- 09 Dec, 2013 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=125430 Reviewed by Oliver Hunt and Mark Hahnenberg. * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::run): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160328 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 08 Dec, 2013 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=125395

Reviewed by Oliver Hunt.

This pushes more typed array folding into StrengthReductionPhase, and enables CSE on storage pointers. Previously, you might have separate nodes for the same storage pointer and this would cause some bad register pressure in the DFG. Note that this was really a theoretical problem and not, to my knowledge, a practical one - so this patch is basically just a clean-up.

* dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::constantStoragePointerCSE): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGNode.h: (JSC::DFG::Node::convertToConstantStoragePointer): (JSC::DFG::Node::hasStoragePointer): (JSC::DFG::Node::storagePointer): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer): (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGStrengthReductionPhase.cpp: (JSC::DFG::StrengthReductionPhase::handleNode): (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): * dfg/DFGWatchpointCollectionPhase.cpp: (JSC::DFG::WatchpointCollectionPhase::handle): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileConstantStoragePointer): (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160295 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 05 Dec, 2013 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=125275

Source/JavaScriptCore:

Reviewed by Michael Saboff.

Wow. This was an ordeal. Using cvttsd2si was actually easy, but I learned, and sometimes even fixed, some interesting things:

- The llvm.x86.sse2.cvttsd2si intrinsic can actually result in LLVM emitting a vcvttsd2si. I guess the intrinsic doesn't actually imply the instruction.

- That whole thing about branchTruncateDoubleToUint32? Yeah we don't need that. It's better to use branchTruncateDoubleToInt32 instead. It has the right semantics for all of its callers (err, its one-and-only caller), and it's more likely to take the fast path. This patch kills branchTruncateDoubleToUint32.

- "a[i] = v; v = a[i]". Does this change v? OK, assume that 'a[i]' is a pure-ish operation - like an array access with 'i' being an integer index and we're not having a bad time. Now does this change v? CSE assumes that it doesn't. That's wrong. If 'a' is a typed array - the most sensible and pure kind of array - then this can be a truncating cast. For example 'v' could be a double and 'a' could be an integer array.

- "v1 = a[i]; v2 = a[i]". Is v1 === v2 assuming that 'a[i]' is pure-ish? The answer is no. You could have a different arrayMode in each access. I know this sounds weird, but with concurrent JIT that might happen.

This patch adds tests for all of this stuff, except for the first issue (it's weird but probably doesn't matter) and the last issue (it's too much of a freakshow).

* assembler/MacroAssemblerARM64.h: * assembler/MacroAssemblerARMv7.h: * assembler/MacroAssemblerX86Common.h: * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::getByValLoadElimination): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): * ftl/FTLAbbreviations.h: (JSC::FTL::vectorType): (JSC::FTL::getUndef): (JSC::FTL::buildInsertElement): * ftl/FTLIntrinsicRepository.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::doubleToInt32): (JSC::FTL::LowerDFGToLLVM::doubleToUInt32): (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32): * ftl/FTLOutput.h: (JSC::FTL::Output::insertElement): (JSC::FTL::Output::hasSensibleDoubleToInt): (JSC::FTL::Output::sensibleDoubleToInt): LayoutTests: Reviewed by Michael Saboff. * js/regress/double-to-int32-typed-array-expected.txt: Added. * js/regress/double-to-int32-typed-array-no-inline-expected.txt: Added. * js/regress/double-to-int32-typed-array-no-inline.html: Added. * js/regress/double-to-int32-typed-array.html: Added. * js/regress/double-to-uint32-typed-array-expected.txt: Added. * js/regress/double-to-uint32-typed-array-no-inline-expected.txt: Added. * js/regress/double-to-uint32-typed-array-no-inline.html: Added. * js/regress/double-to-uint32-typed-array.html: Added. * js/regress/script-tests/double-to-int32-typed-array-no-inline.js: Added. (foo): (test): * js/regress/script-tests/double-to-int32-typed-array.js: Added. (foo): (test): * js/regress/script-tests/double-to-uint32-typed-array-no-inline.js: Added. (foo): (test): * js/regress/script-tests/double-to-uint32-typed-array.js: Added. (foo): (test): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160205 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 30 Nov, 2013 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=125025 Rubber stamped by Sam Weinig. This removes a bunch of unused and untested insanity. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::tallyFrequentExitSites): * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation): (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath): (JSC::DFG::ByteCodeParser::makeSafe): (JSC::DFG::ByteCodeParser::makeDivSafe): (JSC::DFG::ByteCodeParser::handleCall): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::linkBlock): (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): (JSC::DFG::ByteCodeParser::parseCodeBlock): (JSC::DFG::ByteCodeParser::parse): (JSC::DFG::parse): * dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::run): (JSC::DFG::CFGSimplificationPhase::convertToJump): (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::endIndexForPureCSE): (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): (JSC::DFG::CSEPhase::setReplacement): (JSC::DFG::CSEPhase::eliminate): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGCommon.h: (JSC::DFG::verboseCompilationEnabled): (JSC::DFG::logCompilationChanges): (JSC::DFG::shouldDumpGraphAtEachPhase): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): * dfg/DFGInPlaceAbstractState.cpp: (JSC::DFG::InPlaceAbstractState::initialize): (JSC::DFG::InPlaceAbstractState::endBasicBlock): (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): (JSC::DFG::InPlaceAbstractState::mergeToSuccessors): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compileBody): (JSC::DFG::JITCompiler::link): * dfg/DFGOSRExitCompiler.cpp: * dfg/DFGOSRExitCompiler32_64.cpp: 
(JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOSRExitCompilerCommon.cpp: (JSC::DFG::adjustAndJumpToTarget): * dfg/DFGPredictionInjectionPhase.cpp: (JSC::DFG::PredictionInjectionPhase::run): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::run): (JSC::DFG::PredictionPropagationPhase::propagate): (JSC::DFG::PredictionPropagationPhase::propagateForward): (JSC::DFG::PredictionPropagationPhase::propagateBackward): (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): * dfg/DFGScoreBoard.h: (JSC::DFG::ScoreBoard::use): * dfg/DFGSlowPathGenerator.h: (JSC::DFG::SlowPathGenerator::generate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution): (JSC::DFG::SpeculativeJIT::runSlowPathGenerators): (JSC::DFG::SpeculativeJIT::dump): (JSC::DFG::SpeculativeJIT::compileCurrentBlock): (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGVariableEventStream.cpp: (JSC::DFG::VariableEventStream::reconstruct): * dfg/DFGVariableEventStream.h: (JSC::DFG::VariableEventStream::appendAndLog): * dfg/DFGVirtualRegisterAllocationPhase.cpp: (JSC::DFG::VirtualRegisterAllocationPhase::run): * jit/JIT.cpp: (JSC::JIT::privateCompile): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159886 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 28 Nov, 2013 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=124812

Source/JavaScriptCore:

Reviewed by Oliver Hunt.

This detects JSActivations that are created only once. The JSActivation pointer is then baked into the machine code.

This takes advantage of the one-time scope inference to reduce the number of indirections needed to get to a closure variable in the case where the scope is only allocated once. This isn't really a speed-up since in the common case the total number of instruction bytes needed to load the scope from the stack is about equal to the number of instruction bytes needed to materialize the absolute address of a scoped variable. But, this is a necessary prerequisite to https://bugs.webkit.org/show_bug.cgi?id=124630, so it's probably a good idea anyway.

* bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::finalizeUnconditionally): * bytecode/Instruction.h: * bytecode/Opcode.h: (JSC::padOpcodeName): * bytecode/Watchpoint.h: (JSC::WatchpointSet::notifyWrite): (JSC::InlineWatchpointSet::notifyWrite): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitResolveScope): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::scopedVarLoadElimination): (JSC::DFG::CSEPhase::scopedVarStoreElimination): (JSC::DFG::CSEPhase::getLocalLoadElimination): (JSC::DFG::CSEPhase::setLocalStoreElimination): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::tryGetRegisters): * dfg/DFGGraph.h: * dfg/DFGNode.h: (JSC::DFG::Node::varNumber): (JSC::DFG::Node::hasSymbolTable): (JSC::DFG::Node::symbolTable): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: 
(JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGWatchpointCollectionPhase.cpp: (JSC::DFG::WatchpointCollectionPhase::handle): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * runtime/JSActivation.h: (JSC::JSActivation::create): * runtime/JSScope.cpp: (JSC::abstractAccess): (JSC::JSScope::abstractResolve): * runtime/JSScope.h: (JSC::ResolveOp::ResolveOp): * runtime/JSVariableObject.h: (JSC::JSVariableObject::registers): * runtime/SymbolTable.cpp: (JSC::SymbolTable::SymbolTable): * runtime/SymbolTable.h: LayoutTests: Reviewed by Oliver Hunt. * js/regress/infer-one-time-closure-expected.txt: Added. * js/regress/infer-one-time-closure-ten-vars-expected.txt: Added. * js/regress/infer-one-time-closure-ten-vars.html: Added. * js/regress/infer-one-time-closure-two-vars-expected.txt: Added. * js/regress/infer-one-time-closure-two-vars.html: Added. * js/regress/infer-one-time-closure.html: Added. * js/regress/infer-one-time-deep-closure-expected.txt: Added. * js/regress/infer-one-time-deep-closure.html: Added. * js/regress/script-tests/infer-one-time-closure-ten-vars.js: Added. * js/regress/script-tests/infer-one-time-closure-two-vars.js: Added. * js/regress/script-tests/infer-one-time-closure.js: Added. * js/regress/script-tests/infer-one-time-deep-closure.js: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159834 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 26 Nov, 2013 1 commit
fpizlo@apple.com authored
Restructure global variable constant inference so that it could work for any kind of symbol table variable
https://bugs.webkit.org/show_bug.cgi?id=124760

Reviewed by Oliver Hunt.

This changes the way global variable constant inference works so that it can be reused for closure variable constant inference. Some of the premises that originally motivated this patch are somewhat wrong, but it led to some simplifications anyway and I suspect that we'll be able to fix those premises in the future.

The main point of this patch is to make it easy to reuse global variable constant inference for closure variable constant inference, and this will be possible provided we can also either (a) infer one-shot closures (easy) or (b) infer closure variables that are always assigned prior to first use.

One of the things that this patch is meant to enable is constant inference for closure variables that may be part of a multi-shot closure. Closure variables may be instantiated multiple times, like:

    function foo() {
        var WIDTH = 45;
        function bar() {
            ... use WIDTH ...
        }
        ...
    }

Even if foo() is called many times and WIDTH is assigned to multiple times, that doesn't change the fact that it's a constant. The goal of closure variable constant inference is to catch any case where a closure variable has been assigned at least once and its value has never changed. This patch doesn't implement that, but it does change global variable constant inference to have most of the powers needed to do that. Note that most likely we will use this functionality only to implement constant inference for one-shot closures, but the resulting machinery is still simpler than what we had before.

This involves three changes:

- The watchpoint object now contains the inferred value. This involves creating a new kind of watchpoint set, the VariableWatchpointSet. We will reuse this object for closure variables.

- Writing to a variable that is watchpointed still involves these three states that we proceed through monotonically (Uninitialized->Initialized->Invalidated) but now, the Initialized->Invalidated state transition only happens if we change the variable's value, rather than store to the variable. Repeatedly storing the same value won't change the variable's state.

- On 64-bit systems (the only systems on which we do concurrent JIT), you no longer need fancy fencing to get a consistent view of the watchpoint in the JIT. The state of the VariableWatchpointSet for the purposes of constant folding is entirely encapsulated in the VariableWatchpointSet::m_inferredValue. If that is JSValue() then you cannot fold (either because the set is uninitialized or because it's invalidated - doesn't matter which); on the other hand if the value is anything other than JSValue() then you can fold, and that's the value you fold to. Simple!

This also changes the way that DFG IR deals with variable watchpoints. It's now oblivious to global variables. You install a watchpoint using VariableWatchpoint and you notify write using NotifyWrite. Easy!

Note that this will require some more tweaks because of the fact that op_enter will store Undefined into every captured variable. Hence it won't even work for one-shot closures. One-shot closures are easily fixed by introducing another state (so we'll have Uninitialized->Undefined->Initialized->Invalidated). Multi-shot closures will require static analysis. One-shot closures are clearly a higher priority.

* GNUmakefile.list.am: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/Instruction.h: * bytecode/VariableWatchpointSet.h: Added. 
(JSC::VariableWatchpointSet::VariableWatchpointSet): (JSC::VariableWatchpointSet::~VariableWatchpointSet): (JSC::VariableWatchpointSet::inferredValue): (JSC::VariableWatchpointSet::notifyWrite): (JSC::VariableWatchpointSet::invalidate): (JSC::VariableWatchpointSet::finalizeUnconditionally): (JSC::VariableWatchpointSet::addressOfInferredValue): * bytecode/Watchpoint.h: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::hasRegisterPointer): (JSC::DFG::Node::hasVariableWatchpointSet): (JSC::DFG::Node::variableWatchpointSet): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileArithMod): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGWatchpointCollectionPhase.cpp: (JSC::DFG::WatchpointCollectionPhase::handle): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite): * jit/JIT.h: * jit/JITOperations.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emitNotifyWrite): (JSC::JIT::emitPutGlobalVar): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emitNotifyWrite): (JSC::JIT::emitPutGlobalVar): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::addGlobalVar): (JSC::JSGlobalObject::addFunction): * runtime/JSGlobalObject.h: * 
runtime/JSScope.h: (JSC::ResolveOp::ResolveOp): * runtime/JSSymbolTableObject.h: (JSC::symbolTablePut): (JSC::symbolTablePutWithAttributes): * runtime/SymbolTable.cpp: (JSC::SymbolTableEntry::inferredValue): (JSC::SymbolTableEntry::prepareToWatch): (JSC::SymbolTableEntry::addWatchpoint): (JSC::SymbolTableEntry::notifyWriteSlow): (JSC::SymbolTable::visitChildren): (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): * runtime/SymbolTable.h: (JSC::SymbolTableEntry::watchpointSet): (JSC::SymbolTableEntry::notifyWrite): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159798 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 31 Oct, 2013 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=123574 Source/JavaScriptCore: Reviewed by Mark Hahnenberg. This is performance-neutral because I also make Math.cos/sin intrinsic. This means that we gain the "overhead" of actually computing sin and cos but we lose the overhead of going through the native call thunks. Caching transcendental functions is a really ugly idea. It works for SunSpider because that benchmark makes very predictable calls into Math.sin. But I don't believe that this is representative of any kind of reality, and so for sensible uses of Math.sin/cos all that this was doing was adding more call overhead and some hashing overhead. * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::propagate): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsic): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * jit/JITOperations.h: * runtime/CachedTranscendentalFunction.h: Removed. * runtime/DateInstanceCache.h: * runtime/Intrinsic.h: * runtime/MathObject.cpp: (JSC::MathObject::finishCreation): (JSC::mathProtoFuncCos): (JSC::mathProtoFuncSin): * runtime/VM.h: Tools: Reviewed by Mark Hahnenberg. Make it easier to see that a test doesn't have an -expected file. * Scripts/run-jsc-stress-tests: LayoutTests: Reviewed by Mark Hahnenberg. * js/dfg-cos-constant-expected.txt: Added. 
* js/dfg-cos-constant.html: Added. * js/dfg-sin-constant-expected.txt: Added. * js/dfg-sin-constant.html: Added. * js/script-tests/dfg-cos-constant.js: Added. (foo): * js/script-tests/dfg-sin-constant.js: Added. (foo): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158384 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 18 Oct, 2013 2 commits
oliver@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=123047

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread to array construct. This required a new PutByValDirect node to be introduced to the DFG. The current implementation simply changes the slow path function that is called, but in future this could be made faster as it does not need to check the prototype chain.

* bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): (JSC::CodeBlock::CodeBlock): * bytecode/Opcode.h: (JSC::padOpcodeName): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitDirectPutByVal): * bytecompiler/BytecodeGenerator.h: * bytecompiler/NodesCodegen.cpp: (JSC::ArrayNode::emitBytecode): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::propagate): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::getArrayLengthElimination): (JSC::DFG::CSEPhase::getByValLoadElimination): (JSC::DFG::CSEPhase::checkStructureElimination): (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): (JSC::DFG::CSEPhase::getByOffsetLoadElimination): (JSC::DFG::CSEPhase::putByOffsetStoreElimination): (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGGraph.h: (JSC::DFG::Graph::clobbersWorld): * dfg/DFGNode.h: (JSC::DFG::Node::hasArrayMode): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: (JSC::DFG::putByVal): (JSC::DFG::operationPutByValInternal): * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): * dfg/DFGSafeToExecute.h: 
(JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGTypeCheckHoistingPhase.cpp: (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): * jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * jit/JIT.h: (JSC::JIT::compileDirectPutByVal): * jit/JITOperations.cpp: * jit/JITOperations.h: * jit/JITPropertyAccess.cpp: (JSC::JIT::emitSlow_op_put_by_val): (JSC::JIT::privateCompilePutByVal): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emitSlow_op_put_by_val): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * llint/LLIntSlowPaths.h: * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: LayoutTests: Add a new testcase for the setter case. run-javascriptcore-tests hits this with the llint, baseline, and dfg. * js/basic-spread-expected.txt: * js/script-tests/basic-spread.js: (Array): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157656 268f45cc-cd09-0410-ab3c-d52691b4dbfc
andersca@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=123040 Reviewed by Andreas Kling. Source/JavaScriptCore: * API/JSCallbackObject.cpp: (JSC::::create): * API/JSObjectRef.cpp: * bytecode/CodeBlock.h: (JSC::CodeBlock::constants): (JSC::CodeBlock::setConstantRegisters): * bytecode/DFGExitProfile.h: * bytecode/EvalCodeCache.h: * bytecode/Operands.h: * bytecode/UnlinkedCodeBlock.h: (JSC::UnlinkedCodeBlock::constantRegisters): * bytecode/Watchpoint.h: * bytecompiler/BytecodeGenerator.h: * bytecompiler/StaticPropertyAnalysis.h: * bytecompiler/StaticPropertyAnalyzer.h: * dfg/DFGArgumentsSimplificationPhase.cpp: * dfg/DFGBlockInsertionSet.h: * dfg/DFGCSEPhase.cpp: (JSC::DFG::performCSE): (JSC::DFG::performStoreElimination): * dfg/DFGCommonData.h: * dfg/DFGDesiredStructureChains.h: * dfg/DFGDesiredWatchpoints.h: * dfg/DFGJITCompiler.h: * dfg/DFGOSRExitCompiler32_64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGWorklist.h: * heap/BlockAllocator.h: (JSC::CopiedBlock): (JSC::MarkedBlock): (JSC::WeakBlock): (JSC::MarkStackSegment): (JSC::CopyWorkListSegment): (JSC::HandleBlock): * heap/Heap.h: * heap/Local.h: * heap/MarkedBlock.h: * heap/Strong.h: * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::decodedCodeMapFor): * jit/AssemblyHelpers.h: * jit/SpecializedThunkJIT.h: * parser/Nodes.h: * parser/Parser.cpp: (JSC::::parseIfStatement): * parser/Parser.h: (JSC::Scope::copyCapturedVariablesToVector): (JSC::parse): * parser/ParserArena.h: * parser/SourceProviderCacheItem.h: * profiler/LegacyProfiler.cpp: (JSC::dispatchFunctionToProfiles): * profiler/LegacyProfiler.h: (JSC::LegacyProfiler::currentProfiles): * profiler/ProfileNode.h: (JSC::ProfileNode::children): * profiler/ProfilerDatabase.h: * runtime/Butterfly.h: (JSC::Butterfly::contiguousInt32): (JSC::Butterfly::contiguous): * runtime/GenericTypedArrayViewInlines.h: (JSC::::create): * runtime/Identifier.h: (JSC::Identifier::add): * runtime/JSPromise.h: * 
runtime/PropertyMapHashTable.h: * runtime/PropertyNameArray.h: * runtime/RegExpCache.h: * runtime/SparseArrayValueMap.h: * runtime/SymbolTable.h: * runtime/VM.h: * tools/CodeProfile.cpp: (JSC::truncateTrace): * tools/CodeProfile.h: * yarr/YarrInterpreter.cpp: * yarr/YarrInterpreter.h: (JSC::Yarr::BytecodePattern::BytecodePattern): * yarr/YarrJIT.cpp: (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern): (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion): (JSC::Yarr::YarrGenerator::opCompileBody): * yarr/YarrPattern.cpp: (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses): (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions): * yarr/YarrPattern.h: Source/WebCore: * Modules/encryptedmedia/MediaKeySession.h: * Modules/encryptedmedia/MediaKeys.h: * Modules/geolocation/Geolocation.h: * Modules/geolocation/GeolocationController.cpp: (WebCore::GeolocationController::positionChanged): (WebCore::GeolocationController::errorOccurred): * Modules/geolocation/GeolocationController.h: * Modules/indexeddb/IDBCallbacks.h: * Modules/indexeddb/IDBDatabase.h: * Modules/indexeddb/IDBDatabaseBackendInterface.h: * Modules/indexeddb/IDBEventDispatcher.cpp: (WebCore::IDBEventDispatcher::dispatch): * Modules/indexeddb/IDBEventDispatcher.h: * Modules/indexeddb/IDBKey.h: * Modules/indexeddb/IDBObjectStore.h: * Modules/indexeddb/IDBPendingTransactionMonitor.cpp: * Modules/indexeddb/IDBRequest.cpp: (WebCore::IDBRequest::dispatchEvent): * Modules/indexeddb/IDBRequest.h: (WebCore::IDBRequest::onSuccessWithPrefetch): * Modules/indexeddb/IDBTransaction.cpp: (WebCore::IDBTransaction::dispatchEvent): * Modules/indexeddb/IDBTransaction.h: * Modules/mediacontrols/MediaControlsHost.cpp: (WebCore::MediaControlsHost::sortedTrackListForMenu): * Modules/mediacontrols/MediaControlsHost.h: * Modules/mediasource/MediaSource.cpp: (WebCore::MediaSource::activeRanges): * Modules/mediasource/MediaSource.h: * Modules/mediasource/MediaSourceBase.cpp: 
(WebCore::MediaSourceBase::buffered): * Modules/mediasource/MediaSourceBase.h: * Modules/mediasource/MediaSourceRegistry.cpp: (WebCore::MediaSourceRegistry::unregisterURL): * Modules/mediasource/MediaSourceRegistry.h: * Modules/mediasource/SourceBufferList.h: * Modules/mediasource/WebKitMediaSource.cpp: (WebCore::WebKitMediaSource::activeRanges): * Modules/mediasource/WebKitMediaSource.h: * Modules/mediasource/WebKitSourceBufferList.h: * Modules/mediastream/MediaStream.cpp: (WebCore::MediaStream::scheduledEventTimerFired): * Modules/mediastream/MediaStream.h: * Modules/mediastream/MediaStreamRegistry.h: * Modules/mediastream/MediaStreamTrack.h: * Modules/mediastream/RTCDTMFSender.cpp: (WebCore::RTCDTMFSender::scheduledEventTimerFired): * Modules/mediastream/RTCDTMFSender.h: * Modules/mediastream/RTCDataChannel.cpp: (WebCore::RTCDataChannel::scheduledEventTimerFired): * Modules/mediastream/RTCDataChannel.h: * Modules/mediastream/RTCPeerConnection.cpp: (WebCore::RTCPeerConnection::stop): (WebCore::RTCPeerConnection::scheduledEventTimerFired): * Modules/mediastream/RTCPeerConnection.h: * Modules/mediastream/RTCStatsResponse.h: (WebCore::RTCStatsResponse::result): * Modules/notifications/Notification.h: * Modules/notifications/NotificationCenter.h: * Modules/speech/SpeechSynthesis.cpp: (WebCore::SpeechSynthesis::getVoices): * Modules/speech/SpeechSynthesis.h: * Modules/webaudio/AudioBuffer.h: * Modules/webaudio/AudioNode.h: * Modules/webaudio/AudioNodeOutput.h: * Modules/webaudio/MediaStreamAudioSource.cpp: (WebCore::MediaStreamAudioSource::setAudioFormat): (WebCore::MediaStreamAudioSource::consumeAudio): * Modules/webaudio/PeriodicWave.h: * Modules/webaudio/ScriptProcessorNode.h: * Modules/webdatabase/AbstractDatabaseServer.h: * Modules/webdatabase/DatabaseBackend.h: * Modules/webdatabase/DatabaseManager.cpp: (WebCore::DatabaseManager::origins): * Modules/webdatabase/DatabaseManager.h: * Modules/webdatabase/DatabaseServer.cpp: (WebCore::DatabaseServer::origins): * 
Modules/webdatabase/DatabaseServer.h: * Modules/webdatabase/DatabaseThread.h: * Modules/webdatabase/DatabaseTracker.cpp: (WebCore::DatabaseTracker::interruptAllDatabasesForContext): (WebCore::DatabaseTracker::origins): (WebCore::DatabaseTracker::getOpenDatabases): (WebCore::DatabaseTracker::deleteAllDatabases): (WebCore::DatabaseTracker::deleteDatabaseFile): * Modules/webdatabase/DatabaseTracker.h: * Modules/webdatabase/SQLStatementBackend.cpp: * Modules/webdatabase/SQLTransactionBackend.cpp: * Modules/webdatabase/SQLTransactionBackend.h: * Modules/webdatabase/SQLTransactionCoordinator.cpp: (WebCore::SQLTransactionCoordinator::shutdown): * Modules/webdatabase/SQLTransactionCoordinator.h: * Modules/websockets/ThreadableWebSocketChannelClientWrapper.cpp: (WebCore::ThreadableWebSocketChannelClientWrapper::didReceiveBinaryData): (WebCore::ThreadableWebSocketChannelClientWrapper::processPendingTasks): (WebCore::ThreadableWebSocketChannelClientWrapper::didReceiveBinaryDataCallback): * Modules/websockets/ThreadableWebSocketChannelClientWrapper.h: * Modules/websockets/WebSocket.cpp: (WebCore::WebSocket::didReceiveBinaryData): * Modules/websockets/WebSocket.h: * Modules/websockets/WebSocketChannel.cpp: (WebCore::WebSocketChannel::processFrame): * Modules/websockets/WebSocketChannel.h: * Modules/websockets/WebSocketChannelClient.h: (WebCore::WebSocketChannelClient::didReceiveBinaryData): * Modules/websockets/WebSocketExtensionDispatcher.h: * Modules/websockets/WorkerThreadableWebSocketChannel.cpp: (WebCore::workerGlobalScopeDidReceiveBinaryData): (WebCore::WorkerThreadableWebSocketChannel::Peer::didReceiveBinaryData): (WebCore::WorkerThreadableWebSocketChannel::mainThreadSendArrayBuffer): (WebCore::WorkerThreadableWebSocketChannel::Bridge::send): * Modules/websockets/WorkerThreadableWebSocketChannel.h: * accessibility/AXObjectCache.cpp: (WebCore::AXObjectCache::~AXObjectCache): * accessibility/AXObjectCache.h: * accessibility/AccessibilityNodeObject.cpp: 
(WebCore::AccessibilityNodeObject::ariaLabeledByText): * accessibility/AccessibilityObject.h: (WebCore::AccessibilityText::AccessibilityText): * bindings/js/DOMWrapperWorld.h: * bindings/js/JSDOMBinding.h: (WebCore::toRefPtrNativeArray): * bindings/js/JSDOMGlobalObject.h: * bindings/js/JSMutationCallback.cpp: (WebCore::JSMutationCallback::call): * bindings/js/JSMutationCallback.h: * bindings/js/JSWebGLRenderingContextCustom.cpp: (WebCore::JSWebGLRenderingContext::getAttachedShaders): * bindings/js/PageScriptDebugServer.h: * bindings/js/ScheduledAction.h: * bindings/js/ScriptController.cpp: (WebCore::ScriptController::collectIsolatedContexts): * bindings/js/ScriptController.h: * bindings/js/ScriptDebugServer.h: * bindings/js/ScriptProfile.cpp: (WebCore::buildInspectorObjectFor): * bindings/objc/ObjCNodeFilterCondition.h: * bridge/objc/objc_class.h: * bridge/runtime_root.cpp: (JSC::Bindings::RootObject::invalidate): * bridge/runtime_root.h: * css/BasicShapeFunctions.cpp: (WebCore::basicShapeForValue): * css/CSSBasicShapes.h: (WebCore::CSSBasicShapePolygon::values): * css/CSSComputedStyleDeclaration.cpp: (WebCore::ComputedStyleExtractor::valueForFilter): * css/CSSFontFace.h: * css/CSSFontFaceSource.h: * css/CSSFontSelector.cpp: (WebCore::CSSFontSelector::addFontFaceRule): (WebCore::CSSFontSelector::getFontFace): (WebCore::CSSFontSelector::beginLoadTimerFired): * css/CSSFontSelector.h: * css/CSSGroupingRule.h: * css/CSSImageGeneratorValue.h: * css/CSSParserValues.cpp: (WebCore::CSSParserSelector::adoptSelectorVector): * css/CSSParserValues.h: * css/CSSPropertySourceData.h: * css/CSSRuleList.h: (WebCore::StaticCSSRuleList::rules): * css/CSSSegmentedFontFace.cpp: (WebCore::CSSSegmentedFontFace::fontLoaded): * css/CSSSegmentedFontFace.h: * css/CSSSelectorList.cpp: (WebCore::CSSSelectorList::adoptSelectorVector): * css/CSSSelectorList.h: * css/CSSStyleSheet.h: * css/CSSValue.h: (WebCore::compareCSSValueVector): * css/CSSValuePool.h: * css/DocumentRuleSets.cpp: 
(WebCore::DocumentRuleSets::collectRulesFromUserStyleSheets): (WebCore::DocumentRuleSets::appendAuthorStyleSheets): * css/DocumentRuleSets.h: * css/ElementRuleCollector.cpp: (WebCore::ElementRuleCollector::matchedRuleList): * css/ElementRuleCollector.h: * css/FontLoader.h: * css/InspectorCSSOMWrappers.cpp: (WebCore::InspectorCSSOMWrappers::collectFromStyleSheetContents): (WebCore::InspectorCSSOMWrappers::collectFromStyleSheets): * css/InspectorCSSOMWrappers.h: * css/MediaList.cpp: (WebCore::MediaQuerySet::parse): (WebCore::MediaList::item): (WebCore::reportMediaQueryWarningIfNeeded): * css/MediaList.h: (WebCore::MediaQuerySet::queryVector): * css/MediaQueryEvaluator.cpp: (WebCore::MediaQueryEvaluator::eval): * css/MediaQueryMatcher.h: * css/PropertySetCSSStyleDeclaration.cpp: (WebCore::PropertySetCSSStyleDeclaration::cloneAndCacheForCSSOM): * css/PropertySetCSSStyleDeclaration.h: * css/RuleSet.cpp: (WebCore::RuleSet::addToRuleSet): (WebCore::RuleSet::addRegionRule): (WebCore::RuleSet::addChildRules): (WebCore::RuleSet::addRulesFromSheet): * css/RuleSet.h: * css/SelectorFilter.h: * css/StyleInvalidationAnalysis.cpp: (WebCore::StyleInvalidationAnalysis::analyzeStyleSheet): * css/StylePropertySet.cpp: (WebCore::StylePropertySet::getLayeredShorthandValue): * css/StyleResolver.cpp: (WebCore::StyleResolver::appendAuthorStyleSheets): (WebCore::StyleResolver::keyframeStylesForAnimation): (WebCore::StyleResolver::styleRulesForElement): (WebCore::StyleResolver::pseudoStyleRulesForElement): (WebCore::StyleResolver::resolveVariables): (WebCore::StyleResolver::applyProperty): (WebCore::StyleResolver::loadPendingSVGDocuments): (WebCore::StyleResolver::loadPendingShaders): * css/StyleResolver.h: * css/StyleRule.cpp: (WebCore::StyleRule::splitIntoMultipleRulesWithMaximumSelectorComponentCount): (WebCore::StyleRuleGroup::StyleRuleGroup): (WebCore::StyleRuleMedia::StyleRuleMedia): (WebCore::StyleRuleSupports::StyleRuleSupports): (WebCore::StyleRuleRegion::StyleRuleRegion): * 
css/StyleRule.h: (WebCore::StyleRule::parserAdoptSelectorVector): (WebCore::StyleRulePage::parserAdoptSelectorVector): (WebCore::StyleRuleGroup::childRules): (WebCore::StyleRuleMedia::create): (WebCore::StyleRuleSupports::create): (WebCore::StyleRuleRegion::create): (WebCore::StyleRuleHost::create): (WebCore::StyleRuleHost::StyleRuleHost): * css/StyleScopeResolver.h: * css/StyleSheetContents.cpp: (WebCore::StyleSheetContents::parserAppendRule): (WebCore::childRulesHaveFailedOrCanceledSubresources): * css/StyleSheetContents.h: (WebCore::StyleSheetContents::childRules): (WebCore::StyleSheetContents::importRules): * css/StyleSheetList.cpp: (WebCore::StyleSheetList::styleSheets): (WebCore::StyleSheetList::item): * css/StyleSheetList.h: * css/WebKitCSSKeyframesRule.h: (WebCore::StyleRuleKeyframes::keyframes): * dom/CheckedRadioButtons.h: * dom/ClientRectList.h: * dom/ContainerNode.h: (WebCore::ChildNodesLazySnapshot::nextNode): (WebCore::ChildNodesLazySnapshot::takeSnapshot): * dom/CrossThreadTask.h: * dom/Document.cpp: (WebCore::Document::webkitCancelFullScreen): (WebCore::Document::webkitExitFullscreen): (WebCore::Document::fullScreenChangeDelayTimerFired): (WebCore::Document::didAssociateFormControlsTimerFired): * dom/Document.h: * dom/DocumentMarkerController.cpp: (WebCore::DocumentMarkerController::removeMarkers): * dom/DocumentMarkerController.h: * dom/DocumentStyleSheetCollection.cpp: (WebCore::DocumentStyleSheetCollection::injectedUserStyleSheets): (WebCore::DocumentStyleSheetCollection::injectedAuthorStyleSheets): (WebCore::DocumentStyleSheetCollection::collectActiveStyleSheets): (WebCore::DocumentStyleSheetCollection::analyzeStyleSheetChange): (WebCore::styleSheetsUseRemUnits): (WebCore::filterEnabledNonemptyCSSStyleSheets): (WebCore::collectActiveCSSStyleSheetsFromSeamlessParents): (WebCore::DocumentStyleSheetCollection::updateActiveStyleSheets): * dom/DocumentStyleSheetCollection.h: * dom/Element.cpp: (WebCore::Element::attrNodeList): 
(WebCore::Element::webkitGetRegionFlowRanges): * dom/Element.h: * dom/EventListenerMap.h: * dom/EventSender.h: (WebCore::EventSender::timerFired): * dom/IdTargetObserverRegistry.h: * dom/MutationCallback.h: * dom/MutationObserver.cpp: (WebCore::MutationObserver::takeRecords): (WebCore::MutationObserver::deliver): (WebCore::MutationObserver::deliverAllMutations): * dom/MutationObserver.h: * dom/MutationObserverRegistration.h: * dom/NamedFlowCollection.cpp: (WebCore::NamedFlowCollection::namedFlows): * dom/NamedFlowCollection.h: * dom/Node.cpp: (WebCore::Node::didMoveToNewDocument): (WebCore::Node::mutationObserverRegistry): (WebCore::Node::registerMutationObserver): (WebCore::Node::unregisterMutationObserver): (WebCore::Node::notifyMutationObserversNodeWillDetach): * dom/Node.h: * dom/NodeRareData.h: * dom/Range.cpp: (WebCore::Range::processContents): (WebCore::Range::processNodes): (WebCore::Range::processAncestorsAndTheirSiblings): * dom/Range.h: * dom/ScopedEventQueue.h: * dom/ScriptExecutionContext.cpp: (WebCore::ScriptExecutionContext::reportException): * dom/ScriptExecutionContext.h: * dom/ScriptedAnimationController.h: * editing/ApplyStyleCommand.cpp: (WebCore::ApplyStyleCommand::applyRelativeFontStyleChange): * editing/BreakBlockquoteCommand.cpp: (WebCore::BreakBlockquoteCommand::doApply): * editing/CompositeEditCommand.cpp: (WebCore::CompositeEditCommand::removeChildrenInRange): (WebCore::CompositeEditCommand::deleteInsignificantText): (WebCore::CompositeEditCommand::cloneParagraphUnderNewElement): * editing/CompositeEditCommand.h: * editing/EditingStyle.cpp: (WebCore::htmlElementEquivalents): (WebCore::EditingStyle::conflictsWithImplicitStyleOfElement): (WebCore::htmlAttributeEquivalents): (WebCore::EditingStyle::conflictsWithImplicitStyleOfAttributes): (WebCore::EditingStyle::extractConflictingImplicitStyleOfAttributes): (WebCore::EditingStyle::elementIsStyledSpanOrHTMLEquivalent): (WebCore::EditingStyle::mergeInlineAndImplicitStyleOfElement): 
(WebCore::styleFromMatchedRulesForElement): * editing/Editor.cpp: (WebCore::Editor::countMatchesForText): * editing/Editor.h: * editing/InsertParagraphSeparatorCommand.cpp: (WebCore::InsertParagraphSeparatorCommand::getAncestorsInsideBlock): (WebCore::InsertParagraphSeparatorCommand::cloneHierarchyUnderNewBlock): (WebCore::InsertParagraphSeparatorCommand::doApply): * editing/InsertParagraphSeparatorCommand.h: * editing/MergeIdenticalElementsCommand.cpp: (WebCore::MergeIdenticalElementsCommand::doApply): (WebCore::MergeIdenticalElementsCommand::doUnapply): * editing/RemoveNodePreservingChildrenCommand.cpp: (WebCore::RemoveNodePreservingChildrenCommand::doApply): * editing/ReplaceSelectionCommand.cpp: (WebCore::ReplacementFragment::removeUnrenderedNodes): * editing/SimplifyMarkupCommand.cpp: (WebCore::SimplifyMarkupCommand::doApply): (WebCore::SimplifyMarkupCommand::pruneSubsequentAncestorsToRemove): * editing/SimplifyMarkupCommand.h: * editing/SpellChecker.h: * editing/SplitElementCommand.cpp: (WebCore::SplitElementCommand::executeApply): (WebCore::SplitElementCommand::doUnapply): * editing/WrapContentsInDummySpanCommand.cpp: (WebCore::WrapContentsInDummySpanCommand::executeApply): (WebCore::WrapContentsInDummySpanCommand::doUnapply): * editing/mac/AlternativeTextUIController.h: * fileapi/FileList.h: * history/BackForwardList.h: * history/HistoryItem.cpp: (WebCore::HistoryItem::setRedirectURLs): * history/HistoryItem.h: * history/mac/HistoryItemMac.mm: (WebCore::HistoryItem::setTransientProperty): * html/FormController.h: * html/HTMLAnchorElement.cpp: * html/HTMLCollection.cpp: (WebCore::HTMLCollection::append): * html/HTMLCollection.h: * html/HTMLFormControlElement.cpp: (WebCore::HTMLFormControlElement::checkValidity): * html/HTMLFormControlElement.h: * html/HTMLFormElement.cpp: (WebCore::HTMLFormElement::validateInteractively): (WebCore::HTMLFormElement::checkValidity): (WebCore::HTMLFormElement::checkInvalidControlsAndCollectUnhandled): * html/HTMLFormElement.h: 
* html/HTMLMediaElement.cpp: (WebCore::HTMLMediaElement::updateActiveTextTrackCues): (WebCore::HTMLMediaElement::platformTextTracks): (WebCore::HTMLMediaElement::configureTextTrackGroup): * html/HTMLMediaElement.h: * html/HTMLPlugInImageElement.cpp: * html/HTMLSelectElement.cpp: (WebCore::HTMLSelectElement::setLength): * html/MediaController.cpp: (MediaController::asyncEventTimerFired): * html/MediaController.h: * html/MediaFragmentURIParser.h: * html/ValidationMessage.h: * html/canvas/WebGLFramebuffer.h: * html/canvas/WebGLRenderingContext.cpp: (WebCore::WebGLRenderingContext::getAttachedShaders): * html/canvas/WebGLRenderingContext.h: * html/canvas/WebGLTexture.h: * html/parser/BackgroundHTMLParser.cpp: (WebCore::BackgroundHTMLParser::BackgroundHTMLParser): * html/parser/BackgroundHTMLParser.h: (WebCore::BackgroundHTMLParser::create): * html/parser/HTMLDocumentParser.cpp: (WebCore::HTMLDocumentParser::startBackgroundParser): * html/parser/HTMLDocumentParser.h: * html/parser/HTMLMetaCharsetParser.h: * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): (WebCore::TokenPreloadScanner::scanCommon): * html/parser/HTMLResourcePreloader.h: * html/parser/XSSAuditor.h: * html/shadow/ContentDistributor.cpp: (WebCore::ContentDistributor::ensureInsertionPointList): (WebCore::ContentDistributor::distribute): (WebCore::ContentDistributor::invalidate): * html/shadow/ContentDistributor.h: * html/shadow/MediaControlElements.cpp: (WebCore::MediaControlClosedCaptionsTrackListElement::rebuildTrackListMenu): (WebCore::MediaControlTextTrackContainerElement::updateDisplay): * html/shadow/MediaControlElements.h: * html/track/InbandGenericTextTrack.h: * html/track/InbandWebVTTTextTrack.cpp: (WebCore::InbandWebVTTTextTrack::newCuesParsed): * html/track/LoadableTextTrack.cpp: (WebCore::LoadableTextTrack::newCuesAvailable): (WebCore::LoadableTextTrack::newRegionsAvailable): * html/track/TextTrackCueList.h: * html/track/TextTrackList.cpp: 
(TextTrackList::invalidateTrackIndexesAfterTrack): (TextTrackList::remove): (TextTrackList::contains): * html/track/TextTrackList.h: * html/track/TrackListBase.cpp: (TrackListBase::asyncEventTimerFired): * html/track/TrackListBase.h: * html/track/WebVTTParser.cpp: (WebCore::WebVTTParser::getNewCues): (WebCore::WebVTTParser::getNewRegions): * html/track/WebVTTParser.h: * inspector/ConsoleMessage.cpp: (WebCore::ConsoleMessage::addToFrontend): * inspector/ContentSearchUtils.cpp: (WebCore::ContentSearchUtils::getRegularExpressionMatchesByLines): (WebCore::ContentSearchUtils::lineEndings): (WebCore::ContentSearchUtils::searchInTextByLines): * inspector/ContentSearchUtils.h: * inspector/DOMPatchSupport.cpp: (WebCore::DOMPatchSupport::patchNode): (WebCore::DOMPatchSupport::diff): (WebCore::DOMPatchSupport::innerPatchChildren): * inspector/DOMPatchSupport.h: * inspector/InjectedScript.cpp: (WebCore::InjectedScript::getProperties): (WebCore::InjectedScript::getInternalProperties): (WebCore::InjectedScript::wrapCallFrames): * inspector/InjectedScript.h: * inspector/InjectedScriptHost.h: * inspector/InspectorAgent.cpp: (WebCore::InspectorAgent::enable): * inspector/InspectorApplicationCacheAgent.cpp: (WebCore::InspectorApplicationCacheAgent::getFramesWithManifests): (WebCore::InspectorApplicationCacheAgent::buildArrayForApplicationCacheResources): * inspector/InspectorApplicationCacheAgent.h: * inspector/InspectorBaseAgent.h: * inspector/InspectorCSSAgent.cpp: (WebCore::SelectorProfile::toInspectorObject): (WebCore::UpdateRegionLayoutTask::onTimer): (WebCore::InspectorCSSAgent::getMatchedStylesForNode): (WebCore::InspectorCSSAgent::getComputedStyleForNode): (WebCore::InspectorCSSAgent::getAllStyleSheets): (WebCore::InspectorCSSAgent::getSupportedCSSProperties): (WebCore::InspectorCSSAgent::getNamedFlowCollection): (WebCore::InspectorCSSAgent::buildArrayForRuleList): (WebCore::InspectorCSSAgent::buildArrayForMatchedRuleList): (WebCore::InspectorCSSAgent::buildArrayForRegions): 
(WebCore::InspectorCSSAgent::buildObjectForNamedFlow): * inspector/InspectorCSSAgent.h: * inspector/InspectorConsoleAgent.h: * inspector/InspectorDOMAgent.cpp: (WebCore::RevalidateStyleAttributeTask::onTimer): (WebCore::InspectorDOMAgent::pushChildNodesToFrontend): (WebCore::InspectorDOMAgent::pushNodePathToFrontend): (WebCore::InspectorDOMAgent::getEventListenersForNode): (WebCore::InspectorDOMAgent::performSearch): (WebCore::InspectorDOMAgent::getSearchResults): (WebCore::InspectorDOMAgent::getAttributes): (WebCore::InspectorDOMAgent::buildObjectForNode): (WebCore::InspectorDOMAgent::buildArrayForElementAttributes): (WebCore::InspectorDOMAgent::buildArrayForContainerChildren): (WebCore::InspectorDOMAgent::styleAttributeInvalidated): * inspector/InspectorDOMAgent.h: * inspector/InspectorDOMStorageAgent.cpp: (WebCore::InspectorDOMStorageAgent::getDOMStorageItems): * inspector/InspectorDOMStorageAgent.h: * inspector/InspectorDatabaseAgent.cpp: (WebCore::InspectorDatabaseAgent::getDatabaseTableNames): * inspector/InspectorDatabaseAgent.h: * inspector/InspectorDebuggerAgent.cpp: (WebCore::InspectorDebuggerAgent::setBreakpointByUrl): (WebCore::InspectorDebuggerAgent::searchInContent): (WebCore::InspectorDebuggerAgent::setScriptSource): (WebCore::InspectorDebuggerAgent::currentCallFrames): * inspector/InspectorDebuggerAgent.h: * inspector/InspectorHeapProfilerAgent.cpp: (WebCore::InspectorHeapProfilerAgent::getProfileHeaders): * inspector/InspectorHeapProfilerAgent.h: * inspector/InspectorHistory.h: * inspector/InspectorIndexedDBAgent.cpp: * inspector/InspectorLayerTreeAgent.cpp: (WebCore::InspectorLayerTreeAgent::layersForNode): (WebCore::InspectorLayerTreeAgent::gatherLayersUsingRenderObjectHierarchy): (WebCore::InspectorLayerTreeAgent::gatherLayersUsingRenderLayerHierarchy): * inspector/InspectorLayerTreeAgent.h: * inspector/InspectorMemoryAgent.h: * inspector/InspectorPageAgent.cpp: (WebCore::buildArrayForCookies): (WebCore::InspectorPageAgent::getCookies): 
(WebCore::InspectorPageAgent::searchInResource): (WebCore::InspectorPageAgent::searchInResources): (WebCore::InspectorPageAgent::buildObjectForFrameTree): * inspector/InspectorPageAgent.h: * inspector/InspectorProfilerAgent.cpp: (WebCore::InspectorProfilerAgent::getProfileHeaders): * inspector/InspectorProfilerAgent.h: * inspector/InspectorResourceAgent.h: * inspector/InspectorRuntimeAgent.cpp: (WebCore::InspectorRuntimeAgent::getProperties): * inspector/InspectorRuntimeAgent.h: * inspector/InspectorState.h: * inspector/InspectorStyleSheet.cpp: (WebCore::asCSSRuleList): (WebCore::InspectorStyle::buildArrayForComputedStyle): (WebCore::InspectorStyle::styleWithProperties): (WebCore::selectorsFromSource): (WebCore::InspectorStyleSheet::buildObjectForSelectorList): (WebCore::InspectorStyleSheet::buildObjectForRule): (WebCore::InspectorStyleSheet::lineEndings): (WebCore::InspectorStyleSheet::buildArrayForRuleList): (WebCore::InspectorStyleSheetForInlineStyle::lineEndings): * inspector/InspectorStyleSheet.h: * inspector/InspectorValues.cpp: (WebCore::InspectorArrayBase::writeJSON): * inspector/InspectorValues.h: * inspector/PageRuntimeAgent.cpp: (WebCore::PageRuntimeAgent::reportExecutionContextCreation): * inspector/ScriptCallStack.cpp: (WebCore::ScriptCallStack::buildInspectorArray): * inspector/ScriptCallStack.h: * loader/CrossOriginPreflightResultCache.h: * loader/DocumentLoader.cpp: (WebCore::cancelAll): (WebCore::setAllDefersLoading): (WebCore::DocumentLoader::getSubresources): * loader/DocumentLoader.h: * loader/FormState.h: * loader/FormSubmission.cpp: (WebCore::FormSubmission::create): * loader/ProgressTracker.h: * loader/ResourceLoadScheduler.h: * loader/TextTrackLoader.cpp: (WebCore::TextTrackLoader::getNewCues): (WebCore::TextTrackLoader::getNewRegions): * loader/TextTrackLoader.h: * loader/WorkerThreadableLoader.cpp: (WebCore::workerGlobalScopeDidReceiveData): (WebCore::WorkerThreadableLoader::MainThreadBridge::didReceiveData): * 
loader/appcache/ApplicationCache.cpp: (WebCore::ApplicationCache::removeResource): (WebCore::ApplicationCache::dump): * loader/appcache/ApplicationCache.h: * loader/appcache/ApplicationCacheStorage.cpp: (WebCore::ApplicationCacheStorage::getOriginsWithCache): * loader/archive/Archive.cpp: (WebCore::Archive::clearAllSubframeArchives): (WebCore::Archive::clearAllSubframeArchivesImpl): * loader/archive/Archive.h: (WebCore::Archive::subresources): (WebCore::Archive::subframeArchives): * loader/archive/ArchiveResourceCollection.cpp: (WebCore::ArchiveResourceCollection::addAllResources): * loader/archive/ArchiveResourceCollection.h: * loader/archive/cf/LegacyWebArchive.cpp: (WebCore::LegacyWebArchive::createPropertyListRepresentation): (WebCore::LegacyWebArchive::create): (WebCore::LegacyWebArchive::createFromSelection): * loader/archive/cf/LegacyWebArchive.h: * loader/archive/mhtml/MHTMLParser.h: * loader/cache/CachedResource.h: * loader/cache/CachedResourceLoader.h: * loader/cache/MemoryCache.h: * loader/icon/IconDatabase.cpp: (WebCore::IconDatabase::notifyPendingLoadDecisions): * loader/icon/IconDatabase.h: * page/CaptionUserPreferencesMediaAF.cpp: (WebCore::CaptionUserPreferencesMediaAF::sortedTrackListForMenu): * page/CaptionUserPreferencesMediaAF.h: * page/ChromeClient.h: (WebCore::ChromeClient::didAssociateFormControls): * page/Console.h: * page/ContentSecurityPolicy.h: * page/DOMWindow.cpp: (WebCore::DOMWindow::getMatchedCSSRules): * page/DeviceController.cpp: (WebCore::DeviceController::dispatchDeviceEvent): (WebCore::DeviceController::fireDeviceEvent): * page/DeviceController.h: * page/EditorClient.h: * page/EventHandler.cpp: (WebCore::EventHandler::handleTouchEvent): * page/EventHandler.h: * page/FrameView.cpp: (WebCore::FrameView::serviceScriptedAnimations): * page/Page.cpp: (WebCore::Page::findStringMatchingRanges): * page/Page.h: * page/PageGroup.h: * page/Performance.cpp: (WebCore::Performance::webkitGetEntriesByType): 
(WebCore::Performance::webkitGetEntriesByName): * page/Performance.h: * page/PerformanceEntryList.cpp: (WebCore::PerformanceEntryList::appendAll): * page/PerformanceEntryList.h: * page/SecurityOriginHash.h: * page/SecurityPolicy.cpp: * page/SpeechInputResult.h: * page/animation/AnimationController.cpp: (WebCore::AnimationControllerPrivate::fireEventsAndUpdateStyle): * page/animation/AnimationControllerPrivate.h: * page/animation/CSSPropertyAnimation.cpp: (WebCore::CSSPropertyAnimationWrapperMap::CSSPropertyAnimationWrapperMap): * page/animation/CompositeAnimation.h: * page/scrolling/ScrollingStateNode.cpp: (WebCore::ScrollingStateNode::appendChild): * page/scrolling/ScrollingStateNode.h: (WebCore::ScrollingStateNode::children): * page/scrolling/ScrollingThread.cpp: (WebCore::ScrollingThread::dispatchFunctionsFromScrollingThread): * page/scrolling/ScrollingThread.h: * page/scrolling/ScrollingTree.cpp: (WebCore::ScrollingTree::updateTreeFromStateNode): * page/scrolling/ScrollingTreeNode.cpp: (WebCore::ScrollingTreeNode::appendChild): * page/scrolling/ScrollingTreeNode.h: * page/scrolling/mac/ScrollingCoordinatorMac.mm: (WebCore::ScrollingCoordinatorMac::syncChildPositions): * platform/CrossThreadCopier.cpp: * platform/CrossThreadCopier.h: * platform/DragData.h: * platform/MainThreadTask.h: * platform/PODFreeListArena.h: (WebCore::PODFreeListArena::freeObject): (WebCore::PODFreeListArena::allocate): * platform/PODIntervalTree.h: * platform/PODRedBlackTree.h: (WebCore::PODRedBlackTree::PODRedBlackTree): * platform/PlatformSpeechSynthesizer.cpp: (WebCore::PlatformSpeechSynthesizer::voiceList): * platform/PlatformSpeechSynthesizer.h: * platform/RunLoop.h: * platform/ScrollView.cpp: (WebCore::ScrollView::frameRectsChanged): (WebCore::ScrollView::clipRectChanged): (WebCore::ScrollView::setParentVisible): (WebCore::ScrollView::show): (WebCore::ScrollView::hide): * platform/ScrollView.h: * platform/SharedBuffer.h: * platform/Supplementable.h: 
(WebCore::Supplement::provideTo): (WebCore::Supplementable::provideSupplement): * platform/URL.cpp: (WebCore::findHostnamesInMailToURL): (WebCore::encodeHostnames): * platform/audio/AudioBus.h: * platform/audio/AudioDSPKernelProcessor.h: * platform/audio/AudioResampler.h: * platform/audio/DynamicsCompressor.h: * platform/audio/DynamicsCompressorKernel.h: * platform/audio/HRTFDatabase.h: * platform/audio/HRTFKernel.h: * platform/audio/MultiChannelResampler.h: * platform/audio/Reverb.h: * platform/audio/ReverbConvolver.h: * platform/cf/SharedBufferCF.cpp: (WebCore::SharedBuffer::copyBufferAndClear): (WebCore::SharedBuffer::copySomeDataFromDataArray): * platform/graphics/FloatPolygon.cpp: (WebCore::FloatPolygon::FloatPolygon): * platform/graphics/FloatPolygon.h: * platform/graphics/FontCache.cpp: (WebCore::FontCache::getCachedFontData): (WebCore::FontCache::purgeInactiveFontData): * platform/graphics/GlyphMetricsMap.h: (WebCore::::locatePageSlowCase): * platform/graphics/GlyphPageTreeNode.h: * platform/graphics/GraphicsContext3D.h: * platform/graphics/GraphicsLayer.cpp: * platform/graphics/GraphicsLayer.h: * platform/graphics/PlatformTextTrackMenu.h: * platform/graphics/SimpleFontData.h: * platform/graphics/WidthCache.h: * platform/graphics/avfoundation/InbandTextTrackPrivateAVF.h: * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.cpp: (WebCore::MediaPlayerPrivateAVFoundation::processNewAndRemovedTextTracks): * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.h: * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.h: * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm: (WebCore::MediaPlayerPrivateAVFoundationObjC::processLegacyClosedCaptionsTracks): (WebCore::MediaPlayerPrivateAVFoundationObjC::processMediaSelectionOptions): * platform/graphics/ca/GraphicsLayerCA.cpp: (WebCore::GraphicsLayerCA::setFilterAnimationKeyframes): (WebCore::GraphicsLayerCA::fetchCloneLayers): * 
platform/graphics/ca/GraphicsLayerCA.h: * platform/graphics/ca/PlatformCAAnimation.h: * platform/graphics/ca/PlatformCALayer.h: * platform/graphics/ca/mac/LayerPool.h: * platform/graphics/ca/mac/PlatformCAAnimationMac.mm: (PlatformCAAnimation::setValues): * platform/graphics/ca/mac/TileController.h: * platform/graphics/cg/SubimageCacheWithTimer.h: * platform/graphics/filters/CustomFilterParameterList.h: * platform/graphics/filters/FilterEffect.h: * platform/graphics/filters/FilterOperations.h: (WebCore::FilterOperations::operations): * platform/graphics/gpu/Texture.cpp: (WebCore::Texture::Texture): (WebCore::Texture::create): * platform/graphics/gpu/Texture.h: * platform/graphics/mac/ComplexTextController.h: * platform/graphics/mac/SimpleFontDataCoreText.cpp: (WebCore::SimpleFontData::getCFStringAttributes): * platform/graphics/transforms/TransformOperations.h: (WebCore::TransformOperations::operations): * platform/ios/PasteboardIOS.mm: (WebCore::documentFragmentWithRTF): * platform/mac/PlatformSpeechSynthesizerMac.mm: (-[WebSpeechSynthesisWrapper speakUtterance:WebCore::]): * platform/mediastream/MediaStreamDescriptor.h: * platform/mediastream/MediaStreamSource.h: * platform/mediastream/RTCConfiguration.h: * platform/network/BlobRegistryImpl.h: * platform/network/HTTPHeaderMap.h: * platform/network/ResourceResponseBase.cpp: (WebCore::ResourceResponseBase::parseCacheControlDirectives): (WebCore::parseCacheHeader): * platform/network/cf/ResourceHandleCFNet.cpp: (WebCore::clientCerts): (WebCore::ResourceHandle::createCFURLConnection): * platform/text/cf/HyphenationCF.cpp: (WebCore::::createValueForNullKey): (WebCore::::createValueForKey): (WebCore::cfLocaleCache): * plugins/PluginMainThreadScheduler.h: * rendering/HitTestResult.h: * rendering/InlineFlowBox.h: * rendering/RenderBlock.cpp: (WebCore::RenderBlock::paintContinuationOutlines): (WebCore::RenderBlock::removeFromTrackedRendererMaps): * rendering/RenderBlock.h: * rendering/RenderButton.h: * 
rendering/RenderCounter.cpp: * rendering/RenderGrid.cpp: (WebCore::RenderGrid::GridIterator::GridIterator): * rendering/RenderGrid.h: * rendering/RenderLayer.cpp: (WebCore::RenderLayer::updateDescendantsAreContiguousInStackingOrder): (WebCore::RenderLayer::rebuildZOrderLists): (WebCore::RenderLayer::collectLayers): * rendering/RenderLayer.h: * rendering/RenderNamedFlowThread.cpp: (WebCore::RenderNamedFlowThread::getRanges): * rendering/RenderNamedFlowThread.h: * rendering/RenderRegion.cpp: (WebCore::RenderRegion::getRanges): * rendering/RenderRegion.h: * rendering/RenderView.cpp: (WebCore::RenderView::selectionBounds): (WebCore::RenderView::setSelection): * rendering/RootInlineBox.h: * rendering/shapes/PolygonShape.cpp: (WebCore::computeShapePaddingBounds): (WebCore::computeShapeMarginBounds): * rendering/shapes/PolygonShape.h: (WebCore::PolygonShape::PolygonShape): * rendering/shapes/Shape.cpp: (WebCore::createPolygonShape): (WebCore::Shape::createShape): * rendering/shapes/ShapeInfo.h: * rendering/shapes/ShapeInterval.h: * rendering/style/QuotesData.cpp: (WebCore::QuotesData::create): (WebCore::QuotesData::QuotesData): * rendering/style/QuotesData.h: * rendering/style/RenderStyle.cpp: (WebCore::requireTransformOrigin): (WebCore::RenderStyle::applyTransform): * rendering/style/StyleGridData.h: * rendering/svg/RenderSVGResourceGradient.h: * rendering/svg/RenderSVGResourcePattern.h: * rendering/svg/SVGResourcesCache.h: * storage/StorageEventDispatcher.cpp: (WebCore::StorageEventDispatcher::dispatchSessionStorageEvents): (WebCore::StorageEventDispatcher::dispatchLocalStorageEvents): (WebCore::StorageEventDispatcher::dispatchSessionStorageEventsToFrames): (WebCore::StorageEventDispatcher::dispatchLocalStorageEventsToFrames): * storage/StorageEventDispatcher.h: * storage/StorageNamespaceImpl.h: * storage/StorageThread.h: * storage/StorageTracker.cpp: (WebCore::StorageTracker::origins): * storage/StorageTracker.h: * svg/SVGAnimatedPath.cpp: 
(WebCore::SVGAnimatedPathAnimator::startAnimValAnimation): * svg/SVGAnimatedTypeAnimator.cpp: (WebCore::SVGElementAnimatedProperties::SVGElementAnimatedProperties): (WebCore::SVGAnimatedTypeAnimator::findAnimatedPropertiesForAttributeName): * svg/SVGAnimatedTypeAnimator.h: * svg/SVGDocumentExtensions.cpp: (WebCore::SVGDocumentExtensions::startAnimations): (WebCore::SVGDocumentExtensions::dispatchSVGLoadEventToOutermostSVGElements): (WebCore::SVGDocumentExtensions::addPendingResource): (WebCore::SVGDocumentExtensions::isElementPendingResources): (WebCore::SVGDocumentExtensions::removeElementFromPendingResources): (WebCore::SVGDocumentExtensions::setOfElementsReferencingTarget): (WebCore::SVGDocumentExtensions::addElementReferencingTarget): (WebCore::SVGDocumentExtensions::rebuildAllElementReferencesForTarget): * svg/SVGDocumentExtensions.h: * svg/SVGFontElement.h: * svg/SVGGlyphMap.h: * svg/SVGMarkerElement.cpp: (WebCore::SVGMarkerElement::orientTypeAnimated): * svg/SVGMarkerElement.h: * svg/SVGPathSegList.h: * svg/animation/SMILTimeContainer.h: * svg/graphics/SVGImageCache.h: * svg/graphics/filters/SVGFilterBuilder.h: (WebCore::SVGFilterBuilder::addBuiltinEffects): * svg/properties/SVGAnimatedEnumerationPropertyTearOff.h: (WebCore::SVGAnimatedEnumerationPropertyTearOff::create): * svg/properties/SVGAnimatedListPropertyTearOff.h: (WebCore::SVGAnimatedListPropertyTearOff::create): * svg/properties/SVGAnimatedPropertyTearOff.h: (WebCore::SVGAnimatedPropertyTearOff::create): * svg/properties/SVGAnimatedStaticPropertyTearOff.h: (WebCore::SVGAnimatedStaticPropertyTearOff::create): * svg/properties/SVGAttributeToPropertyMap.cpp: (WebCore::SVGAttributeToPropertyMap::animatedPropertiesForAttribute): * svg/properties/SVGAttributeToPropertyMap.h: * svg/properties/SVGStaticListPropertyTearOff.h: (WebCore::SVGStaticListPropertyTearOff::create): * svg/properties/SVGTransformListPropertyTearOff.h: (WebCore::SVGTransformListPropertyTearOff::create): 
(WebCore::SVGTransformListPropertyTearOff::createSVGTransformFromMatrix): (WebCore::SVGTransformListPropertyTearOff::consolidate): * workers/DefaultSharedWorkerRepository.h: * workers/WorkerMessagingProxy.h: * xml/XMLHttpRequestProgressEventThrottle.cpp: (WebCore::XMLHttpRequestProgressEventThrottle::dispatchDeferredEvents): * xml/XMLHttpRequestProgressEventThrottle.h: * xml/XPathNodeSet.cpp: (WebCore::XPath::NodeSet::sort): (WebCore::XPath::NodeSet::traversalSort): * xml/XSLStyleSheet.h: * xml/parser/XMLDocumentParserLibxml2.cpp: Source/WebKit/mac: * History/WebHistory.mm: (-[WebHistoryPrivate rebuildHistoryByDayIfNeeded:]): * History/WebHistoryItem.mm: (-[WebHistoryItem initFromDictionaryRepresentation:]): * Plugins/Hosted/NetscapePluginHostProxy.h: * Plugins/Hosted/NetscapePluginInstanceProxy.h: * Plugins/Hosted/NetscapePluginInstanceProxy.mm: (WebKit::NetscapePluginInstanceProxy::LocalObjectMap::idForObject): (WebKit::NetscapePluginInstanceProxy::LocalObjectMap::retain): (WebKit::NetscapePluginInstanceProxy::LocalObjectMap::release): (WebKit::NetscapePluginInstanceProxy::LocalObjectMap::forget): (WebKit::NetscapePluginInstanceProxy::stopAllStreams): * Plugins/WebNetscapePluginView.h: * Plugins/WebNetscapePluginView.mm: (-[WebNetscapePluginView destroyPlugin]): * Storage/WebDatabaseManager.mm: (-[WebDatabaseManager origins]): * Storage/WebStorageManager.mm: (-[WebStorageManager origins]): * WebCoreSupport/WebApplicationCache.mm: (+[WebApplicationCache originsWithCache]): * WebCoreSupport/WebEditorClient.h: * WebCoreSupport/WebEditorClient.mm: (WebEditorClient::getClientPasteboardDataForRange): (WebEditorClient::documentFragmentFromAttributedString): * WebCoreSupport/WebFrameLoaderClient.h: * WebCoreSupport/WebNotificationClient.h: * WebCoreSupport/WebNotificationClient.mm: (WebNotificationClient::show): (WebNotificationClient::clearNotifications): * WebView/WebArchive.mm: (-[WebArchive initWithMainResource:subresources:subframeArchives:]): (-[WebArchive 
subresources]): (-[WebArchive subframeArchives]): * WebView/WebDataSource.mm: (-[WebDataSource subresources]): * WebView/WebViewData.h: Source/WebKit2: * UIProcess/mac/WebColorPickerMac.h: * WebProcess/InjectedBundle/API/mac/WKWebProcessPlugIn.mm: * WebProcess/WebProcess.cpp: (WebKit::WebProcess::setProcessSuppressionEnabled): Source/WTF: * wtf/AVLTree.h: * wtf/CheckedArithmetic.h: * wtf/Compression.h: * wtf/Functional.h: (WTF::R): * wtf/HashFunctions.h: * wtf/HashIterators.h: * wtf/HashSet.h: (WTF::::contains): * wtf/ListHashSet.h: (WTF::::contains): * wtf/RefCountedLeakCounter.cpp: * wtf/RetainPtr.h: * wtf/SentinelLinkedList.h: (WTF::::remove): * wtf/SizeLimits.cpp: * wtf/StreamBuffer.h: * wtf/Vector.h: * wtf/VectorTraits.h: * wtf/WeakPtr.h: (WTF::WeakReference::create): (WTF::WeakReference::createUnbound): (WTF::WeakPtr::WeakPtr): (WTF::WeakPtrFactory::WeakPtrFactory): * wtf/text/AtomicString.cpp: (WTF::AtomicString::add): (WTF::findString): * wtf/text/StringConcatenate.h: * wtf/text/StringImpl.h: * wtf/text/StringOperators.h: (WTF::operator+): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157653 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 02 Oct, 2013 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=122248
Reviewed by Michael Saboff.

