1. 20 Sep, 2012 1 commit
    • fpizlo@apple.com's avatar
      CHECK_ARRAY_CONSISTENCY isn't being used or tested, so we should remove it · 658e5ebd
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97260
      
      Rubber stamped by Geoffrey Garen.
              
      Supporting it will become difficult as we add more indexing types. It makes more
      sense to kill, especially since we don't appear to use it or test it, ever.
      
      * runtime/ArrayConventions.h:
      (JSC):
      * runtime/ArrayPrototype.cpp:
      (JSC::arrayProtoFuncSplice):
      * runtime/ArrayStorage.h:
      (JSC::ArrayStorage::copyHeaderFromDuringGC):
      (ArrayStorage):
      * runtime/FunctionPrototype.cpp:
      (JSC::functionProtoFuncBind):
      * runtime/JSArray.cpp:
      (JSC::createArrayButterflyInDictionaryIndexingMode):
      (JSC::JSArray::setLength):
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sort):
      (JSC::JSArray::compactForSorting):
      * runtime/JSArray.h:
      (JSArray):
      (JSC::createArrayButterfly):
      (JSC::JSArray::tryCreateUninitialized):
      (JSC::constructArray):
      * runtime/JSObject.cpp:
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::createArrayStorage):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC):
      * runtime/JSObject.h:
      (JSC::JSObject::initializeIndex):
      (JSObject):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129179 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      658e5ebd
  2. 19 Sep, 2012 1 commit
  3. 18 Sep, 2012 5 commits
    • fpizlo@apple.com's avatar
      DFG should not call out to C++ every time that it tries to put to an object... · 497c7515
      fpizlo@apple.com authored
      DFG should not call out to C++ every time that it tries to put to an object that doesn't yet have array storage
      https://bugs.webkit.org/show_bug.cgi?id=96983
      
      Reviewed by Oliver Hunt.
      
      Introduce more polymorphism into the DFG's array mode support. Use that to
      introduce the notion of effectul array modes, where the check for the mode
      will perform actions necessary to ensure that we have the mode we want, if
      the object is not already in that mode. Also added profiling support for
      checking if an object is of a type that would not allow us to create array
      storage (like a typed array or a string for example).
              
      This is a ~2x speed-up on loops that transform an object that did not have
      indexed storage into one that does.
      
      * JSCTypedArrayStubs.h:
      (JSC):
      * bytecode/ArrayProfile.cpp:
      (JSC::ArrayProfile::computeUpdatedPrediction):
      * bytecode/ArrayProfile.h:
      (JSC::ArrayProfile::ArrayProfile):
      (JSC::ArrayProfile::mayInterceptIndexedAccesses):
      (ArrayProfile):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (DFG):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::modeUsesButterfly):
      (JSC::DFG::isSlowPutAccess):
      (JSC::DFG::benefitsFromStructureCheck):
      (JSC::DFG::isEffectful):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getArrayMode):
      (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasArrayMode):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::arrayify):
      (DFG):
      * dfg/DFGSpeculativeJIT.h:
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/Arguments.h:
      (Arguments):
      * runtime/JSNotAnObject.h:
      (JSNotAnObject):
      * runtime/JSObject.h:
      (JSObject):
      (JSC::JSObject::ensureArrayStorage):
      * runtime/JSString.h:
      (JSC::JSString::createStructure):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128957 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      497c7515
    • fpizlo@apple.com's avatar
      REGRESSION(r128802): It made some JS tests crash · beed79ae
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=97001
      
      Reviewed by Mark Hahnenberg.
      
      IndexingHeaderInlineMethods was incorrectly assuming that if the HasArrayStorage bit is clear, then that means that indexing payload capacity is zero.
      
      * runtime/IndexingHeaderInlineMethods.h:
      (JSC::IndexingHeader::preCapacity):
      (JSC::IndexingHeader::indexingPayloadSizeInBytes):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128928 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      beed79ae
    • mhahnenberg@apple.com's avatar
      Use WTF::HasTrivialDestructor instead of compiler-specific versions in JSC::NeedsDestructor · 53d40648
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96980
      
      Reviewed by Benjamin Poulain.
      
      Source/JavaScriptCore:
      
      * runtime/JSCell.h:
      (JSC):
      (NeedsDestructor):
      
      Source/WTF:
      
      * wtf/TypeTraits.h:
      (WTF):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128900 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      53d40648
    • fpizlo@apple.com's avatar
      Unreviewed, fix sloppy English in comment. · 5d985e06
      fpizlo@apple.com authored
      * runtime/JSGlobalObject.cpp:
      (JSC):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128857 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      5d985e06
    • ossy@webkit.org's avatar
      Unreviewed, rolling out r128826 and r128813. · 7c7e4274
      ossy@webkit.org authored
      Source/JavaScriptCore:
      
