBase):
      (CodeBlock):
      (JSC::CodeBlock::resolveOperations):
      (JSC::CodeBlock::putToBaseOperation):
      (JSC::CodeBlock::numberOfResolveOperations):
      (JSC::CodeBlock::numberOfPutToBaseOperations):
      (JSC::CodeBlock::addPropertyAccessInstruction):
      (JSC::CodeBlock::globalObjectConstant):
      (JSC::CodeBlock::setGlobalObjectConstant):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecode/ResolveGlobalStatus.cpp:
      (JSC::computeForStructure):
      (JSC::ResolveGlobalStatus::computeFor):
      * bytecode/ResolveGlobalStatus.h:
      (JSC):
      (ResolveGlobalStatus):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::ResolveResult::checkValidity):
      (JSC):
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::resolve):
      (JSC::BytecodeGenerator::resolveConstDecl):
      (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
      (JSC::BytecodeGenerator::emitResolve):
      (JSC::BytecodeGenerator::emitResolveBase):
      (JSC::BytecodeGenerator::emitResolveBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithThis):
      (JSC::BytecodeGenerator::emitGetLocalVar):
      (JSC::BytecodeGenerator::emitInitGlobalConst):
      (JSC::BytecodeGenerator::emitPutToBase):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::ResolveResult::registerResolve):
      (JSC::ResolveResult::dynamicResolve):
      (ResolveResult):
      (JSC::ResolveResult::ResolveResult):
      (JSC):
      (NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::resolved):
      (JSC::NonlocalResolveInfo::put):
      (BytecodeGenerator):
      (JSC::BytecodeGenerator::getResolveOperations):
      (JSC::BytecodeGenerator::getResolveWithThisOperations):
      (JSC::BytecodeGenerator::getResolveBaseOperations):
      (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
      (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
      (JSC::BytecodeGenerator::getPutToBaseOperation):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::ResolveNode::isPure):
      (JSC::FunctionCallResolveNode::emitBytecode):
      (JSC::PostfixNode::emitResolve):
      (JSC::PrefixNode::emitResolve):
      (JSC::ReadModifyResolveNode::emitBytecode):
      (JSC::AssignResolveNode::emitBytecode):
      (JSC::ConstDeclNode::emitCodeSingle):
      (JSC::ForInNode::emitBytecode):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (DFG):
      (JSC::DFG::ByteCodeParser::parseResolveOperations):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canInlineResolveOperations):
      (DFG):
      (JSC::DFG::canCompileOpcode):
      (JSC::DFG::canInlineOpcode):
      * dfg/DFGGraph.h:
      (ResolveGlobalData):
      (ResolveOperationData):
      (DFG):
      (PutToBaseOperationData):
      (Graph):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasIdentifier):
      (JSC::DFG::Node::resolveOperationsDataIndex):
      (Node):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExit.h:
      (OSRExit):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::resolveOperations):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::putToBaseOperation):
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      (JIT):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_put_to_base):
      (JSC):
      (JSC::JIT::emit_resolve_operations):
      (JSC::JIT::emitSlow_link_resolve_operations):
      (JSC::JIT::emit_op_resolve):
      (JSC::JIT::emitSlow_op_resolve):
      (JSC::JIT::emit_op_resolve_base):
      (JSC::JIT::emitSlow_op_resolve_base):
      (JSC::JIT::emit_op_resolve_with_base):
      (JSC::JIT::emitSlow_op_resolve_with_base):
      (JSC::JIT::emit_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_put_to_base):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_put_to_base):
      (JSC):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_init_global_const):
      (JSC::JIT::emit_op_init_global_const_check):
      (JSC::JIT::emitSlow_op_init_global_const_check):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_init_global_const):
      (JSC::JIT::emit_op_init_global_const_check):
      (JSC::JIT::emitSlow_op_init_global_const_check):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      (JSC):
      * jit/JITStubs.h:
      * llint/LLIntSlowPaths.cpp:
      (LLInt):
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LLIntSlowPaths.h:
      (LLInt):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSScope.cpp:
      (JSC::LookupResult::base):
      (JSC::LookupResult::value):
      (JSC::LookupResult::setBase):
      (JSC::LookupResult::setValue):
      (LookupResult):
      (JSC):
      (JSC::setPutPropertyAccessOffset):
      (JSC::executeResolveOperations):
      (JSC::JSScope::resolveContainingScopeInternal):
      (JSC::JSScope::resolveContainingScope):
      (JSC::JSScope::resolve):
      (JSC::JSScope::resolveBase):
      (JSC::JSScope::resolveWithBase):
      (JSC::JSScope::resolveWithThis):
      (JSC::JSScope::resolvePut):
      (JSC::JSScope::resolveGlobal):
      * runtime/JSScope.h:
      (JSScope):
      * runtime/JSVariableObject.cpp:
      (JSC):
      * runtime/JSVariableObject.h:
      (JSVariableObject):
      * runtime/Structure.h:
      (JSC::Structure::propertyAccessesAreCacheable):
      (Structure):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131822 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c909f5f5
  10. 17 Oct, 2012 3 commits
    • oliver@apple.com's avatar
      Roll out r131645 as it causes random site crashes. · 6d0087f5
      oliver@apple.com authored
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131676 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6d0087f5
    • oliver@apple.com's avatar
      Bytecode should not have responsibility for determining how to perform non-local resolves · 909fa319
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=99349
      
      Reviewed by Gavin Barraclough.
      
      This patch removes lexical analysis from the bytecode generation.  This allows
      us to delay lookup of a non-local variables until the lookup is actually necessary,
      and simplifies a lot of the resolve logic in BytecodeGenerator.
      
      Once a lookup is performed we cache the lookup information in a set of out-of-line
      buffers in CodeBlock.  This allows subsequent lookups to avoid unnecessary hashing,
      etc, and allows the respective JITs to recreated optimal lookup code.
      
      This is currently still a performance regression in LLInt, but most of the remaining
      regression is caused by a lot of indirection that I'll remove in future work, as well
      as some work necessary to allow LLInt to perform in line instruction repatching.
      We will also want to improve the behaviour of the baseline JIT for some of the lookup
      operations, however this patch was getting quite large already so I'm landing it now
      that we've reached the bar of "performance-neutral".
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::printStructures):
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::visitStructures):
      (JSC):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::shrinkToFit):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::addResolve):
      (JSC::CodeBlock::addPutToBase):
      (CodeBlock):
      (JSC::CodeBlock::resolveOperations):
      (JSC::CodeBlock::putToBaseOperation):
      (JSC::CodeBlock::numberOfResolveOperations):
      (JSC::CodeBlock::numberOfPutToBaseOperations):
      (JSC::CodeBlock::addPropertyAccessInstruction):
      (JSC::CodeBlock::globalObjectConstant):
      (JSC::CodeBlock::setGlobalObjectConstant):
      * bytecode/GlobalResolveInfo.h: Removed.
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecode/ResolveGlobalStatus.cpp:
      (JSC::computeForStructure):
      (JSC::ResolveGlobalStatus::computeFor):
      * bytecode/ResolveGlobalStatus.h:
      (JSC):
      (ResolveGlobalStatus):
      * bytecode/ResolveOperation.h: Added.
        The new types and logic we use to perform the cached lookups.
      (JSC):
      (ResolveOperation):
      (JSC::ResolveOperation::getAndReturnScopedVar):
      (JSC::ResolveOperation::checkForDynamicEntriesBeforeGlobalScope):
      (JSC::ResolveOperation::getAndReturnGlobalVar):
      (JSC::ResolveOperation::getAndReturnGlobalProperty):
      (JSC::ResolveOperation::resolveFail):
      (JSC::ResolveOperation::skipTopScopeNode):
      (JSC::ResolveOperation::skipScopes):
      (JSC::ResolveOperation::returnGlobalObjectAsBase):
      (JSC::ResolveOperation::setBaseToGlobal):
      (JSC::ResolveOperation::setBaseToUndefined):
      (JSC::ResolveOperation::setBaseToScope):
      (JSC::ResolveOperation::returnScopeAsBase):
      (JSC::PutToBaseOperation::PutToBaseOperation):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::ResolveResult::checkValidity):
      (JSC):
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::resolve):
      (JSC::BytecodeGenerator::resolveConstDecl):
      (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
      (JSC::BytecodeGenerator::emitResolve):
      (JSC::BytecodeGenerator::emitResolveBase):
      (JSC::BytecodeGenerator::emitResolveBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithThis):
      (JSC::BytecodeGenerator::emitGetLocalVar):
      (JSC::BytecodeGenerator::emitInitGlobalConst):
      (JSC::BytecodeGenerator::emitPutToBase):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::ResolveResult::registerResolve):
      (JSC::ResolveResult::dynamicResolve):
      (ResolveResult):
      (JSC::ResolveResult::ResolveResult):
      (JSC):
      (NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::resolved):
      (JSC::NonlocalResolveInfo::put):
      (BytecodeGenerator):
      (JSC::BytecodeGenerator::getResolveOperations):
      (JSC::BytecodeGenerator::getResolveWithThisOperations):
      (JSC::BytecodeGenerator::getResolveBaseOperations):
      (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
      (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
      (JSC::BytecodeGenerator::getPutToBaseOperation):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::ResolveNode::isPure):
      (JSC::FunctionCallResolveNode::emitBytecode):
      (JSC::PostfixNode::emitResolve):
      (JSC::PrefixNode::emitResolve):
      (JSC::ReadModifyResolveNode::emitBytecode):
      (JSC::AssignResolveNode::emitBytecode):
      (JSC::ConstDeclNode::emitCodeSingle):
      (JSC::ForInNode::emitBytecode):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (DFG):
      (JSC::DFG::ByteCodeParser::parseResolveOperations):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileResolveOperations):
      (DFG):
      (JSC::DFG::canCompilePutToBaseOperation):
      (JSC::DFG::canCompileOpcode):
      (JSC::DFG::canInlineOpcode):
      * dfg/DFGGraph.h:
      (ResolveGlobalData):
      (ResolveOperationData):
      (DFG):
      (PutToBaseOperationData):
      (Graph):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasIdentifier):
      (JSC::DFG::Node::resolveOperationsDataIndex):
      (Node):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExit.h:
      (OSRExit):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::resolveOperations):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::putToBaseOperation):
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      (JIT):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_put_to_base):
      (JSC):
      (JSC::JIT::emit_resolve_operations):
      (JSC::JIT::emitSlow_link_resolve_operations):
      (JSC::JIT::emit_op_resolve):
      (JSC::JIT::emitSlow_op_resolve):
      (JSC::JIT::emit_op_resolve_base):
      (JSC::JIT::emitSlow_op_resolve_base):
      (JSC::JIT::emit_op_resolve_with_base):
      (JSC::JIT::emitSlow_op_resolve_with_base):
      (JSC::JIT::emit_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_put_to_base):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_put_to_base):
      (JSC):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_init_global_const):
      (JSC::JIT::emit_op_init_global_const_check):
      (JSC::JIT::emitSlow_op_init_global_const_check):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_init_global_const):
      (JSC::JIT::emit_op_init_global_const_check):
      (JSC::JIT::emitSlow_op_init_global_const_check):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      (JSC):
      * jit/JITStubs.h:
      * llint/LLIntSlowPaths.cpp:
      (LLInt):
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LLIntSlowPaths.h:
      (LLInt):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSScope.cpp:
      (JSC::LookupResult::base):
      (JSC::LookupResult::value):
      (JSC::LookupResult::setBase):
      (JSC::LookupResult::setValue):
      (LookupResult):
      (JSC):
      (JSC::setPutPropertyAccessOffset):
      (JSC::executeResolveOperations):
      (JSC::JSScope::resolveContainingScopeInternal):
      (JSC::JSScope::resolveContainingScope):
      (JSC::JSScope::resolve):
      (JSC::JSScope::resolveBase):
      (JSC::JSScope::resolveWithBase):
      (JSC::JSScope::resolveWithThis):
      (JSC::JSScope::resolvePut):
      (JSC::JSScope::resolveGlobal):
      * runtime/JSScope.h:
      (JSScope):
      * runtime/JSVariableObject.cpp:
      (JSC):
      * runtime/JSVariableObject.h:
      (JSVariableObject):
      * runtime/Structure.h:
      (JSC::Structure::propertyAccessesAreCacheable):
      (Structure):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131645 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      909fa319
    • ossy@webkit.org's avatar
      Unreviewed, rolling out r131516 and r131550. · 04bfe7a7
      ossy@webkit.org authored
      http://trac.webkit.org/changeset/131516
      http://trac.webkit.org/changeset/131550
      https://bugs.webkit.org/show_bug.cgi?id=99349
      