This makes it possible to have the DFG use different registers than the other engines for things like activation and arguments.

* dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::setLocalStoreElimination):
* dfg/DFGClobberize.h: (JSC::DFG::clobberize):
* dfg/DFGGraph.h: (JSC::DFG::Graph::activationRegister): (JSC::DFG::Graph::uncheckedActivationRegister):
* dfg/DFGOSRExitCompiler32_64.cpp: (JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):
* jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::baselineArgumentsRegisterFor):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156817 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 27 Sep, 2013 1 commit
fpizlo@apple.com authored
Get rid of SetMyScope/SetCallee; use normal variables for the scope and callee of inlined call frames of closures
https://bugs.webkit.org/show_bug.cgi?id=122047
Reviewed by Oliver Hunt.

Currently we have the DFG reserve space for inline call frames at exactly the same stack offsets that you would have gotten if the baseline interpreter/JIT had made the calls. We need to get rid of that.

One of the weirder parts of this is that we have special DFG operations for accessing these inlined call frame headers. It's really hard for any analysis of DFG IR to see what the liveness of any of those frame header "variables" is; the liveness behaves like flushed arguments (it's all live until end of the inlinee) but we don't have anything like a Flush node for those special variables.

This patch gets rid of the special operations for accessing inline call frame headers. GetMyScope and GetCallee still remain, and are only for accessing the machine call frame's scope/callee entries. The inline call frame's scope/callee now behave like normal variables, and have Flush behavior just like inline arguments.

* dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::getDirect): (JSC::DFG::ByteCodeParser::get): (JSC::DFG::ByteCodeParser::setDirect): (JSC::DFG::ByteCodeParser::set): (JSC::DFG::ByteCodeParser::setLocal): (JSC::DFG::ByteCodeParser::setArgument): (JSC::DFG::ByteCodeParser::flush): (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::getScope): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::getCalleeLoadElimination): (JSC::DFG::CSEPhase::getMyScopeLoadElimination): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156594 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 18 Sep, 2013 2 commits
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=121064

Source/JavaScriptCore:
Reviewed by Oliver Hunt.

This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on programs that have local int32 overflows but where a larger int representation can prevent us from having to convert all the way up to double. It's a small speed-up for now. But we're just supporting Int52 for a handful of operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays the groundwork for adding Int52 to JSValue, which will probably be a bigger speed-up.

The basic approach is:
- We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop or HeapTop - i.e. it doesn't arise from JSValues.
- DFG treats Int52 as being part of its FullTop and will treat it as being a subtype of double unless instructed otherwise.
- Prediction propagator creates Int52s whenever we have a node going doubly but due to large values rather than fractional values, and that node is known to be able to produce Int52 natively in the DFG backend.
- Fixup phase converts edges to MachineIntUses in nodes that are known to be able to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted input.
- The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that are left-shifted by 16 (great for overflow checks) and ones that are sign-extended. Both backends know how to convert between Int52s and the other representations.

