1. 26 Sep, 2012 3 commits
      Generalize JSGlobalThis as JSProxy · 4aef7247
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97716
      
      Reviewed by Oliver Hunt.
      
      ../JavaScriptCore: 
      
      Generalize JSGlobalThis as JSProxy and move proxying functionality up from the window shell into JSProxy.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::toThisObject):
          - Hoist toThisObject from WebCore.
      (JSC):
      * runtime/JSGlobalObject.h:
          - removed include.
      (JSC::JSGlobalObject::finishCreation):
          - JSGlobalThis -> JSObject
      (JSGlobalObject):
          - Hoist toThisObject from WebCore.
      * runtime/JSGlobalThis.cpp: Removed.
      * runtime/JSGlobalThis.h: Removed.
      * runtime/JSObject.cpp:
          - removed include.
      * runtime/JSObject.h:
      (JSObject):
      (JSC::JSObject::isProxy):
          - isGlobalThis -> isProxy
          - GlobalThisType -> ProxyType
      * runtime/JSProxy.cpp: Copied from Source/JavaScriptCore/runtime/JSGlobalThis.cpp.
      (JSC):
      (JSC::JSProxy::visitChildren):
      (JSC::JSProxy::setTarget):
      (JSC::JSProxy::className):
      (JSC::JSProxy::getOwnPropertySlot):
      (JSC::JSProxy::getOwnPropertySlotByIndex):
      (JSC::JSProxy::getOwnPropertyDescriptor):
      (JSC::JSProxy::put):
      (JSC::JSProxy::putByIndex):
      (JSC::JSProxy::putDirectVirtual):
      (JSC::JSProxy::defineOwnProperty):
      (JSC::JSProxy::deleteProperty):
      (JSC::JSProxy::deletePropertyByIndex):
      (JSC::JSProxy::getPropertyNames):
      (JSC::JSProxy::getOwnPropertyNames):
          - Class created from JSGlobalThis, JSDOMWindowShell.
      * runtime/JSProxy.h: Copied from Source/JavaScriptCore/runtime/JSGlobalThis.h.
      (JSC::JSProxy::create):
      (JSC::JSProxy::createStructure):
      (JSProxy):
      (JSC::JSProxy::target):
      (JSC::JSProxy::JSProxy):
          - Class created from JSGlobalThis, JSDOMWindowShell.
      * runtime/JSType.h:
          - GlobalThisType -> ProxyType
      
      ../WebCore: 
      
      This patch moves window shell functionality up to JSC::JSProxy.
      
      * ForwardingHeaders/runtime/JSGlobalThis.h: Removed.
      * ForwardingHeaders/runtime/JSProxy.h: Copied from Source/WebCore/ForwardingHeaders/runtime/JSGlobalThis.h.
      * bindings/js/JSDOMGlobalObject.cpp:
      (WebCore::JSDOMGlobalObject::finishCreation):
          - JSGlobalThis -> JSObject
      * bindings/js/JSDOMGlobalObject.h:
      (JSDOMGlobalObject):
          - JSGlobalThis -> JSObject
      * bindings/js/JSDOMWindowBase.cpp:
      (WebCore):
          - Hoist toThisObject up into JSC.
      * bindings/js/JSDOMWindowBase.h:
      (JSDOMWindowBase):
          - Hoist toThisObject up into JSC.
      * bindings/js/JSDOMWindowShell.cpp:
      (WebCore):
          - JSGlobalThis -> JSProxy
          - moved JSObject callbacks to JSProxy
      * bindings/js/JSDOMWindowShell.h:
      (JSDOMWindowShell):
          - JSGlobalThis -> JSProxy
          - moved JSObject callbacks to JSProxy
      (WebCore::JSDOMWindowShell::window):
          - unwrappedObject() -> target()
      (WebCore::JSDOMWindowShell::setWindow):
          - setUnwrappedObject() -> setTarget()
      (WebCore::JSDOMWindowShell::createStructure):
          - GlobalThisType -> ProxyType
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129685 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4aef7247
      Add ability for JSArray::unshiftCount to unshift in middle of an array · a1c33e2b
      msaboff@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97691
      
      Reviewed by Filip Pizlo.
      
      Changed JSArray::unshiftCount and unshiftCountSlowCase to handle unshifting from the middle of an
      array.  Depending on where the unshift point is, either the front part of the array will be moved
      "left" or the back part will be moved right.  Given that unshiftCount only works on contiguous
      arrays it is safe to use memmove for the moves.
      
      This change is worth 25% performance improvement on pdfjs.  It doesn't seem to have any impact on
      any other benchmarks.
      
      * runtime/ArrayPrototype.cpp:
      (JSC::unshift):
      * runtime/JSArray.cpp:
      (JSC::JSArray::unshiftCountSlowCase):
      (JSC::JSArray::unshiftCount):
      * runtime/JSArray.h:
      (JSArray):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129676 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a1c33e2b
      Unreviewed, rolling out r129592. · 9ab98ef6
      commit-queue@webkit.org authored
      http://trac.webkit.org/changeset/129592
      https://bugs.webkit.org/show_bug.cgi?id=97670
      
      Failures in Chromium security tests (Requested by schenney on
      #webkit).
      
      Patch by Sheriff Bot <webkit.review.bot@gmail.com> on 2012-09-26
      
      Source/JavaScriptCore:
      
      * runtime/JSGlobalObjectFunctions.cpp:
      (JSC::globalFuncEval):
      
      LayoutTests:
      
      * fast/js/eval-cross-window-expected.txt:
      * fast/js/eval-cross-window.html:
      * http/tests/security/cross-frame-access-call-expected.txt:
      * http/tests/security/cross-frame-access-call.html:
      * http/tests/security/resources/xss-eval2.html:
      * http/tests/security/resources/xss-eval3.html:
      * http/tests/security/xss-eval-expected.txt:
      * http/tests/security/xss-eval.html:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129629 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9ab98ef6
  2. 25 Sep, 2012 9 commits
      REGRESSION (r129456): http/tests/security/xss-eval.html is failing on JSC platforms · b364bcbe
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97529
      
      Reviewed by Filip Pizlo.
      
      A recent patch changed JSC's EvalError behaviour; bring this more into line with other browsers.
      
      Source/JavaScriptCore: 
      
      JSC currently throws an EvalError if you try to call eval with a this object that doesn't
      match the given eval function. This does not match other browsers, which generally just
      ignore the this value that was passed, and eval the string in the eval function's environment.
      
      * runtime/JSGlobalObjectFunctions.cpp:
      (JSC::globalFuncEval):
          - Remove EvalError, ignore passed this value.
      
      LayoutTests: 
      
      * fast/js/eval-cross-window-expected.txt:
      * fast/js/eval-cross-window.html:
          - Changed not to expect EvalErrors (this matches other browsers), and modified testThis
            to check that the this object is always set to the global object.
      * http/tests/security/resources/xss-eval2.html:
      * http/tests/security/resources/xss-eval3.html:
      * http/tests/security/xss-eval-expected.txt:
      * http/tests/security/xss-eval.html:
          - Updated. Access via the global environment is not a security risk, since the eval is
            accessing its own document's information. Access via the shell attempts to access
            the navigated pages document, tripping an access check & throwing a TypeError.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129592 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b364bcbe
      DFG ArrayPush, ArrayPop don't handle clobbering or having a bad time correctly · e0480cf1
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97535
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      
      LayoutTests: 
      
      Rubber stamped by Oliver Hunt.
      
      * fast/js/dfg-array-pop-side-effects-expected.txt: Added.
      * fast/js/dfg-array-pop-side-effects.html: Added.
      * fast/js/dfg-array-push-bad-time-expected.txt: Added.
      * fast/js/dfg-array-push-bad-time.html: Added.
      * fast/js/dfg-array-push-slow-put-expected.txt: Added.
      * fast/js/dfg-array-push-slow-put.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/dfg-array-pop-side-effects.js: Added.
      (foo):
      (.b):
      * fast/js/script-tests/dfg-array-push-bad-time.js: Added.
      * fast/js/script-tests/dfg-array-push-slow-put.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129588 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      e0480cf1
      JSC should dump object size inference statistics · def139e9
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97618
      
      Reviewed by Filip Pizlo.
      
      Added an option to dump object size inference statistics.
      
      To see statistics on live objects:
      
          jsc --showHeapStatistics=1
      
      To see cumulative statistics on all objects ever allocated:
      
          jsc --showHeapStatistics=1 --objectsAreImmortal=1
      
          (This is useful for showing GC churn caused by over-allocation.)
      
      To support this second mode, I refactored Zombies to separate out their
      immortality feature so I could reuse it.
      
      * heap/Heap.cpp:
      (JSC::MarkObject): Helper for making things immortal. We have to check
      for being zapped because blocks start out in this state.
      
      (JSC::StorageStatistics): Gather statistics by walking the heap. Ignore
      arrays and hash tables for now because they're not our focus. (We'll
      remove these exceptions in future.)
      
      (JSC::Heap::collect): Moved zombify to the end so it wouldn't interfere
      with statistics gathering.
      
      (JSC::Heap::showStatistics):
      (JSC::Heap::markAllObjects): Factored out helper, so statistics could
      take advantage of immortal objects.
      
      (Zombify): Don't mark immortal objects -- that's another class's job now.
      
      (JSC::Zombify::operator()):
      (JSC::Heap::zombifyDeadObjects): Take advantage of forEachDeadCell instead
      of rolling our own.
      
      * heap/Heap.h:
      (Heap):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (JSC::MarkedSpace::forEachDeadCell): Added, so clients don't have to do
      the iteration logic themselves.
      
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      * runtime/Options.h: New options, listed above. Make sure to initialize
      based on environment variable first, so we can override with specific settings.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129586 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      def139e9
      We shouldn't use the optimized versions of shift/unshift if the user is doing... · 8fd5e34c
      fpizlo@apple.com authored
      We shouldn't use the optimized versions of shift/unshift if the user is doing crazy things to the array
      https://bugs.webkit.org/show_bug.cgi?id=97603
      <rdar://problem/12370864>
      
      Reviewed by Gavin Barraclough.
      
      You changed the length behind our backs? No optimizations for you then!
      
      * runtime/ArrayPrototype.cpp:
      (JSC::shift):
      (JSC::unshift):
      * runtime/JSArray.cpp:
      (JSC::JSArray::shiftCount):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129577 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      8fd5e34c
      JSC bindings appear to sometimes ignore the possibility of arrays being in sparse mode · 7ebfaed1
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=95610
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      Add better support for quickly accessing the indexed storage from bindings.
      
      * runtime/JSObject.h:
      (JSC::JSObject::tryGetIndexQuickly):
      (JSObject):
      (JSC::JSObject::getDirectIndex):
      (JSC::JSObject::getIndex):
      
      Source/WebCore: 
      
      Fix all of the cases I found where we were using getIndexQuickly(), which was wrong
      if we were in sparse mode.
      
      * bindings/js/ArrayValue.cpp:
      (WebCore::ArrayValue::get):
      * bindings/js/JSBlobCustom.cpp:
      (WebCore::JSBlobConstructor::constructJSBlob):
      * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
      (WebCore::JSCanvasRenderingContext2D::setWebkitLineDash):
      * bindings/js/JSDOMStringListCustom.cpp:
      (WebCore::toDOMStringList):
      * bindings/js/JSInspectorFrontendHostCustom.cpp:
      (WebCore::populateContextMenuItems):
      * bindings/js/JSWebSocketCustom.cpp:
      (WebCore::JSWebSocketConstructor::constructJSWebSocket):
      * bindings/js/ScriptValue.cpp:
      (WebCore::jsToInspectorValue):
      * bindings/js/SerializedScriptValue.cpp:
      (CloneSerializer):
      (WebCore::CloneSerializer::serialize):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129574 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      7ebfaed1
      Structure check hoisting phase doesn't know about the side-effecting nature of Arrayify · 3d94f71e
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97537
      
      Reviewed by Mark Hahnenberg.
      
      No tests because if we use Arrayify then we also use PutByVal(BlankToXYZ), and the latter is
      already known to be side-effecting. So this bug shouldn't have had any symptoms, as far as I
      can tell.
      
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129553 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      3d94f71e
      Regression: put beyond vector length prefers prototype setters to sparse properties · 544a81b8
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97593
      
      Reviewed by Geoff Garen & Filip Pizlo.
      
      Source/JavaScriptCore: 
      
      * runtime/JSObject.cpp:
      (JSC::JSObject::putByIndexBeyondVectorLength):
          - Check for self properties in the sparse map - if present, don't examine the protochain.
      
      LayoutTests: 
      
      * fast/js/script-tests/array-defineOwnProperty.js:
      (Object.defineProperty):
      (set Object.defineProperty):
          - Added test case.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129548 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      544a81b8
      https://bugs.webkit.org/show_bug.cgi?id=97530 · fb498f4b
      barraclough@apple.com authored
      Regression, freeze applied to numeric properties of non-array objects
      
      Reviewed by Filip Pizlo.
      
      Object.freeze has a fast implementation in JSObject, but this hasn't been updated to take into account numeric properties in butterflies.
      For now, just fall back to the generic implementation if the object has numeric properties.
      
      Source/JavaScriptCore: 
      
      * runtime/ObjectConstructor.cpp:
      (JSC::objectConstructorFreeze):
          - fallback if the object has a non-zero indexed property vector length.
      
      LayoutTests: 
      
      * fast/js/preventExtensions-expected.txt:
      * fast/js/script-tests/preventExtensions.js:
          - Added a test case for freezing an object with a numeric property.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129461 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      fb498f4b
      Bug in numeric accessors on global environment · bedfae14
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97526
      
      Reviewed by Geoff Garen.
      
      I've hit this assert in test262 in browser, but haven't yet worked out how to repro in a test case :-/
      The sparsemap is failing to map back from the global object to the window shell.
      A test case would need to resolve a numeric property name against the global environment.
      
      (JSC::SparseArrayEntry::get):
      (JSC::SparseArrayEntry::put):
          - Add missing toThisObject calls.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129458 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      bedfae14
  3. 24 Sep, 2012 10 commits
      SerializedScriptValue isn't aware of indexed storage, but should be · 904bab81
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97515
      <rdar://problem/12361874>
      
      Reviewed by Sam Weinig.
      
      Source/JavaScriptCore: 
      
      Export a method that WebCore now uses.
      
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * runtime/JSObject.h:
      (JSObject):
      
      Source/WebCore: 
      
      New test: fast/js/post-message-numeric-property.html
      
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneDeserializer::putProperty):
      
      LayoutTests: 
      
      * fast/js/post-message-numeric-property-expected.txt: Added.
      * fast/js/post-message-numeric-property.html: Added.
      * fast/js/script-tests/post-message-numeric-property.js: Added.
      (window.onmessage):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129457 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      904bab81
      Remove JSObject::unwrappedGlobalObject(), JSObject::unwrappedObject() · 51bdc905
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97519
      
      Reviewed by Geoff Garen.
      
      ../JavaScriptCore: 
      
      unwrappedGlobalObject() was only needed because globalObject() doesn't always return a helpful result -
      specifically for WebCore's window shell the structure's globalObject is set to null. We can fix this by
      simply keeping the structure up to date as the window navigates, obviating the need for this function.
      
      The only other use of unwrappedObject() came from globalFuncEval(), and this can be trivially removed
      by flipping the way we perform this globalObject check (which we may also be able to remove!) - instead
      of getting the globalObject from the provided this value & comparing to the expected globalObject, we
      can get the this value from the expected globalObject, and compare to that provided.
      
      * runtime/JSGlobalObject.cpp:
          - Call globalObject() instead of unwrappedGlobalObject().
      * runtime/JSGlobalObjectFunctions.cpp:
      (JSC::globalFuncEval):
          - Changed to compare this object values, instead of globalObjects -
            this means we only need to be able to map globalObject -> this,
            and not vice versa.
      * runtime/JSObject.cpp:
      (JSC::JSObject::allowsAccessFrom):
      (JSC::JSObject::createInheritorID):
          - Call globalObject() instead of unwrappedGlobalObject().
      * runtime/JSObject.h:
      (JSObject):
          - Removed unwrappedGlobalObject(), unwrappedObject().
      
      ../WebCore: 
      
      JSDOMWindowShell::setWindow should update the structure's globalObject.
      
      * bindings/js/JSDOMWindowShell.h:
      (WebCore::JSDOMWindowShell::setWindow):
          - Update the JSDOMWindowShell's structure's globalObject when the
            window changes.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129456 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      51bdc905
      Deleting the classic interpreter and cleaning up some build options. · 74a9e837
      mark.lam@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96969.
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::stronglyVisitStrongReferences):
      (JSC):
      * bytecode/Instruction.h:
      (JSC::Instruction::Instruction):
      * interpreter/AbstractPC.cpp:
      (JSC::AbstractPC::AbstractPC):
      * interpreter/AbstractPC.h:
      (AbstractPC):
      * interpreter/CallFrame.h:
      (ExecState):
      * interpreter/Interpreter.cpp:
      (JSC):
      (JSC::Interpreter::Interpreter):
      (JSC::Interpreter::~Interpreter):
      (JSC::Interpreter::initialize):
      (JSC::Interpreter::isOpcode):
      (JSC::Interpreter::unwindCallFrame):
      (JSC::getLineNumberForCallFrame):
      (JSC::getCallerInfo):
      (JSC::getSourceURLFromCallFrame):
      (JSC::Interpreter::execute):
      (JSC::Interpreter::executeCall):
      (JSC::Interpreter::executeConstruct):
      (JSC::Interpreter::retrieveArgumentsFromVMCode):
      (JSC::Interpreter::retrieveCallerFromVMCode):
      (JSC::Interpreter::retrieveLastCaller):
      * interpreter/Interpreter.h:
      (JSC::Interpreter::getOpcodeID):
      (Interpreter):
      * jit/ExecutableAllocatorFixedVMPool.cpp:
      (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
      * offlineasm/asm.rb:
      * offlineasm/offsets.rb:
      * runtime/Executable.cpp:
      (JSC::EvalExecutable::compileInternal):
      (JSC::ProgramExecutable::compileInternal):
      (JSC::FunctionExecutable::compileForCallInternal):
      (JSC::FunctionExecutable::compileForConstructInternal):
      * runtime/Executable.h:
      (JSC::NativeExecutable::create):
      (NativeExecutable):
      (JSC::NativeExecutable::finishCreation):
      * runtime/JSGlobalData.cpp:
      (JSC):
      (JSC::JSGlobalData::JSGlobalData):
      (JSC::JSGlobalData::getHostFunction):
      * runtime/JSGlobalData.h:
      (JSGlobalData):
      (JSC::JSGlobalData::canUseJIT):
      (JSC::JSGlobalData::canUseRegExpJIT):
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      
      Source/WebKit/blackberry: 
      
      * WebCoreSupport/AboutDataEnableFeatures.in:
      
      Source/WTF: 
      
      * wtf/OSAllocatorPosix.cpp:
      (WTF::OSAllocator::reserveAndCommit):
      * wtf/Platform.h:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129453 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      74a9e837
      Nested try/finally should not confuse the finally unpopper in... · 84c256c3
      fpizlo@apple.com authored
      Nested try/finally should not confuse the finally unpopper in BytecodeGenerator::emitComplexJumpScopes
      https://bugs.webkit.org/show_bug.cgi?id=97508
      <rdar://problem/12361132>
      
      Reviewed by Sam Weinig.
      
      Source/JavaScriptCore: 
      
      We're reusing some vector for multiple iterations of a loop, but we were forgetting to clear its
      contents from one iteration to the next. Hence if you did multiple iterations of finally unpopping
      (like in a nested try/finally and a jump out of both of them) then you'd get a corrupted try
      context stack afterwards.
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitComplexJumpScopes):
      
      LayoutTests: 
      
      * fast/js/jsc-test-list:
      * fast/js/script-tests/try-try-return-finally-finally.js: Added.
      (foo):
      * fast/js/try-try-return-finally-finally-expected.txt: Added.
      * fast/js/try-try-return-finally-finally.html: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129440 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      84c256c3
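The entry above fixes the bytecode generator's unwinding of nested try/finally scopes when a jump leaves several of them at once. As an added example, not WebKit code or its layout test, the following checks from plain JavaScript the ordering that the generator has to produce: a return or break out of two nested try blocks runs the inner finally, then the outer one, and keeps the pending return value unless a finally replaces it.

```javascript
// Added example (not WebKit code): control flow through nested try/finally
// when a single jump leaves both blocks.

// A return from the inner try runs the inner finally, then the outer one,
// and still delivers the original return value.
function returnThroughNestedFinally() {
  const order = [];
  function f() {
    try {
      try {
        order.push("inner-try");
        return "from-inner-try";
      } finally {
        order.push("inner-finally");
      }
    } finally {
      order.push("outer-finally");
    }
  }
  return { result: f(), order };
}

// The same unwinding applies to a break out of nested try blocks inside a
// loop: the iteration that leaves runs both finallys, innermost first.
function breakThroughNestedFinally() {
  const order = [];
  for (let i = 0; i < 3; i++) {
    try {
      try {
        if (i === 1) break;
        order.push("body" + i);
      } finally {
        order.push("inner" + i);
      }
    } finally {
      order.push("outer" + i);
    }
  }
  return order;
}

// Edge case: an explicit return in an outer finally replaces the value that
// the inner return left pending.
function finallyOverridesReturn() {
  function f() {
    try {
      try {
        return "inner";
      } finally {
        // no return here, so "inner" is still pending
      }
    } finally {
      return "outer-finally-wins";
    }
  }
  return f();
}
```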
      ValueToInt32 bool case does bad things to registers · 7539f5a7
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97505
      <rdar://problem/12356331>
      
      Reviewed by Mark Hahnenberg.
      
      Source/JavaScriptCore: 
      
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      
      LayoutTests: 
      
      * fast/js/dfg-bool-to-int32-reuse-expected.txt: Added.
      * fast/js/dfg-bool-to-int32-reuse.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/dfg-bool-to-int32-reuse.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129435 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      7539f5a7
      Add cloopDo instruction for debugging the llint C++ backend. · 9cc5df7d
      mark.lam@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97502.
      
      Reviewed by Geoffrey Garen.
      
      * offlineasm/cloop.rb:
      * offlineasm/instructions.rb:
      * offlineasm/parser.rb:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129434 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9cc5df7d
      JSArray::putByIndex asserts with readonly property on prototype · 44e841ff
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97435
      <rdar://problem/12357084>
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      Boy, there were some problems:
              
      - putDirectIndex() should know that it can set the index quickly even if it's a hole and we're
        in SlowPut mode, since that's the whole point of PutDirect.
              
      - We should have a fast path for putByIndex().
              
      - The LiteralParser should not use push(), since that may throw if we're having a bad time.
      
      * interpreter/Interpreter.cpp:
      (JSC::eval):
      * runtime/JSObject.h:
      (JSC::JSObject::putByIndexInline):
      (JSObject):
      (JSC::JSObject::putDirectIndex):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      
      LayoutTests: 
      
      * fast/js/concat-while-having-a-bad-time.html: Added.
      * fast/js/concat-while-having-a-bad-time-expected.txt: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/concat-while-having-a-bad-time.js: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129432 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      44e841ff
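Three entries on this page concern how an indexed store on an array is resolved once it falls outside the dense storage: the r129548 entry (an own sparse property must win over a prototype setter), the r129461 entry (Object.freeze must cover numeric properties), and the entry above (a read-only property on the prototype must not break concat). The following is an added example, not WebKit code or its layout tests, that checks the observable language behaviour behind each fix in Node.js; the helper `hasOwn` and the index `100000` are illustrative choices, and the read-only case temporarily modifies `Array.prototype` and restores it afterwards.

```javascript
// Added example (not WebKit code): which property wins when an indexed
// store lands beyond an array's dense storage and the prototype chain also
// defines something at that index, plus freeze over numeric properties.
// hasOwn is a local helper, not an engine API.
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// An own sparse data property takes precedence over a setter on the
// prototype chain: the store updates the own slot and the setter never runs.
function ownSparseBeatsPrototypeSetter() {
  const calls = [];
  const proto = Object.create(Array.prototype);
  Object.defineProperty(proto, 100000, { set(v) { calls.push(v); }, configurable: true });
  const a = [];
  Object.setPrototypeOf(a, proto);
  Object.defineProperty(a, 100000, { value: "own", writable: true, enumerable: true, configurable: true });
  a[100000] = "updated";
  return { value: a[100000], setterCalls: calls.length, length: a.length };
}

// Without the own property the same store goes to the prototype setter and
// the array never acquires an element (its length stays 0).
function prototypeSetterWinsOverHole() {
  const calls = [];
  const proto = Object.create(Array.prototype);
  Object.defineProperty(proto, 100000, { set(v) { calls.push(v); }, configurable: true });
  const a = [];
  Object.setPrototypeOf(a, proto);
  a[100000] = "into-setter";
  return { setterCalls: calls.length, own: hasOwn(a, 100000), length: a.length };
}

// A read-only data property on Array.prototype blocks plain stores into a
// hole (silently in sloppy code, TypeError in strict code), but operations
// that define elements directly, such as array literals and concat, still
// create own elements. Array.prototype is restored in the finally block.
function readonlyPrototypeBlocksStoresNotDefines() {
  Object.defineProperty(Array.prototype, 0, { value: "locked", writable: false, configurable: true });
  try {
    const a = [];
    const inherited = a[0];
    // Function-constructor bodies are sloppy, so this store is dropped, not thrown.
    const sloppyStore = new Function("a", "a[0] = 'x'; return a.hasOwnProperty(0);");
    const sloppyAcquired = sloppyStore(a);
    let strictThrew = false;
    try { (function () { "use strict"; a[0] = "y"; })(); } catch (e) { strictThrew = e instanceof TypeError; }
    const c = [1].concat([2, 3]);
    return { inherited, sloppyAcquired, strictThrew, concat: c.join(","), concatOwnZero: hasOwn(c, 0) };
  } finally {
    delete Array.prototype[0];
  }
}

// Object.freeze has to cover numeric (indexed) properties as well as named
// ones: both become non-writable and non-configurable.
function freezeCoversNumericProperties() {
  const o = { 0: "zero", 1: "one", name: "named" };
  Object.freeze(o);
  const d0 = Object.getOwnPropertyDescriptor(o, 0);
  const dn = Object.getOwnPropertyDescriptor(o, "name");
  let strictThrew = false;
  try { (function () { "use strict"; o[0] = "changed"; })(); } catch (e) { strictThrew = e instanceof TypeError; }
  return {
    frozen: Object.isFrozen(o),
    numericWritable: d0.writable,
    numericConfigurable: d0.configurable,
    namedWritable: dn.writable,
    strictThrew,
    value: o[0],
  };
}
```

The useful check for a reviewer of any of these fast paths is the first pair of functions: the only difference between them is whether the own sparse entry exists, and that one bit decides whether the prototype chain is consulted at all.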
      Added a missing "if VALUE_PROFILER" around an access to ArrayProfile record. · a39652e1
      mark.lam@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97496.
      
      Reviewed by Filip Pizlo.
      
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129428 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a39652e1
      Inlined activation tear-off in the DFG · cd57a712
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97487
      
      Reviewed by Filip Pizlo.
      
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h: Activation tear-off is always inlined now, so I
      removed its out-of-line implementation.
      
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile): Inlined the variable copy and update
      of JSVariableObject::m_registers. This usually turns into < 10 instructions,
      which is close to pure win as compared to the operation function call.
      
      * runtime/JSActivation.h:
      (JSActivation):
      (JSC::JSActivation::registersOffset):
      (JSC::JSActivation::tearOff):
      (JSC::JSActivation::isTornOff):
      (JSC):
      (JSC::JSActivation::storageOffset):
      (JSC::JSActivation::storage): Tiny bit of refactoring so the JIT can
      share the pointer math helper functions we use internally.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129426 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      cd57a712
      MIPS: store8 functions added to MacroAssembler. · 7a3483b4
      commit-queue@webkit.org authored
      MIPS store8 functions
      https://bugs.webkit.org/show_bug.cgi?id=97243
      
      Patch by Balazs Kilvady <kilvadyb@homejinni.com> on 2012-09-24
      Reviewed by Oliver Hunt.
      
      Add MIPS store8 functions.
      
      * assembler/MIPSAssembler.h:
      (JSC::MIPSAssembler::lhu): New function.
      (MIPSAssembler):
      (JSC::MIPSAssembler::sb): New function.
      (JSC::MIPSAssembler::sh): New function.
      * assembler/MacroAssemblerMIPS.h:
      (JSC::MacroAssemblerMIPS::store8): New function.
      (MacroAssemblerMIPS):
      (JSC::MacroAssemblerMIPS::store16): New function.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129367 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      7a3483b4
  4. 23 Sep, 2012 5 commits
      PutScopedVar should not be marked as clobbering the world · ed7a6ed8
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97416
      
      Reviewed by Filip Pizlo.
      
      No performance change.
      
      PutScopedVar doesn't have arbitrary side-effects, so it shouldn't be marked
      as such.
      
      * dfg/DFGNodeType.h:
      (DFG):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129325 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ed7a6ed8
      2012-09-23 Geoffrey Garen <ggaren@apple.com> · c5605d8d
      ggaren@apple.com authored
              I accidentally the whole 32-bit :(.
      
              Unbreak the DFG in 32-bit with the 32-bit path I forgot in my last patch.
      
              * dfg/DFGSpeculativeJIT32_64.cpp:
              (JSC::DFG::SpeculativeJIT::compile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129324 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c5605d8d
      Fix build warnings : -Wunused-parameter, -Wparentheses, -Wuninitialized. · 378318b1
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=97306
      
      Patch by Byungwoo Lee <bw80.lee@gmail.com> on 2012-09-23
      Reviewed by Benjamin Poulain.
      
      Source/JavaScriptCore:
      
      Fix build warning about -Wunused-parameter on MachineStackMarker.cpp,
      LLIntSlowPaths.cpp, DatePrototype.cpp, Options.cpp by using
      UNUSED_PARAM() macro or remove parameter name.
      
      * heap/MachineStackMarker.cpp:
      (JSC::pthreadSignalHandlerSuspendResume):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::entryOSR):
      * runtime/DatePrototype.cpp:
      (JSC::formatLocaleDate):
      * runtime/Options.cpp:
      (JSC::computeNumberOfGCMarkers):
      
      Source/WebCore:
      
      Fix build warning about -Wunused-parameter on ImageBufferCairo.cpp,
      ImageDecoder.h by using ASSERT_UNUSED() macro.
      
      * platform/graphics/cairo/ImageBufferCairo.cpp:
      (WebCore::encodeImage):
      * platform/image-decoders/ImageDecoder.h:
      (WebCore::ImageDecoder::rgbColorProfile):
      (WebCore::ImageDecoder::inputDeviceColorProfile):
      
      Source/WebKit/efl:
      
      Fix build warning about -Wunused-parameter on FrameLoaderClientEfl.cpp
      by using ASSERT_UNUSED() macro.
      Fix build warning about -Wparentheses on ewk_frame.cpp by adding
      additional brace for the assign statement.
      
      * WebCoreSupport/FrameLoaderClientEfl.cpp:
      (WebCore::FrameLoaderClientEfl::dispatchDidChangeIcons):
      * ewk/ewk_frame.cpp:
      (ewk_frame_resources_location_get):
      
      Source/WebKit2:
      
      Fix build warning about -Wunused-parameter on Connection.cpp,
      WKEinaSharedString.cpp, ewk_view_loader_client.cpp, WebPage.cpp by
      using ASSERT_UNUSED() macro or removing parameter name.
      Fix build warning about -Wuninitialized on WebEventFactory.cpp by
      continuing the loop at the default switch case not to use the
      uninitialized variable.
      
      * Platform/CoreIPC/Connection.cpp:
      (CoreIPC::Connection::waitForSyncReply):
      * Shared/efl/WebEventFactory.cpp:
      (WebKit::WebEventFactory::createWebTouchEvent):
      * UIProcess/API/cpp/efl/WKEinaSharedString.cpp:
      (WKEinaSharedString::WKEinaSharedString):
      * UIProcess/API/efl/ewk_view_loader_client.cpp:
      (didSameDocumentNavigationForFrame):
      * WebProcess/WebPage/WebPage.cpp:
      (WebKit::WebPage::SandboxExtensionTracker::beginLoad):
      
      Source/WTF:
      
      Fix build warning about -Wunused-parameter on FastMalloc.cpp,
      OSAllocatorPosix.cpp by using UNUSED_PARAM() macro.
      Fix header including order of FastMalloc.cpp.
      
      * wtf/FastMalloc.cpp:
      (WTF::fastMallocSize):
      * wtf/OSAllocatorPosix.cpp:
      (WTF::OSAllocator::reserveAndCommit):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129319 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      378318b1
    • barraclough@apple.com's avatar
      Sorting a non-array creates properties (spec-violation) · 0a429dee
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=25477
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      We're just calling get() to get properties, which is converting missing properties to
      undefined. Hole values should be retained, and moved to the end of the array.
      
      * runtime/ArrayPrototype.cpp:
      (JSC::getOrHole):
          - Helper function, returns JSValue() instead of undefined for missing properties.
      (JSC::arrayProtoFuncSort):
          - Implemented per 15.4.4.11, see comments above.
      
      LayoutTests: 
      
      Added test cases.
      
      * fast/js/array-sort-sparse-expected.txt: Added.
      * fast/js/array-sort-sparse.html: Added.
      * fast/js/script-tests/array-sort-sparse.js: Added.
      (testSort):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129317 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0a429dee
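Added example, not JavaScriptCore code: a reference `Array.prototype.sort` shaped like ES5.1 15.4.4.11, next to the "just call get()" variant the commit replaces. It shows the point of `getOrHole`: a missing index is never read, so it cannot turn into `undefined`, and after sorting the holes are re-created at the tail with `delete`. The names `specSort`, `naiveSort`, `defaultCompare` and `presentCount` are chosen here.

```javascript
// Added example, not JavaScriptCore code. Reference sort per ES5.1 15.4.4.11 beside
// the hole-to-undefined variant the commit above fixes. Names are chosen here.

// Default comparison (string order). specSort removes undefined before calling it,
// so this never has to special-case undefined the way SortCompare does.
function defaultCompare(x, y) {
  const sx = String(x), sy = String(y);
  return sx < sy ? -1 : sx > sy ? 1 : 0;
}

// Spec-shaped: only existing properties are read, undefined values are placed
// after the sorted values, and the remaining slots are deleted so holes stay holes.
function specSort(obj, comparefn = defaultCompare) {
  const len = obj.length >>> 0;
  const values = [];
  let undefinedCount = 0;
  for (let i = 0; i < len; i++) {
    if (!(i in obj)) continue;             // HasProperty is false: a hole, never [[Get]] it
    const v = obj[i];
    if (v === undefined) undefinedCount++; // undefined sorts after every other value
    else values.push(v);
  }
  values.sort(comparefn);                  // comparefn never sees undefined or holes
  let k = 0;
  for (; k < values.length; k++) obj[k] = values[k];
  for (let u = 0; u < undefinedCount; u++) obj[k++] = undefined;
  for (; k < len; k++) delete obj[k];      // holes reappear at the tail
  return obj;
}

// The buggy shape: [[Get]] on every index turns holes into undefined, and writing
// every index back materialises them as real properties on the object.
function naiveSort(obj, comparefn = defaultCompare) {
  const len = obj.length >>> 0;
  const values = [];
  for (let i = 0; i < len; i++) values.push(obj[i]);
  values.sort(comparefn);
  for (let k = 0; k < len; k++) obj[k] = values[k];
  return obj;
}

// Number of indices below length that are real properties (present, even if undefined).
function presentCount(obj) {
  let n = 0;
  for (let i = 0; i < (obj.length >>> 0); i++) if (i in obj) n++;
  return n;
}
```

Run `specSort` and `naiveSort` on the same sparse array-like, for instance `{0: 'b', 2: 'a', length: 3}`, and compare `2 in obj` afterwards: the spec-shaped version leaves index 2 missing, the naive one creates it with the value `undefined`, which is the observable property creation the bug title refers to.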
    • ggaren@apple.com's avatar
      CSE for access to closure variables (get_/put_scoped_var) · ce086ca0
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97414
      
      Reviewed by Oliver Hunt.
      
      I separated loading a scope from loading its storage pointer, so we can
      CSE the storage pointer load. Then, I copied the global var CSE and adjusted
      it for closure vars.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute): Renamed GetScopeChain => GetScope to
      reflect renames from a few weeks ago.
      
      Added a case for the storage pointer load, similar to object storage pointer load.
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock): Added an independent node for
      the storage pointer.
      
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::scopedVarLoadElimination):
      (CSEPhase):
      (JSC::DFG::CSEPhase::scopedVarStoreElimination):
      (JSC::DFG::CSEPhase::getScopeLoadElimination):
      (JSC::DFG::CSEPhase::getScopeRegistersLoadElimination):
      (JSC::DFG::CSEPhase::setLocalStoreElimination):
      (JSC::DFG::CSEPhase::performNodeCSE): Copied globalVarLoad/StoreElimination
      and adapted the same logic to closure vars.
      
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasScopeChainDepth):
      (JSC::DFG::Node::scope):
      (Node):
      * dfg/DFGNodeType.h:
      (DFG): GetScopedVar and GetGlobalVar are no longer MustGenerate. I'm not
      sure why they ever were. But these are simple load operations so, if they're
      unused, they're truly dead.
      
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile): Updated for renames and split-out
      node for getting the storage pointer.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129316 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ce086ca0
  5. 22 Sep, 2012 2 commits
    • ggaren@apple.com's avatar
      Unreviewed, rolled out a line I committed by accident. · 4916468b
      ggaren@apple.com authored
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::execute):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129298 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4916468b
    • ggaren@apple.com's avatar
      Optimized closures that capture arguments · be8ad1fd
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97358
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      Previously, the activation object was responsible for capturing all
      arguments in a way that was convenient for the arguments object. Now,
      we move all captured variables into a contiguous region in the stack,
      allocate an activation for exactly that size, and make the arguments
      object responsible for knowing all the places to which arguments could
      have moved.
      
      This seems like the right tradeoff because
      
          (a) Closures are common and long-lived, so we want them to be small.
      
          (b) Our primary strategy for optimizing the arguments object is to make
          it go away. If you're allocating arguments objects, you're already having
          a bad time.
      
          (c) It's common to use either the arguments object or named argument
          closure, but not both.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::CodeBlock):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::argumentsRegister):
      (JSC::CodeBlock::activationRegister):
      (JSC::CodeBlock::isCaptured):
      (JSC::CodeBlock::argumentIndexAfterCapture): m_numCapturedVars is gone
      now -- we have an explicit range instead.
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator): Move captured arguments
      into the captured region of local variables for space efficiency. Record
      precise data about where they moved for the sake of the arguments object.
      
      Some of this data was previously wrong, but it didn't cause any problems
      because the arguments weren't actually moving.
      
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::flushArgumentsAndCapturedVariables): Don't
      assume that captured vars are in any particular location -- always ask
      the CodeBlock. This is better encapsulation.
      
      (JSC::DFG::ByteCodeParser::parseCodeBlock):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile): I rename things sometimes.
      
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOff): Account for a particularly nasty edge case.
      
      (JSC::Arguments::didTearOffActivation): Don't allocate our slow arguments
      data on tear-off. We need to allocate it eagerly instead, since we need
      to know about displaced, captured arguments during access before tear-off.
      
      * runtime/Arguments.h:
      (JSC::Arguments::allocateSlowArguments):
      (JSC::Arguments::argument): Tell our slow arguments array where all arguments
      are, even if they are not captured. This simplifies some things, so we don't
      have to account explicitly for the full matrix of (not torn off, torn off)
      x (captured, not captured).
      
      (JSC::Arguments::finishCreation): Allocate our slow arguments array eagerly
      because we need to know about displaced, captured arguments during access
      before tear-off.
      
      * runtime/Executable.cpp:
      (JSC::FunctionExecutable::FunctionExecutable):
      (JSC::FunctionExecutable::compileForCallInternal):
      (JSC::FunctionExecutable::compileForConstructInternal):
      * runtime/Executable.h:
      (JSC::FunctionExecutable::parameterCount):
      (FunctionExecutable):
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::visitChildren):
      * runtime/JSActivation.h:
      (JSActivation):
      (JSC::JSActivation::create):
      (JSC::JSActivation::JSActivation):
      (JSC::JSActivation::registerOffset):
      (JSC::JSActivation::tearOff):
      (JSC::JSActivation::allocationSize):
      (JSC::JSActivation::isValid): This is really the point of the patch. All
      the pointer math in Activations basically boils away, since we always
      copy a contiguous region of captured variables now.
      
      * runtime/SymbolTable.h:
      (JSC::SlowArgument::SlowArgument):
      (SlowArgument):
      (SharedSymbolTable):
      (JSC::SharedSymbolTable::captureCount):
      (JSC::SharedSymbolTable::SharedSymbolTable): AllOfTheThings capture mode
      is gone now -- that's the point of the patch. indexIfCaptured gets renamed
      to index because we always have an index, even if not captured. (The only
      time when the index is meaningless is when we're Deleted.)
      
      LayoutTests: 
      
      * fast/js/dfg-arguments-alias-activation-expected.txt:
      * fast/js/dfg-arguments-alias-activation.html:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129297 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      be8ad1fd
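Added example, not JavaScriptCore code: the observable contract that relocating captured arguments must preserve. In a sloppy-mode function the arguments object aliases the named parameters, and that aliasing has to survive a parameter being captured by a closure and the closure outliving the call (the torn-off activation). The strict-mode function is included as the contrast, where arguments is unmapped. Function names are chosen here.

```javascript
// Added example, not JavaScriptCore code. Probes the aliasing between the arguments
// object and a captured named parameter, before and after the frame is gone.

// Built with the Function constructor so the body is sloppy even if this file is
// loaded as a strict module; a strict body would make arguments unmapped.
const sloppyCapture = new Function('a', 'b', `
  const readA = () => a;                   // closure captures the named parameter
  const writeA = (v) => { a = v; };
  arguments[0] = 'via-arguments';          // write through the arguments object...
  const afterArgsWrite = readA();          // ...must be visible to the closure
  writeA('via-closure');                   // write through the closure...
  const afterClosureWrite = arguments[0];  // ...must be visible through arguments
  return { afterArgsWrite, afterClosureWrite, b, args: arguments, readA, writeA };
`);

// Strict mode: arguments is unmapped, so the same two writes stay independent.
function strictCapture(a) {
  'use strict';
  const readA = () => a;
  arguments[0] = 'via-arguments';
  const afterArgsWrite = readA();
  a = 'via-closure';
  return { afterArgsWrite, afterClosureWrite: arguments[0], readA };
}

// After the call has returned, the escaped arguments object and the closure must
// still agree on the captured slot.
function afterReturn() {
  const r = sloppyCapture('initial', 'second');
  r.args[0] = 'late-write';
  const seenByClosure = r.readA();
  r.writeA('late-closure-write');
  return { seenByClosure, seenByArguments: r.args[0] };
}
```

A JIT that moves captured parameters into a separate region has to keep `arguments[0]` pointing at the moved slot in both directions and for the lifetime of the arguments object, which is exactly what `afterReturn` checks; the strict-mode variant shows that none of this applies when arguments is unmapped.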
  6. 21 Sep, 2012 11 commits
    • barraclough@apple.com's avatar
      Eeeep - broke early boyer in bug#97382 · c1b7f46b
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97383
      
      Rubber stamped by Sam Weinig.
      
      missed a child3 -> child2!
      
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileInstanceOf):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129292 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c1b7f46b
    • barraclough@apple.com's avatar
      Unreviewed windows build fix. · 9d94ff7c
      barraclough@apple.com authored
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129290 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9d94ff7c
    • barraclough@apple.com's avatar
      Pedantic test in Mozilla's JavaScript test suite fails. function-001.js function-001-n.js · 0d681454
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=27219
      
      Reviewed by Sam Weinig.
      
      These tests are just wrong.
      See ECMA 262 A.5, FunctionDeclaration does not require a semicolon.
      
      * tests/mozilla/expected.html:
      * tests/mozilla/js1_2/function/function-001-n.js:
      * tests/mozilla/js1_3/Script/function-001-n.js:
      * tests/mozilla/js1_3/regress/function-001-n.js:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129289 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0d681454
    • barraclough@apple.com's avatar
      Remove redundant argument to op_instanceof · 094dbd98
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97382
      
      Reviewed by Geoff Garen.
      
      No longer needed after my last change.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitInstanceOf):
      * bytecompiler/BytecodeGenerator.h:
      (BytecodeGenerator):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::InstanceOfNode::emitBytecode):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileInstanceOf):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::privateExecute):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_instanceof):
      (JSC::JIT::emitSlow_op_instanceof):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_instanceof):
      (JSC::JIT::emitSlow_op_instanceof):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129287 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      094dbd98
    • barraclough@apple.com's avatar
      Unreviewed windows build fix. · ac6e1891
      barraclough@apple.com authored
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129282 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ac6e1891
    • barraclough@apple.com's avatar
      instanceof should not get the prototype for non-default HasInstance · b46d57b4
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=68656
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      Instanceof is currently implemented as a sequence of three opcodes:
          check_has_instance
          get_by_id(prototype)
          op_instanceof
      There are three interesting types of base value that instanceof can be applied to:
          (A) Objects supporting default instanceof behaviour (functions, other than those created with bind)
          (B) Objects overriding the default instanceof behaviour with a custom one (API objects, bound functions)
          (C) Values that do not respond to the [[HasInstance]] trap.
      Currently check_has_instance handles case (C), leaving the op_instanceof opcode to handle (A) & (B). There are
      two problems with this approach. Firstly, this is suboptimal for case (A), since we have to check for
      hasInstance support twice (once in check_has_instance, then for default behaviour in op_instanceof). Secondly,
      this means that in cases (B) we also perform the get_by_id, which is both suboptimal and an observable spec
      violation.
      
      The fix here is to move handling of non-default instanceof (case (B)) to the check_has_instance op, leaving
      op_instanceof to handle only case (A).
      
      * API/JSCallbackObject.h:
      (JSCallbackObject):
      * API/JSCallbackObjectFunctions.h:
      (JSC::::customHasInstance):
      * API/JSValueRef.cpp:
      (JSValueIsInstanceOfConstructor):
          - renamed hasInstance to customHasInstance
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
          - added additional parameters to check_has_instance opcode
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
          - added additional parameters to check_has_instance opcode
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitCheckHasInstance):
          - added additional parameters to check_has_instance opcode
      * bytecompiler/BytecodeGenerator.h:
      (BytecodeGenerator):
          - added additional parameters to check_has_instance opcode
      * bytecompiler/NodesCodegen.cpp:
      (JSC::InstanceOfNode::emitBytecode):
          - added additional parameters to check_has_instance opcode
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
          - added additional parameters to check_has_instance opcode
      * interpreter/Interpreter.cpp:
      (JSC::isInvalidParamForIn):
      (JSC::Interpreter::privateExecute):
          - Add handling for non-default instanceof to op_check_has_instance
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitArrayProfilingSiteForBytecodeIndex):
          - Fixed no-LLInt no_DFG build
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_check_has_instance):
      (JSC::JIT::emitSlow_op_check_has_instance):
          - check for ImplementsDefaultHasInstance, handle additional arguments to op_check_has_instance.
      (JSC::JIT::emit_op_instanceof):
      (JSC::JIT::emitSlow_op_instanceof):
          - no need to check for ImplementsDefaultHasInstance.
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_check_has_instance):
      (JSC::JIT::emitSlow_op_check_has_instance):
          - check for ImplementsDefaultHasInstance, handle additional arguments to op_check_has_instance.
      (JSC::JIT::emit_op_instanceof):
      (JSC::JIT::emitSlow_op_instanceof):
          - no need to check for ImplementsDefaultHasInstance.
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jit/JITStubs.h:
          - Add handling for non-default instanceof to op_check_has_instance
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
          - move check for ImplementsDefaultHasInstance, handle additional arguments to op_check_has_instance.
      * runtime/ClassInfo.h:
      (MethodTable):
      (JSC):
          - renamed hasInstance to customHasInstance
      * runtime/CommonSlowPaths.h:
      (CommonSlowPaths):
          - removed opInstanceOfSlow (this was whittled down to one function call!)
      * runtime/JSBoundFunction.cpp:
      (JSC::JSBoundFunction::customHasInstance):
      * runtime/JSBoundFunction.h:
      (JSBoundFunction):
          - renamed hasInstance to customHasInstance, reimplemented.
      * runtime/JSCell.cpp:
      (JSC::JSCell::customHasInstance):
      * runtime/JSCell.h:
      (JSCell):
      * runtime/JSObject.cpp:
      (JSC::JSObject::hasInstance):
      (JSC):
      (JSC::JSObject::defaultHasInstance):
      * runtime/JSObject.h:
      (JSObject):
      
      LayoutTests: 
      
      * fast/js/function-bind-expected.txt:
          - check in passing result.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129281 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b46d57b4
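Added example, not JavaScriptCore code: a model of the three-way split the commit describes, case (A) default behaviour, case (B) custom [[HasInstance]], case (C) values with no [[HasInstance]] at all, together with a probe that counts how often the native `instanceof` reads `prototype` on its right-hand side. The spec violation the commit fixes is a `prototype` read in case (B), so the probe should report zero reads for a bound function or an object with a custom hook and exactly one read for the default case. Names `instanceOf`, `defaultHasInstance` and `probePrototypeReads` are chosen here; the custom hook is spelled with `Symbol.hasInstance`, the standardised form of the `customHasInstance` method table entry. The model cannot see a bound function's internal target, so bound functions are exercised only through the probe against the native operator.

```javascript
// Added example, not JavaScriptCore code. Model of the instanceof cases from the
// commit above plus a probe of the native operator. Names are chosen here.

// Case (A): default [[HasInstance]]. Exactly one [[Get]] of C.prototype, then a
// walk up V's prototype chain.
function defaultHasInstance(V, C) {
  if ((typeof V !== 'object' && typeof V !== 'function') || V === null) return false;
  const P = C.prototype;                  // the only place 'prototype' may be read
  if ((typeof P !== 'object' && typeof P !== 'function') || P === null) {
    throw new TypeError('prototype is not an object');
  }
  for (let O = Object.getPrototypeOf(V); O !== null; O = Object.getPrototypeOf(O)) {
    if (O === P) return true;
  }
  return false;
}

function instanceOf(V, C) {
  // Case (C): primitives and null do not respond to [[HasInstance]] at all.
  if (C === null || (typeof C !== 'object' && typeof C !== 'function')) {
    throw new TypeError('Right-hand side of instanceof is not an object');
  }
  // Case (B): a custom hook answers on its own; C.prototype is never consulted.
  const custom = C[Symbol.hasInstance];
  if (custom !== undefined && custom !== Function.prototype[Symbol.hasInstance]) {
    return Boolean(custom.call(C, V));
  }
  if (typeof C !== 'function') {
    throw new TypeError('Right-hand side of instanceof is not callable');
  }
  return defaultHasInstance(V, C);
}

// Probe the native operator: install a counting getter for 'prototype' on a
// right-hand side that has no own 'prototype' (arrow function, bound function, or
// a plain object with Symbol.hasInstance) and count reads during `V instanceof C`.
function probePrototypeReads(C, V, fakePrototype = Object.prototype) {
  if (Object.prototype.hasOwnProperty.call(C, 'prototype')) {
    throw new Error('probe needs a right-hand side without an own prototype property');
  }
  let reads = 0;
  Object.defineProperty(C, 'prototype', {
    configurable: true,
    get() { reads++; return fakePrototype; },
  });
  const result = V instanceof C;
  return { result, reads };
}
```

Running the probe against `Base.bind(null)` and against `{ [Symbol.hasInstance](v) { ... } }` should report `reads === 0`; against an arrow function, which has no own `prototype` but takes the default path, it should report `reads === 1`. An engine that performed the `get_by_id(prototype)` before deciding which case applies would report a read in the first two as well.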
    • fpizlo@apple.com's avatar
      Unreviewed, fix ARM build. · ba8829bc
      fpizlo@apple.com authored
      * assembler/MacroAssemblerARMv7.h:
      (JSC::MacroAssemblerARMv7::store8):
      (MacroAssemblerARMv7):
      * offlineasm/armv7.rb:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129274 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ba8829bc
    • fpizlo@apple.com's avatar
      REGRESSION (r128400): Opening Google Web Fonts page hangs or crashes · 57fb54da
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97328
      
      Reviewed by Mark Hahnenberg.
      
      It's a bad idea to emit stub code that reallocates property storage when we're in indexed
      storage mode. DFGRepatch.cpp knew this and had the appropriate check in one of the places,
      but it didn't have it in all of the places.
              
      This change also adds some more handy disassembly support, which I used to find the bug.
      
      * assembler/LinkBuffer.h:
      (JSC):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::generateProtoChainAccessStub):
      (JSC::DFG::tryCacheGetByID):
      (JSC::DFG::tryBuildGetByIDList):
      (JSC::DFG::emitPutReplaceStub):
      (JSC::DFG::emitPutTransitionStub):
      (JSC::DFG::tryCachePutByID):
      * jit/JITStubRoutine.h:
      (JSC):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129272 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      57fb54da
    • fpizlo@apple.com's avatar
      DFG CSE assumes that a holy PutByVal does not interfere with GetArrayLength, when it clearly does · 687b646a
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97373
      
      Reviewed by Mark Hahnenberg.
      
      Source/JavaScriptCore: 
      
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::getArrayLengthElimination):
      (JSC::DFG::CSEPhase::putStructureStoreElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGGraph.h:
      (Graph):
      
      LayoutTests: 
      
      * fast/js/dfg-holy-put-by-val-interferes-with-get-array-length-expected.txt: Added.
      * fast/js/dfg-holy-put-by-val-interferes-with-get-array-length.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/script-tests/dfg-holy-put-by-val-interferes-with-get-array-length.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129266 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      687b646a
    • crogers@google.com's avatar
      Add Web Audio support for deprecated/legacy APIs · 143fd02e
      crogers@google.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97050
      
      Reviewed by Eric Carlson.
      
      .:
      
      * Source/cmake/WebKitFeatures.cmake:
      
      Source/JavaScriptCore:
      
      * Configurations/FeatureDefines.xcconfig:
      
      Source/WebCore:
      
      The Web Audio API specification has undergone much review and some small API changes
      have been made (mostly naming-related changes).  This patch adds an ENABLE_LEGACY_WEB_AUDIO
      build option to allow ports to support the old names.
      
      Tests changed:
      audiobuffersource-playbackrate.html
      audiobuffersource.html
      note-grain-on-testing.js
      oscillator-testing.js
      
      * Configurations/FeatureDefines.xcconfig:
      * GNUmakefile.features.am:
      * Modules/webaudio/AudioBufferSourceNode.cpp:
      (WebCore::AudioBufferSourceNode::startGrain):
      (WebCore):
      (WebCore::AudioBufferSourceNode::noteGrainOn):
      * Modules/webaudio/AudioBufferSourceNode.h:
      (AudioBufferSourceNode):
      * Modules/webaudio/AudioBufferSourceNode.idl:
      * Modules/webaudio/AudioScheduledSourceNode.cpp:
      (WebCore::AudioScheduledSourceNode::start):
      (WebCore::AudioScheduledSourceNode::stop):
      (WebCore):
      (WebCore::AudioScheduledSourceNode::noteOn):
      (WebCore::AudioScheduledSourceNode::noteOff):
      * Modules/webaudio/AudioScheduledSourceNode.h:
      * Modules/webaudio/Oscillator.idl:
      * page/FeatureObserver.h:
      
      Source/WebKit/chromium:
      
      * features.gypi:
      
      Source/WebKit/mac:
      
      * Configurations/FeatureDefines.xcconfig:
      
      Source/WebKit2:
      
      * Configurations/FeatureDefines.xcconfig:
      
      Tools:
      
      * Scripts/webkitperl/FeatureList.pm:
      
      LayoutTests:
      
      * webaudio/audiobuffersource-playbackrate.html:
      * webaudio/audiobuffersource.html:
      * webaudio/resources/note-grain-on-testing.js:
      (playGrain):
      * webaudio/resources/oscillator-testing.js:
      (generateExponentialOscillatorSweep):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129260 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      143fd02e
    • barraclough@apple.com's avatar
      Global Math object should be configurable but isn't · dd714578
      barraclough@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=55343
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      This has no performance impact.
      
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
          - Make 'Math' a regular property.
      
      LayoutTests: 
      
      Added test case.
      
      * fast/js/math-expected.txt:
      * fast/js/script-tests/math.js:
          - Added test case.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129241 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      dd714578