      It caused zillion different problem on different platforms
      
      Source/JavaScriptCore:
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC):
      (JSC::isGlobalResolve):
      (JSC::instructionOffsetForNth):
      (JSC::printGlobalResolveInfo):
      (JSC::CodeBlock::printStructures):
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::visitStructures):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::hasGlobalResolveInfoAtBytecodeOffset):
      (JSC::CodeBlock::globalResolveInfoForBytecodeOffset):
      (JSC::CodeBlock::shrinkToFit):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::addGlobalResolveInstruction):
      (JSC::CodeBlock::addGlobalResolveInfo):
      (JSC::CodeBlock::globalResolveInfo):
      (JSC::CodeBlock::numberOfGlobalResolveInfos):
      (JSC::CodeBlock::globalResolveInfoCount):
      * bytecode/GlobalResolveInfo.h: Copied from Source/JavaScriptCore/bytecode/ResolveGlobalStatus.cpp.
      (JSC):
      (JSC::GlobalResolveInfo::GlobalResolveInfo):
      (GlobalResolveInfo):
      (JSC::getGlobalResolveInfoBytecodeOffset):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecode/ResolveGlobalStatus.cpp:
      (JSC):
      (JSC::computeForStructure):
      (JSC::computeForLLInt):
      (JSC::ResolveGlobalStatus::computeFor):
      * bytecode/ResolveGlobalStatus.h:
      (JSC):
      (ResolveGlobalStatus):
      * bytecode/ResolveOperation.h: Removed.
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::ResolveResult::checkValidity):
      (JSC::ResolveResult::registerPointer):
      (JSC):
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::resolve):
      (JSC::BytecodeGenerator::resolveConstDecl):
      (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
      (JSC::BytecodeGenerator::emitResolve):
      (JSC::BytecodeGenerator::emitResolveBase):
      (JSC::BytecodeGenerator::emitResolveBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithBase):
      (JSC::BytecodeGenerator::emitResolveWithThis):
      (JSC::BytecodeGenerator::emitGetStaticVar):
      (JSC::BytecodeGenerator::emitInitGlobalConst):
      (JSC::BytecodeGenerator::emitPutStaticVar):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::ResolveResult::registerResolve):
      (JSC::ResolveResult::dynamicResolve):
      (JSC::ResolveResult::lexicalResolve):
      (JSC::ResolveResult::indexedGlobalResolve):
      (JSC::ResolveResult::dynamicIndexedGlobalResolve):
      (JSC::ResolveResult::globalResolve):
      (JSC::ResolveResult::dynamicGlobalResolve):
      (JSC::ResolveResult::type):
      (JSC::ResolveResult::index):
      (JSC::ResolveResult::depth):
      (JSC::ResolveResult::globalObject):
      (ResolveResult):
      (JSC::ResolveResult::isStatic):
      (JSC::ResolveResult::isIndexed):
      (JSC::ResolveResult::isScoped):
      (JSC::ResolveResult::isGlobal):
      (JSC::ResolveResult::ResolveResult):
      (BytecodeGenerator):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::ResolveNode::isPure):
      (JSC::FunctionCallResolveNode::emitBytecode):
      (JSC::PostfixNode::emitResolve):
      (JSC::PrefixNode::emitResolve):
      (JSC::ReadModifyResolveNode::emitBytecode):
      (JSC::AssignResolveNode::emitBytecode):
      (JSC::ConstDeclNode::emitCodeSingle):
      (JSC::ForInNode::emitBytecode):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileOpcode):
      (JSC::DFG::canInlineOpcode):
      * dfg/DFGGraph.h:
      (ResolveGlobalData):
      (DFG):
      (Graph):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasIdentifier):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExit.h:
      (OSRExit):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      (JSC):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      (JIT):
      (JSC::JIT::emit_op_get_global_var_watchable):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_resolve):
      (JSC):
      (JSC::JIT::emit_op_resolve_base):
      (JSC::JIT::emit_op_resolve_skip):
      (JSC::JIT::emit_op_resolve_global):
      (JSC::JIT::emitSlow_op_resolve_global):
      (JSC::JIT::emit_op_resolve_with_base):
      (JSC::JIT::emit_op_resolve_with_this):
      (JSC::JIT::emit_op_resolve_global_dynamic):
      (JSC::JIT::emitSlow_op_resolve_global_dynamic):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_resolve):
      (JSC):
      (JSC::JIT::emit_op_resolve_base):
      (JSC::JIT::emit_op_resolve_skip):
      (JSC::JIT::emit_op_resolve_global):
      (JSC::JIT::emitSlow_op_resolve_global):
      (JSC::JIT::emit_op_resolve_with_base):
      (JSC::JIT::emit_op_resolve_with_this):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_scoped_var):
      (JSC):
      (JSC::JIT::emit_op_put_scoped_var):
      (JSC::JIT::emit_op_get_global_var):
      (JSC::JIT::emit_op_put_global_var):
      (JSC::JIT::emit_op_put_global_var_check):
      (JSC::JIT::emitSlow_op_put_global_var_check):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_scoped_var):
      (JSC):
      (JSC::JIT::emit_op_put_scoped_var):
      (JSC::JIT::emit_op_get_global_var):
      (JSC::JIT::emit_op_put_global_var):
      (JSC::JIT::emit_op_put_global_var_check):
      (JSC::JIT::emitSlow_op_put_global_var_check):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      (JSC):
      * jit/JITStubs.h:
      * llint/LLIntSlowPaths.cpp:
      (LLInt):
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LLIntSlowPaths.h:
      (LLInt):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSScope.cpp:
      (JSC::JSScope::resolve):
      (JSC::JSScope::resolveSkip):
      (JSC::JSScope::resolveGlobal):
      (JSC::JSScope::resolveGlobalDynamic):
      (JSC::JSScope::resolveBase):
      (JSC::JSScope::resolveWithBase):
      (JSC::JSScope::resolveWithThis):
      * runtime/JSScope.h:
      (JSScope):
      * runtime/JSVariableObject.cpp:
      * runtime/JSVariableObject.h:
      * runtime/Structure.h:
      
      LayoutTests:
      
      * fast/workers/resources/worker-event-listener.js:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131552 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      04bfe7a7
  11. 16 Oct, 2012 1 commit
    • oliver@apple.com's avatar
      Bytecode should not have responsibility for determining how to perform non-local resolves · c4da761e
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=99349
      
      Reviewed by Gavin Barraclough.
      
      This patch removes lexical analysis from the bytecode generation.  This allows
      us to delay lookup of a non-local variables until the lookup is actually necessary,
      and simplifies a lot of the resolve logic in BytecodeGenerator.
      
      Once a lookup is performed we cache the lookup information in a set of out-of-line
      buffers in CodeBlock.  This allows subsequent lookups to avoid unnecessary hashing,
      etc, and allows the respective JITs to recreated optimal lookup code.
      
      This is currently still a performance regression in LLInt, but most of the remaining
      regression is caused by a lot of indirection that I'll remove in future work, as well
      as some work necessary to allow LLInt to perform in line instruction repatching.
      We will also want to improve the behaviour of the baseline JIT for some of the lookup
      operations, however this patch was getting quite large already so I'm landing it now
      that we've reached the bar of "performance-neutral".
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::printStructures):
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::visitStructures):
      (JSC):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::shrinkToFit):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::addResolve):
      (JSC::CodeBlock::addPutToBase):
      (CodeBlock):
      (JSC::CodeBlock::resolveOperations):
      (JSC::CodeBlock::putToBaseOperation):
      (JSC::CodeBlock::numberOfResolveOperations):
      (JSC::CodeBlock::numberOfPutToBaseOperations):
      (JSC::CodeBlock::addPropertyAccessInstruction):
      (JSC::CodeBlock::globalObjectConstant):
      (JSC::CodeBlock::setGlobalObjectConstant):
      * bytecode/GlobalResolveInfo.h: Removed.
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecode/ResolveGlobalStatus.cpp:
      (JSC::computeForStructure):
      (JSC::ResolveGlobalStatus::computeFor):
      * bytecode/ResolveGlobalStatus.h:
      (JSC):
      (ResolveGlobalStatus):
      * bytecode/ResolveOperation.h: Added.
        The new types and logic we use to perform the cached lookups.
      (JSC):
      (ResolveOperation):
      (JSC::ResolveOperation::getAndReturnScopedVar):
      (JSC::ResolveOperation::checkForDynamicEntriesBeforeGlobalScope):
      (JSC::ResolveOperation::getAndReturnGlobalVar):
      (JSC::ResolveOperation::getAndReturnGlobalProperty):
      (JSC::ResolveOperation::resolveFail):
      (JSC::ResolveOperation::skipTopScopeNode):
      (JSC::ResolveOperation::skipScopes):
      (JSC::ResolveOperation::returnGlobalObjectAsBase):
      (JSC::ResolveOperation::setBaseToGlobal):
      (JSC::ResolveOperation::setBaseToUndefined):
      (JSC::ResolveOperation::setBaseToScope):
      (JSC::ResolveOperation::returnScopeAsBase):
      (JSC::PutToBaseOperation::PutToBaseOperation):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::ResolveResult::checkValidity):
      (JSC):
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::resolve):
      (JSC::BytecodeGenerator::resolveConstDecl):
      (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
      (JSC::BytecodeGenerator::emitResolve):
      (JSC::BytecodeGenerator::emitResolveBase):
      (JSC::BytecodeGenerator::emitResolveBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
      (JSC::BytecodeGenerator::emitResolveWithThis):
      (JSC::BytecodeGenerator::emitGetLocalVar):
      (JSC::BytecodeGenerator::emitInitGlobalConst):
      (JSC::BytecodeGenerator::emitPutToBase):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::ResolveResult::registerResolve):
      (JSC::ResolveResult::dynamicResolve):
      (ResolveResult):
      (JSC::ResolveResult::ResolveResult):
      (JSC):
      (NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
      (JSC::NonlocalResolveInfo::resolved):
      (JSC::NonlocalResolveInfo::put):
      (BytecodeGenerator):
      (JSC::BytecodeGenerator::getResolveOperations):
      (JSC::BytecodeGenerator::getResolveWithThisOperations):
      (JSC::BytecodeGenerator::getResolveBaseOperations):
      (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
      (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
      (JSC::BytecodeGenerator::getPutToBaseOperation):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::ResolveNode::isPure):
      (JSC::FunctionCallResolveNode::emitBytecode):
      (JSC::PostfixNode::emitResolve):
      (JSC::PrefixNode::emitResolve):
      (JSC::ReadModifyResolveNode::emitBytecode):
      (JSC::AssignResolveNode::emitBytecode):
      (JSC::ConstDeclNode::emitCodeSingle):
      (JSC::ForInNode::emitBytecode):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (DFG):
      (JSC::DFG::ByteCodeParser::parseResolveOperations):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileResolveOperations):
      (DFG):
      (JSC::DFG::canCompilePutToBaseOperation):
      (JSC::DFG::canCompileOpcode):
      (JSC::DFG::canInlineOpcode):
      * dfg/DFGGraph.h:
      (ResolveGlobalData):
      (ResolveOperationData):
      (DFG):
      (PutToBaseOperationData):
      (Graph):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasIdentifier):
      (JSC::DFG::Node::resolveOperationsDataIndex):
      (Node):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExit.h:
      (OSRExit):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::resolveOperations):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::putToBaseOperation):
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      (JIT):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_put_to_base):
      (JSC):
      (JSC::JIT::emit_resolve_operations):
      (JSC::JIT::emitSlow_link_resolve_operations):
      (JSC::JIT::emit_op_resolve):
      (JSC::JIT::emitSlow_op_resolve):
      (JSC::JIT::emit_op_resolve_base):
      (JSC::JIT::emitSlow_op_resolve_base):
      (JSC::JIT::emit_op_resolve_with_base):
      (JSC::JIT::emitSlow_op_resolve_with_base):
      (JSC::JIT::emit_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_resolve_with_this):
      (JSC::JIT::emitSlow_op_put_to_base):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_put_to_base):
      (JSC):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_init_global_const):
      (JSC::JIT::emit_op_init_global_const_check):
      (JSC::JIT::emitSlow_op_init_global_const_check):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_init_global_const):
      (JSC::JIT::emit_op_init_global_const_check):
      (JSC::JIT::emitSlow_op_init_global_const_check):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      (JSC):
      * jit/JITStubs.h:
      * llint/LLIntSlowPaths.cpp:
      (LLInt):
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LLIntSlowPaths.h:
      (LLInt):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSScope.cpp:
      (JSC::LookupResult::base):
      (JSC::LookupResult::value):
      (JSC::LookupResult::setBase):
      (JSC::LookupResult::setValue):
      (LookupResult):
      (JSC):
      (JSC::setPutPropertyAccessOffset):
      (JSC::executeResolveOperations):
      (JSC::JSScope::resolveContainingScopeInternal):
      (JSC::JSScope::resolveContainingScope):
      (JSC::JSScope::resolve):
      (JSC::JSScope::resolveBase):
      (JSC::JSScope::resolveWithBase):
      (JSC::JSScope::resolveWithThis):
      (JSC::JSScope::resolvePut):
      (JSC::JSScope::resolveGlobal):
      * runtime/JSScope.h:
      (JSScope):
      * runtime/JSVariableObject.cpp:
      (JSC):
      * runtime/JSVariableObject.h:
      (JSVariableObject):
      * runtime/Structure.h:
      (JSC::Structure::propertyAccessesAreCacheable):
      (Structure):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131516 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c4da761e
  12. 14 Oct, 2012 2 commits
    • fpizlo@apple.com's avatar
      DFG should handle polymorphic array modes by eagerly transforming arrays into... · e07b17b1
      fpizlo@apple.com authored
      DFG should handle polymorphic array modes by eagerly transforming arrays into the most general applicable form
      https://bugs.webkit.org/show_bug.cgi?id=99269
      
      Reviewed by Geoffrey Garen.
      