* assembler/MacroAssemblerX86_64.h: (JSC::MacroAssemblerX86_64::rshift64): (JSC::MacroAssemblerX86_64::mul64): (JSC::MacroAssemblerX86_64::branchMul64): (JSC::MacroAssemblerX86_64::branchNeg64): (JSC::MacroAssemblerX86_64::convertInt64ToDouble): * assembler/X86Assembler.h: (JSC::X86Assembler::imulq_rr): (JSC::X86Assembler::cvtsi2sdq_rr): * bytecode/DataFormat.h: (JSC::dataFormatToString): * bytecode/ExitKind.cpp: (JSC::exitKindToString): * bytecode/ExitKind.h: * bytecode/OperandsInlines.h: (JSC::::dumpInContext): * bytecode/SpeculatedType.cpp: (JSC::dumpSpeculation): (JSC::speculationToAbbreviatedString): (JSC::speculationFromValue): * bytecode/SpeculatedType.h: (JSC::isInt32SpeculationForArithmetic): (JSC::isInt52Speculation): (JSC::isMachineIntSpeculationForArithmetic): (JSC::isInt52AsDoubleSpeculation): (JSC::isBytecodeRealNumberSpeculation): (JSC::isFullRealNumberSpeculation): (JSC::isBytecodeNumberSpeculation): (JSC::isFullNumberSpeculation): (JSC::isBytecodeNumberSpeculationExpectingDefined): (JSC::isFullNumberSpeculationExpectingDefined): * bytecode/ValueRecovery.h: (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52): (JSC::ValueRecovery::inGPR): (JSC::ValueRecovery::displacedInJSStack): (JSC::ValueRecovery::isAlreadyInJSStack): (JSC::ValueRecovery::gpr): (JSC::ValueRecovery::virtualRegister): (JSC::ValueRecovery::dumpInContext): * dfg/DFGAbstractInterpreter.h: (JSC::DFG::AbstractInterpreter::needsTypeCheck): (JSC::DFG::AbstractInterpreter::filterByType): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::set): (JSC::DFG::AbstractValue::checkConsistency): * dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::couldBeType): (JSC::DFG::AbstractValue::isType): (JSC::DFG::AbstractValue::checkConsistency): (JSC::DFG::AbstractValue::validateType): * dfg/DFGArrayMode.cpp: (JSC::DFG::ArrayMode::refine): * dfg/DFGAssemblyHelpers.h: (JSC::DFG::AssemblyHelpers::boxInt52): * dfg/DFGByteCodeParser.cpp: 
(JSC::DFG::ByteCodeParser::makeSafe): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::pureCSE): (JSC::DFG::CSEPhase::getByValLoadElimination): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGCommon.h: (JSC::DFG::enableInt52): * dfg/DFGDCEPhase.cpp: (JSC::DFG::DCEPhase::fixupBlock): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::run): (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): (JSC::DFG::FixupPhase::observeUseKindOnNode): (JSC::DFG::FixupPhase::fixEdge): (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): * dfg/DFGFlushFormat.cpp: (WTF::printInternal): * dfg/DFGFlushFormat.h: (JSC::DFG::resultFor): (JSC::DFG::useKindFor): * dfg/DFGGenerationInfo.h: (JSC::DFG::GenerationInfo::initInt52): (JSC::DFG::GenerationInfo::initStrictInt52): (JSC::DFG::GenerationInfo::isFormat): (JSC::DFG::GenerationInfo::isInt52): (JSC::DFG::GenerationInfo::isStrictInt52): (JSC::DFG::GenerationInfo::fillInt52): (JSC::DFG::GenerationInfo::fillStrictInt52): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGGraph.h: (JSC::DFG::Graph::addShouldSpeculateMachineInt): (JSC::DFG::Graph::mulShouldSpeculateMachineInt): (JSC::DFG::Graph::negateShouldSpeculateMachineInt): * dfg/DFGInPlaceAbstractState.cpp: (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): * dfg/DFGJITCode.cpp: (JSC::DFG::JITCode::reconstruct): * dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::noticeOSREntry): * dfg/DFGMinifiedNode.h: (JSC::DFG::belongsInMinifiedGraph): (JSC::DFG::MinifiedNode::hasChild): * dfg/DFGNode.h: (JSC::DFG::Node::shouldSpeculateNumber): (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): (JSC::DFG::Node::canSpeculateInt52): * dfg/DFGNodeFlags.h: (JSC::DFG::nodeCanSpeculateInt52): * dfg/DFGNodeType.h: (JSC::DFG::permitsOSRBackwardRewiring): (JSC::DFG::forwardRewiringSelectionScore): * dfg/DFGOSREntry.cpp: 
(JSC::DFG::prepareOSREntry): * dfg/DFGOSREntry.h: * dfg/DFGOSRExitCompiler.cpp: * dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction): (JSC::DFG::PredictionPropagationPhase::propagate): (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): * dfg/DFGSafeToExecute.h: (JSC::DFG::SafeToExecuteEdge::operator()): (JSC::DFG::safeToExecute): * dfg/DFGSilentRegisterSavePlan.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): (JSC::DFG::SpeculativeJIT::silentFill): (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): (JSC::DFG::SpeculativeJIT::compileInlineStart): (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): (JSC::DFG::SpeculativeJIT::compileValueToInt32): (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): (JSC::DFG::SpeculativeJIT::compileAdd): (JSC::DFG::SpeculativeJIT::compileArithSub): (JSC::DFG::SpeculativeJIT::compileArithNegate): (JSC::DFG::SpeculativeJIT::compileArithMul): (JSC::DFG::SpeculativeJIT::compare): (JSC::DFG::SpeculativeJIT::compileStrictEq): (JSC::DFG::SpeculativeJIT::speculateMachineInt): (JSC::DFG::SpeculativeJIT::speculateNumber): (JSC::DFG::SpeculativeJIT::speculateRealNumber): (JSC::DFG::SpeculativeJIT::speculate): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::canReuse): (JSC::DFG::SpeculativeJIT::isFilled): (JSC::DFG::SpeculativeJIT::isFilledDouble): (JSC::DFG::SpeculativeJIT::use): (JSC::DFG::SpeculativeJIT::isKnownInteger): (JSC::DFG::SpeculativeJIT::isKnownCell): (JSC::DFG::SpeculativeJIT::isKnownNotNumber): (JSC::DFG::SpeculativeJIT::int52Result): (JSC::DFG::SpeculativeJIT::strictInt52Result): (JSC::DFG::SpeculativeJIT::initConstantInfo): (JSC::DFG::SpeculativeJIT::isInteger): (JSC::DFG::SpeculativeJIT::betterUseStrictInt52): 
(JSC::DFG::SpeculativeJIT::generationInfo): (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand): (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand): (JSC::DFG::SpeculateInt52Operand::edge): (JSC::DFG::SpeculateInt52Operand::node): (JSC::DFG::SpeculateInt52Operand::gpr): (JSC::DFG::SpeculateInt52Operand::use): (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand): (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand): (JSC::DFG::SpeculateStrictInt52Operand::edge): (JSC::DFG::SpeculateStrictInt52Operand::node): (JSC::DFG::SpeculateStrictInt52Operand::gpr): (JSC::DFG::SpeculateStrictInt52Operand::use): (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand): (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand): (JSC::DFG::SpeculateWhicheverInt52Operand::edge): (JSC::DFG::SpeculateWhicheverInt52Operand::node): (JSC::DFG::SpeculateWhicheverInt52Operand::gpr): (JSC::DFG::SpeculateWhicheverInt52Operand::use): (JSC::DFG::SpeculateWhicheverInt52Operand::format): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::boxInt52): (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compileInt52Compare): (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGUseKind.cpp: (WTF::printInternal): * dfg/DFGUseKind.h: (JSC::DFG::typeFilterFor): (JSC::DFG::isNumerical): * dfg/DFGValueSource.cpp: (JSC::DFG::ValueSource::dump): * dfg/DFGValueSource.h: (JSC::DFG::dataFormatToValueSourceKind): (JSC::DFG::valueSourceKindToDataFormat): (JSC::DFG::ValueSource::forFlushFormat): 
(JSC::DFG::ValueSource::valueRecovery): * dfg/DFGVariableAccessData.h: (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): (JSC::DFG::VariableAccessData::flushFormat): * ftl/FTLCArgumentGetter.cpp: (JSC::FTL::CArgumentGetter::loadNextAndBox): * ftl/FTLCArgumentGetter.h: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLExitValue.cpp: (JSC::FTL::ExitValue::dumpInContext): * ftl/FTLExitValue.h: (JSC::FTL::ExitValue::inJSStackAsInt52): * ftl/FTLIntrinsicRepository.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::createPhiVariables): (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileUpsilon): (JSC::FTL::LowerDFGToLLVM::compilePhi): (JSC::FTL::LowerDFGToLLVM::compileSetLocal): (JSC::FTL::LowerDFGToLLVM::compileAdd): (JSC::FTL::LowerDFGToLLVM::compileArithSub): (JSC::FTL::LowerDFGToLLVM::compileArithMul): (JSC::FTL::LowerDFGToLLVM::compileArithNegate): (JSC::FTL::LowerDFGToLLVM::compilePutByVal): (JSC::FTL::LowerDFGToLLVM::compileCompareEq): (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): (JSC::FTL::LowerDFGToLLVM::compileCompareLess): (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq): (JSC::FTL::LowerDFGToLLVM::compileCompareGreater): (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq): (JSC::FTL::LowerDFGToLLVM::lowInt32): (JSC::FTL::LowerDFGToLLVM::lowInt52): (JSC::FTL::LowerDFGToLLVM::lowStrictInt52): (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52): (JSC::FTL::LowerDFGToLLVM::bestInt52Kind): (JSC::FTL::LowerDFGToLLVM::opposite): (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52): (JSC::FTL::LowerDFGToLLVM::lowCell): (JSC::FTL::LowerDFGToLLVM::lowBoolean): (JSC::FTL::LowerDFGToLLVM::lowDouble): (JSC::FTL::LowerDFGToLLVM::lowJSValue): (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32): (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble): (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue): (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52): 
(JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52): (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall): (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): (JSC::FTL::LowerDFGToLLVM::setInt52): (JSC::FTL::LowerDFGToLLVM::setStrictInt52): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): * ftl/FTLOutput.h: (JSC::FTL::Output::addWithOverflow64): (JSC::FTL::Output::subWithOverflow64): (JSC::FTL::Output::mulWithOverflow64): * ftl/FTLValueFormat.cpp: (WTF::printInternal): * ftl/FTLValueFormat.h: * ftl/FTLValueSource.cpp: (JSC::FTL::ValueSource::dump): * ftl/FTLValueSource.h: * interpreter/Register.h: (JSC::Register::unboxedInt52): * runtime/Arguments.cpp: (JSC::Arguments::tearOffForInlineCallFrame): * runtime/IndexingType.cpp: (JSC::leastUpperBoundOfIndexingTypeAndType): * runtime/JSCJSValue.h: * runtime/JSCJSValueInlines.h: (JSC::JSValue::isMachineInt): (JSC::JSValue::asMachineInt): Source/WTF: Reviewed by Oliver Hunt. * wtf/PrintStream.h: (WTF::ValueIgnoringContext::ValueIgnoringContext): (WTF::ValueIgnoringContext::dump): (WTF::ignoringContext): Tools: Reviewed by Oliver Hunt. * Scripts/run-jsc-stress-tests: LayoutTests: Reviewed by Oliver Hunt. * js/dfg-int-overflow-large-constants-in-a-line-expected.txt: * js/regress/large-int-captured-expected.txt: Added. * js/regress/large-int-captured.html: Added. * js/regress/large-int-expected.txt: Added. * js/regress/large-int-neg-expected.txt: Added. * js/regress/large-int-neg.html: Added. * js/regress/large-int.html: Added. * js/regress/marsaglia-larger-ints-expected.txt: Added. * js/regress/marsaglia-larger-ints.html: Added. * js/regress/script-tests/large-int-captured.js: Added. (.bar): (foo): * js/regress/script-tests/large-int-neg.js: Added. (foo): * js/regress/script-tests/large-int.js: Added. (foo): * js/regress/script-tests/marsaglia-larger-ints.js: Added. 
(uint): (marsaglia): * js/script-tests/dfg-int-overflow-large-constants-in-a-line.js: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156047 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
commit-queue@webkit.org authored
http://trac.webkit.org/changeset/156019 http://trac.webkit.org/changeset/156020 https://bugs.webkit.org/show_bug.cgi?id=121540 Broke tests (Requested by ap on #webkit). Source/JavaScriptCore: * assembler/MacroAssemblerX86_64.h: * assembler/X86Assembler.h: * bytecode/DataFormat.h: (JSC::dataFormatToString): * bytecode/ExitKind.cpp: (JSC::exitKindToString): * bytecode/ExitKind.h: * bytecode/OperandsInlines.h: (JSC::::dumpInContext): * bytecode/SpeculatedType.cpp: (JSC::dumpSpeculation): (JSC::speculationToAbbreviatedString): (JSC::speculationFromValue): * bytecode/SpeculatedType.h: (JSC::isInt32SpeculationForArithmetic): (JSC::isInt48Speculation): (JSC::isMachineIntSpeculationForArithmetic): (JSC::isInt48AsDoubleSpeculation): (JSC::isRealNumberSpeculation): (JSC::isNumberSpeculation): (JSC::isNumberSpeculationExpectingDefined): * bytecode/ValueRecovery.h: (JSC::ValueRecovery::inGPR): (JSC::ValueRecovery::displacedInJSStack): (JSC::ValueRecovery::isAlreadyInJSStack): (JSC::ValueRecovery::gpr): (JSC::ValueRecovery::virtualRegister): (JSC::ValueRecovery::dumpInContext): * dfg/DFGAbstractInterpreter.h: (JSC::DFG::AbstractInterpreter::needsTypeCheck): (JSC::DFG::AbstractInterpreter::filterByType): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::set): (JSC::DFG::AbstractValue::checkConsistency): * dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::validateType): * dfg/DFGArrayMode.cpp: (JSC::DFG::ArrayMode::refine): * dfg/DFGAssemblyHelpers.h: (JSC::DFG::AssemblyHelpers::unboxDouble): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::makeSafe): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::canonicalize): (JSC::DFG::CSEPhase::pureCSE): (JSC::DFG::CSEPhase::getByValLoadElimination): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGCommon.h: * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::run): (JSC::DFG::FixupPhase::fixupNode): 
(JSC::DFG::FixupPhase::fixupSetLocalsInBlock): (JSC::DFG::FixupPhase::observeUseKindOnNode): (JSC::DFG::FixupPhase::fixEdge): (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): * dfg/DFGFlushFormat.cpp: (WTF::printInternal): * dfg/DFGFlushFormat.h: (JSC::DFG::resultFor): (JSC::DFG::useKindFor): * dfg/DFGGenerationInfo.h: (JSC::DFG::GenerationInfo::initInt32): (JSC::DFG::GenerationInfo::fillInt32): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGGraph.h: (JSC::DFG::Graph::addShouldSpeculateMachineInt): (JSC::DFG::Graph::mulShouldSpeculateMachineInt): (JSC::DFG::Graph::negateShouldSpeculateMachineInt): * dfg/DFGInPlaceAbstractState.cpp: (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): * dfg/DFGJITCode.cpp: (JSC::DFG::JITCode::reconstruct): * dfg/DFGMinifiedNode.h: (JSC::DFG::belongsInMinifiedGraph): (JSC::DFG::MinifiedNode::hasChild): * dfg/DFGNode.h: (JSC::DFG::Node::shouldSpeculateNumber): (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): (JSC::DFG::Node::canSpeculateInt48): * dfg/DFGNodeFlags.h: (JSC::DFG::nodeCanSpeculateInt48): * dfg/DFGNodeType.h: (JSC::DFG::forwardRewiringSelectionScore): * dfg/DFGOSRExitCompiler.cpp: (JSC::DFG::shortOperandsDump): * dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction): (JSC::DFG::PredictionPropagationPhase::propagate): (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): * dfg/DFGSafeToExecute.h: (JSC::DFG::SafeToExecuteEdge::operator()): (JSC::DFG::safeToExecute): * dfg/DFGSilentRegisterSavePlan.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): (JSC::DFG::SpeculativeJIT::silentFill): (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): (JSC::DFG::SpeculativeJIT::compileInlineStart): (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): (JSC::DFG::SpeculativeJIT::compileValueToInt32): 
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble): (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): (JSC::DFG::SpeculativeJIT::compileAdd): (JSC::DFG::SpeculativeJIT::compileArithSub): (JSC::DFG::SpeculativeJIT::compileArithNegate): (JSC::DFG::SpeculativeJIT::compileArithMul): (JSC::DFG::SpeculativeJIT::compare): (JSC::DFG::SpeculativeJIT::compileStrictEq): (JSC::DFG::SpeculativeJIT::speculateNumber): (JSC::DFG::SpeculativeJIT::speculateRealNumber): (JSC::DFG::SpeculativeJIT::speculate): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::canReuse): (JSC::DFG::SpeculativeJIT::isFilled): (JSC::DFG::SpeculativeJIT::isFilledDouble): (JSC::DFG::SpeculativeJIT::use): (JSC::DFG::SpeculativeJIT::boxDouble): (JSC::DFG::SpeculativeJIT::isKnownInteger): (JSC::DFG::SpeculativeJIT::isKnownCell): (JSC::DFG::SpeculativeJIT::isKnownNotNumber): (JSC::DFG::SpeculativeJIT::int32Result): (JSC::DFG::SpeculativeJIT::initConstantInfo): (JSC::DFG::SpeculativeJIT::isInteger): (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGUseKind.cpp: (WTF::printInternal): * dfg/DFGUseKind.h: (JSC::DFG::typeFilterFor): (JSC::DFG::isNumerical): * dfg/DFGValueSource.cpp: (JSC::DFG::ValueSource::dump): * dfg/DFGValueSource.h: (JSC::DFG::dataFormatToValueSourceKind): (JSC::DFG::valueSourceKindToDataFormat): (JSC::DFG::ValueSource::forFlushFormat): (JSC::DFG::ValueSource::valueRecovery): * dfg/DFGVariableAccessData.h: (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): 
(JSC::DFG::VariableAccessData::flushFormat): * ftl/FTLCArgumentGetter.cpp: (JSC::FTL::CArgumentGetter::loadNextAndBox): * ftl/FTLCArgumentGetter.h: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLExitValue.cpp: (JSC::FTL::ExitValue::dumpInContext): * ftl/FTLExitValue.h: * ftl/FTLIntrinsicRepository.h: * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::createPhiVariables): (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileUpsilon): (JSC::FTL::LowerDFGToLLVM::compilePhi): (JSC::FTL::LowerDFGToLLVM::compileSetLocal): (JSC::FTL::LowerDFGToLLVM::compileAdd): (JSC::FTL::LowerDFGToLLVM::compileArithSub): (JSC::FTL::LowerDFGToLLVM::compileArithMul): (JSC::FTL::LowerDFGToLLVM::compileArithNegate): (JSC::FTL::LowerDFGToLLVM::compilePutByVal): (JSC::FTL::LowerDFGToLLVM::compileCompareEq): (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): (JSC::FTL::LowerDFGToLLVM::compileCompareLess): (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq): (JSC::FTL::LowerDFGToLLVM::compileCompareGreater): (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq): (JSC::FTL::LowerDFGToLLVM::lowInt32): (JSC::FTL::LowerDFGToLLVM::lowCell): (JSC::FTL::LowerDFGToLLVM::lowBoolean): (JSC::FTL::LowerDFGToLLVM::lowDouble): (JSC::FTL::LowerDFGToLLVM::lowJSValue): (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall): (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): (JSC::FTL::LowerDFGToLLVM::setInt32): * ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub): * ftl/FTLOutput.h: (JSC::FTL::Output::mulWithOverflow32): * ftl/FTLValueFormat.cpp: (WTF::printInternal): * ftl/FTLValueFormat.h: * ftl/FTLValueSource.cpp: (JSC::FTL::ValueSource::dump): * ftl/FTLValueSource.h: * interpreter/Register.h: * runtime/Arguments.cpp: (JSC::Arguments::tearOffForInlineCallFrame): * runtime/IndexingType.cpp: (JSC::leastUpperBoundOfIndexingTypeAndType): * runtime/JSCJSValue.h: * 
runtime/JSCJSValueInlines.h: Source/WTF: * wtf/PrintStream.h: Tools: * Scripts/run-jsc-stress-tests: LayoutTests: * js/regress/large-int-captured-expected.txt: Removed. * js/regress/large-int-captured.html: Removed. * js/regress/large-int-expected.txt: Removed. * js/regress/large-int-neg-expected.txt: Removed. * js/regress/large-int-neg.html: Removed. * js/regress/large-int.html: Removed. * js/regress/marsaglia-larger-ints-expected.txt: Removed. * js/regress/marsaglia-larger-ints.html: Removed. * js/regress/script-tests/large-int-captured.js: Removed. * js/regress/script-tests/large-int-neg.js: Removed. * js/regress/script-tests/large-int.js: Removed. * js/regress/script-tests/marsaglia-larger-ints.js: Removed. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156029 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- 17 Sep, 2013 1 commit
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=121064

Source/JavaScriptCore:
Reviewed by Oliver Hunt.

This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on programs that have local int32 overflows but where a larger int representation can prevent us from having to convert all the way up to double. It's a small speed-up for now. But we're just supporting Int52 for a handful of operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays the groundwork for adding Int52 to JSValue, which will probably be a bigger speed-up.

The basic approach is:
- We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop or HeapTop - i.e. it doesn't arise from JSValues.
- DFG treats Int52 as being part of its FullTop and will treat it as being a subtype of double unless instructed otherwise.
- Prediction propagator creates Int52s whenever we have a node going doubly but due to large values rather than fractional values, and that node is known to be able to produce Int52 natively in the DFG backend.
- Fixup phase converts edges to MachineIntUses in nodes that are known to be able to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted input.
- The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that are left-shifted by 16 (great for overflow checks) and ones that are sign-extended. Both backends know how to convert between Int52s and the other representations.