      This kills off a bunch of code for "polymorphic" array modes in the DFG. It should
      also be a performance win for code that uses a lot of array storage arrays.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::modeUsesButterfly):
      (JSC::DFG::modeIsJSArray):
      (JSC::DFG::mayStoreToTail):
      (JSC::DFG::mayStoreToHole):
      (JSC::DFG::canCSEStorage):
      (JSC::DFG::modeSupportsLength):
      (JSC::DFG::benefitsFromStructureCheck):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::checkArray):
      (JSC::DFG::FixupPhase::blessArrayOperation):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::putByValWillNeedExtraRegister):
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131289 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      e07b17b1
    • fpizlo@apple.com's avatar
      IndexingType should not have a bit for each type · b9aa7ba0
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=98997
      
      Reviewed by Oliver Hunt.
      
      Somewhat incidentally, the introduction of butterflies led to each indexing
      type being represented by a unique bit. This is superficially nice since it
      allows you to test if a structure corresponds to a particular indexing type
      by saying !!(structure->indexingType() & TheType). But the downside is that
      given the 8 bits we have for the m_indexingType field, that leaves only a
      small number of possible indexing types if we have one per bit.
              
      This changeset changes the indexing type to be:
              
      Bit #1: Tells you if you're an array.
              
      Bits #2 - #5: 16 possible indexing types, including the blank type for
          objects that don't have indexed properties.
              
      Bits #6-8: Auxiliary bits that we could use for other things. Currently we
          just use one of those bits, for MayHaveIndexedAccessors.
              
      This is performance-neutral, and is primarily intended to give us more
      breathing room for introducing new inferred array modes.
      
      * assembler/AbstractMacroAssembler.h:
      (JSC::AbstractMacroAssembler::JumpList::jumps):
      * assembler/MacroAssembler.h:
      (MacroAssembler):
      (JSC::MacroAssembler::patchableBranch32):
      * assembler/MacroAssemblerARMv7.h:
      (JSC::MacroAssemblerARMv7::patchableBranch32):
      (MacroAssemblerARMv7):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::modeAlreadyChecked):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::speculationCheck):
      (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
      (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
      (DFG):
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateJSArray):
      (JSC::JIT::chooseArrayMode):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emitContiguousGetByVal):
      (JSC::JIT::emitArrayStorageGetByVal):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::emitContiguousPutByVal):
      (JSC::JIT::emitArrayStoragePutByVal):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emitContiguousGetByVal):
      (JSC::JIT::emitArrayStorageGetByVal):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::emitContiguousPutByVal):
      (JSC::JIT::emitArrayStoragePutByVal):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/IndexingType.h:
      (JSC):
      (JSC::hasIndexedProperties):
      (JSC::hasContiguous):
      (JSC::hasFastArrayStorage):
      (JSC::hasArrayStorage):
      (JSC::shouldUseSlowPut):
      * runtime/JSGlobalObject.cpp:
      (JSC):
      * runtime/StructureTransitionTable.h:
      (JSC::newIndexingType):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131276 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b9aa7ba0
  13. 12 Oct, 2012 1 commit
    • fpizlo@apple.com's avatar
      Contiguous array allocation should always be inlined · 1bc68481
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=98608
      
      Reviewed by Oliver Hunt and Mark Hahnenberg.
      
      This inlines contiguous array allocation in the most obvious way possible.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * assembler/MacroAssembler.h:
      (JSC::MacroAssembler::branchSubPtr):
      (MacroAssembler):
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::branchSubPtr):
      (MacroAssemblerX86_64):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGCCallHelpers.h:
      (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
      (CCallHelpers):
      * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: Added.
      (DFG):
      (CallArrayAllocatorSlowPathGenerator):
      (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
      (JSC::DFG::CallArrayAllocatorSlowPathGenerator::generateInternal):
      (CallArrayAllocatorWithVariableSizeSlowPathGenerator):
      (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
      (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::generateInternal):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
      (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131249 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1bc68481
  14. 11 Oct, 2012 1 commit
    • fpizlo@apple.com's avatar
      UInt32ToNumber and OSR exit should be aware of copy propagation and correctly... · 617c3793
      fpizlo@apple.com authored
      UInt32ToNumber and OSR exit should be aware of copy propagation and correctly recover both versions of a variable that was subject to a UInt32ToNumber cast
      https://bugs.webkit.org/show_bug.cgi?id=99100
      <rdar://problem/12480955>
      
      Reviewed by Michael Saboff and Mark Hahnenberg.
      
      Source/JavaScriptCore: 
      
      Fixed by forcing UInt32ToNumber to use a different register. This "undoes" the copy propagation that we
      would have been doing, since it has no performance effect in this case and has the benefit of making the
      OSR exit compiler a lot simpler.
      
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
      
      LayoutTests: 
      
      * fast/js/dfg-uint32-to-number-in-middle-of-copy-propagation-expected.txt: Added.
      * fast/js/dfg-uint32-to-number-in-middle-of-copy-propagation.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/dfg-uint32-to-number-in-middle-of-copy-propagation.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131097 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      617c3793
  15. 09 Oct, 2012 3 commits
    • fpizlo@apple.com's avatar
      Typed arrays should not be 20x slower in the baseline JIT than in the DFG JIT · c14c8d32
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=98605
      
      Reviewed by Oliver Hunt and Gavin Barraclough.
      
      This adds typed array get_by_val/put_by_val patching to the baseline JIT. It's
      a big (~40%) win on benchmarks that have trouble staying in the DFG JIT. Even
      if we fix those benchmarks, this functionality gives us the insurance that we
      typically desire with all speculative optimizations: even if we bail to
      baseline, we're still reasonably performant.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * assembler/MacroAssembler.cpp: Added.
      (JSC):
      * assembler/MacroAssembler.h:
      (MacroAssembler):
      (JSC::MacroAssembler::patchableBranchPtr):
      * assembler/MacroAssemblerARMv7.h:
      (MacroAssemblerARMv7):
      (JSC::MacroAssemblerARMv7::moveDoubleToInts):
      (JSC::MacroAssemblerARMv7::moveIntsToDouble):
      (JSC::MacroAssemblerARMv7::patchableBranchPtr):
      * assembler/MacroAssemblerX86.h:
      (MacroAssemblerX86):
      (JSC::MacroAssemblerX86::moveDoubleToInts):
      (JSC::MacroAssemblerX86::moveIntsToDouble):
      * bytecode/ByValInfo.h:
      (JSC::hasOptimizableIndexingForClassInfo):
      (JSC):
      (JSC::hasOptimizableIndexing):
      (JSC::jitArrayModeForClassInfo):
      (JSC::jitArrayModeForStructure):
      (JSC::ByValInfo::ByValInfo):
      (ByValInfo):
      * dfg/DFGAssemblyHelpers.cpp:
      (DFG):
      * dfg/DFGAssemblyHelpers.h:
      (AssemblyHelpers):
      (JSC::DFG::AssemblyHelpers::boxDouble):
      (JSC::DFG::AssemblyHelpers::unboxDouble):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * jit/JIT.h:
      (JIT):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::privateCompileGetByVal):
      (JSC::JIT::privateCompilePutByVal):
      (JSC::JIT::emitIntTypedArrayGetByVal):
      (JSC):
      (JSC::JIT::emitFloatTypedArrayGetByVal):
      (JSC::JIT::emitIntTypedArrayPutByVal):
      (JSC::JIT::emitFloatTypedArrayPutByVal):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * runtime/JSCell.h:
      * runtime/JSGlobalData.h:
      (JSGlobalData):
      (JSC::JSGlobalData::typedArrayDescriptor):
      * runtime/TypedArrayDescriptor.h: Added.
      (JSC):
      (JSC::TypedArrayDescriptor::TypedArrayDescriptor):
      (TypedArrayDescriptor):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@130839 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c14c8d32
    • fpizlo@apple.com's avatar
      JSC should infer when indexed storage is contiguous, and optimize for it · 0e9910a8
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97288
      
      Reviewed by Mark Hahnenberg.
      
      Source/JavaScriptCore: 
      
      This introduces a new kind of indexed property storage called Contiguous,
      which has the following properties:
              
      - No header bits beyond IndexedHeader. This results in a 16 byte reduction
        in memory usage per array versus an ArrayStorage array. It also means
        that the total memory usage for an empty array is now just 3 * 8 on both
        32-bit and 64-bit. Of that, only 8 bytes are array-specific; the rest is
        our standard object header overhead.
              
      - No need for hole checks on store. This results in a ~4% speed-up on
        Kraken and a ~1% speed-up on V8v7.
              
      - publicLength <= vectorLength. This means that doing new Array(blah)
        immediately allocates room for blah elements.
              
      - No sparse map or index bias.
              