* assembler/MacroAssemblerX86_64.h: (JSC::MacroAssemblerX86_64::rshift64): (JSC::MacroAssemblerX86_64::mul64): (JSC::MacroAssemblerX86_64::branchMul64): (JSC::MacroAssemblerX86_64::branchNeg64): (JSC::MacroAssemblerX86_64::convertInt64ToDouble): * assembler/X86Assembler.h: (JSC::X86Assembler::imulq_rr): (JSC::X86Assembler::cvtsi2sdq_rr): * bytecode/DataFormat.h: (JSC::dataFormatToString): * bytecode/OperandsInlines.h: (JSC::::dumpInContext): * bytecode/SpeculatedType.cpp: (JSC::dumpSpeculation): (JSC::speculationToAbbreviatedString): (JSC::speculationFromValue): * bytecode/SpeculatedType.h: (JSC::isInt32SpeculationForArithmetic): (JSC::isMachineIntSpeculationForArithmetic): (JSC::isBytecodeRealNumberSpeculation): (JSC::isFullRealNumberSpeculation): (JSC::isBytecodeNumberSpeculation): (JSC::isFullNumberSpeculation): (JSC::isBytecodeNumberSpeculationExpectingDefined): (JSC::isFullNumberSpeculationExpectingDefined): * bytecode/ValueRecovery.h: (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52): (JSC::ValueRecovery::inGPR): (JSC::ValueRecovery::displacedInJSStack): (JSC::ValueRecovery::isAlreadyInJSStack): (JSC::ValueRecovery::gpr): (JSC::ValueRecovery::virtualRegister): (JSC::ValueRecovery::dumpInContext): * dfg/DFGAbstractInterpreter.h: (JSC::DFG::AbstractInterpreter::needsTypeCheck): (JSC::DFG::AbstractInterpreter::filterByType): * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::set): (JSC::DFG::AbstractValue::checkConsistency): * dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::couldBeType): (JSC::DFG::AbstractValue::isType): (JSC::DFG::AbstractValue::checkConsistency): (JSC::DFG::AbstractValue::validateType): * dfg/DFGArrayMode.cpp: (JSC::DFG::ArrayMode::refine): * dfg/DFGAssemblyHelpers.h: (JSC::DFG::AssemblyHelpers::boxInt52): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::pureCSE): (JSC::DFG::CSEPhase::getByValLoadElimination): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGClobberize.h: 
(JSC::DFG::clobberize): * dfg/DFGCommon.h: (JSC::DFG::enableInt52): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::run): (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): (JSC::DFG::FixupPhase::observeUseKindOnNode): (JSC::DFG::FixupPhase::fixEdge): (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): * dfg/DFGFlushFormat.cpp: (WTF::printInternal): * dfg/DFGFlushFormat.h: (JSC::DFG::resultFor): (JSC::DFG::useKindFor): * dfg/DFGGenerationInfo.h: (JSC::DFG::GenerationInfo::initInt52): (JSC::DFG::GenerationInfo::initStrictInt52): (JSC::DFG::GenerationInfo::isFormat): (JSC::DFG::GenerationInfo::isInt52): (JSC::DFG::GenerationInfo::isStrictInt52): (JSC::DFG::GenerationInfo::fillInt52): (JSC::DFG::GenerationInfo::fillStrictInt52): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGGraph.h: (JSC::DFG::Graph::addShouldSpeculateMachineInt): (JSC::DFG::Graph::mulShouldSpeculateMachineInt): (JSC::DFG::Graph::negateShouldSpeculateMachineInt): * dfg/DFGInPlaceAbstractState.cpp: (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): * dfg/DFGJITCode.cpp: (JSC::DFG::JITCode::reconstruct): * dfg/DFGMinifiedNode.h: (JSC::DFG::belongsInMinifiedGraph): (JSC::DFG::MinifiedNode::hasChild): * dfg/DFGNode.h: (JSC::DFG::Node::shouldSpeculateNumber): (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): * dfg/DFGNodeFlags.h: * dfg/DFGNodeType.h: (JSC::DFG::forwardRewiringSelectionScore): * dfg/DFGOSRExitCompiler.cpp: * dfg/DFGOSRExitCompiler64.cpp: (JSC::DFG::OSRExitCompiler::compileExit): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction): (JSC::DFG::PredictionPropagationPhase::propagate): (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): * dfg/DFGSafeToExecute.h: (JSC::DFG::SafeToExecuteEdge::operator()): (JSC::DFG::safeToExecute): * dfg/DFGSilentRegisterSavePlan.h: * 
dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): (JSC::DFG::SpeculativeJIT::silentFill): (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): (JSC::DFG::SpeculativeJIT::compileInlineStart): (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): (JSC::DFG::SpeculativeJIT::compileValueToInt32): (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): (JSC::DFG::SpeculativeJIT::compileAdd): (JSC::DFG::SpeculativeJIT::compileArithSub): (JSC::DFG::SpeculativeJIT::compileArithNegate): (JSC::DFG::SpeculativeJIT::compileArithMul): (JSC::DFG::SpeculativeJIT::compare): (JSC::DFG::SpeculativeJIT::compileStrictEq): (JSC::DFG::SpeculativeJIT::speculateMachineInt): (JSC::DFG::SpeculativeJIT::speculateNumber): (JSC::DFG::SpeculativeJIT::speculateRealNumber): (JSC::DFG::SpeculativeJIT::speculate): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::canReuse): (JSC::DFG::SpeculativeJIT::isFilled): (JSC::DFG::SpeculativeJIT::isFilledDouble): (JSC::DFG::SpeculativeJIT::use): (JSC::DFG::SpeculativeJIT::isKnownInteger): (JSC::DFG::SpeculativeJIT::isKnownCell): (JSC::DFG::SpeculativeJIT::isKnownNotNumber): (JSC::DFG::SpeculativeJIT::int52Result): (JSC::DFG::SpeculativeJIT::strictInt52Result): (JSC::DFG::SpeculativeJIT::initConstantInfo): (JSC::DFG::SpeculativeJIT::isInteger): (JSC::DFG::SpeculativeJIT::betterUseStrictInt52): (JSC::DFG::SpeculativeJIT::generationInfo): (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand): (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand): (JSC::DFG::SpeculateInt52Operand::edge): (JSC::DFG::SpeculateInt52Operand::node): (JSC::DFG::SpeculateInt52Operand::gpr): (JSC::DFG::SpeculateInt52Operand::use): (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand): (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand): (JSC::DFG::SpeculateStrictInt52Operand::edge): 
(JSC::DFG::SpeculateStrictInt52Operand::node): (JSC::DFG::SpeculateStrictInt52Operand::gpr): (JSC::DFG::SpeculateStrictInt52Operand::use): (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand): (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand): (JSC::DFG::SpeculateWhicheverInt52Operand::edge): (JSC::DFG::SpeculateWhicheverInt52Operand::node): (JSC::DFG::SpeculateWhicheverInt52Operand::gpr): (JSC::DFG::SpeculateWhicheverInt52Operand::use): (JSC::DFG::SpeculateWhicheverInt52Operand::format): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::boxInt52): (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compileInt52Compare): (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGUseKind.cpp: (WTF::printInternal): * dfg/DFGUseKind.h: (JSC::DFG::typeFilterFor): (JSC::DFG::isNumerical): * dfg/DFGValueSource.cpp: (JSC::DFG::ValueSource::dump): * dfg/DFGValueSource.h: (JSC::DFG::dataFormatToValueSourceKind): (JSC::DFG::valueSourceKindToDataFormat): (JSC::DFG::ValueSource::forFlushFormat): (JSC::DFG::ValueSource::valueRecovery): * dfg/DFGVariableAccessData.h: (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): (JSC::DFG::VariableAccessData::flushFormat): * ftl/FTLCArgumentGetter.cpp: (JSC::FTL::CArgumentGetter::loadNextAndBox): * ftl/FTLCArgumentGetter.h: * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLExitValue.cpp: (JSC::FTL::ExitValue::dumpInContext): * ftl/FTLExitValue.h: (JSC::FTL::ExitValue::inJSStackAsInt52): * ftl/FTLIntrinsicRepository.h: * 
ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::createPhiVariables): (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileUpsilon): (JSC::FTL::LowerDFGToLLVM::compilePhi): (JSC::FTL::LowerDFGToLLVM::compileSetLocal): (JSC::FTL::LowerDFGToLLVM::compileAdd): (JSC::FTL::LowerDFGToLLVM::compileArithSub): (JSC::FTL::LowerDFGToLLVM::compileArithMul): (JSC::FTL::LowerDFGToLLVM::compileArithNegate): (JSC::FTL::LowerDFGToLLVM::compilePutByVal): (JSC::FTL::LowerDFGToLLVM::compileCompareEq): (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): (JSC::FTL::LowerDFGToLLVM::compileCompareLess): (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq): (JSC::FTL::LowerDFGToLLVM::compileCompareGreater): (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq): (JSC::FTL::LowerDFGToLLVM::lowInt32): (JSC::FTL::LowerDFGToLLVM::lowInt52): (JSC::FTL::LowerDFGToLLVM::lowStrictInt52): (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52): (JSC::FTL::LowerDFGToLLVM::bestInt52Kind): (JSC::FTL::LowerDFGToLLVM::opposite): (JSC::FTL::LowerDFGToLLVM::Int52s::operator[]): (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52): (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52s): (JSC::FTL::LowerDFGToLLVM::lowOpposingInt52s): (JSC::FTL::LowerDFGToLLVM::lowCell): (JSC::FTL::LowerDFGToLLVM::lowBoolean): (JSC::FTL::LowerDFGToLLVM::lowDouble): (JSC::FTL::LowerDFGToLLVM::lowJSValue): (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32): (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble): (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue): (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52): (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52): (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall): (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): (JSC::FTL::LowerDFGToLLVM::setInt52): (JSC::FTL::LowerDFGToLLVM::setStrictInt52): * ftl/FTLOSRExitCompiler.cpp: 
(JSC::FTL::compileStub): * ftl/FTLOutput.h: (JSC::FTL::Output::addWithOverflow64): (JSC::FTL::Output::subWithOverflow64): (JSC::FTL::Output::mulWithOverflow64): * ftl/FTLValueFormat.cpp: (WTF::printInternal): * ftl/FTLValueFormat.h: * ftl/FTLValueSource.cpp: (JSC::FTL::ValueSource::dump): * ftl/FTLValueSource.h: * interpreter/Register.h: (JSC::Register::unboxedInt52): * runtime/Arguments.cpp: (JSC::Arguments::tearOffForInlineCallFrame): * runtime/IndexingType.cpp: (JSC::leastUpperBoundOfIndexingTypeAndType): * runtime/JSCJSValue.h: * runtime/JSCJSValueInlines.h: (JSC::JSValue::isMachineInt): (JSC::JSValue::asMachineInt): Source/WTF: Reviewed by Oliver Hunt. * wtf/PrintStream.h: (WTF::ValueIgnoringContext::ValueIgnoringContext): (WTF::ValueIgnoringContext::dump): (WTF::ignoringContext): Tools: Reviewed by Oliver Hunt. * Scripts/run-jsc-stress-tests: LayoutTests: Reviewed by Oliver Hunt. * js/regress/large-int-captured-expected.txt: Added. * js/regress/large-int-captured.html: Added. * js/regress/large-int-expected.txt: Added. * js/regress/large-int-neg-expected.txt: Added. * js/regress/large-int-neg.html: Added. * js/regress/large-int.html: Added. * js/regress/marsaglia-larger-ints-expected.txt: Added. * js/regress/marsaglia-larger-ints.html: Added. * js/regress/script-tests/large-int-captured.js: Added. (.bar): (foo): * js/regress/script-tests/large-int-neg.js: Added. (foo): * js/regress/script-tests/large-int.js: Added. (foo): * js/regress/script-tests/marsaglia-larger-ints.js: Added. (uint): (marsaglia): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156019 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 11 Sep, 2013 1 commit
-
-
fpizlo@apple.com authored
VariableAccessData::flushFormat() should be the universal way of deciding how to speculate on stores to locals and how locals are formatted https://bugs.webkit.org/show_bug.cgi?id=121142 Reviewed by Geoffrey Garen. Make everyone rely on VariableAccessData::flushFormat() instead of trying to compute that information from scratch. The FTL already used flushFormat(), now the DFG does, too. * dfg/DFGArgumentPosition.h: (JSC::DFG::ArgumentPosition::someVariable): (JSC::DFG::ArgumentPosition::flushFormat): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGInPlaceAbstractState.cpp: (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): * dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::noticeOSREntry): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileInlineStart): (JSC::DFG::SpeculativeJIT::compileCurrentBlock): (JSC::DFG::SpeculativeJIT::checkArgumentTypes): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGValueSource.h: (JSC::DFG::ValueSource::forFlushFormat): * dfg/DFGVariableAccessDataDump.cpp: (JSC::DFG::VariableAccessDataDump::dump): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileSetLocal): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155564 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 21 Aug, 2013 1 commit
-
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=120022 Source/JavaScriptCore: Reviewed by Oliver Hunt. Adds inlining of typed array allocations in the DFG. Any operation of the form: new foo(blah) or: foo(blah) where 'foo' is a typed array constructor and 'blah' is exactly one argument, is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah') is predicted integer, we generate inline code for an allocation. Otherwise it turns into a call to an operation that behaves like the constructor would if it was passed one argument (i.e. it may wrap a buffer or it may create a copy or another array, or it may allocate an array of that length). * bytecode/SpeculatedType.cpp: (JSC::speculationFromTypedArrayType): (JSC::speculationFromClassInfo): * bytecode/SpeculatedType.h: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::propagate): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor): (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): * dfg/DFGCCallHelpers.h: (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::putStructureStoreElimination): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): * dfg/DFGNode.h: (JSC::DFG::Node::hasTypedArrayType): (JSC::DFG::Node::typedArrayType): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: (JSC::DFG::newTypedArrayWithSize): (JSC::DFG::newTypedArrayWithOneArgument): * dfg/DFGOperations.h: (JSC::DFG::operationNewTypedArrayWithSizeForType): (JSC::DFG::operationNewTypedArrayWithOneArgumentForType): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileNewTypedArray): * dfg/DFGSpeculativeJIT.h: 
(JSC::DFG::SpeculativeJIT::callOperation): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * jit/JITOpcodes.cpp: (JSC::JIT::emit_op_new_object): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_new_object): * runtime/JSArray.h: (JSC::JSArray::allocationSize): * runtime/JSArrayBufferView.h: (JSC::JSArrayBufferView::allocationSize): * runtime/JSGenericTypedArrayViewConstructorInlines.h: (JSC::constructGenericTypedArrayView): * runtime/JSObject.h: (JSC::JSFinalObject::allocationSize): * runtime/TypedArrayType.cpp: (JSC::constructorClassInfoForType): * runtime/TypedArrayType.h: (JSC::indexToTypedArrayType): LayoutTests: Reviewed by Oliver Hunt. * fast/js/regress/Float64Array-alloc-long-lived-expected.txt: Added. * fast/js/regress/Float64Array-alloc-long-lived.html: Added. * fast/js/regress/Int16Array-alloc-long-lived-expected.txt: Added. * fast/js/regress/Int16Array-alloc-long-lived.html: Added. * fast/js/regress/Int8Array-alloc-long-lived-expected.txt: Added. * fast/js/regress/Int8Array-alloc-long-lived.html: Added. * fast/js/regress/script-tests/Float64Array-alloc-long-lived.js: Added. * fast/js/regress/script-tests/Int16Array-alloc-long-lived.js: Added. * fast/js/regress/script-tests/Int32Array-alloc-long-lived.js: * fast/js/regress/script-tests/Int8Array-alloc-long-lived.js: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154403 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 20 Aug, 2013 1 commit
-
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=120033 Source/JavaScriptCore: Reviewed by Mark Hahnenberg. If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar then we should bail attempts to CSE. * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::scopedVarLoadElimination): (JSC::DFG::CSEPhase::scopedVarStoreElimination): LayoutTests: Reviewed by Mark Hahnenberg. Add the test that actually failed as a JSRegress test. We should track its performance anyway. Add a regression test for the actual failure. Add .html and -expected.txt files for a JSRegress test that is already in the repo. * fast/js/dfg-get-closure-var-put-closure-var-interference.html: Added. * fast/js/dfg-get-closure-var-put-closure-var-interference-expected.txt: Added. * fast/js/regress/array-nonarray-polymorhpic-access-expected.txt: Added. * fast/js/regress/array-nonarray-polymorhpic-access.html: Added. * fast/js/regress/emscripten-cube2hash-expected.txt: Added. * fast/js/regress/emscripten-cube2hash.html: Added. * fast/js/regress/script-tests/emscripten-cube2hash.js: Added. 
(.Module.string_appeared_here): (else.Module.string_appeared_here): (else.else.Module.string_appeared_here): (else.else): (globalEval): (Runtime.stackSave): (Runtime.stackRestore): (Runtime.forceAlign): (Runtime.isNumberType): (Runtime.isPointerType): (Runtime.isStructType): (or64): (and64): (xor64): (getNativeTypeSize): (getNativeFieldSize): (dedup): (.set var): (getAlignSize): (calculateStructAlignment): (.else.alignment): (generateStructInfo): (dynCall): (addFunction): (removeFunction): (warnOnce): (.Runtime.funcWrappers.func): (getFuncWrapper): (UTF8Processor.this.processCChar): (UTF8Processor.this.processJSString): (UTF8Processor): (stackAlloc): (staticAlloc): (dynamicAlloc): (alignMemory): (makeBigInt): (assert): (ccall): (getCFunc): (.toC): (.fromC): (ccallFunc): (setValue): (getValue): (.set else): (.set return): (allocate): (Pointer_stringify): (alignMemoryPage): (enlargeMemory): (callRuntimeCallbacks): (preRun): (ensureInitRuntime): (preMain): (exitRuntime): (postRun): (addOnPreRun): (addOnInit): (addOnPreMain): (addOnExit): (addOnPostRun): (intArrayFromString): (intArrayToString): (writeStringToMemory): (writeArrayToMemory): (unSign): (reSign): (Math.string_appeared_here): (addRunDependency): (removeRunDependency): (loadMemoryInitializer.applyData): (loadMemoryInitializer.set addOnPreRun): (__ATINIT__.push): (STATIC_BASE): (copyTempDouble): (___setErrNo): (PATH.splitPath): (PATH.normalizeArray): (PATH.normalize.join): (PATH.normalize): (PATH.dirname): (PATH.basename): (PATH.join): (PATH.trim): (PATH.relative): (TTY.register): (TTY.stream_ops.open): (TTY.stream_ops.close): (TTY.stream_ops.read): (TTY.stream_ops.write): (TTY.default_tty_ops.get_char): (TTY.default_tty_ops.put_char): (TTY.default_tty1_ops.put_char): (MEMFS.mount): (MEMFS.create_node): (MEMFS.node_ops.getattr): (MEMFS.node_ops.setattr): (MEMFS.node_ops.lookup): (MEMFS.node_ops.mknod): (MEMFS.node_ops.rename): (MEMFS.node_ops.unlink): (MEMFS.node_ops.rmdir): (MEMFS.node_ops.readdir): 
(MEMFS.node_ops.symlink): (MEMFS.node_ops.readlink): (MEMFS.stream_ops.set else): (MEMFS.stream_ops.read): (MEMFS.stream_ops.write): (MEMFS.stream_ops.llseek): (MEMFS.stream_ops.allocate): (MEMFS.stream_ops.set return): (MEMFS.stream_ops.mmap): (_fflush): (FS.ErrnoError): (FS.handleFSError): (FS.hashName): (FS.hashAddNode): (FS.hashRemoveNode): (FS.lookupNode): (FS.): (FS.destroyNode): (FS.isRoot): (FS.isMountpoint): (FS.isFile): (FS.isDir): (FS.isLink): (FS.isChrdev): (FS.isBlkdev): (FS.isFIFO): (FS.cwd): (FS.var): (FS.lookupPath): (FS.getPath): (FS.modeStringToFlags): (FS.flagsToPermissionString): (FS.nodePermissions): (FS.mayLookup): (FS.mayMknod): (FS.mayCreate): (FS.mayDelete): (FS.mayOpen): (FS.chrdev_stream_ops.open): (FS.chrdev_stream_ops.llseek): (FS.major): (FS.minor): (FS.makedev): (FS.registerDevice): (FS.getDevice): (FS.nextfd): (FS.getStream): (FS.closeStream): (FS.getMode): (FS.joinPath): (FS.absolutePath): (FS.standardizePath): (FS.findObject): (FS.analyzePath): (FS.createFolder): (FS.createPath): (FS.createFile): (FS.createDataFile): (FS.createDevice): (FS.createLink): (FS.forceLoadFile): (FS.LazyUint8Array): (FS.LazyUint8Array.prototype.get if): (FS.LazyUint8Array.prototype): (FS.LazyUint8Array.prototype.setDataGetter): (FS.LazyUint8Array.prototype.cacheLength.doXHR): (FS.LazyUint8Array.prototype.cacheLength): (FS.get Object): (FS.get var): (FS.keys.forEach): (FS.processData.finish): (FS.processData): (FS.else): (FS.createPreloadedFile): (FS.createDefaultDirectories): (FS.createDefaultDevices.): (FS.createDefaultDevices): (FS.createStandardStreams): (FS.staticInit): (FS.init): (FS.quit): (FS.mount): (FS.lookup): (FS.mknod): (FS.create): (FS.mkdir): (FS.mkdev): (FS.symlink): (FS.rename): (FS.rmdir): (FS.readdir): (FS.unlink): (FS.readlink): (FS.stat): (FS.lstat): (FS.chmod): (FS.lchmod): (FS.fchmod): (FS.chown): (FS.lchown): (FS.fchown): (FS.truncate): (FS.ftruncate): (FS.utime): (FS.open): (FS.close): (FS.llseek): (FS.read): (FS.write): 
(FS.allocate): (FS.mmap): (_send): (_pwrite): (_write): (_fwrite): (__reallyNegative): (.getNextArg): (.switch.case.string_appeared_here.case.string_appeared_here.case.string_appeared_here.case.string_appeared_here.case.string_appeared_here.case.string_appeared_here.case.string_appeared_here.break): (.switch.case.string_appeared_here.case.string_appeared_here.case.string_appeared_here.case.string_appeared_here.case.string_appeared_here.case.string_appeared_here.break): (_fprintf): (_printf): (_fputs): (_fputc): (_puts): (_abort): (___errno_location): (_sbrk.Runtime.dynamicAlloc): (_sbrk): (_sysconf): (_time): (Browser.mainLoop.pause): (Browser.mainLoop.resume): (Browser.mainLoop.updateStatus): (Browser.init.imagePlugin.string_appeared_here): (Browser.init.img.onload): (Browser.init.img.onerror): (Browser.init.audioPlugin.string_appeared_here): (Browser.init.finish): (Browser.init.fail): (Browser.init.audio.onerror.encode64): (Browser.init.audio.onerror): (Browser.init.audio): (Browser.init.else): (Browser.init.pointerLockChange): (Browser.init.canvas): (Browser.init): (Browser.destroyContext): (Browser.fullScreenChange): (Browser.requestFullScreen): (Browser.requestAnimationFrame): (Browser.safeRequestAnimationFrame): (Browser.safeSetTimeout): (Browser.safeSetInterval): (Browser.getMimetype): (Browser.getUserMedia): (Browser.getMovementX): (Browser.getMovementY): (Browser.calculateMouseEvent): (Browser.xhr.onload): (Browser.xhrLoad): (Browser.updateResizeListeners): (Browser.setCanvasSize): (Browser.setFullScreenCanvasSize): (Browser.setWindowedCanvasSize): (__ATINIT__.unshift): (__ATMAIN__.push): (__ATEXIT__.push): (Module.string_appeared_here): (invoke_ii): (invoke_v): (invoke_iii): (invoke_vi): (asmPrintInt): (asmPrintFloat): (asm): (Runtime.stackAlloc): (i64Math): (i64Math.): (Module.string_appeared_here.Module.callMain.callMain.pad): (Module.string_appeared_here.Module.callMain): (run.doRun): (run.else): (run): (exit): (abort): * 
fast/js/script-tests/dfg-get-closure-var-put-closure-var-interference.js: Added. (foo): (thingy.return.bar): (thingy.return.baz): (thingy): (runIt): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154344 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 19 Aug, 2013 1 commit
-
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=119962 Source/JavaScriptCore: Reviewed by Oliver Hunt. This adds a new node, GetTypedArrayByteOffset, which inlines typedArray.byteOffset. Also, I improved a bunch of the clobbering logic related to typed arrays and clobbering in general. For example, PutByOffset/PutStructure are not clobber-world so they can be handled by most default cases in CSE. Also, it's better to use the 'Class_field' notation for typed arrays now that they no longer involve magical descriptor thingies. * bytecode/SpeculatedType.h: * dfg/DFGAbstractHeap.h: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGArrayMode.h: (JSC::DFG::neverNeedsStorage): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::getByValLoadElimination): (JSC::DFG::CSEPhase::getByOffsetLoadElimination): (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): (JSC::DFG::CSEPhase::checkArrayElimination): (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength): (JSC::DFG::FixupPhase::convertToGetArrayLength): (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGTypeCheckHoistingPhase.cpp: (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): * runtime/ArrayBuffer.h: (JSC::ArrayBuffer::offsetOfData): * runtime/Butterfly.h: 
(JSC::Butterfly::offsetOfArrayBuffer): * runtime/IndexingHeader.h: (JSC::IndexingHeader::offsetOfArrayBuffer): LayoutTests: Reviewed by Oliver Hunt. * fast/js/dfg-byteOffset-neuter.html: Added. * fast/js/dfg-byteOffset-neuter-expected.txt: Added. * fast/js/regress/ArrayBuffer-Int32Array-byteOffset-expected.txt: Added. * fast/js/regress/ArrayBuffer-Int32Array-byteOffset.html: Added. * fast/js/regress/script-tests/ArrayBuffer-Int32Array-byteOffset.js: Added. * fast/js/script-tests/dfg-byteOffset-neuter.js: Added. (foo): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154305 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 24 Jul, 2013 9 commits
-
-
oliver@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=118956 Reviewed by Sam Weinig. We had two ways of expressing that something exits forward: the NodeExitsForward flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch makes it just be a flag. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::int32ToDoubleCSE): (JSC::DFG::CSEPhase::checkStructureElimination): (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): (JSC::DFG::CSEPhase::putStructureStoreElimination): (JSC::DFG::CSEPhase::checkArrayElimination): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): * dfg/DFGMinifiedNode.h: (JSC::DFG::belongsInMinifiedGraph): (JSC::DFG::MinifiedNode::hasChild): * dfg/DFGNode.h: (JSC::DFG::Node::convertToStructureTransitionWatchpoint): (JSC::DFG::Node::hasStructureSet): (JSC::DFG::Node::hasStructure): (JSC::DFG::Node::hasArrayMode): (JSC::DFG::Node::willHaveCodeGenOrOSR): * dfg/DFGNodeType.h: (DFG): (JSC::DFG::needsOSRForwardRewiring): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGTypeCheckHoistingPhase.cpp: (JSC::DFG::TypeCheckHoistingPhase::run): (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): * dfg/DFGVariableEventStream.cpp: (JSC::DFG::VariableEventStream::reconstruct): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): 
* ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153292 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
oliver@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=118940 Reviewed by Geoffrey Garen. This is asymptomatic right now, but we should fix it. * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::putStructureStoreElimination): * dfg/DFGEdgeUsesStructure.h: Added. (DFG): (EdgeUsesStructure): (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure): (JSC::DFG::EdgeUsesStructure::operator()): (JSC::DFG::EdgeUsesStructure::result): (JSC::DFG::edgesUseStructure): * dfg/DFGUseKind.h: (DFG): (JSC::DFG::usesStructure): Conflicts: Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153287 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
oliver@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=118774 Reviewed by Oliver Hunt. - Clearing of replacements is now done in Graph::clearReplacements(). - New nodes now have replacement set to 0. - Node::replacement is now part of a 'misc' union. I'll be putting at least one other field into that union as part of LICM work (see https://bugs.webkit.org/show_bug.cgi?id=118749). * dfg/DFGCPSRethreadingPhase.cpp: (JSC::DFG::CPSRethreadingPhase::run): (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes): (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::run): (JSC::DFG::CSEPhase::setReplacement): (JSC::DFG::CSEPhase::performBlockCSE): * dfg/DFGGraph.cpp: (DFG): (JSC::DFG::Graph::clearReplacements): * dfg/DFGGraph.h: (JSC::DFG::Graph::performSubstitutionForEdge): (Graph): * dfg/DFGNode.h: (JSC::DFG::Node::Node): * dfg/DFGSSAConversionPhase.cpp: (JSC::DFG::SSAConversionPhase::run): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153278 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
oliver@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=118452 Reviewed by Sam Weinig. Noticed that ArgumentsSimplificationPhase was converting something to a Nop and then resetting its children using clearAndDerefChild(). Using Nop instead of Phantom is a holdover from back when we needed a no-MustGenerate no-op. We don't anymore. Using clearAndDerefChild() was necessary back when we did eager reference counting. We don't need to do that anymore, and in fact clearAndDerefChild() appeared to not do any reference counting, so it was badly named to begin with. * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::executeEffects): * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run): * dfg/DFGCPSRethreadingPhase.cpp: (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGGraph.h: (Graph): * dfg/DFGNode.h: (JSC::DFG::Node::willHaveCodeGenOrOSR): * dfg/DFGNodeType.h: (DFG): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153269 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
oliver@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=118339 Reviewed by Michael Saboff. This accomplishes two goals: 1) Simplifies a bunch of code. You can now much more directly get to a successor or predecessor, since you just get the pointer directly. The backend(s) always hold onto a pointer to the block they're on, so you don't have to do work to get the block from the index. 2) It allows for the possibility of inserting blocks into the program. Previously, if you did that, you'd have to edit all references to blocks since those references would have outdated indexing after an insertion. Now, if you change the indexing, you just have to invalidate some analyses and make sure that you change each block's BasicBlock::index accordingly. * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::initialize): (JSC::DFG::AbstractState::endBasicBlock): (JSC::DFG::AbstractState::mergeToSuccessors): * dfg/DFGAbstractState.h: (AbstractState): * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run): * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::run): * dfg/DFGBasicBlock.h: (DFG): (JSC::DFG::BasicBlock::BasicBlock): (JSC::DFG::BasicBlock::size): (JSC::DFG::BasicBlock::isEmpty): (JSC::DFG::BasicBlock::at): (JSC::DFG::BasicBlock::operator[]): (JSC::DFG::BasicBlock::last): (JSC::DFG::BasicBlock::resize): (JSC::DFG::BasicBlock::grow): (BasicBlock): (JSC::DFG::BasicBlock::append): (JSC::DFG::BasicBlock::numSuccessors): (JSC::DFG::BasicBlock::successor): (JSC::DFG::BasicBlock::successorForCondition): (JSC::DFG::BasicBlock::dump): (UnlinkedBlock): (JSC::DFG::UnlinkedBlock::UnlinkedBlock): (JSC::DFG::getBytecodeBeginForBlock): (JSC::DFG::blockForBytecodeOffset): * dfg/DFGByteCodeParser.cpp: (ByteCodeParser): (InlineStackEntry): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::linkBlock): (JSC::DFG::ByteCodeParser::linkBlocks): 
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): (JSC::DFG::ByteCodeParser::parseCodeBlock): (JSC::DFG::ByteCodeParser::parse): * dfg/DFGCFAPhase.cpp: (JSC::DFG::CFAPhase::performBlockCFA): (JSC::DFG::CFAPhase::performForwardCFA): * dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::run): (JSC::DFG::CFGSimplificationPhase::convertToJump): * dfg/DFGCPSRethreadingPhase.cpp: (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes): (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks): (JSC::DFG::CPSRethreadingPhase::propagatePhis): (CPSRethreadingPhase): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::run): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::run): (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGDCEPhase.cpp: (JSC::DFG::DCEPhase::run): * dfg/DFGDisassembler.cpp: (JSC::DFG::Disassembler::Disassembler): (JSC::DFG::Disassembler::createDumpList): * dfg/DFGDisassembler.h: (JSC::DFG::Disassembler::setForBlockIndex): * dfg/DFGDominators.cpp: (JSC::DFG::Dominators::compute): (JSC::DFG::Dominators::iterateForBlock): * dfg/DFGDominators.h: (JSC::DFG::Dominators::dominates): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::run): (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::dump): (JSC::DFG::Graph::dumpBlockHeader): (JSC::DFG::Graph::handleSuccessor): (JSC::DFG::Graph::determineReachability): (JSC::DFG::Graph::resetReachability): * dfg/DFGGraph.h: (JSC::DFG::Graph::numBlocks): (JSC::DFG::Graph::block): (JSC::DFG::Graph::lastBlock): (Graph): (JSC::DFG::Graph::appendBlock): (JSC::DFG::Graph::killBlock): (DFG): * dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::JITCompiler): (JSC::DFG::JITCompiler::link): * dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::setForBlockIndex): * dfg/DFGNaturalLoops.cpp: (JSC::DFG::NaturalLoop::dump): (JSC::DFG::NaturalLoops::compute): (JSC::DFG::NaturalLoops::loopsOf): * dfg/DFGNaturalLoops.h: (JSC::DFG::NaturalLoop::NaturalLoop): 