      If you ever do things to an array that would require publicLength >
      vectorLength, a sparse map, or index bias, then we switch to ArrayStorage
      mode. This seems to never happen in any benchmark we track, and is unlikely
      to happen very frequently on any website.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * assembler/AbstractMacroAssembler.h:
      (JSC::AbstractMacroAssembler::JumpList::append):
      * assembler/MacroAssembler.h:
      (MacroAssembler):
      (JSC::MacroAssembler::patchableBranchTest32):
      * bytecode/ByValInfo.h: Added.
      (JSC):
      (JSC::isOptimizableIndexingType):
      (JSC::jitArrayModeForIndexingType):
      (JSC::ByValInfo::ByValInfo):
      (ByValInfo):
      (JSC::getByValInfoBytecodeIndex):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      (JSC::CodeBlock::getByValInfo):
      (JSC::CodeBlock::setNumberOfByValInfos):
      (JSC::CodeBlock::numberOfByValInfos):
      (JSC::CodeBlock::byValInfo):
      * bytecode/SamplingTool.h:
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::modeUsesButterfly):
      (JSC::DFG::modeIsJSArray):
      (JSC::DFG::isInBoundsAccess):
      (JSC::DFG::mayStoreToTail):
      (JSC::DFG::mayStoreToHole):
      (JSC::DFG::modeIsPolymorphic):
      (JSC::DFG::polymorphicIncludesContiguous):
      (JSC::DFG::polymorphicIncludesArrayStorage):
      (JSC::DFG::canCSEStorage):
      (JSC::DFG::modeSupportsLength):
      (JSC::DFG::benefitsFromStructureCheck):
      (JSC::DFG::isEffectful):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getArrayLengthElimination):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      (JSC::DFG::FixupPhase::blessArrayOperation):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
      (DFG):
      * dfg/DFGSpeculativeJIT.h:
      (DFG):
      (JSC::DFG::SpeculativeJIT::callOperation):
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::putByValWillNeedExtraRegister):
      (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal):
      (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
      (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal):
      (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
      (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal):
      (JSC::DFG::SpeculativeJIT::compile):
      * interpreter/Interpreter.cpp:
      (SamplingScope):
      (JSC::SamplingScope::SamplingScope):
      (JSC::SamplingScope::~SamplingScope):
      (JSC):
      (JSC::Interpreter::execute):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileSlowCases):
      (JSC::JIT::privateCompile):
      * jit/JIT.h:
      (JSC::ByValCompilationInfo::ByValCompilationInfo):
      (ByValCompilationInfo):
      (JSC):
      (JIT):
      (JSC::JIT::compileGetByVal):
      (JSC::JIT::compilePutByVal):
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateJSArray):
      (JSC::JIT::emitArrayProfileStoreToHoleSpecialCase):
      (JSC):
      (JSC::arrayProfileSaw):
      (JSC::JIT::chooseArrayMode):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emitSlow_op_get_argument_by_val):
      (JSC::JIT::emit_op_new_array):
      (JSC::JIT::emitSlow_op_new_array):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emitSlow_op_get_argument_by_val):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC):
      (JSC::JIT::emitContiguousGetByVal):
      (JSC::JIT::emitArrayStorageGetByVal):
      (JSC::JIT::emitSlow_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::emitContiguousPutByVal):
      (JSC::JIT::emitArrayStoragePutByVal):
      (JSC::JIT::emitSlow_op_put_by_val):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      (JSC::JIT::privateCompileGetByVal):
      (JSC::JIT::privateCompilePutByVal):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC):
      (JSC::JIT::emitContiguousGetByVal):
      (JSC::JIT::emitArrayStorageGetByVal):
      (JSC::JIT::emitSlow_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::emitContiguousPutByVal):
      (JSC::JIT::emitArrayStoragePutByVal):
      (JSC::JIT::emitSlow_op_put_by_val):
      * jit/JITStubs.cpp:
      (JSC::getByVal):
      (JSC):
      (JSC::DEFINE_STUB_FUNCTION):
      (JSC::putByVal):
      * jit/JITStubs.h:
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/ArrayConventions.h:
      (JSC::isDenseEnoughForVector):
      * runtime/ArrayPrototype.cpp:
      (JSC):
      (JSC::shift):
      (JSC::unshift):
      (JSC::arrayProtoFuncPush):
      (JSC::arrayProtoFuncShift):
      (JSC::arrayProtoFuncSplice):
      (JSC::arrayProtoFuncUnShift):
      * runtime/Butterfly.h:
      (Butterfly):
      (JSC::Butterfly::fromPointer):
      (JSC::Butterfly::pointer):
      (JSC::Butterfly::publicLength):
      (JSC::Butterfly::vectorLength):
      (JSC::Butterfly::setPublicLength):
      (JSC::Butterfly::setVectorLength):
      (JSC::Butterfly::contiguous):
      (JSC::Butterfly::fromContiguous):
      * runtime/ButterflyInlineMethods.h:
      (JSC::Butterfly::unshift):
      (JSC::Butterfly::shift):
      * runtime/IndexingHeaderInlineMethods.h:
      (JSC::IndexingHeader::indexingPayloadSizeInBytes):
      * runtime/IndexingType.cpp: Added.
      (JSC):
      (JSC::indexingTypeToString):
      * runtime/IndexingType.h:
      (JSC):
      (JSC::hasContiguous):
      * runtime/JSArray.cpp:
      (JSC::JSArray::setLengthWithArrayStorage):
      (JSC::JSArray::setLength):
      (JSC):
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::shiftCountWithArrayStorage):
      (JSC::JSArray::shiftCountWithAnyIndexingType):
      (JSC::JSArray::unshiftCountWithArrayStorage):
      (JSC::JSArray::unshiftCountWithAnyIndexingType):
      (JSC::JSArray::sortNumericVector):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sortCompactedVector):
      (JSC::JSArray::sort):
      (JSC::JSArray::sortVector):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      (JSC::JSArray::compactForSorting):
      * runtime/JSArray.h:
      (JSC::JSArray::shiftCountForShift):
      (JSC::JSArray::shiftCountForSplice):
      (JSArray):
      (JSC::JSArray::shiftCount):
      (JSC::JSArray::unshiftCountForShift):
      (JSC::JSArray::unshiftCountForSplice):
      (JSC::JSArray::unshiftCount):
      (JSC::JSArray::isLengthWritable):
      (JSC::createContiguousArrayButterfly):
      (JSC):
      (JSC::JSArray::create):
      (JSC::JSArray::tryCreateUninitialized):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      (JSC):
      (JSC::JSGlobalObject::haveABadTime):
      (JSC::JSGlobalObject::visitChildren):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::arrayStructureWithArrayStorage):
      (JSC::JSGlobalObject::addressOfArrayStructureWithArrayStorage):
      (JSC::constructEmptyArray):
      * runtime/JSObject.cpp:
      (JSC::JSObject::visitButterfly):
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::enterDictionaryIndexingMode):
      (JSC::JSObject::createInitialContiguous):
      (JSC):
      (JSC::JSObject::createArrayStorage):
      (JSC::JSObject::convertContiguousToArrayStorage):
      (JSC::JSObject::ensureContiguousSlow):
      (JSC::JSObject::ensureArrayStorageSlow):
      (JSC::JSObject::ensureIndexedStorageSlow):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::switchToSlowPutArrayStorage):
      (JSC::JSObject::setPrototype):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::defineOwnIndexedProperty):
      (JSC::JSObject::putByIndexBeyondVectorLengthContiguousWithoutAttributes):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::countElementsInContiguous):
      (JSC::JSObject::increaseVectorLength):
      (JSC::JSObject::ensureContiguousLengthSlow):
      (JSC::JSObject::getOwnPropertyDescriptor):
      * runtime/JSObject.h:
      (JSC::JSObject::getArrayLength):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::tryGetIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::canSetIndexQuicklyForPutDirect):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::hasSparseMap):
      (JSC::JSObject::inSparseIndexingMode):
      (JSObject):
      (JSC::JSObject::ensureContiguous):
      (JSC::JSObject::ensureIndexedStorage):
      (JSC::JSObject::ensureContiguousLength):
      (JSC::JSObject::indexingData):
      (JSC::JSObject::relevantLength):
      * runtime/JSValue.cpp:
      (JSC::JSValue::description):
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      * runtime/Structure.cpp:
      (JSC::Structure::needsSlowPutIndexing):
      (JSC):
      (JSC::Structure::suggestedArrayStorageTransition):
      * runtime/Structure.h:
      (Structure):
      * runtime/StructureTransitionTable.h:
      (JSC::newIndexingType):
      
      Source/WTF: 
      
      Moved out this helpful math utility to MathExtras, since we now use it in
      multiple places.
      
      * wtf/MathExtras.h:
      (timesThreePlusOneDividedByTwo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@130826 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0e9910a8
    • mark.lam@apple.com's avatar
      Renamed RegisterFile to JSStack, and removed prototype of the · 4fbb9c33
      mark.lam@apple.com authored
      previously deleted Interpreter::privateExecute().
      https://bugs.webkit.org/show_bug.cgi?id=98717.
      
      Reviewed by Filip Pizlo.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.order:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/BytecodeConventions.h:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::nameForRegister):
      * bytecode/CodeBlock.h:
      (CodeBlock):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::alreadyInJSStack):
      (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt32):
      (JSC::ValueRecovery::alreadyInJSStackAsUnboxedCell):
      (JSC::ValueRecovery::alreadyInJSStackAsUnboxedBoolean):
      (JSC::ValueRecovery::alreadyInJSStackAsUnboxedDouble):
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::isAlreadyInJSStack):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dump):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::resolveCallee):
      (JSC::BytecodeGenerator::emitCall):
      (JSC::BytecodeGenerator::emitConstruct):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::BytecodeGenerator::registerFor):
      * dfg/DFGAbstractState.h:
      (AbstractState):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
      (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader):
      (JSC::DFG::AssemblyHelpers::emitPutImmediateToCallFrameHeader):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getDirect):
      (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
      (JSC::DFG::ByteCodeParser::addCall):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGGenerationInfo.h:
      (GenerationInfo):
      (JSC::DFG::GenerationInfo::needsSpill):
      * dfg/DFGGraph.h:
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::compileEntry):
      (JSC::DFG::JITCompiler::compileFunction):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::beginCall):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryBuildGetByIDList):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::spill):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::emitCall):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillInteger):
      (JSC::DFG::SpeculativeJIT::emitCall):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGThunks.cpp:
      (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
      (JSC::DFG::slowPathFor):
      (JSC::DFG::virtualForThunkGenerator):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::dataFormatToValueSourceKind):
      (JSC::DFG::valueSourceKindToDataFormat):
      (JSC::DFG::isInJSStack):
      (JSC::DFG::ValueSource::forSpeculation):
      (JSC::DFG::ValueSource::isInJSStack):
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableEventStream.cpp:
      (JSC::DFG::VariableEventStream::reconstruct):
      * heap/Heap.cpp:
      (JSC::Heap::stack):
      (JSC::Heap::getConservativeRegisterRoots):
      (JSC::Heap::markRoots):
      * heap/Heap.h:
      (JSC):
      (Heap):
      * interpreter/CallFrame.cpp:
      (JSC::CallFrame::stack):
      * interpreter/CallFrame.h:
      (JSC::ExecState::calleeAsValue):
      (JSC::ExecState::callee):
      (JSC::ExecState::codeBlock):
      (JSC::ExecState::scope):
      (JSC::ExecState::callerFrame):
      (JSC::ExecState::returnPC):
      (JSC::ExecState::hasReturnPC):
      (JSC::ExecState::clearReturnPC):
      (JSC::ExecState::bytecodeOffsetForNonDFGCode):
      (JSC::ExecState::setBytecodeOffsetForNonDFGCode):
      (JSC::ExecState::inlineCallFrame):
      (JSC::ExecState::codeOriginIndexForDFG):
      (JSC::ExecState::currentVPC):
      (JSC::ExecState::setCurrentVPC):
      (JSC::ExecState::setCallerFrame):
      (JSC::ExecState::setScope):
      (JSC::ExecState::init):
      (JSC::ExecState::argumentCountIncludingThis):
      (JSC::ExecState::offsetFor):
      (JSC::ExecState::setArgumentCountIncludingThis):
      (JSC::ExecState::setCallee):
      (JSC::ExecState::setCodeBlock):
      (JSC::ExecState::setReturnPC):
      (JSC::ExecState::setInlineCallFrame):
      (ExecState):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::slideRegisterWindowForCall):
      (JSC::eval):
      (JSC::loadVarargs):
      (JSC::Interpreter::dumpRegisters):
      (JSC::Interpreter::throwException):
      (JSC::Interpreter::execute):
      (JSC::Interpreter::executeCall):
      (JSC::Interpreter::executeConstruct):
      (JSC::Interpreter::prepareForRepeatCall):
      (JSC::Interpreter::endRepeatCall):
      * interpreter/Interpreter.h:
      (JSC::Interpreter::stack):
      (Interpreter):
      (JSC::Interpreter::execute):
      (JSC):
      * interpreter/JSStack.cpp: Copied from Source/JavaScriptCore/interpreter/RegisterFile.cpp.
      (JSC::stackStatisticsMutex):
      (JSC::JSStack::~JSStack):
      (JSC::JSStack::growSlowCase):
      (JSC::JSStack::gatherConservativeRoots):
      (JSC::JSStack::releaseExcessCapacity):
      (JSC::JSStack::initializeThreading):
      (JSC::JSStack::committedByteCount):
      (JSC::JSStack::addToCommittedByteCount):
      * interpreter/JSStack.h: Copied from Source/JavaScriptCore/interpreter/RegisterFile.h.
      (JSStack):
      (JSC::JSStack::JSStack):
      (JSC::JSStack::shrink):
      (JSC::JSStack::grow):
      * interpreter/RegisterFile.cpp: Removed.
      * interpreter/RegisterFile.h: Removed.
      * interpreter/VMInspector.cpp:
      (JSC::VMInspector::dumpFrame):
      * jit/JIT.cpp:
      (JSC::JIT::JIT):
      (JSC::JIT::privateCompile):
      * jit/JIT.h:
      (JSC):
      (JIT):
      * jit/JITCall.cpp:
      (JSC::JIT::compileLoadVarargs):
      (JSC::JIT::compileCallEval):
      (JSC::JIT::compileCallEvalSlowCase):
      (JSC::JIT::compileOpCall):
      * jit/JITCall32_64.cpp:
      (JSC::JIT::emit_op_ret):
      (JSC::JIT::emit_op_ret_object_or_this):
      (JSC::JIT::compileLoadVarargs):
      (JSC::JIT::compileCallEval):
      (JSC::JIT::compileCallEvalSlowCase):
      (JSC::JIT::compileOpCall):
      * jit/JITCode.h:
      (JSC):
      (JSC::JITCode::execute):
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitPutToCallFrameHeader):
      (JSC::JIT::emitPutCellToCallFrameHeader):
      (JSC::JIT::emitPutIntToCallFrameHeader):
      (JSC::JIT::emitPutImmediateToCallFrameHeader):
      (JSC::JIT::emitGetFromCallFrameHeaderPtr):
      (JSC::JIT::emitGetFromCallFrameHeader32):
      (JSC::JIT::updateTopCallFrame):
      (JSC::JIT::unmap):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::privateCompileCTIMachineTrampolines):
      (JSC::JIT::privateCompileCTINativeCall):
      (JSC::JIT::emit_op_end):
      (JSC::JIT::emit_op_ret):
      (JSC::JIT::emit_op_ret_object_or_this):
      (JSC::JIT::emit_op_create_this):
      (JSC::JIT::emit_op_get_arguments_length):
      (JSC::JIT::emit_op_get_argument_by_val):
      (JSC::JIT::emit_op_resolve_global_dynamic):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::privateCompileCTIMachineTrampolines):
      (JSC::JIT::privateCompileCTINativeCall):
      (JSC::JIT::emit_op_end):
      (JSC::JIT::emit_op_create_this):
      (JSC::JIT::emit_op_get_arguments_length):
      (JSC::JIT::emit_op_get_argument_by_val):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_scoped_var):
      (JSC::JIT::emit_op_put_scoped_var):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_scoped_var):
      (JSC::JIT::emit_op_put_scoped_var):
      * jit/JITStubs.cpp:
      (JSC::ctiTrampoline):
      (JSC::JITThunks::JITThunks):
      (JSC):
      (JSC::DEFINE_STUB_FUNCTION):
      * jit/JITStubs.h:
      (JSC):
      (JITStackFrame):
      * jit/JSInterfaceJIT.h:
      * jit/SpecializedThunkJIT.h:
      (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
      (JSC::SpecializedThunkJIT::returnJSValue):
      (JSC::SpecializedThunkJIT::returnDouble):
      (JSC::SpecializedThunkJIT::returnInt32):
      (JSC::SpecializedThunkJIT::returnJSCell):
      * llint/LLIntData.cpp:
      (JSC::LLInt::Data::performAssertions):
      * llint/LLIntOffsetsExtractor.cpp:
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      (JSC::LLInt::genericCall):
      * llint/LLIntSlowPaths.h:
      (LLInt):
      * llint/LowLevelInterpreter.asm:
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/CommonSlowPaths.h:
      (JSC::CommonSlowPaths::arityCheckFor):
      * runtime/InitializeThreading.cpp:
      (JSC::initializeThreadingOnce):
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::visitChildren):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::globalExec):
      * runtime/JSGlobalObject.h:
      (JSC):
      (JSGlobalObject):
      * runtime/JSLock.cpp:
      (JSC):
      * runtime/JSVariableObject.h:
      (JSVariableObject):
      * runtime/MemoryStatistics.cpp:
      (JSC::globalMemoryStatistics):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@130726 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4fbb9c33
  16. 24 Sep, 2012 1 commit
  17. 21 Sep, 2012 2 commits
    • barraclough@apple.com's avatar
      Eeeep - broke early boyer in bug#97382 · c1b7f46b
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97383
      