(JSC::DFG::NaturalLoop::addBlock): (JSC::DFG::NaturalLoop::header): (JSC::DFG::NaturalLoop::at): (JSC::DFG::NaturalLoop::operator[]): (JSC::DFG::NaturalLoop::contains): (NaturalLoop): (JSC::DFG::NaturalLoops::headerOf): (NaturalLoops): * dfg/DFGNode.h: (DFG): (JSC::DFG::SwitchCase::SwitchCase): (JSC::DFG::SwitchCase::withBytecodeIndex): (SwitchCase): (JSC::DFG::SwitchCase::targetBytecodeIndex): (JSC::DFG::SwitchData::SwitchData): (JSC::DFG::SwitchData::setFallThroughBytecodeIndex): (JSC::DFG::SwitchData::fallThroughBytecodeIndex): (SwitchData): (JSC::DFG::Node::setTakenBlock): (JSC::DFG::Node::setNotTakenBlock): (JSC::DFG::Node::takenBlock): (JSC::DFG::Node::notTakenBlock): (JSC::DFG::Node::successor): (JSC::DFG::Node::successorForCondition): * dfg/DFGPredictionInjectionPhase.cpp: (JSC::DFG::PredictionInjectionPhase::run): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagateForward): (JSC::DFG::PredictionPropagationPhase::propagateBackward): (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward): (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq): (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch): (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): (JSC::DFG::SpeculativeJIT::compileCurrentBlock): (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::createOSREntries): (JSC::DFG::SpeculativeJIT::linkOSREntries): (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant): (JSC::DFG::SpeculativeJIT::compileStrictEq): (JSC::DFG::SpeculativeJIT::compileRegExpExec): (JSC::DFG::SpeculativeJIT::addBranch): (JSC::DFG::SpeculativeJIT::linkBranches): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::nextBlock): (SpeculativeJIT): 
(JSC::DFG::SpeculativeJIT::detectPeepHoleBranch): (JSC::DFG::SpeculativeJIT::branchDouble): (JSC::DFG::SpeculativeJIT::branchDoubleNonZero): (JSC::DFG::SpeculativeJIT::branch32): (JSC::DFG::SpeculativeJIT::branchTest32): (JSC::DFG::SpeculativeJIT::branch64): (JSC::DFG::SpeculativeJIT::branch8): (JSC::DFG::SpeculativeJIT::branchPtr): (JSC::DFG::SpeculativeJIT::branchTestPtr): (JSC::DFG::SpeculativeJIT::branchTest8): (JSC::DFG::SpeculativeJIT::jump): (JSC::DFG::SpeculativeJIT::addBranch): (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase): (StringSwitchCase): (JSC::DFG::SpeculativeJIT::BranchRecord::BranchRecord): (BranchRecord): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGTypeCheckHoistingPhase.cpp: (JSC::DFG::TypeCheckHoistingPhase::run): (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries): * dfg/DFGUnificationPhase.cpp: (JSC::DFG::UnificationPhase::run): * dfg/DFGValidate.cpp: (JSC::DFG::Validate::validate): 
(JSC::DFG::Validate::checkOperand): (JSC::DFG::Validate::reportValidationContext): * dfg/DFGVirtualRegisterAllocationPhase.cpp: (JSC::DFG::VirtualRegisterAllocationPhase::run): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): (JSC::FTL::LowerDFGToLLVM::lower): (JSC::FTL::LowerDFGToLLVM::compileBlock): (JSC::FTL::LowerDFGToLLVM::compileJump): (JSC::FTL::LowerDFGToLLVM::compileBranch): (JSC::FTL::LowerDFGToLLVM::lowBlock): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153267 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
oliver@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=117905 Source/JavaScriptCore: Reviewed by Geoffrey Garen. Adds MakeRope to the CSE phase and removes the comment that says that we could do it but aren't doing it. Also fixed SpeculatedType dumping so that if you have a Cell type then it just prints "Cell" and if you just have Object then it just prints "Object", instead of printing the long list of types. * bytecode/SpeculatedType.cpp: (JSC::dumpSpeculation): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): LayoutTests: Reviewed by Geoffrey Garen. This benchmark speeds up by 50%. * fast/js/regress/make-rope-cse-expected.txt: Added. * fast/js/regress/make-rope-cse.html: Added. * fast/js/regress/script-tests/make-rope-cse.js: Added. (foo): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153242 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
oliver@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=117899 Source/JavaScriptCore: Reviewed by Mark Hahnenberg. Add a slow path. Also clarify handling of GetByVal in PutStructure elimination. Previously it would fail due to canExit() but now we can also fail because GetByVal(String) can allocate. Just make it so GetByVal is totally poisoned, in a very explicit way. * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::putStructureStoreElimination): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetByValOnString): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): (SpeculativeJIT): LayoutTests: Reviewed by Mark Hahnenberg. This benchmark speeds up by 3x. * fast/js/regress/script-tests/string-get-by-val-big-char.js: Added. (foo): * fast/js/regress/string-get-by-val-big-char-expected.txt: Added. * fast/js/regress/string-get-by-val-big-char.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153241 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
oliver@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=117375 Reviewed by Filip Pizlo. Source/JavaScriptCore: This patch has two goals: (1) Simplicity. * Net removes 15 opcodes. * Net removes 2,000 lines of code. * Removes setPair() from the DFG: All DFG nodes have 1 result register now. (2) Performance. * 2%-3% speedup on SunSpider (20% in LLInt and Baseline JIT) * 2% speedup on v8-spider * 10% speedup on js-regress-hashmap* * Amusing 2X speedup on js-regress-poly-stricteq The bytecode now separates the scope chain resolution opcode from the scope access opcode. OLD: get_scoped_var r0, 1, 0 inc r0 put_scoped_var 1, 0, r0 NEW: resolve_scope r0, x(@id0) get_from_scope r1, r0, x(@id0) inc r1 put_to_scope r0, x(@id0), r1 Also, we link non-local variable resolution opcodes at CodeBlock link time instead of time of first opcode execution. This means that we can represent all possible non-local variable resolutions using just three opcodes, and any optimizations in these opcodes naturally apply across-the-board. * API/JSCTestRunnerUtils.cpp: (JSC::numberOfDFGCompiles): * GNUmakefile.list.am: * JavaScriptCore.gypi: * JavaScriptCore.order: * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: Build! * bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): Updated for removed things. (JSC::CodeBlock::CodeBlock): Always provide the full scope chain when creating a CodeBlock, so we can perform non-local variable resolution. Added code to perform linking for these opcodes. This is where we figure out which non-local variable resolutions are optimizable, and how. (JSC::CodeBlock::finalizeUnconditionally): (JSC::CodeBlock::noticeIncomingCall): (JSC::CodeBlock::optimizeAfterWarmUp): (JSC::CodeBlock::optimizeAfterLongWarmUp): (JSC::CodeBlock::optimizeSoon): Updated for removed things. 
* bytecode/CodeBlock.h: (JSC::CodeBlock::needsActivation): (JSC::GlobalCodeBlock::GlobalCodeBlock): (JSC::ProgramCodeBlock::ProgramCodeBlock): (JSC::EvalCodeBlock::EvalCodeBlock): (JSC::FunctionCodeBlock::FunctionCodeBlock): * bytecode/EvalCodeCache.h: (JSC::EvalCodeCache::getSlow): Updated for interface changes. * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeFor): Treat global object access as optimizable even though the global object has a custom property access callback. This is what we've always done since, otherwise, we can't optimize globals. (In future, we probably want to figure out a more targeted policy than "any property access callback means no optimization".) * bytecode/GlobalResolveInfo.h: Removed. * bytecode/Instruction.h: * bytecode/Opcode.h: (JSC::padOpcodeName): * bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeFor): Like GetByIdStatus. * bytecode/ResolveGlobalStatus.cpp: Removed. * bytecode/ResolveGlobalStatus.h: Removed. * bytecode/ResolveOperation.h: Removed. * bytecode/UnlinkedCodeBlock.cpp: (JSC::generateFunctionCodeBlock): (JSC::UnlinkedFunctionExecutable::codeBlockFor): (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): * bytecode/UnlinkedCodeBlock.h: Don't provide a scope chain to unlinked code blocks. Giving a scope to an unscoped compilation unit invites programming errors. 
* bytecode/Watchpoint.h: (JSC::WatchpointSet::addressOfIsInvalidated): * bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): (JSC::BytecodeGenerator::resolveCallee): (JSC::BytecodeGenerator::local): (JSC::BytecodeGenerator::constLocal): (JSC::BytecodeGenerator::resolveType): (JSC::BytecodeGenerator::emitResolveScope): (JSC::BytecodeGenerator::emitGetFromScope): (JSC::BytecodeGenerator::emitPutToScope): (JSC::BytecodeGenerator::emitInstanceOf): (JSC::BytecodeGenerator::emitPushWithScope): (JSC::BytecodeGenerator::emitPopScope): (JSC::BytecodeGenerator::pushFinallyContext): (JSC::BytecodeGenerator::emitComplexPopScopes): (JSC::BytecodeGenerator::popTryAndEmitCatch): (JSC::BytecodeGenerator::emitPushNameScope): (JSC::BytecodeGenerator::isArgumentNumber): * bytecompiler/BytecodeGenerator.h: (JSC::Local::Local): (JSC::Local::operator bool): (JSC::Local::get): (JSC::Local::isReadOnly): (JSC::BytecodeGenerator::scopeDepth): (JSC::BytecodeGenerator::shouldOptimizeLocals): (JSC::BytecodeGenerator::canOptimizeNonLocals): Refactored the bytecode generator to resolve all variables within local scope, as if there were no non-local scope. This helps provide a separation of concerns: unlinked bytecode is always scope-free, and the linking stage links in the provided scope. * bytecompiler/NodesCodegen.cpp: (JSC::ResolveNode::isPure): (JSC::ResolveNode::emitBytecode): (JSC::EvalFunctionCallNode::emitBytecode): (JSC::FunctionCallResolveNode::emitBytecode): (JSC::PostfixNode::emitResolve): (JSC::DeleteResolveNode::emitBytecode): (JSC::TypeOfResolveNode::emitBytecode): (JSC::PrefixNode::emitResolve): (JSC::ReadModifyResolveNode::emitBytecode): (JSC::AssignResolveNode::emitBytecode): (JSC::ConstDeclNode::emitCodeSingle): (JSC::ForInNode::emitBytecode): A bunch of this codegen is no longer necessary, since it's redundant with the linking stage. 
* dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::ByteCodeParser): (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): (JSC::DFG::ByteCodeParser::handlePutByOffset): (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::parseBlock): Updated for interface changes. Notably, we can reuse existing DFG nodes -- but the mapping between bytecode and DFG nodes has changed, and some nodes and corner cases have been removed. * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::scopedVarLoadElimination): (JSC::DFG::CSEPhase::varInjectionWatchpointElimination): (JSC::DFG::CSEPhase::globalVarStoreElimination): (JSC::DFG::CSEPhase::scopedVarStoreElimination): (JSC::DFG::CSEPhase::getLocalLoadElimination): (JSC::DFG::CSEPhase::setLocalStoreElimination): (JSC::DFG::CSEPhase::performNodeCSE): Added CSE for var injection watchpoints. Even though watchpoints are "free", they're quite common inside code that's subject to var injection, so I figured we'd save a little memory. * dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel): * dfg/DFGCapabilities.h: Removed detection for old forms. * dfg/DFGDriver.h: (JSC::DFG::tryCompile): (JSC::DFG::tryCompileFunction): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGGraph.h: * dfg/DFGJITCode.cpp: * dfg/DFGNode.h: (JSC::DFG::Node::convertToStructureTransitionWatchpoint): (JSC::DFG::Node::hasVarNumber): (JSC::DFG::Node::hasIdentifierNumberForCheck): (JSC::DFG::Node::hasRegisterPointer): (JSC::DFG::Node::hasHeapPrediction): * dfg/DFGNodeType.h: * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGRepatch.h: (JSC::DFG::dfgResetGetByID): (JSC::DFG::dfgResetPutByID): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): Removed some unneeded things, and updated for renames. 
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): The two primary changes here are: (1) Use a watchpoint for var injection instead of looping over the scope chain and checking. This is more efficient and much easier to model in code generation. (2) I've eliminated the notion of an optimized global assignment that needs to check for whether it should fire a watchpoint. Instead, we fire pre-emptively at the point of optimization. This removes a bunch of edge cases, and it seems like a more honest representation of the fact that our new optimization contradicts our old one. * dfg/DFGTypeCheckHoistingPhase.cpp: (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): * heap/DFGCodeBlocks.cpp: (JSC::DFGCodeBlocks::jettison): * interpreter/CallFrame.h: (JSC::ExecState::trueCallFrame): Removed stuff that's unused now, and fixed the build. * interpreter/Interpreter.cpp: (JSC::eval): (JSC::getBytecodeOffsetForCallFrame): (JSC::getCallerInfo): (JSC::Interpreter::throwException): Updated exception scope tracking to match the rest of our linking strategy: The unlinked bytecode compiles exception scope as if non-local scope did not exist, and we add in non-local scope at link time. This means that we can restore the right scope depth based on a simple number, without checking the contents of the scope chain. (JSC::Interpreter::execute): Make sure to establish the full scope chain before linking eval code. We now require the full scope chain at link time, in order to link non-local variable resolution opcodes.
* jit/JIT.cpp: (JSC::JIT::JIT): (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): * jit/JIT.h: * jit/JITArithmetic.cpp: (JSC::JIT::emit_op_add): * jit/JITCode.cpp: * jit/JITOpcodes.cpp: (JSC::JIT::emitSlow_op_bitxor): (JSC::JIT::emitSlow_op_bitor): * jit/JITOpcodes32_64.cpp: (JSC::JIT::emitSlow_op_to_primitive): (JSC::JIT::emit_op_strcat): (JSC::JIT::emitSlow_op_create_this): (JSC::JIT::emitSlow_op_to_this): * jit/JITPropertyAccess.cpp: (JSC::JIT::emitVarInjectionCheck): (JSC::JIT::emitResolveClosure): (JSC::JIT::emit_op_resolve_scope): (JSC::JIT::emitSlow_op_resolve_scope): (JSC::JIT::emitLoadWithStructureCheck): (JSC::JIT::emitGetGlobalProperty): (JSC::JIT::emitGetGlobalVar): (JSC::JIT::emitGetClosureVar): (JSC::JIT::emit_op_get_from_scope): (JSC::JIT::emitSlow_op_get_from_scope): (JSC::JIT::emitPutGlobalProperty): (JSC::JIT::emitPutGlobalVar): (JSC::JIT::emitPutClosureVar): (JSC::JIT::emit_op_put_to_scope): (JSC::JIT::emitSlow_op_put_to_scope): (JSC::JIT::emit_op_init_global_const): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emitVarInjectionCheck): (JSC::JIT::emitResolveClosure): (JSC::JIT::emit_op_resolve_scope): (JSC::JIT::emitSlow_op_resolve_scope): (JSC::JIT::emitLoadWithStructureCheck): (JSC::JIT::emitGetGlobalProperty): (JSC::JIT::emitGetGlobalVar): (JSC::JIT::emitGetClosureVar): (JSC::JIT::emit_op_get_from_scope): (JSC::JIT::emitSlow_op_get_from_scope): (JSC::JIT::emitPutGlobalProperty): (JSC::JIT::emitPutGlobalVar): (JSC::JIT::emitPutClosureVar): (JSC::JIT::emit_op_put_to_scope): (JSC::JIT::emitSlow_op_put_to_scope): (JSC::JIT::emit_op_init_global_const): * jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION): * jit/JITStubs.h: Re-wrote baseline JIT codegen for our new variable resolution model. 
* llint/LLIntData.cpp: (JSC::LLInt::Data::performAssertions): * llint/LLIntSlowPaths.cpp: * llint/LLIntSlowPaths.h: * llint/LowLevelInterpreter.asm: * llint/LowLevelInterpreter.cpp: (JSC::CLoop::execute): * llint/LowLevelInterpreter32_64.asm: * llint/LowLevelInterpreter64.asm: Ditto for LLInt. * offlineasm/x86.rb: Fixed a pre-existing encoding bug for a syntactic form that we never used before. * runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncToString): (JSC::arrayProtoFuncToLocaleString): (JSC::arrayProtoFuncJoin): (JSC::arrayProtoFuncConcat): (JSC::arrayProtoFuncPop): (JSC::arrayProtoFuncPush): (JSC::arrayProtoFuncReverse): (JSC::arrayProtoFuncShift): (JSC::arrayProtoFuncSlice): (JSC::arrayProtoFuncSort): (JSC::arrayProtoFuncSplice): (JSC::arrayProtoFuncUnShift): (JSC::arrayProtoFuncFilter): (JSC::arrayProtoFuncMap): (JSC::arrayProtoFuncEvery): (JSC::arrayProtoFuncForEach): (JSC::arrayProtoFuncSome): (JSC::arrayProtoFuncReduce): (JSC::arrayProtoFuncReduceRight): (JSC::arrayProtoFuncIndexOf): (JSC::arrayProtoFuncLastIndexOf): Fixed some pre-existing bugs in 'this' value conversion, which I made much more common by removing special cases in bytecode generation. These functions need to invoke toThis() because they observe the 'this' value. Also, toLocaleString() is specified to accept non-array 'this' values. (Most other host functions don't need this fix because they perform strict 'this' checking, which never coerces unexpected types.) * runtime/CodeCache.cpp: (JSC::CodeCache::getCodeBlock): (JSC::CodeCache::getProgramCodeBlock): (JSC::CodeCache::getEvalCodeBlock): * runtime/CodeCache.h: Don't supply a scope to the unlinked code cache. Unlinked code is supposed to be scope-free, so let's have the compiler help verify that. 
* runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL): * runtime/CommonSlowPaths.h: * runtime/Executable.cpp: (JSC::EvalExecutable::create): (JSC::EvalExecutable::compileInternal): (JSC::ProgramExecutable::compileInternal): (JSC::FunctionExecutable::produceCodeBlockFor): (JSC::FunctionExecutable::compileForCallInternal): (JSC::FunctionExecutable::compileForConstructInternal): * runtime/Executable.h: (JSC::EvalExecutable::numVariables): (JSC::EvalExecutable::numberOfFunctionDecls): * runtime/ExecutionHarness.h: (JSC::prepareForExecutionImpl): (JSC::prepareFunctionForExecutionImpl): (JSC::installOptimizedCode): Fiddled with executable initialization so that we can always generate a full scope chain before we go to link a code block. We need this because code block linking now depends on the scope chain to link non-local variable resolution opcodes. * runtime/JSActivation.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::JSGlobalObject): (JSC::JSGlobalObject::createEvalCodeBlock): * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::varInjectionWatchpoint): * runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncEval): * runtime/JSNameScope.h: * runtime/JSScope.cpp: (JSC::abstractAccess): (JSC::JSScope::objectAtScope): (JSC::JSScope::depth): (JSC::JSScope::resolve): (JSC::JSScope::abstractResolve): Updated to match changes explained above. * runtime/JSScope.h: (JSC::makeType): (JSC::needsVarInjectionChecks): (JSC::ResolveOp::ResolveOp): (JSC::ResolveModeAndType::ResolveModeAndType): (JSC::ResolveModeAndType::mode): (JSC::ResolveModeAndType::type): (JSC::ResolveModeAndType::operand): Removed the old variable resolution state machine, since it's unused now. Added logic for performing abstract variable resolution at link time. This is used by codeblock linking. 
* runtime/ObjectPrototype.cpp: (JSC::objectProtoFuncValueOf): (JSC::objectProtoFuncHasOwnProperty): (JSC::objectProtoFuncIsPrototypeOf): (JSC::objectProtoFuncDefineGetter): (JSC::objectProtoFuncDefineSetter): (JSC::objectProtoFuncLookupGetter): (JSC::objectProtoFuncLookupSetter): (JSC::objectProtoFuncPropertyIsEnumerable): (JSC::objectProtoFuncToLocaleString): (JSC::objectProtoFuncToString): Fixed some pre-existing bugs in 'this' value conversion, which I made much more common by removing special cases in bytecode generation. These functions need to invoke toThis() because they observe the 'this' value. * runtime/StringPrototype.cpp: (JSC::checkObjectCoercible): (JSC::stringProtoFuncReplace): (JSC::stringProtoFuncCharAt): (JSC::stringProtoFuncCharCodeAt): (JSC::stringProtoFuncConcat): (JSC::stringProtoFuncIndexOf): (JSC::stringProtoFuncLastIndexOf): (JSC::stringProtoFuncMatch): (JSC::stringProtoFuncSearch): (JSC::stringProtoFuncSlice): (JSC::stringProtoFuncSplit): (JSC::stringProtoFuncSubstr): (JSC::stringProtoFuncSubstring): (JSC::stringProtoFuncToLowerCase): (JSC::stringProtoFuncToUpperCase): (JSC::stringProtoFuncLocaleCompare): (JSC::stringProtoFuncBig): (JSC::stringProtoFuncSmall): (JSC::stringProtoFuncBlink): (JSC::stringProtoFuncBold): (JSC::stringProtoFuncFixed): (JSC::stringProtoFuncItalics): (JSC::stringProtoFuncStrike): (JSC::stringProtoFuncSub): (JSC::stringProtoFuncSup): (JSC::stringProtoFuncFontcolor): (JSC::stringProtoFuncFontsize): (JSC::stringProtoFuncAnchor): (JSC::stringProtoFuncLink): (JSC::trimString): Fixed some pre-existing bugs in 'this' value conversion, which I made much more common by removing special cases in bytecode generation. These functions need to invoke toThis() because they observe the 'this' value. * runtime/StructureRareData.cpp: * runtime/VM.cpp: (JSC::VM::~VM): * runtime/WriteBarrier.h: (JSC::WriteBarrierBase::slot): Modified to reduce casting in client code. 
LayoutTests: This patch removed special-case 'this' resolution from bytecode, making some pre-existing edge cases in 'this' value treatment much more common. I updated the test results below, and added some tests, to match bug fixes for these cases. * fast/js/script-tests/array-functions-non-arrays.js: * fast/js/array-functions-non-arrays-expected.txt: As specified, it's not an error to pass a non-array to toLocaleString. Our new result matches Firefox and Chrome. * fast/js/array-prototype-properties-expected.txt: Updated for slightly clearer error message. * fast/js/basic-strict-mode-expected.txt: Updated for slightly more standard error message. * fast/js/object-prototype-toString-expected.txt: Added. * fast/js/object-prototype-toString.html: Added. This test demonstrates why we now fail a Sputnik test below, while Firefox and Chrome pass it. (The test doesn't test what it thinks it tests, and this test verifies that we get right what it does think it tests.) * fast/js/string-prototype-function-this-expected.txt: Added. * fast/js/string-prototype-function-this.html: Added. This test shows that we CheckObjectCoercible in string prototype functions. (We used to get this wrong, but Sputnik tests made it seem like we got it right because they didn't test the dynamic scope case.) 
* sputnik/Conformance/11_Expressions/11.1_Primary_Expressions/11.1.1_The_this_Keyword/S11.1.1_A2-expected.txt: * sputnik/Conformance/15_Native_Objects/15.4_Array/15.4.4/15.4.4.3_Array_prototype_toLocaleString/S15.4.4.3_A2_T1-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.11_String.prototype.replace/S15.5.4.11_A1_T3-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt: * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt: Updated to show failing results. Firefox and Chrome also fail these tests, and the ES5 spec seems to mandate failure. Because these tests resolve a String.prototype function at global scope, the 'this' value for the call is an environment record. Logically, an environment record converts to 'undefined' at the call site, and should then fail the CheckObjectCoercible test. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153221 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
oliver@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=116353 Source/JavaScriptCore: Performance neutral. This will be more important when we start depending on CheckArray for flat arrays. Reviewed by Filip Pizlo. * dfg/DFGAbstractState.cpp: Add ForwardCheckArray to wherever we had a CheckArray before. (JSC::DFG::AbstractState::executeEffects): * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run): * dfg/DFGArrayMode.h: (JSC::DFG::ArrayMode::isContravenedByStructure): Checks if the ArrayMode derived from a specific Structure would contradict the ArrayModes that would be filtered by the current ArrayMode. This is used to detect if any specific CheckStructures would contradict our CheckArray so that we can defer to the CheckStructure's judgment. * dfg/DFGByteCodeParser.cpp: Fill in checkArrayHoistingFailed where we previously exited due to a BadIndexingType. (JSC::DFG::ByteCodeParser::setLocal): (JSC::DFG::ByteCodeParser::setArgument): (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::checkArrayElimination): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::hasArrayMode): * dfg/DFGNodeType.h: New ForwardCheckArray node type. * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGTypeCheckHoistingPhase.cpp: Refactored most of TypeCheckHoistingPhase into separate functions, some of which are now generic to both CheckStructure and CheckArray hoisting while others are specific to one or the other. Both of the non-zero CheckBallot values must be 1 because we use them as an index into an array of length 2 inside the VariableAccessData. 
(CheckData): Moved structure outside of TypeCheckHoistingPhase so that ArrayTypeCheck and StructureTypeCheck can access it. Also added new fields for tracking ArrayModes. We need the m_arrayModeIsValid because there isn't a good sentinel value for "this ArrayMode is invalid and meaningless" like there is for m_structure. We need m_arrayModeHoistingOkay for when we want to permanently disable hoisting for that particular variable. (JSC::DFG::CheckData::CheckData): (JSC::DFG::CheckData::disableCheckArrayHoisting): Helper function for disabling CheckArray hoisting for a specific CheckData. (JSC::DFG::TypeCheckHoistingPhase::run): We now do both CheckStructure and CheckArray hoisting, although we prefer CheckStructure hoisting when given the possibility to do both. (TypeCheckHoistingPhase): (JSC::DFG::TypeCheckHoistingPhase::clearVariableVotes): Clears all of the VariableAccessData votes since they can only have two types of votes at any particular time. (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): Very similar to identifyRedundantStructureChecks, but with a few different nodes that are important, namely CheckArray (instead of CheckStructure) and the Arrayify-like nodes always disable hoisting since they always change the IndexingType. (JSC::DFG::TypeCheckHoistingPhase::disableHoistingForVariablesWithInsufficientVotes): (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries): (JSC::DFG::TypeCheckHoistingPhase::disableCheckArrayHoisting): Helper that looks up the CheckData for the specified variable and disables CheckArray hoisting on it. 
(JSC::DFG::TypeCheckHoistingPhase::shouldConsiderForHoisting): (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck): (JSC::DFG::TypeCheckHoistingPhase::noticeCheckArray): (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheckAccountingForArrayMode): We want to take CheckStructure nodes into account when hoisting CheckArrays, so we make sure that if we contradict what a CheckStructure says then we give up on hoisting the CheckArray. (JSC::DFG::ArrayTypeCheck::isValidToHoist): (ArrayTypeCheck): Structure that houses some of the specifics on how to hoist CheckArrays. This structure is used as a template argument to allow some of the very similar code to be statically parameterized and reused for both CheckStructure and CheckArray hoisting. (JSC::DFG::ArrayTypeCheck::disableHoisting): (JSC::DFG::ArrayTypeCheck::isContravenedByValue): (JSC::DFG::ArrayTypeCheck::hasEnoughVotesToHoist): (JSC::DFG::ArrayTypeCheck::hoistingPreviouslyFailed): (JSC::DFG::StructureTypeCheck::isValidToHoist): (StructureTypeCheck): Same as ArrayTypeCheck, but specific to CheckStructure hoisting. (JSC::DFG::StructureTypeCheck::disableHoisting): (JSC::DFG::StructureTypeCheck::isContravenedByValue): (JSC::DFG::StructureTypeCheck::hasEnoughVotesToHoist): (JSC::DFG::StructureTypeCheck::hoistingPreviouslyFailed): * dfg/DFGUnificationPhase.cpp: Added merging of whether or not CheckArray hoisting failed. (JSC::DFG::UnificationPhase::run): * dfg/DFGVariableAccessData.h: (JSC::DFG::VariableAccessData::VariableAccessData): (JSC::DFG::VariableAccessData::mergeCheckArrayHoistingFailed): (VariableAccessData): (JSC::DFG::VariableAccessData::checkArrayHoistingFailed): * runtime/Options.h: LayoutTests: Added a microbenchmark to JSRegress that specifically targets CheckArray hoisting. We get a 25% improvement on it. Reviewed by Filip Pizlo. * fast/js/regress/check-array-hoisting-expected.txt: Added. * fast/js/regress/check-array-hoisting.html: Added. * fast/js/regress/script-tests/check-array-hoisting.js: Added.
(f): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153167 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 25 Apr, 2013 1 commit
-
-
oliver@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=115143 Reviewed by Filip Pizlo. Source/JavaScriptCore: Add support for Math.imul, a thunk generator for Math.imul, and an intrinsic. Fairly self explanatory set of changes, DFG intrinsics simply leverages the existing ValueToInt32 nodes. * create_hash_table: * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::executeEffects): * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::propagate): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleIntrinsic): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNodeType.h: (DFG): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileArithIMul): * dfg/DFGSpeculativeJIT.h: (SpeculativeJIT): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * jit/ThunkGenerators.cpp: (JSC::imulThunkGenerator): (JSC): * jit/ThunkGenerators.h: (JSC): * runtime/Intrinsic.h: * runtime/MathObject.cpp: (JSC): (JSC::mathProtoFuncIMul): * runtime/VM.cpp: (JSC::thunkGeneratorForIntrinsic): LayoutTests: Add a bunch of tests for Math.imul * fast/js/Object-getOwnPropertyNames-expected.txt: * fast/js/imul-expected.txt: Added. * fast/js/imul.html: Added. * fast/js/regress/imul-double-only-expected.txt: Added. * fast/js/regress/imul-double-only.html: Added. * fast/js/regress/imul-int-only-expected.txt: Added. * fast/js/regress/imul-int-only.html: Added. * fast/js/regress/imul-mixed-expected.txt: Added. * fast/js/regress/imul-mixed.html: Added. * fast/js/regress/script-tests/imul-double-only.js: Added. (f): * fast/js/regress/script-tests/imul-int-only.js: Added. (f): * fast/js/regress/script-tests/imul-mixed.js: Added. (f): * fast/js/script-tests/Object-getOwnPropertyNames.js: * fast/js/script-tests/imul.js: Added. 
(testIMul): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@149159 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 31 Mar, 2013 1 commit
-
-
fpizlo@apple.com authored
I realized that we have to be super careful about aliasing of typed arrays. * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::getByValLoadElimination): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147290 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 20 Mar, 2013 1 commit
-
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=112780 Reviewed by Oliver Hunt. This gets rid of the StrCat node and adds a MakeRope node. The MakeRope node can take either two or three operands, and allocates a rope string with either two or three fibers. (The magic choice of three children for non-VarArg nodes happens to match exactly with the magic choice of three fibers for rope strings.) ValueAdd on KnownString is replaced with MakeRope with two children. StrCat gets replaced by an appropriate sequence of MakeRope's. MakeRope does not do the dynamic check to see if its children are empty strings. This is replaced by a static check, instead. The downside is that we may use more memory if the strings passed to MakeRope turn out to dynamically be empty. The upside is that we do fewer checks in the cases where either the strings are not empty, or where the strings are statically known to be empty. I suspect both of those cases are more common than the case where the string is dynamically empty. This also results in some badness for X86. MakeRope needs six registers if it is allocating a three-rope. We don't have six registers to spare on X86. Currently, the code side-steps this problem by just never using three-ropes in optimized code on X86. All other architectures, including X86_64, don't have this problem. This is a shocking speed-up. 9% progressions on both V8/splay and SunSpider/date-format-xparb. 1% progression on V8v7 overall, and ~0.5% progression on SunSpider. 2x speed-up on microbenchmarks that test op_strcat.
* dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::executeEffects): * dfg/DFGAdjacencyList.h: (AdjacencyList): (JSC::DFG::AdjacencyList::removeEdge): * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild): * dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::propagate): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::putStructureStoreElimination): (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGDCEPhase.cpp: (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::createToString): (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion): (JSC::DFG::FixupPhase::convertStringAddUse): (FixupPhase): (JSC::DFG::FixupPhase::convertToMakeRope): (JSC::DFG::FixupPhase::fixupMakeRope): (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): * dfg/DFGNodeType.h: (DFG): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileAdd): (JSC::DFG::SpeculativeJIT::compileMakeRope): (DFG): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): (SpeculativeJIT): (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand): (JSC::DFG::SpeculateCellOperand::~SpeculateCellOperand): (JSC::DFG::SpeculateCellOperand::gpr): (JSC::DFG::SpeculateCellOperand::use): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * runtime/JSString.h: (JSRopeString): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146382 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 18 Mar, 2013 1 commit
-
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=112376 Source/JavaScriptCore: Reviewed by Geoffrey Garen. This turns new String(), String(), String.prototype.valueOf(), and String.prototype.toString() into intrinsics. It gives the DFG the ability to handle conversions from StringObject to JSString and vice-versa, and also gives it the ability to handle cases where a variable may be either a StringObject or a JSString. To do this, I added StringObject to value profiling (and removed the stale distinction between Myarguments and Foreignarguments). I also cleaned up ToPrimitive handling, using some of the new functionality but also taking advantage of the existence of Identity(String:@a). This is a 2% SunSpider speed-up. Also there are some speed-ups on V8v7 and Kraken. On microbenchmarks that stress new String() this is a 14x speed-up. * CMakeLists.txt: * DerivedSources.make: * DerivedSources.pri: * GNUmakefile.list.am: * bytecode/CodeBlock.h: (CodeBlock): (JSC::CodeBlock::hasExitSite): (JSC): * bytecode/DFGExitProfile.cpp: (JSC::DFG::ExitProfile::hasExitSite): (DFG): * bytecode/DFGExitProfile.h: (ExitProfile): (JSC::DFG::ExitProfile::hasExitSite): * bytecode/ExitKind.cpp: (JSC::exitKindToString): * bytecode/ExitKind.h: * bytecode/SpeculatedType.cpp: (JSC::dumpSpeculation): (JSC::speculationToAbbreviatedString): (JSC::speculationFromClassInfo): * bytecode/SpeculatedType.h: (JSC): (JSC::isStringObjectSpeculation): (JSC::isStringOrStringObjectSpeculation): * create_hash_table: * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::executeEffects): * dfg/DFGAbstractState.h: (JSC::DFG::AbstractState::filterEdgeByUse): * dfg/DFGByteCodeParser.cpp: (ByteCodeParser): (JSC::DFG::ByteCodeParser::handleCall): (JSC::DFG::ByteCodeParser::emitArgumentPhantoms): (DFG): (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::putStructureStoreElimination): * dfg/DFGEdge.h: (JSC::DFG::Edge::shift): * dfg/DFGFixupPhase.cpp: 
(JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): (FixupPhase): (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): (JSC::DFG::FixupPhase::observeUseKindOnNode): * dfg/DFGGraph.h: (JSC::DFG::Graph::hasGlobalExitSite): (Graph): (JSC::DFG::Graph::hasExitSite): (JSC::DFG::Graph::clobbersWorld): * dfg/DFGNode.h: (JSC::DFG::Node::convertToToString): (Node): (JSC::DFG::Node::hasStructure): (JSC::DFG::Node::shouldSpeculateStringObject): (JSC::DFG::Node::shouldSpeculateStringOrStringObject): * dfg/DFGNodeType.h: (DFG): * dfg/DFGOperations.cpp: * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileToStringOnCell): (DFG): (JSC::DFG::SpeculativeJIT::compileNewStringObject): (JSC::DFG::SpeculativeJIT::speculateObject): (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): (JSC::DFG::SpeculativeJIT::speculateString): (JSC::DFG::SpeculativeJIT::speculateStringObject): (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject): (JSC::DFG::SpeculativeJIT::speculate): * dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation): (SpeculativeJIT): (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand): (DFG): (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGUseKind.cpp: (WTF::printInternal): * dfg/DFGUseKind.h: (JSC::DFG::typeFilterFor): * interpreter/CallFrame.h: (JSC::ExecState::regExpPrototypeTable): * runtime/CommonIdentifiers.h: * runtime/Intrinsic.h: * runtime/JSDestructibleObject.h: (JSDestructibleObject): (JSC::JSDestructibleObject::classInfoOffset): * runtime/JSGlobalData.cpp: (JSC): (JSC::JSGlobalData::JSGlobalData): (JSC::JSGlobalData::~JSGlobalData): * 
runtime/JSGlobalData.h: (JSGlobalData): * runtime/JSObject.cpp: * runtime/JSObject.h: (JSC): * runtime/JSWrapperObject.h: (JSC::JSWrapperObject::allocationSize): (JSWrapperObject): (JSC::JSWrapperObject::internalValueOffset): (JSC::JSWrapperObject::internalValueCellOffset): * runtime/StringPrototype.cpp: (JSC): (JSC::StringPrototype::finishCreation): (JSC::StringPrototype::create): * runtime/StringPrototype.h: (StringPrototype): LayoutTests: Reviewed by Geoffrey Garen. * fast/js/dfg-to-string-bad-toString-expected.txt: Added. * fast/js/dfg-to-string-bad-toString.html: Added. * fast/js/dfg-to-string-bad-valueOf-expected.txt: Added. * fast/js/dfg-to-string-bad-valueOf.html: Added. * fast/js/dfg-to-string-int-expected.txt: Added. * fast/js/dfg-to-string-int-or-string-expected.txt: Added. * fast/js/dfg-to-string-int-or-string.html: Added. * fast/js/dfg-to-string-int.html: Added. * fast/js/dfg-to-string-side-effect-clobbers-toString-expected.txt: Added. * fast/js/dfg-to-string-side-effect-clobbers-toString.html: Added. * fast/js/dfg-to-string-side-effect-expected.txt: Added. * fast/js/dfg-to-string-side-effect.html: Added. * fast/js/dfg-to-string-toString-becomes-bad-expected.txt: Added. * fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype-expected.txt: Added. * fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.html: Added. * fast/js/dfg-to-string-toString-becomes-bad.html: Added. * fast/js/dfg-to-string-toString-in-string-expected.txt: Added. * fast/js/dfg-to-string-toString-in-string.html: Added. * fast/js/dfg-to-string-valueOf-becomes-bad-expected.txt: Added. * fast/js/dfg-to-string-valueOf-becomes-bad.html: Added. * fast/js/dfg-to-string-valueOf-in-string-expected.txt: Added. * fast/js/dfg-to-string-valueOf-in-string.html: Added. * fast/js/jsc-test-list: * fast/js/regress/script-tests/string-concat-object.js: Added. (foo): * fast/js/regress/script-tests/string-concat-pair-object.js: Added. 
(foo): * fast/js/regress/script-tests/string-concat-pair-simple.js: Added. (foo): * fast/js/regress/script-tests/string-concat-simple.js: Added. (foo): * fast/js/regress/script-tests/string-cons-repeat.js: Added. (foo): * fast/js/regress/script-tests/string-cons-tower.js: Added. (foo): * fast/js/regress/string-concat-object-expected.txt: Added. * fast/js/regress/string-concat-object.html: Added. * fast/js/regress/string-concat-pair-object-expected.txt: Added. * fast/js/regress/string-concat-pair-object.html: Added. * fast/js/regress/string-concat-pair-simple-expected.txt: Added. * fast/js/regress/string-concat-pair-simple.html: Added. * fast/js/regress/string-concat-simple-expected.txt: Added. * fast/js/regress/string-concat-simple.html: Added. * fast/js/regress/string-cons-repeat-expected.txt: Added. * fast/js/regress/string-cons-repeat.html: Added. * fast/js/regress/string-cons-tower-expected.txt: Added. * fast/js/regress/string-cons-tower.html: Added. * fast/js/script-tests/dfg-to-string-bad-toString.js: Added. (String.prototype.toString): (foo): * fast/js/script-tests/dfg-to-string-bad-valueOf.js: Added. (String.prototype.valueOf): (foo): * fast/js/script-tests/dfg-to-string-int-or-string.js: Added. (foo): * fast/js/script-tests/dfg-to-string-int.js: Added. (foo): * fast/js/script-tests/dfg-to-string-side-effect-clobbers-toString.js: Added. (foo): * fast/js/script-tests/dfg-to-string-side-effect.js: Added. (foo): * fast/js/script-tests/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.js: Added. (foo): (.String.prototype.toString): * fast/js/script-tests/dfg-to-string-toString-becomes-bad.js: Added. (foo): (.String.prototype.toString): * fast/js/script-tests/dfg-to-string-toString-in-string.js: Added. (foo): (.argument.toString): * fast/js/script-tests/dfg-to-string-valueOf-becomes-bad.js: Added. (foo): (.String.prototype.valueOf): * fast/js/script-tests/dfg-to-string-valueOf-in-string.js: Added. 
(foo): (.argument.valueOf): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146089 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 06 Mar, 2013 2 commits
-
-
fpizlo@apple.com authored
DFG should not run full CSE after the optimization fixpoint, since it really just wants store elimination https://bugs.webkit.org/show_bug.cgi?id=111536 Reviewed by Oliver Hunt and Mark Hahnenberg. The fixpoint will do aggressive load elimination and pure CSE. There's no need to do it after the fixpoint. On the other hand, the fixpoint does not profit from doing store elimination (except for SetLocal/Flush). Previously we had CSE do both, and had it avoid doing some store elimination during the fixpoint by querying the fixpoint state. This changes CSE to be templated on mode - either NormalCSE or StoreElimination - so that we explicitly put it into one of those modes depending on where we call it from. The goal is to reduce time spent doing load elimination after the fixpoint, since that is just wasted cycles. * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::CSEPhase): (JSC::DFG::CSEPhase::run): (JSC::DFG::CSEPhase::performNodeCSE): (JSC::DFG::CSEPhase::performBlockCSE): (JSC::DFG::performCSE): (DFG): (JSC::DFG::performStoreElimination): * dfg/DFGCSEPhase.h: (DFG): * dfg/DFGDriver.cpp: (JSC::DFG::compile): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@144973 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=111520 Reviewed by Geoffrey Garen. All nodes are live before DCE. We don't need to check that they aren't, because they definitely will be. * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run): * dfg/DFGCFAPhase.cpp: (JSC::DFG::CFAPhase::performBlockCFA): * dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::keepOperandAlive): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::pureCSE): (JSC::DFG::CSEPhase::int32ToDoubleCSE): (JSC::DFG::CSEPhase::constantCSE): (JSC::DFG::CSEPhase::weakConstantCSE): (JSC::DFG::CSEPhase::getCalleeLoadElimination): (JSC::DFG::CSEPhase::getArrayLengthElimination): (JSC::DFG::CSEPhase::globalVarLoadElimination): (JSC::DFG::CSEPhase::scopedVarLoadElimination): (JSC::DFG::CSEPhase::globalVarWatchpointElimination): (JSC::DFG::CSEPhase::globalVarStoreElimination): (JSC::DFG::CSEPhase::scopedVarStoreElimination): (JSC::DFG::CSEPhase::getByValLoadElimination): (JSC::DFG::CSEPhase::checkStructureElimination): (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): (JSC::DFG::CSEPhase::putStructureStoreElimination): (JSC::DFG::CSEPhase::getByOffsetLoadElimination): (JSC::DFG::CSEPhase::putByOffsetStoreElimination): (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): (JSC::DFG::CSEPhase::checkArrayElimination): (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): (JSC::DFG::CSEPhase::getMyScopeLoadElimination): (JSC::DFG::CSEPhase::getLocalLoadElimination): (JSC::DFG::CSEPhase::setLocalStoreElimination): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGStructureCheckHoistingPhase.cpp: (JSC::DFG::StructureCheckHoistingPhase::run): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@144939 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 05 Mar, 2013 1 commit
-
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=109389 Source/JavaScriptCore: Reviewed by Oliver Hunt. This gets rid of all eager reference counting, and does all dead code elimination in one phase - the DCEPhase. This phase also sets up the node reference counts, which are then used not just for DCE but also register allocation and stack slot allocation. Doing this required a number of surgical changes in places that previously relied on always having liveness information. For example, the structure check hoisting phase must now consult whether a VariableAccessData is profitable for unboxing to make sure that it doesn't try to do hoisting on set SetLocals. The arguments simplification phase employs its own light-weight liveness analysis. Both phases previously just used reference counts. The largest change is that now, dead nodes get turned into Phantoms. Those Phantoms will retain those child edges that are not proven. This ensures that any type checks performed by a dead node remain even after the node is killed. On the other hand, this Phantom conversion means that we need special handling for SetLocal. I decided to make the four forms of SetLocal explicit: MovHint(@a, rK): Just indicates that node @a contains the value that would have now been placed into virtual register rK. Does not actually cause @a to be stored into rK. This would have previously been a dead SetLocal with @a being live. MovHints are always dead. ZombieHint(rK): Indicates that at this point, register rK will contain a dead value and OSR should put Undefined into it. This would have previously been a dead SetLocal with @a being dead also. ZombieHints are always dead. MovHintAndCheck(@a, rK): Identical to MovHint except @a is also type checked, according to whatever UseKind the edge to @a has. The type check is always a forward exit. MovHintAndChecks are always live, since they are NodeMustGenerate. Previously this would have been a dead SetLocal with a live @a, and the check would have disappeared. 
This is one of the bugs that this patch solves. SetLocal(@a, rK): This still does exactly what it does now, if the SetLocal is live. Basically this patch makes it so that dead SetLocals eventually decay to MovHint, ZombieHint, or MovHintAndCheck depending on the situation. If the child @a is also dead, then you get a ZombieHint. If the child @a is live but the SetLocal has a type check and @a's type hasn't been proven to have that type then you get a MovHintAndCheck. Otherwise you get a MovHint. This is performance neutral. * CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::executeEffects): (JSC::DFG::AbstractState::mergeStateAtTail): * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run): (ArgumentsSimplificationPhase): (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild): * dfg/DFGBasicBlock.h: (BasicBlock): * dfg/DFGBasicBlockInlines.h: (DFG): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::addToGraph): (JSC::DFG::ByteCodeParser::insertPhiNode): (JSC::DFG::ByteCodeParser::emitFunctionChecks): * dfg/DFGCFAPhase.cpp: (JSC::DFG::CFAPhase::run): * dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::run): (JSC::DFG::CFGSimplificationPhase::keepOperandAlive): * dfg/DFGCPSRethreadingPhase.cpp: (JSC::DFG::CPSRethreadingPhase::run): (JSC::DFG::CPSRethreadingPhase::addPhiSilently): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): (JSC::DFG::CSEPhase::setReplacement): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGCommon.cpp: (WTF::printInternal): (WTF): * dfg/DFGCommon.h: (WTF): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck): (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode): * dfg/DFGDCEPhase.cpp: Added. 
(DFG): (DCEPhase): (JSC::DFG::DCEPhase::DCEPhase): (JSC::DFG::DCEPhase::run): (JSC::DFG::DCEPhase::findTypeCheckRoot): (JSC::DFG::DCEPhase::countEdge): (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren): (JSC::DFG::performDCE): * dfg/DFGDCEPhase.h: Added. (DFG): * dfg/DFGDriver.cpp: (JSC::DFG::compile): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::checkArray): (JSC::DFG::FixupPhase::blessArrayOperation): (JSC::DFG::FixupPhase::fixIntEdge): (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): (JSC::DFG::FixupPhase::truncateConstantToInt32): * dfg/DFGGraph.cpp: (JSC::DFG::Graph::Graph): (JSC::DFG::Graph::dump): (DFG): * dfg/DFGGraph.h: (JSC::DFG::Graph::changeChild): (JSC::DFG::Graph::changeEdge): (JSC::DFG::Graph::compareAndSwap): (JSC::DFG::Graph::clearAndDerefChild): (JSC::DFG::Graph::performSubstitution): (JSC::DFG::Graph::performSubstitutionForEdge): (Graph): (JSC::DFG::Graph::substitute): * dfg/DFGInsertionSet.h: (InsertionSet): * dfg/DFGNode.h: (JSC::DFG::Node::Node): (JSC::DFG::Node::convertToConstant): (JSC::DFG::Node::convertToGetLocalUnlinked): (JSC::DFG::Node::containsMovHint): (Node): (JSC::DFG::Node::hasVariableAccessData): (JSC::DFG::Node::willHaveCodeGenOrOSR): * dfg/DFGNodeType.h: (DFG): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward): (JSC::DFG::SpeculativeJIT::compileMovHint): (JSC::DFG::SpeculativeJIT::compileMovHintAndCheck): (DFG): (JSC::DFG::SpeculativeJIT::compileInlineStart): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT.h: (SpeculativeJIT): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGStructureCheckHoistingPhase.cpp: (JSC::DFG::StructureCheckHoistingPhase::run): (JSC::DFG::StructureCheckHoistingPhase::shouldConsiderForHoisting): (StructureCheckHoistingPhase): 
* dfg/DFGValidate.cpp: (JSC::DFG::Validate::validate): LayoutTests: Reviewed by Oliver Hunt. * fast/js/dfg-arguments-osr-exit-multiple-blocks-before-exit-expected.txt: Added. * fast/js/dfg-arguments-osr-exit-multiple-blocks-before-exit.html: Added. * fast/js/dfg-arguments-osr-exit-multiple-blocks-expected.txt: Added. * fast/js/dfg-arguments-osr-exit-multiple-blocks.html: Added. * fast/js/jsc-test-list: * fast/js/script-tests/dfg-arguments-osr-exit-multiple-blocks-before-exit.js: Added. (baz): (foo): (bar): * fast/js/script-tests/dfg-arguments-osr-exit-multiple-blocks.js: Added. (baz): (foo): (bar): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@144862 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 01 Mar, 2013 1 commit
-
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=111205 Reviewed by Oliver Hunt. I don't understand the intuition behind setLocalStoreElimination() validating that the SetLocal's ref count is 1. I believe this is a hold-over from when setLocalStoreElimination() would match one SetLocal to another, and then try to eliminate the first SetLocal. But that's not how it works now. Now, setLocalStoreElimination() is actually Flush elimination: it eliminates any Flush that anchors a SetLocal if it proves that every path from the SetLocal to the Flush is devoid of operations that may observe the local. It doesn't actually kill the SetLocal itself: if the SetLocal is live because of other things (other Flushes or GetLocals in other basic blocks), then the SetLocal will naturally still be alive because the Flush was only keeping the SetLocal alive by one count rather than being solely responsible for its liveness. * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::setLocalStoreElimination): (JSC::DFG::CSEPhase::eliminate): (JSC::DFG::CSEPhase::performNodeCSE): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@144481 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 28 Feb, 2013 1 commit
-
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=111102 Reviewed by Mark Hahnenberg. This adds a NodeExitsForward flag, which tells you the exit directionality of type checks performed by the node. Even if you convert the node to a Phantom and use the Edge UseKind for type checks, you'll still get the same exit directionality that the original node would have wanted. * dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run): * dfg/DFGArrayifySlowPathGenerator.h: (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator): * dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::run): (JSC::DFG::CFGSimplificationPhase::mergeBlocks): * dfg/DFGCPSRethreadingPhase.cpp: (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::setReplacement): (JSC::DFG::CSEPhase::eliminate): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::checkArray): * dfg/DFGNode.h: (Node): (JSC::DFG::Node::setOpAndDefaultNonExitFlags): (JSC::DFG::Node::convertToPhantom): * dfg/DFGNodeFlags.cpp: (JSC::DFG::nodeFlagsAsString): * dfg/DFGNodeFlags.h: (DFG): * dfg/DFGNodeType.h: (DFG): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::backwardSpeculationCheck): (DFG): (JSC::DFG::SpeculativeJIT::speculationCheck): (JSC::DFG::SpeculativeJIT::speculationWatchpoint): (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck): (JSC::DFG::SpeculativeJIT::backwardTypeCheck): (JSC::DFG::SpeculativeJIT::typeCheck): (JSC::DFG::SpeculativeJIT::forwardTypeCheck): (JSC::DFG::SpeculativeJIT::fillStorage): (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::checkArgumentTypes): (JSC::DFG::SpeculativeJIT::compileValueToInt32): (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): * dfg/DFGSpeculativeJIT.h: (SpeculativeJIT): (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand): 
(JSC::DFG::SpeculateIntegerOperand::gpr): (SpeculateIntegerOperand): (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand): (JSC::DFG::SpeculateDoubleOperand::fpr): (SpeculateDoubleOperand): (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand): (JSC::DFG::SpeculateCellOperand::gpr): (SpeculateCellOperand): (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand): (JSC::DFG::SpeculateBooleanOperand::gpr): (SpeculateBooleanOperand): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt): (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt): (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compile): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@144362 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 21 Feb, 2013 1 commit
-
-
fpizlo@apple.com authored
DFG should not change its mind about what type speculations a node does, by encoding the checks in the NodeType, UseKind, and ArrayMode https://bugs.webkit.org/show_bug.cgi?id=109371 Reviewed by Oliver Hunt. FixupPhase now locks in the speculations that each node will do. The DFG then remembers those speculations, and doesn't change its mind about them even if the graph is transformed - for example if a node's child is repointed to a different node as part of CSE, CFG simplification, or folding. Each node ensures that it executes the speculations promised by its edges. This is true even for Phantom nodes. This still leaves some craziness on the table for future work, like the elimination of speculating SetLocal's due to CFG simplification (webkit.org/b/109388) and elimination of nodes via DCE (webkit.org/b/109389). In all, this allows for a huge simplification of the DFG. Instead of having to execute the right speculation heuristic each time you want to decide what a node does (for example Node::shouldSpeculateInteger(child1, child2) && node->canSpeculateInteger()), you just ask for the use kinds of its children (typically node->binaryUseKind() == Int32Use). Because the use kinds are discrete, you can often just switch over them. This makes many parts of the code more clear than they were before. Having UseKinds describe the speculations being performed also makes it far easier to perform analyses that need to know what speculations are done. This is so far only used to simplify large parts of the CFA. To have a larger vocabulary of UseKinds, this also changes the node allocator to be able to round up Node sizes to the nearest multiple of 16. This appears to be neutral on benchmarks, except for some goofy speed-ups, like 8% on Octane/box2d. 
* CMakeLists.txt: * GNUmakefile.list.am: * JavaScriptCore.xcodeproj/project.pbxproj: * Target.pri: * dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::startExecuting): (DFG): (JSC::DFG::AbstractState::executeEdges): (JSC::DFG::AbstractState::verifyEdge): (JSC::DFG::AbstractState::verifyEdges): (JSC::DFG::AbstractState::executeEffects): (JSC::DFG::AbstractState::execute): * dfg/DFGAbstractState.h: (AbstractState): (JSC::DFG::AbstractState::filterEdgeByUse): (JSC::DFG::AbstractState::filterByType): * dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::filter): * dfg/DFGAdjacencyList.h: (JSC::DFG::AdjacencyList::AdjacencyList): (JSC::DFG::AdjacencyList::child): (JSC::DFG::AdjacencyList::setChild): (JSC::DFG::AdjacencyList::reset): (JSC::DFG::AdjacencyList::firstChild): (JSC::DFG::AdjacencyList::setFirstChild): (JSC::DFG::AdjacencyList::numChildren): (JSC::DFG::AdjacencyList::setNumChildren): (AdjacencyList): * dfg/DFGAllocator.h: (DFG): (Allocator): (JSC::DFG::Allocator::cellSize): (JSC::DFG::Allocator::Region::headerSize): (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): (JSC::DFG::Allocator::Region::payloadSize): (JSC::DFG::Allocator::Region::payloadBegin): (JSC::DFG::Allocator::Region::payloadEnd): (JSC::DFG::Allocator::Region::isInThisRegion): (JSC::DFG::::Allocator): (JSC::DFG::::~Allocator): (JSC::DFG::::allocate): (JSC::DFG::::free): (JSC::DFG::::freeAll): (JSC::DFG::::reset): (JSC::DFG::::indexOf): (JSC::DFG::::allocatorOf): (JSC::DFG::::bumpAllocate): (JSC::DFG::::freeListAllocate): (JSC::DFG::::allocateSlow): (JSC::DFG::::freeRegionsStartingAt): (JSC::DFG::::startBumpingIn): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::addToGraph): (JSC::DFG::ByteCodeParser::handleMinMax): * dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::setLocalStoreElimination): (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): (JSC::DFG::CSEPhase::setReplacement): (JSC::DFG::CSEPhase::performNodeCSE): * dfg/DFGCommon.h: (DFG): * dfg/DFGConstantFoldingPhase.cpp: 
(JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck): * dfg/DFGDriver.cpp: (JSC::DFG::compile): * dfg/DFGEdge.cpp: (JSC::DFG::Edge::dump): * dfg/DFGEdge.h: (JSC::DFG::Edge::useKindUnchecked): (JSC::DFG::Edge::useKind): (JSC::DFG::Edge::shift): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::run): (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::checkArray): (JSC::DFG::FixupPhase::blessArrayOperation): (JSC::DFG::FixupPhase::fixIntEdge): (JSC::DFG::FixupPhase::fixDoubleEdge): (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): (FixupPhase): (JSC::DFG::FixupPhase::truncateConstantToInt32): (JSC::DFG::FixupPhase::truncateConstantsIfNecessary): (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): * dfg/DFGGraph.cpp: (DFG): (JSC::DFG::Graph::refChildren): (JSC::DFG::Graph::derefChildren): * dfg/DFGGraph.h: (JSC::DFG::Graph::ref): (JSC::DFG::Graph::deref): (JSC::DFG::Graph::performSubstitution): (JSC::DFG::Graph::isPredictedNumerical): (JSC::DFG::Graph::addImmediateShouldSpeculateInteger): (DFG): * dfg/DFGNode.h: (JSC::DFG::Node::Node): (JSC::DFG::Node::convertToGetByOffset): (JSC::DFG::Node::convertToPutByOffset): (JSC::DFG::Node::willHaveCodeGenOrOSR): (JSC::DFG::Node::child1): (JSC::DFG::Node::child2): (JSC::DFG::Node::child3): (JSC::DFG::Node::binaryUseKind): (Node): (JSC::DFG::Node::isBinaryUseKind): * dfg/DFGNodeAllocator.h: (DFG): * dfg/DFGNodeFlags.cpp: (JSC::DFG::nodeFlagsAsString): * dfg/DFGNodeType.h: (DFG): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculationCheck): (DFG): (JSC::DFG::SpeculativeJIT::speculationWatchpoint): (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck): (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution): (JSC::DFG::SpeculativeJIT::typeCheck): (JSC::DFG::SpeculativeJIT::forwardTypeCheck): (JSC::DFG::SpeculativeJIT::fillStorage): 
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): (JSC::DFG::SpeculativeJIT::compile): (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): (JSC::DFG::SpeculativeJIT::compileValueToInt32): (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): (JSC::DFG::SpeculativeJIT::compileInstanceOf): (JSC::DFG::SpeculativeJIT::compileAdd): (JSC::DFG::SpeculativeJIT::compileArithSub): (JSC::DFG::SpeculativeJIT::compileArithNegate): (JSC::DFG::SpeculativeJIT::compileArithMul): (JSC::DFG::SpeculativeJIT::compileArithMod): (JSC::DFG::SpeculativeJIT::compare): (JSC::DFG::SpeculativeJIT::compileStrictEq): (JSC::DFG::SpeculativeJIT::speculateInt32): (JSC::DFG::SpeculativeJIT::speculateNumber): (JSC::DFG::SpeculativeJIT::speculateRealNumber): (JSC::DFG::SpeculativeJIT::speculateBoolean): (JSC::DFG::SpeculativeJIT::speculateCell): (JSC::DFG::SpeculativeJIT::speculateObject): (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): (JSC::DFG::SpeculativeJIT::speculateString): (JSC::DFG::SpeculativeJIT::speculateNotCell): (JSC::DFG::SpeculativeJIT::speculateOther): (JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h: (SpeculativeJIT): (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): (JSC::DFG::SpeculativeJIT::needsTypeCheck): (JSC::DFG::IntegerOperand::IntegerOperand): (JSC::DFG::IntegerOperand::edge): (IntegerOperand): (JSC::DFG::IntegerOperand::node): (JSC::DFG::IntegerOperand::gpr): (JSC::DFG::IntegerOperand::use): (JSC::DFG::JSValueOperand::JSValueOperand): (JSValueOperand): (JSC::DFG::JSValueOperand::edge): (JSC::DFG::JSValueOperand::node): (JSC::DFG::JSValueOperand::gpr): (JSC::DFG::JSValueOperand::fill): (JSC::DFG::JSValueOperand::use): (JSC::DFG::StorageOperand::StorageOperand): (JSC::DFG::StorageOperand::edge): (StorageOperand): (JSC::DFG::StorageOperand::node): (JSC::DFG::StorageOperand::gpr): (JSC::DFG::StorageOperand::use): (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand): (SpeculateIntegerOperand): (JSC::DFG::SpeculateIntegerOperand::edge): (JSC::DFG::SpeculateIntegerOperand::node): (JSC::DFG::SpeculateIntegerOperand::gpr): (JSC::DFG::SpeculateIntegerOperand::use): (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand): (SpeculateStrictInt32Operand): (JSC::DFG::SpeculateStrictInt32Operand::edge): (JSC::DFG::SpeculateStrictInt32Operand::node): (JSC::DFG::SpeculateStrictInt32Operand::gpr): (JSC::DFG::SpeculateStrictInt32Operand::use): (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand): (SpeculateDoubleOperand): (JSC::DFG::SpeculateDoubleOperand::edge): (JSC::DFG::SpeculateDoubleOperand::node): (JSC::DFG::SpeculateDoubleOperand::fpr): (JSC::DFG::SpeculateDoubleOperand::use): (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand): (SpeculateCellOperand): (JSC::DFG::SpeculateCellOperand::edge): (JSC::DFG::SpeculateCellOperand::node): (JSC::DFG::SpeculateCellOperand::gpr): (JSC::DFG::SpeculateCellOperand::use): (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand): (JSC::DFG::SpeculateBooleanOperand::edge): (SpeculateBooleanOperand): (JSC::DFG::SpeculateBooleanOperand::node): (JSC::DFG::SpeculateBooleanOperand::gpr): (JSC::DFG::SpeculateBooleanOperand::use): (DFG):
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillInteger): (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt): (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compileObjectEquality): (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillInteger): (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt): (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compileObjectEquality): (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureCheckHoistingPhase.cpp: (JSC::DFG::StructureCheckHoistingPhase::run):
* dfg/DFGUseKind.cpp: Added. (WTF): (WTF::printInternal):
* dfg/DFGUseKind.h: Added. (DFG): (JSC::DFG::typeFilterFor): (JSC::DFG::isNumerical): (WTF):
* dfg/DFGValidate.cpp: (JSC::DFG::Validate::reportValidationContext):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143654 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 18 Feb, 2013 1 commit
-
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=110072

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.

ValueToInt32 had a side-effecting path, which was not OSR-friendly: an OSR after the side-effect would lead to the side-effect re-executing. I got rid of that path and replaced it with an optimization for the case where the input is speculated number-or-other. This makes idioms like null|0 and true|0 work as expected, and get optimized appropriately.

Also got rid of DoubleOperand. Replaced all remaining uses of it with SpeculateDoubleOperand. Because the latter asserts that the Edge is a DoubleUse edge and the remaining uses of DoubleOperand are all for untyped uses, I worked around the assertion by setting the UseKind to DoubleUse by force. This is sound, since all existing assertions for DoubleUse are actually asserting that we're not converting a value to double unexpectedly. But all of these calls to SpeculateDoubleOperand are when the operand is already known to be represented as double, so there is no conversion.

This is neutral on benchmarks, except stanford-crypto-ccm, which speeds up a little. Mostly, this is intended to delete a bunch of code. DoubleOperand was equivalent to the replace-edge-with-DoubleUse trick that I'm using now, except it involved a _lot_ more code.

* dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute):
* dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h: (DFG):
* dfg/DFGSpeculativeJIT.cpp: (DFG): (JSC::DFG::SpeculativeJIT::compileValueToInt32):
* dfg/DFGSpeculativeJIT.h: (SpeculativeJIT): (DFG): (FPRTemporary):
* dfg/DFGSpeculativeJIT32_64.cpp: (DFG): (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp: (DFG):

LayoutTests:

Reviewed by Geoffrey Garen.

* fast/js/dfg-value-to-int32-with-side-effect-expected.txt: Added.
* fast/js/dfg-value-to-int32-with-side-effect.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-value-to-int32-with-side-effect.js: Added. (foo): (.result.foo):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143241 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 11 Feb, 2013 2 commits
-
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=109491

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

Int32ToDouble was being injected after a side-effecting operation and before a SetLocal. Anytime we inject something just before a SetLocal we should be aware that the previous operation may have been a side-effect associated with the current code origin. Hence, we should use a forward exit. Int32ToDouble does not do forward exits by default.

This patch adds a forward-exiting form of Int32ToDouble, for use in SetLocal Int32ToDouble injections. Changed the CSE and other things to treat these nodes identically, but for the exit strategy to be distinct (Int32ToDouble -> backward, ForwardInt32ToDouble -> forward). The use of the NodeType for signaling exit direction is not "great" but it's what we use in other places already (like ForwardCheckStructure).

* dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute):
* dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::int32ToDoubleCSE): (CSEPhase): (JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGCommon.h:
* dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixDoubleEdge): (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
* dfg/DFGNode.h: (JSC::DFG::Node::willHaveCodeGenOrOSR):
* dfg/DFGNodeType.h: (DFG):
* dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward): (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGVariableEventStream.cpp: (JSC::DFG::VariableEventStream::reconstruct):

LayoutTests:

Reviewed by Mark Hahnenberg.

Added one version of the test (dfg-int32-to-double-on-set-local-and-exit) that is based exactly on Gabor's original test, and another that ought to fail even if I fix other bugs in the future (see https://bugs.webkit.org/show_bug.cgi?id=109511).

* fast/js/dfg-int32-to-double-on-set-local-and-exit-expected.txt: Added.
* fast/js/dfg-int32-to-double-on-set-local-and-exit.html: Added.
* fast/js/dfg-int32-to-double-on-set-local-and-sometimes-exit-expected.txt: Added.
* fast/js/dfg-int32-to-double-on-set-local-and-sometimes-exit.html: Added.
* fast/js/script-tests/dfg-int32-to-double-on-set-local-and-exit.js: Added. (checkpoint): (func1): (func2): (func3): (test):
* fast/js/script-tests/dfg-int32-to-double-on-set-local-and-sometimes-exit.js: Added. (checkpoint): (func1): (func2): (func3): (test):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142544 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=109387

Reviewed by Oliver Hunt and Mark Hahnenberg.

Lock in the decision to use a non-speculative constant comparison as early as possible and don't let the CFA change it by folding constants. This might be a performance penalty on some really weird code (FWIW, I haven't seen this on benchmarks), but on the other hand it completely side-steps the unsoundness that the bug speaks of.

Rolling back in after adding 32-bit path.

* dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::execute):
* dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::isConstantForCompareStrictEq): (ByteCodeParser): (JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGNodeType.h: (DFG):
* dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileStrictEq):
* dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142515 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-