      Rubber stamped by Sam Weinig.
      
      missed a child3 -> child2!
      
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileInstanceOf):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129292 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c1b7f46b
    • barraclough@apple.com's avatar
      Remove redundant argument to op_instanceof · 094dbd98
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97382
      
      Reviewed by Geoff Garen.
      
      No longer needed after my last change.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitInstanceOf):
      * bytecompiler/BytecodeGenerator.h:
      (BytecodeGenerator):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::InstanceOfNode::emitBytecode):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileInstanceOf):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::privateExecute):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_instanceof):
      (JSC::JIT::emitSlow_op_instanceof):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_instanceof):
      (JSC::JIT::emitSlow_op_instanceof):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129287 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      094dbd98
  18. 18 Sep, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should not call out to C++ every time that it tries to put to an object... · 497c7515
      fpizlo@apple.com authored
      DFG should not call out to C++ every time that it tries to put to an object that doesn't yet have array storage
      https://bugs.webkit.org/show_bug.cgi?id=96983
      
      Reviewed by Oliver Hunt.
      
      Introduce more polymorphism into the DFG's array mode support. Use that to
      introduce the notion of effectul array modes, where the check for the mode
      will perform actions necessary to ensure that we have the mode we want, if
      the object is not already in that mode. Also added profiling support for
      checking if an object is of a type that would not allow us to create array
      storage (like a typed array or a string for example).
              
      This is a ~2x speed-up on loops that transform an object that did not have
      indexed storage into one that does.
      
      * JSCTypedArrayStubs.h:
      (JSC):
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::computeUpdatedPrediction):
      * bytecode/ArrayProfile.h:
      (JSC::ArrayProfile::ArrayProfile):
      (JSC::ArrayProfile::mayInterceptIndexedAccesses):
      (ArrayProfile):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (DFG):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::modeUsesButterfly):
      (JSC::DFG::isSlowPutAccess):
      (JSC::DFG::benefitsFromStructureCheck):
      (JSC::DFG::isEffectful):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasArrayMode):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      (DFG):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/Arguments.h:
      (Arguments):
      * runtime/JSNotAnObject.h:
      (JSNotAnObject):
      * runtime/JSObject.h:
      (JSObject):
      (JSC::JSObject::ensureArrayStorage):
      * runtime/JSString.h:
      (JSC::JSString::createStructure):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128957 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      497c7515
  19. 17 Sep, 2012 2 commits
    • ggaren@apple.com's avatar
      Refactored the arguments object so it doesn't dictate closure layout · af710d81
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96955
      
      Reviewed by Oliver Hunt.
      
      * bytecode/CodeBlock.h:
      (JSC::ExecState::argumentAfterCapture): Helper function for accessing an
      argument that has been moved for capture.
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator): Generate metadata for arguments
      that are captured. We don't move any arguments yet, but we do use this
      metadata to tell the arguments object if an argument is stored in the
      activation.
      
      * dfg/DFGOperations.cpp:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
      (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile): Updated for the arguments object not
      malloc'ing a separate backing store, and for a rename from deletedArguments
      to slowArguments.
      
      * interpreter/CallFrame.h:
      (ExecState):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::unwindCallFrame):
      (JSC::Interpreter::privateExecute):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL): Updated for small interface changes.
      
      * runtime/Arguments.cpp:
      (JSC::Arguments::visitChildren):
      (JSC::Arguments::copyToArguments):
      (JSC::Arguments::fillArgList):
      (JSC::Arguments::getOwnPropertySlotByIndex):
      (JSC::Arguments::createStrictModeCallerIfNecessary):
      (JSC::Arguments::createStrictModeCalleeIfNecessary):
      (JSC::Arguments::getOwnPropertySlot):
      (JSC::Arguments::getOwnPropertyDescriptor):
      (JSC::Arguments::getOwnPropertyNames):
      (JSC::Arguments::putByIndex):
      (JSC::Arguments::put):
      (JSC::Arguments::deletePropertyByIndex):
      (JSC::Arguments::deleteProperty):
      (JSC::Arguments::defineOwnProperty):
      (JSC::Arguments::tearOff): Moved all data inline into the object, for speed,
      and refactored all internal argument accesses to use helper functions, so
      we can change the implementation without changing lots of code.
      
      (JSC::Arguments::didTearOffActivation): This function needs to account
      for arguments that were moved by the activation object. We do this accounting
      through a side vector that tells us where our arguments will be in the
      activation.
      
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/Arguments.h:
      (Arguments):
      (JSC::Arguments::length):
      (JSC::Arguments::isTornOff):
      (JSC::Arguments::Arguments):
      (JSC::Arguments::allocateSlowArguments):
      (JSC::Arguments::tryDeleteArgument):
      (JSC::Arguments::trySetArgument):
      (JSC::Arguments::tryGetArgument):
      (JSC::Arguments::isDeletedArgument):
      (JSC::Arguments::isArgument):
      (JSC::Arguments::argument):
      (JSC::Arguments::finishCreation):
      
      * runtime/JSActivation.h:
      (JSC::JSActivation::create):
      (JSActivation):
      (JSC::JSActivation::captureStart):
      (JSC::JSActivation::storageSize):
      (JSC::JSActivation::registerOffset):
      (JSC::JSActivation::isValid): The activation object is no longer responsible
      for copying extra arguments provided by the caller. The argumnents object
      does this instead. This means we can allocate and initialize an activation
      without worrying about the call frame's argument count.
      
      * runtime/SymbolTable.h:
      (JSC::SlowArgument::SlowArgument):
      (SlowArgument):
      (JSC):
      (JSC::SharedSymbolTable::parameterCount):
      (SharedSymbolTable):
      (JSC::SharedSymbolTable::slowArguments):
      (JSC::SharedSymbolTable::setSlowArguments): Added data structures to back
      the algorithms above.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128832 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      af710d81
    • fpizlo@apple.com's avatar
      If a prototype has indexed setters and its instances have indexed storage,... · 1c4a32c9
      fpizlo@apple.com authored
      If a prototype has indexed setters and its instances have indexed storage, then all put_by_val's should have a bad time
      https://bugs.webkit.org/show_bug.cgi?id=96596
      
      Reviewed by Gavin Barraclough.
      
      Source/JavaScriptCore: 
      
      Added comprehensive support for accessors and read-only indexed properties on the
      prototype chain. This is done without any performance regression on benchmarks that
      we're aware of, by having the entire VM's strategy with respect to arrays tilted
      heavily in favor of:
              
      - The prototype chain of JSArrays never having any accessors or read-only indexed
        properties. If that changes, you're going to have a bad time.
              
      - Prototypes of non-JSArray objects either having no indexed accessors or read-only
        indexed properties, or, having those indexed accessor thingies inserted before
        any instance object (i.e. object with that prototype as its prototype) is created.
        If you add indexed accessors or read-only indexed properties to an object that is
        already used as a prototype, you're going to have a bad time.
              
      See below for the exact definition of having a bad time.
              
      Put another way, "fair" uses of indexed accessors and read-only indexed properties
      are:
              
      - Put indexed accessors and read-only indexed properties on an object that is never
        used as a prototype. This will slow down accesses to that object, but will not
        have any effect on any other object.
              
      - Put those indexed accessor thingies on an object before it is used as a prototype
        and then start instantiating objects that claim that object as their prototype.
        This will slightly slow down indexed stores to the instance objects, and greatly
        slow down all indexed accesses to the prototype, but will have no other effect.
              
      In short, "fair" uses only affect the object itself and any instance objects. But
      if you start using indexed accessors in more eclectic ways, you're going to have
      a bad time.
              
      Specifically, if an object that may be used as a prototype has an indexed accessor
      added, the VM performs a whole-heap scan to find all objects that belong to the
      same global object as the prototype you modified. If any of those objects has
      indexed storage, their indexed storage is put into slow-put mode, just as if their
      prototype chain had indexed accessors. This will happen even for objects that do
      not currently have indexed accessors in their prototype chain. As well, all JSArray
      allocations are caused to create arrays with slow-put storage, and all future
      allocations of indexed storage for non-JSArray objects are also flipped to slow-put
      mode. Note there are two aspects to having a bad time: (i) the whole-heap scan and
      (ii) the poisoning of all indexed storage in the entire global object. (i) is
      necessary for correctness. If we detect that an object that may be used as a
      prototype has had an indexed accessor or indexed read-only property inserted into
      it, then we need to ensure that henceforth all instances of that object inspect
      the prototype chain whenever an indexed hole is stored to. But by default, indexed
      stores do no such checking because doing so would be unnecessarily slow. So, we must
      find all instances of the affected object and flip them into a different array
      storage mode that omits all hole optimizations. Since prototypes never keep a list
      of instance objects, the only way to find those objects is a whole-heap scan. But
      (i) alone would be a potential disaster, if a program frequently allocated an
      object without indexed accessors, then allocated a bunch of objects that used that
      one as their prototype, and then added indexed accessors to the prototype. So, to
      prevent massive heap scan storms in such awkward programs, having a bad time also
      implies (ii): henceforth *all* objects belonging to that global object will use
      slow put indexed storage, so that we don't ever have to scan the heap again. Note
      that here we are using the global object as just an approximation of a program
      module; it may be worth investigating in the future if other approximations can be
      used instead.
      
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::arrayModeFromStructure):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::isSlowPutAccess):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JIT.h:
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateJSArray):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_new_array):
      * runtime/ArrayPrototype.cpp:
      (JSC::ArrayPrototype::finishCreation):
      (JSC::arrayProtoFuncSort):
      * runtime/IndexingType.h:
      (JSC):
      (JSC::hasIndexedProperties):
      (JSC::hasIndexingHeader):
      (JSC::hasArrayStorage):
      (JSC::shouldUseSlowPut):
      * runtime/JSArray.cpp:
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      * runtime/JSArray.h:
      (JSC::JSArray::createStructure):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::JSGlobalObject):
      (JSC::JSGlobalObject::reset):
      (JSC):
      (JSC::JSGlobalObject::haveABadTime):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::addressOfArrayStructure):
      (JSC::JSGlobalObject::havingABadTimeWatchpoint):
      (JSC::JSGlobalObject::isHavingABadTime):
      * runtime/JSObject.cpp:
      (JSC::JSObject::visitButterfly):
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::put):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::enterDictionaryIndexingMode):
      (JSC::JSObject::notifyPresenceOfIndexedAccessors):
      (JSC):
      (JSC::JSObject::createArrayStorage):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::switchToSlowPutArrayStorage):
      (JSC::JSObject::setPrototype):
      (JSC::JSObject::resetInheritorID):
      (JSC::JSObject::inheritorID):
      (JSC::JSObject::allowsAccessFrom):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::unwrappedGlobalObject):
      (JSC::JSObject::notifyUsedAsPrototype):
      (JSC::JSObject::createInheritorID):
      (JSC::JSObject::defineOwnIndexedProperty):
      (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
      (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::getOwnPropertyDescriptor):
      * runtime/JSObject.h:
      (JSC::JSObject::mayBeUsedAsPrototype):
      (JSObject):
      (JSC::JSObject::mayInterceptIndexedAccesses):
      (JSC::JSObject::getArrayLength):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::completeInitialization):
      (JSC::JSObject::inSparseIndexingMode):
      (JSC::JSObject::arrayStorage):
      (JSC::JSObject::arrayStorageOrNull):
      (JSC::JSObject::ensureArrayStorage):
      (JSC):
      (JSC::JSValue::putByIndex):
      * runtime/JSValue.cpp:
      (JSC::JSValue::putToPrimitive):
      (JSC::JSValue::putToPrimitiveByIndex):
      (JSC):
      * runtime/JSValue.h:
      (JSValue):
      * runtime/ObjectPrototype.cpp:
      (JSC::ObjectPrototype::finishCreation):
      * runtime/SparseArrayValueMap.cpp:
      (JSC::SparseArrayValueMap::putEntry):
      (JSC::SparseArrayEntry::put):
      (JSC):
      * runtime/SparseArrayValueMap.h:
      (JSC):
      (SparseArrayEntry):
      * runtime/Structure.cpp:
      (JSC::Structure::anyObjectInChainMayInterceptIndexedAccesses):
      (JSC):
      (JSC::Structure::suggestedIndexingTransition):
      * runtime/Structure.h:
      (Structure):
      (JSC::Structure::mayInterceptIndexedAccesses):
      * runtime/StructureTransitionTable.h:
      (JSC::newIndexingType):
      
      LayoutTests: 
      
      Removed failing expectation for primitive-property-access-edge-cases, and
      added more tests to cover the numerical-setter-on-prototype cases.
      
      * fast/js/array-bad-time-expected.txt: Added.
      * fast/js/array-bad-time.html: Added.
      * fast/js/array-slow-put-expected.txt: Added.
      * fast/js/array-slow-put.html: Added.
      * fast/js/cross-frame-bad-time-expected.txt: Added.
      * fast/js/cross-frame-bad-time.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/object-bad-time-expected.txt: Added.
      * fast/js/object-bad-time.html: Added.
      * fast/js/object-slow-put-expected.txt: Added.
      * fast/js/object-slow-put.html: Added.
      * fast/js/script-tests/array-bad-time.js: Added.
      * fast/js/script-tests/array-slow-put.js: Added.
      (foo):
      * fast/js/script-tests/cross-frame-bad-time.js: Added.
      (foo):
      * fast/js/script-tests/object-bad-time.js: Added.
      (Cons):
      * fast/js/script-tests/object-slow-put.js: Added.
      (Cons):
      (foo):
      * platform/mac/fast/js/primitive-property-access-edge-cases-expected.txt: Removed.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128802 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1c4a32c9
  20. 13 Sep, 2012 2 commits
    • ggaren@apple.com's avatar
      Refactored the DFG to make fewer assumptions about variable capture · 81c360ed
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96680
      
      Reviewed by Gavin Barraclough.
      
      A variable capture optimization patch I'm working on broke DFG
      correctness and the arguments simplification optimization phase, so I've
      refactored both to make fewer assumptions about variable capture.
      
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::isCaptured): This is the new One True Way to find out
      if a variable was captured. This gives us a single point of maintenance
      as we chagne capture behavior.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::clobberCapturedVars): Don't assume that captured
      variables have any particular location. Instead, ask the One True Function.
      
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
      (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize): Mechanical
      changes to separate being captured from being 'arguments'. What used
      to be
              if (captured)
                      if (arguments)
                              x
                      y
      is now
              if (arguments)
                      x
                      y
              else if (captured)
                      y
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::setLocal):
      (JSC::DFG::ByteCodeParser::getArgument):
      (JSC::DFG::ByteCodeParser::setArgument):
      (JSC::DFG::ByteCodeParser::flushDirect):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compile): Use the One True Function.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128544 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      81c360ed
    • fpizlo@apple.com's avatar
      Testing whether indexing type is ArrayWithArrayStorage should not compare... · 6f88333e
      fpizlo@apple.com authored
      Testing whether indexing type is ArrayWithArrayStorage should not compare against ArrayWithArrayStorage
      https://bugs.webkit.org/show_bug.cgi?id=96611
      
      Reviewed by Gavin Barraclough.
      
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128425 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6f88333e
  21. 12 Sep, 2012 1 commit
    • fpizlo@apple.com's avatar
      JSC should have property butterflies · d8dd0535
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=91933
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      This changes the JSC object model. Previously, all objects had fast lookup for
      named properties. Integer indexed properties were only fast if you used a
      JSArray. With this change, all objects have fast indexed properties. This is
      accomplished without any space overhead by using a bidirectional object layout,
      aka butterflies. Each JSObject has a m_butterfly pointer where previously it
      had a m_outOfLineStorage pointer. To the left of the location pointed to by
      m_butterfly, we place all named out-of-line properties. To the right, we place
      all indexed properties along with indexing meta-data. Though, some indexing
      meta-data is placed in the 8-byte word immediately left of the pointed-to
      location; this is in anticipation of the indexing meta-data being small enough
      in the common case that m_butterfly always points to the first indexed
      property.
              
      This is performance neutral, except on tests that use indexed properties on
      plain objects, where the speed-up is in excess of an order of magnitude.
              
      One notable aspect of what this change brings is that it allows indexing
      storage to morph over time. Currently this is only used to allow all non-array
      objects to start out without any indexed storage. But it could be used for
      some kinds of array type inference in the future.
      
      * API/JSCallbackObject.h:
      (JSCallbackObject):
      * API/JSCallbackObjectFunctions.h:
      (JSC::::getOwnPropertySlotByIndex):
      (JSC):
      (JSC::::getOwnNonIndexPropertyNames):
      * API/JSObjectRef.cpp:
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::arrayModeFromStructure):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitDirectPutById):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGAdjacencyList.h:
      (JSC::DFG::AdjacencyList::AdjacencyList):
      (AdjacencyList):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::modeUsesButterfly):
      (JSC::DFG::modeIsJSArray):
      (JSC::DFG::isInBoundsAccess):
      (JSC::DFG::modeSupportsLength):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::addNode):
      (FixupPhase):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::Node):
      (Node):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      (JSC::DFG::putByVal):
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::generateProtoChainAccessStub):
      (JSC::DFG::tryCacheGetByID):
      (JSC::DFG::tryBuildGetByIDList):
      (JSC::DFG::emitPutReplaceStub):
      (JSC::DFG::emitPutTransitionStub):
      (JSC::DFG::tryBuildPutByIdList):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * heap/CopiedSpace.h:
      (CopiedSpace):
      * jit/JIT.h:
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject):
      (JSC::JIT::emitAllocateBasicStorage):
      (JSC::JIT::emitAllocateJSArray):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_new_array):
      (JSC::JIT::emitSlow_op_new_array):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::compileGetDirectOffset):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      (JSC::JIT::compilePutDirectOffset):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      (JSC::JIT::compilePutDirectOffset):
      (JSC::JIT::compileGetDirectOffset):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jsc.cpp:
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/Arguments.cpp:
      (JSC::Arguments::deletePropertyByIndex):
      (JSC::Arguments::defineOwnProperty):
      * runtime/ArrayConstructor.cpp:
      * runtime/ArrayConventions.h: Added.
      (JSC):
      (JSC::isDenseEnoughForVector):
      (JSC::indexingHeaderForArray):
      (JSC::baseIndexingHeaderForArray):
      * runtime/ArrayPrototype.cpp:
      (JSC::ArrayPrototype::create):
      (JSC):
      (JSC::ArrayPrototype::ArrayPrototype):
      (JSC::arrayProtoFuncToString):
      (JSC::arrayProtoFuncJoin):
      (JSC::arrayProtoFuncSort):
      (JSC::arrayProtoFuncFilter):
      (JSC::arrayProtoFuncMap):
      (JSC::arrayProtoFuncEvery):
      (JSC::arrayProtoFuncForEach):
      (JSC::arrayProtoFuncSome):
      (JSC::arrayProtoFuncReduce):
      (JSC::arrayProtoFuncReduceRight):
      * runtime/ArrayPrototype.h:
      (ArrayPrototype):
      (JSC::ArrayPrototype::createStructure):
      * runtime/ArrayStorage.h: Added.
      (JSC):
      (ArrayStorage):
      (JSC::ArrayStorage::ArrayStorage):
      (JSC::ArrayStorage::from):
      (JSC::ArrayStorage::butterfly):
      (JSC::ArrayStorage::indexingHeader):
      (JSC::ArrayStorage::length):
      (JSC::ArrayStorage::setLength):
      (JSC::ArrayStorage::vectorLength):
      (JSC::ArrayStorage::setVectorLength):
      (JSC::ArrayStorage::copyHeaderFromDuringGC):
      (JSC::ArrayStorage::inSparseMode):
      (JSC::ArrayStorage::lengthOffset):
      (JSC::ArrayStorage::vectorLengthOffset):
      (JSC::ArrayStorage::numValuesInVectorOffset):
      (JSC::ArrayStorage::vectorOffset):
      (JSC::ArrayStorage::indexBiasOffset):
      (JSC::ArrayStorage::sparseMapOffset):
      (JSC::ArrayStorage::sizeFor):
      * runtime/Butterfly.h: Added.
      (JSC):
      (Butterfly):
      (JSC::Butterfly::Butterfly):
      (JSC::Butterfly::totalSize):
      (JSC::Butterfly::fromBase):
      (JSC::Butterfly::offsetOfIndexingHeader):
      (JSC::Butterfly::offsetOfPublicLength):
      (JSC::Butterfly::offsetOfVectorLength):
      (JSC::Butterfly::indexingHeader):
      (JSC::Butterfly::propertyStorage):
      (JSC::Butterfly::indexingPayload):
      (JSC::Butterfly::arrayStorage):
      (JSC::Butterfly::offsetOfPropertyStorage):
      (JSC::Butterfly::indexOfPropertyStorage):
      (JSC::Butterfly::base):
      * runtime/ButterflyInlineMethods.h: Added.
      (JSC):
      (JSC::Butterfly::createUninitialized):
      (JSC::Butterfly::create):
      (JSC::Butterfly::createUninitializedDuringCollection):
      (JSC::Butterfly::base):
      (JSC::Butterfly::growPropertyStorage):
      (JSC::Butterfly::growArrayRight):
      (JSC::Butterfly::resizeArray):
      (JSC::Butterfly::unshift):
      (JSC::Butterfly::shift):
      * runtime/ClassInfo.h:
      (MethodTable):
      (JSC):
      * runtime/IndexingHeader.h: Added.
      (JSC):
      (IndexingHeader):
      (JSC::IndexingHeader::offsetOfIndexingHeader):
      (JSC::IndexingHeader::offsetOfPublicLength):
      (JSC::IndexingHeader::offsetOfVectorLength):
      (JSC::IndexingHeader::IndexingHeader):
      (JSC::IndexingHeader::vectorLength):
      (JSC::IndexingHeader::setVectorLength):
      (JSC::IndexingHeader::publicLength):
      (JSC::IndexingHeader::setPublicLength):
      (JSC::IndexingHeader::from):
      (JSC::IndexingHeader::fromEndOf):
      (JSC::IndexingHeader::propertyStorage):
      (JSC::IndexingHeader::arrayStorage):
      (JSC::IndexingHeader::butterfly):
      * runtime/IndexingHeaderInlineMethods.h: Added.
      (JSC):
      (JSC::IndexingHeader::preCapacity):
      (JSC::IndexingHeader::indexingPayloadSizeInBytes):
      * runtime/IndexingType.h: Added.
      (JSC):
      (JSC::hasIndexingHeader):
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::JSActivation):
      (JSC::JSActivation::visitChildren):
      (JSC::JSActivation::getOwnNonIndexPropertyNames):
      * runtime/JSActivation.h:
      (JSActivation):
      (JSC::JSActivation::tearOff):
      * runtime/JSArray.cpp:
      (JSC):
      (JSC::createArrayButterflyInDictionaryIndexingMode):
      (JSC::JSArray::setLengthWritable):
      (JSC::JSArray::defineOwnProperty):
      (JSC::JSArray::getOwnPropertySlot):
      (JSC::JSArray::getOwnPropertyDescriptor):
      (JSC::JSArray::put):
      (JSC::JSArray::deleteProperty):
      (JSC::JSArray::getOwnNonIndexPropertyNames):
      (JSC::JSArray::unshiftCountSlowCase):
      (JSC::JSArray::setLength):
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::shiftCount):
      (JSC::JSArray::unshiftCount):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sort):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      (JSC::JSArray::compactForSorting):
      * runtime/JSArray.h:
      (JSC):
      (JSArray):
      (JSC::JSArray::JSArray):
      (JSC::JSArray::length):
      (JSC::JSArray::createStructure):
      (JSC::JSArray::isLengthWritable):
      (JSC::createArrayButterfly):
      (JSC::JSArray::create):
      (JSC::JSArray::tryCreateUninitialized):
      * runtime/JSBoundFunction.cpp:
      (JSC::boundFunctionCall):
      (JSC::boundFunctionConstruct):
      (JSC::JSBoundFunction::finishCreation):
      * runtime/JSCell.cpp:
      (JSC::JSCell::getOwnNonIndexPropertyNames):
      (JSC):
      * runtime/JSCell.h:
      (JSCell):
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::getOwnPropertySlot):
      (JSC::JSFunction::getOwnPropertyDescriptor):
      (JSC::JSFunction::getOwnNonIndexPropertyNames):
      (JSC::JSFunction::defineOwnProperty):
      * runtime/JSFunction.h:
      (JSFunction):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSGlobalData):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      * runtime/JSONObject.cpp:
      (JSC::Stringifier::Holder::appendNextProperty):
      (JSC::Walker::walk):
      * runtime/JSObject.cpp:
      (JSC):
      (JSC::JSObject::visitButterfly):
      (JSC::JSObject::visitChildren):
      (JSC::JSFinalObject::visitChildren):
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::put):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
      (JSC::JSObject::enterDictionaryIndexingMode):
      (JSC::JSObject::createArrayStorage):
      (JSC::JSObject::createInitialArrayStorage):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::putDirectAccessor):
      (JSC::JSObject::deleteProperty):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::getOwnNonIndexPropertyNames):
      (JSC::JSObject::preventExtensions):
      (JSC::JSObject::fillGetterPropertySlot):
      (JSC::JSObject::putIndexedDescriptor):
      (JSC::JSObject::defineOwnIndexedProperty):
      (JSC::JSObject::allocateSparseIndexMap):
      (JSC::JSObject::deallocateSparseIndexMap):
      (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::increaseVectorLength):
      (JSC::JSObject::checkIndexingConsistency):
      (JSC::JSObject::growOutOfLineStorage):
      (JSC::JSObject::getOwnPropertyDescriptor):
      (JSC::putDescriptor):
      (JSC::JSObject::putDirectMayBeIndex):
      (JSC::JSObject::defineOwnNonIndexProperty):
      (JSC::JSObject::defineOwnProperty):
      (JSC::JSObject::getOwnPropertySlotSlow):
      * runtime/JSObject.h:
      (JSC::JSObject::getArrayLength):
      (JSObject):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::putDirectIndex):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::completeInitialization):
      (JSC::JSObject::inSparseIndexingMode):
      (JSC::JSObject::butterfly):
      (JSC::JSObject::outOfLineStorage):
      (JSC::JSObject::offsetForLocation):
      (JSC::JSObject::indexingShouldBeSparse):
      (JSC::JSObject::butterflyOffset):
      (JSC::JSObject::butterflyAddress):
      (JSC::JSObject::arrayStorage):
      (JSC::JSObject::arrayStorageOrZero):
      (JSC::JSObject::ensureArrayStorage):
      (JSC::JSObject::checkIndexingConsistency):
      (JSC::JSNonFinalObject::JSNonFinalObject):
      (JSC):
      (JSC::JSObject::setButterfly):
      (JSC::JSObject::setButterflyWithoutChangingStructure):
      (JSC::JSObject::JSObject):
      (JSC::JSObject::inlineGetOwnPropertySlot):
      (JSC::JSObject::putDirectInternal):
      (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
      (JSC::JSObject::putDirectWithoutTransition):
      (JSC::offsetInButterfly):
      (JSC::offsetRelativeToPatchedStorage):
      (JSC::indexRelativeToBase):
      (JSC::offsetRelativeToBase):
      * runtime/JSPropertyNameIterator.cpp:
      (JSC::JSPropertyNameIterator::create):
      * runtime/JSSymbolTableObject.cpp:
      (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
      * runtime/JSSymbolTableObject.h:
      (JSSymbolTableObject):
      * runtime/JSTypeInfo.h:
      (JSC):
      (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
      (JSC::TypeInfo::overridesGetPropertyNames):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      * runtime/ObjectConstructor.cpp:
      * runtime/ObjectPrototype.cpp:
      (JSC::ObjectPrototype::ObjectPrototype):
      (JSC):
      * runtime/ObjectPrototype.h:
      (ObjectPrototype):
      * runtime/PropertyOffset.h:
      (JSC::offsetInOutOfLineStorage):
      * runtime/PropertyStorage.h: Added.
      (JSC):
      * runtime/PutDirectIndexMode.h: Added.
      (JSC):
      * runtime/RegExpMatchesArray.cpp:
      (JSC::RegExpMatchesArray::RegExpMatchesArray):
      (JSC):
      (JSC::RegExpMatchesArray::create):
      (JSC::RegExpMatchesArray::finishCreation):
      * runtime/RegExpMatchesArray.h:
      (RegExpMatchesArray):
      (JSC::RegExpMatchesArray::createStructure):
      * runtime/RegExpObject.cpp:
      (JSC::RegExpObject::getOwnNonIndexPropertyNames):
      * runtime/RegExpObject.h:
      (RegExpObject):
      * runtime/Reject.h: Added.
      (JSC):
      (JSC::reject):
      * runtime/SparseArrayValueMap.cpp: Added.
      (JSC):
      * runtime/SparseArrayValueMap.h: Added.
      (JSC):
      (SparseArrayEntry):
      (JSC::SparseArrayEntry::SparseArrayEntry):
      (SparseArrayValueMap):
      (JSC::SparseArrayValueMap::sparseMode):
      (JSC::SparseArrayValueMap::setSparseMode):
      (JSC::SparseArrayValueMap::lengthIsReadOnly):
      (JSC::SparseArrayValueMap::setLengthIsReadOnly):
      (JSC::SparseArrayValueMap::find):
      (JSC::SparseArrayValueMap::remove):
      (JSC::SparseArrayValueMap::notFound):
      (JSC::SparseArrayValueMap::isEmpty):
      (JSC::SparseArrayValueMap::contains):
      (JSC::SparseArrayValueMap::size):
      (JSC::SparseArrayValueMap::begin):
      (JSC::SparseArrayValueMap::end):
      * runtime/SparseArrayValueMapInlineMethods.h: Added.
      (JSC):
      (JSC::SparseArrayValueMap::SparseArrayValueMap):
      (JSC::SparseArrayValueMap::~SparseArrayValueMap):
      (JSC::SparseArrayValueMap::finishCreation):
      (JSC::SparseArrayValueMap::create):
      (JSC::SparseArrayValueMap::destroy):
      (JSC::SparseArrayValueMap::createStructure):
      (JSC::SparseArrayValueMap::add):
      (JSC::SparseArrayValueMap::putEntry):
      (JSC::SparseArrayValueMap::putDirect):
      (JSC::SparseArrayEntry::get):
      (JSC::SparseArrayEntry::getNonSparseMode):
      (JSC::SparseArrayValueMap::visitChildren):
      * runtime/StorageBarrier.h: Removed.
      * runtime/StringObject.cpp:
      (JSC::StringObject::putByIndex):
      (JSC):
      (JSC::StringObject::deletePropertyByIndex):
      * runtime/StringObject.h:
      (StringObject):
      * runtime/StringPrototype.cpp:
      * runtime/Structure.cpp:
      (JSC::Structure::Structure):
      (JSC::Structure::materializePropertyMap):
      (JSC::Structure::nonPropertyTransition):
      (JSC):
      * runtime/Structure.h:
      (Structure):
      (JSC::Structure::indexingType):
      (JSC::Structure::indexingTypeIncludingHistory):
      (JSC::Structure::indexingTypeOffset):
      (JSC::Structure::create):
      * runtime/StructureTransitionTable.h:
      (JSC):
      (JSC::toAttributes):
      (JSC::newIndexingType):
      (JSC::StructureTransitionTable::Hash::hash):
      * tests/mozilla/js1_6/Array/regress-304828.js:
      
      Source/WebCore: 
      
      Teach the DOM that to intercept get/put on indexed properties, you now have
      to override getOwnPropertySlotByIndex and putByIndex.
      
      No new tests because no new behavior. One test was rebased because indexed
      property iteration order now matches other engines (indexed properties always
      come first).
      
      * bindings/js/ArrayValue.cpp:
      (WebCore::ArrayValue::get):
      * bindings/js/JSBlobCustom.cpp:
      (WebCore::JSBlobConstructor::constructJSBlob):
      * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
      (WebCore::JSCanvasRenderingContext2D::setWebkitLineDash):
      * bindings/js/JSDOMStringListCustom.cpp:
      (WebCore::toDOMStringList):
      * bindings/js/JSDOMStringMapCustom.cpp:
      (WebCore::JSDOMStringMap::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSDOMWindowCustom.cpp:
      (WebCore::JSDOMWindow::getOwnPropertySlot):
      (WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
      (WebCore):
      (WebCore::JSDOMWindow::putByIndex):
      (WebCore::JSDOMWindow::deletePropertyByIndex):
      * bindings/js/JSDOMWindowShell.cpp:
      (WebCore::JSDOMWindowShell::getOwnPropertySlotByIndex):
      (WebCore):
      (WebCore::JSDOMWindowShell::putByIndex):
      (WebCore::JSDOMWindowShell::deletePropertyByIndex):
      * bindings/js/JSDOMWindowShell.h:
      (JSDOMWindowShell):
      * bindings/js/JSHistoryCustom.cpp:
      (WebCore::JSHistory::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSInspectorFrontendHostCustom.cpp:
      (WebCore::populateContextMenuItems):
      * bindings/js/JSLocationCustom.cpp:
      (WebCore::JSLocation::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSStorageCustom.cpp:
      (WebCore::JSStorage::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSWebSocketCustom.cpp:
      (WebCore::JSWebSocketConstructor::constructJSWebSocket):
      * bindings/js/ScriptValue.cpp:
      (WebCore::jsToInspectorValue):
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneSerializer::serialize):
      * bindings/scripts/CodeGeneratorJS.pm:
      (GenerateHeader):
      (GenerateImplementation):
      * bridge/runtime_array.cpp:
      (JSC::RuntimeArray::RuntimeArray):
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::createStructure):
      (RuntimeArray):
      
      LayoutTests: 
      
      Modify the JSON test to indicate that iterating over properties now returns
      indexed properties first. This is a behavior change that makes us more
      compliant with other implementations.
              
      Also check in new expected file for the edge cases of indexed property access
      with prototype accessors. This changeset introduces a known regression in that
      department, which is tracked here: https://bugs.webkit.org/show_bug.cgi?id=96596
      
      * fast/js/resources/JSON-stringify.js:
      * platform/mac/fast/js/primitive-property-access-edge-cases-expected.txt: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128400 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d8dd0535
  22. 30 Aug, 2012 1 commit
    • mhahnenberg@apple.com's avatar
      Remove uses of ClassInfo in StrictEq and CompareEq in the DFG · 030c9dac
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=93401
      
      Reviewed by Filip Pizlo.
      
      Source/JavaScriptCore: 
      
      Another incremental step in removing the dependence on ClassInfo pointers in object headers.
      
      * bytecode/SpeculatedType.h:
      (JSC::isCellOrOtherSpeculation):
      (JSC):
      * dfg/DFGAbstractState.cpp: Updated the CFA to reflect the changes to the backend.
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGNode.h:
      (Node):
      (JSC::DFG::Node::shouldSpeculateString): Added this new function since it was conspicuously absent.
      (JSC::DFG::Node::shouldSpeculateNonStringCellOrOther): Also add this function for use in the CFA.
      * dfg/DFGSpeculativeJIT.cpp: Refactored how we handle CompareEq and CompareStrictEq in the DFG. We now just 
      check for Strings by comparing the object's Structure to the global Structure for strings. We only 
      check for MasqueradesAsUndefined if the watchpoint has fired. These changes allow us to remove our 
      uses of the ClassInfo pointer for compiling these nodes.
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp: Same changes for 32 bit as for 64 bit.
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      
      LayoutTests: 
      
      New test to make sure the DFG watchpoint works correctly for these cases.
      
      * fast/js/document-all-triggers-masquerades-watchpoint-expected.txt: Added.
      * fast/js/document-all-triggers-masquerades-watchpoint.html: Added.
      * fast/js/script-tests/document-all-triggers-masquerades-watchpoint.js: Added.
      (f):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127189 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      030c9dac
  23. 29 Aug, 2012 1 commit
  24. 27 Aug, 2012 2 commits
  25. 26 Aug, 2012 1 commit
    • fpizlo@apple.com's avatar
      Array type checks and storage accesses should be uniformly represented and available to CSE · 04c1974f
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=95013
      
      Reviewed by Oliver Hunt.
      
      This uniformly breaks up all array accesses into up to three parts:
              
      1) The type check, using a newly introduced CheckArray node, in addition to possibly
         a CheckStructure node. We were already inserting the CheckStructure prior to this
         patch. The CheckArray node will be automatically eliminated if the thing it was
         checking for had already been checked for, either intentionally (a CheckStructure
         inserted based on the array profile of this access) or accidentally (some checks,
         typically a CheckStructure, inserted for some unrelated operations). The
         CheckArray node may not be inserted if the array type is non-specific (Generic or
         ForceExit).
              
      2) The storage load using GetIndexedPropertyStorage. Previously, this only worked for
         GetByVal. Now it works for all array accesses. The storage load may not be
         inserted if the mode of array access does not permit CSE of storage loads (like
         non-specific modes or Arguments).
              
      3) The access itself: one of GetByVal, PutByVal, PutByValAlias, ArrayPush, ArrayPop,
         GetArrayLength, StringCharAt, or StringCharCodeAt.
              
      This means that the type check can be subjected to CSE even if the CFA isn't smart
      enough to reason about it (yet!). It also means that the storage load can always be
      subjected to CSE; previously CSE on storage load only worked for array loads and not
      other forms of access. Finally, it removes the bizarre behavior that
      GetIndexedPropertyStorage previously had: previously, it was responsible for the type
      check in some cases, but not others; this made reasoning about the CFA really
      confusing.
              
      This change also disables late refinement of array mode, since I decided that
      supporting that feature is both confusing and likely unprofitable. The array modes are
      now locked in in the first fixup run after prediction propagation. Of course,
      refinements from Generic to something else would not have been a problem; we could
      reenable those if we thought we really needed to.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromStructure):
      (DFG):
      (JSC::DFG::refineArrayMode):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::modeIsJSArray):
      (JSC::DFG::lengthNeedsStorage):
      (JSC::DFG::modeIsSpecific):
      (JSC::DFG::modeSupportsLength):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::ByteCodeParser):
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCFGSimplificationPhase.cpp:
      (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::CSEPhase):
      (JSC::DFG::CSEPhase::checkStructureElimination):
      (CSEPhase):
      (JSC::DFG::CSEPhase::checkArrayElimination):
      (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      (JSC::DFG::performCSE):
      * dfg/DFGCSEPhase.h:
      (DFG):
      * dfg/DFGCommon.h:
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGDriver.cpp:
      (JSC::DFG::compile):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      (FixupPhase):
      (JSC::DFG::FixupPhase::blessArrayOperation):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::Graph):
      (DFG):
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::collectGarbage):
      * dfg/DFGGraph.h:
      (Graph):
      (JSC::DFG::Graph::vote):
      (JSC::DFG::Graph::substitute):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasArrayMode):
      (JSC::DFG::Node::setArrayMode):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGPhase.h:
      (DFG):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::useChildren):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@126715 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      04c1974f
  26. 22 Aug, 2012 1 commit
    • fpizlo@apple.com's avatar
      Array accesses should remember what kind of array they are predicted to access · 7aed8d82
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=94448
      
      Reviewed by Gavin Barraclough.
      
      Introduced the notion of DFG::Array::Mode, stored in node.arrayMode(), which allows nodes
      to remember how they decided to access arrays. This permits the bytecode parser to "lock in"
      the mode of access if it has profiling at its disposal, and it also allows the prediction
      propagator to do a fixup of the array mode later in the optimization fixpoint.
              
      This patch adds a healthy amount of new capability (specifically the ability of the parser
      to lock in an array mode regardless of type predictions) and it also blows away a lot of
      messy code.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGArrayMode.cpp: Added.
      (DFG):
      (JSC::DFG::fromObserved):
      (JSC::DFG::refineArrayMode):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h: Added.
      (DFG):
      (JSC::DFG::canCSEStorage):
      (JSC::DFG::modeForPut):
      (JSC::DFG::modesCompatibleForStorageLoad):
      (JSC::DFG::modeSupportsLength):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::getArrayModeWithoutOSRExit):
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::checkStructureLoadElimination):
      (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
      (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
      (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      (JSC::DFG::Graph::clobbersWorld):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasArrayMode):
      (Node):
      (JSC::DFG::Node::arrayMode):
      (JSC::DFG::Node::setArrayMode):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
      (DFG):
      (JSC::DFG::SpeculativeJIT::speculateArray):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@126387 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      7aed8d82
  27. 20 Aug, 2012 1 commit
    • fpizlo@apple.com's avatar
      The relationship between abstract values and structure transition watchpoints... · eb3323dd
      fpizlo@apple.com authored
      The relationship between abstract values and structure transition watchpoints should be rationalized
      https://bugs.webkit.org/show_bug.cgi?id=94205
      
      Reviewed by Geoffrey Garen.
      
      This patch does a number of things related to the handling of the abstract values
      arrising from values with structures known to be watchpointable:
              
      - This rationalizes the relationship between the structure that we know an object
        to have *right now* based on having executed a check against that structure, and
        the structure that we know the object could have *in the future* based on a type
        check executed in the past over a structure that was watchpointable.
              
      - We use the above to assert that structure transition watchpoints are being used
        soundly.
              
      - We use the above to strength reduce CheckStructure into StructureTransitionWatchpoint
        whenever possible.
              
      - This rationalizes the handling of CFA over constants that appeared in the bytecode.
        If at compile-time the constant has a watchpointable structure, then we can prove
        what structures it may have in the future. The analysis uses this to both assert
        that structure transition watchpoints are being used correctly, and to find
        opportunities for using them more aggressively.
              
      The net effect of all of these changes is that OSR entry should work more smoothly.
      It may also be a slight win due to strength reductions, though most of those strength
      reductions would have already been done by the parser and the structure check hoister.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::beginBasicBlock):
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGAbstractValue.h:
      (DFG):
      (JSC::DFG::AbstractValue::clear):
      (JSC::DFG::AbstractValue::isClear):
      (JSC::DFG::AbstractValue::makeTop):
      (JSC::DFG::AbstractValue::clobberStructures):
      (JSC::DFG::AbstractValue::isTop):
      (JSC::DFG::AbstractValue::setFuturePossibleStructure):
      (AbstractValue):
      (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
      (JSC::DFG::AbstractValue::setMostSpecific):
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::operator==):
      (JSC::DFG::AbstractValue::merge):
      (JSC::DFG::AbstractValue::filter):
      (JSC::DFG::AbstractValue::filterValueByType):
      (JSC::DFG::AbstractValue::validateType):
      (JSC::DFG::AbstractValue::validate):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::dump):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::checkStructureLoadElimination):
      (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
      (Node):
      (JSC::DFG::Node::hasStructure):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
      (JSC::DFG::SpeculativeJIT::forwardSpeculationWatchpoint):
      (DFG):
      (JSC::DFG::SpeculativeJIT::speculationWatchpointWithConditionalDirection):
      (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
      (JSC::DFG::SpeculativeJIT::speculateArray):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureAbstractValue.h: Added.
      (DFG):
      (StructureAbstractValue):
      (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
      (JSC::DFG::StructureAbstractValue::clear):
      (JSC::DFG::StructureAbstractValue::makeTop):
      (JSC::DFG::StructureAbstractValue::top):
      (JSC::DFG::StructureAbstractValue::add):
      (JSC::DFG::StructureAbstractValue::addAll):
      (JSC::DFG::StructureAbstractValue::contains):
      (JSC::DFG::StructureAbstractValue::isSubsetOf):
      (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
      (JSC::DFG::StructureAbstractValue::isSupersetOf):
      (JSC::DFG::StructureAbstractValue::filter):
      (JSC::DFG::StructureAbstractValue::isClear):
      (JSC::DFG::StructureAbstractValue::isTop):
      (JSC::DFG::StructureAbstractValue::isClearOrTop):
      (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
      (JSC::DFG::StructureAbstractValue::size):
      (JSC::DFG::StructureAbstractValue::at):
      (JSC::DFG::StructureAbstractValue::operator[]):
      (JSC::DFG::StructureAbstractValue::last):
      (JSC::DFG::StructureAbstractValue::speculationFromStructures):
      (JSC::DFG::StructureAbstractValue::hasSingleton):
      (JSC::DFG::StructureAbstractValue::singleton):
      (JSC::DFG::StructureAbstractValue::operator==):
      (JSC::DFG::StructureAbstractValue::dump):
      (JSC::DFG::StructureAbstractValue::topValue):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@125999 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      eb3323dd
  28. 14 Aug, 2012 1 commit
    • fpizlo@apple.com's avatar
      Array checks should use the structure, not the class info · f24804c6
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=93150
      
      Reviewed by Mark Hahnenberg.
      
      This changes all array checks used in array accesses (get, put, get length,
      push, pop) to use the structure, not the class info. Additionally, these
      checks in the LLInt and baseline JIT record the structure in an ArrayProfile,
      so that the DFG can know exactly what structure to check for.
              
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/ArrayProfile.cpp: Added.
      (JSC):
      (JSC::ArrayProfile::computeUpdatedPrediction):
      * bytecode/ArrayProfile.h: Added.
      (JSC):
      (JSC::arrayModeFromStructure):
      (ArrayProfile):
      (JSC::ArrayProfile::ArrayProfile):
      (JSC::ArrayProfile::bytecodeOffset):
      (JSC::ArrayProfile::addressOfLastSeenStructure):
      (JSC::ArrayProfile::observeStructure):
      (JSC::ArrayProfile::expectedStructure):
      (JSC::ArrayProfile::structureIsPolymorphic):
      (JSC::ArrayProfile::hasDefiniteStructure):
      (JSC::ArrayProfile::observedArrayModes):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::getArrayProfile):
      (JSC):
      (JSC::CodeBlock::getOrAddArrayProfile):
      (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::executionEntryCount):
      (JSC::CodeBlock::numberOfArrayProfiles):
      (JSC::CodeBlock::arrayProfiles):
      (JSC::CodeBlock::addArrayProfile):
      (CodeBlock):
      * bytecode/Instruction.h:
      (JSC):
      (JSC::Instruction::Instruction):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitGetArgumentByVal):
      (JSC::BytecodeGenerator::emitGetByVal):
      (JSC::BytecodeGenerator::emitPutByVal):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::StructureAbstractValue::hasSingleton):
      (StructureAbstractValue):
      (JSC::DFG::StructureAbstractValue::singleton):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::speculateArray):
      (DFG):
      (JSC::DFG::SpeculativeJIT::compile):
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * llint/LLIntOffsetsExtractor.cpp:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/Structure.h:
      (Structure):
      (JSC::Structure::classInfoOffset):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@125637 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      f24804c6
  29. 02 Aug, 2012 1 commit
    • mhahnenberg@apple.com's avatar
      Remove all uses of ClassInfo for JSStrings in JIT code · 85c200b2
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=92935
      
      Reviewed by Geoffrey Garen.
      
      This is the first step in removing our dependence on in-object ClassInfo pointers
      in JIT code. Most of the changes are to check the Structure, which is unique for 
      JSString primitives.
      
      * bytecode/SpeculatedType.cpp:
      (JSC::speculationFromClassInfo):
      (JSC::speculationFromStructure): Changed to check the TypeInfo in the Structure
      since there wasn't a JSGlobalData immediately available to grab the JSString 
      Structure out of.
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitLoadCharacterString):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::privateCompileCTIMachineTrampolines):
      (JSC::JIT::emit_op_to_primitive):
      (JSC::JIT::emit_op_convert_this):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::privateCompileCTIMachineTrampolines):
      (JSC::JIT::emit_op_to_primitive):
      (JSC::JIT::emitSlow_op_eq):
      (JSC::JIT::emitSlow_op_neq):
      (JSC::JIT::compileOpStrictEq):
      (JSC::JIT::emit_op_convert_this):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::stringGetByValStubGenerator):
      (JSC::JIT::emitSlow_op_get_by_val):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::stringGetByValStubGenerator):
      (JSC::JIT::emitSlow_op_get_by_val):
      * jit/SpecializedThunkJIT.h:
      (JSC::SpecializedThunkJIT::loadJSStringArgument):
      * jit/ThunkGenerators.cpp:
      (JSC::stringCharLoad):
      (JSC::charCodeAtThunkGenerator):
      (JSC::charAtThunkGenerator):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124476 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      85c200b2