      * API/JSCallbackConstructor.cpp:
      (JSC):
      (JSC::JSCallbackConstructor::JSCallbackConstructor):
      * API/JSCallbackConstructor.h:
      (JSCallbackConstructor):
      * API/JSCallbackObject.cpp:
      (JSC):
      (JSC::::createStructure):
      * API/JSCallbackObject.h:
      (JSC::JSCallbackObject::create):
      (JSCallbackObject):
      * API/JSClassRef.cpp:
      (OpaqueJSClass::prototype):
      * API/JSObjectRef.cpp:
      (JSObjectMake):
      (JSObjectGetPrivate):
      (JSObjectSetPrivate):
      (JSObjectGetPrivateProperty):
      (JSObjectSetPrivateProperty):
      (JSObjectDeletePrivateProperty):
      * API/JSValueRef.cpp:
      (JSValueIsObjectOfClass):
      * API/JSWeakObjectMapRefPrivate.cpp:
      * GNUmakefile.list.am:
      * JSCTypedArrayStubs.h:
      (JSC):
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
      (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
      * heap/Heap.cpp:
      (JSC::Heap::isSafeToSweepStructures):
      (JSC):
      * heap/Heap.h:
      (JSC::Heap::allocatorForObjectWithDestructor):
      (Heap):
      (JSC::Heap::allocateWithDestructor):
      (JSC::Heap::allocateStructure):
      (JSC):
      * heap/IncrementalSweeper.cpp:
      (JSC::IncrementalSweeper::IncrementalSweeper):
      (JSC::IncrementalSweeper::sweepNextBlock):
      (JSC::IncrementalSweeper::startSweeping):
      (JSC::IncrementalSweeper::willFinishSweeping):
      (JSC::IncrementalSweeper::structuresCanBeSwept):
      (JSC):
      * heap/IncrementalSweeper.h:
      (IncrementalSweeper):
      * heap/MarkedAllocator.cpp:
      (JSC::MarkedAllocator::tryAllocateHelper):
      (JSC::MarkedAllocator::allocateBlock):
      * heap/MarkedAllocator.h:
      (JSC::MarkedAllocator::cellsNeedDestruction):
      (JSC::MarkedAllocator::onlyContainsStructures):
      (MarkedAllocator):
      (JSC::MarkedAllocator::MarkedAllocator):
      (JSC::MarkedAllocator::init):
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::create):
      (JSC::MarkedBlock::MarkedBlock):
      (JSC):
      (JSC::MarkedBlock::specializedSweep):
      (JSC::MarkedBlock::sweep):
      (JSC::MarkedBlock::sweepHelper):
      * heap/MarkedBlock.h:
      (JSC):
      (MarkedBlock):
      (JSC::MarkedBlock::cellsNeedDestruction):
      (JSC::MarkedBlock::onlyContainsStructures):
      * heap/MarkedSpace.cpp:
      (JSC::MarkedSpace::MarkedSpace):
      (JSC::MarkedSpace::resetAllocators):
      (JSC::MarkedSpace::canonicalizeCellLivenessData):
      (JSC::MarkedSpace::isPagedOut):
      (JSC::MarkedSpace::freeBlock):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (Subspace):
      (JSC::MarkedSpace::allocatorFor):
      (JSC::MarkedSpace::destructorAllocatorFor):
      (JSC::MarkedSpace::allocateWithDestructor):
      (JSC::MarkedSpace::allocateStructure):
      (JSC::MarkedSpace::forEachBlock):
      * heap/SlotVisitor.cpp:
      * jit/JIT.h:
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject):
      (JSC::JIT::emitAllocateJSFinalObject):
      (JSC::JIT::emitAllocateJSArray):
      * jsc.cpp:
      (GlobalObject::create):
      * runtime/Arguments.cpp:
      (JSC):
      * runtime/Arguments.h:
      (Arguments):
      (JSC::Arguments::Arguments):
      * runtime/ErrorPrototype.cpp:
      (JSC):
      * runtime/Executable.h:
      * runtime/InternalFunction.cpp:
      (JSC):
      (JSC::InternalFunction::InternalFunction):
      * runtime/InternalFunction.h:
      (InternalFunction):
      * runtime/JSCell.h:
      (JSC):
      (JSC::allocateCell):
      * runtime/JSDestructibleObject.h: Removed.
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      (JSC):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::createRareDataIfNeeded):
      (JSC::JSGlobalObject::create):
      * runtime/JSGlobalThis.h:
      (JSGlobalThis):
      (JSC::JSGlobalThis::JSGlobalThis):
      * runtime/JSPropertyNameIterator.h:
      * runtime/JSScope.cpp:
      (JSC):
      * runtime/JSString.h:
      (JSC):
      * runtime/JSWrapperObject.h:
      (JSWrapperObject):
      (JSC::JSWrapperObject::JSWrapperObject):
      * runtime/MathObject.cpp:
      (JSC):
      * runtime/NameInstance.h:
      (NameInstance):
      * runtime/RegExp.h:
      * runtime/RegExpObject.cpp:
      (JSC):
      * runtime/SparseArrayValueMap.h:
      * runtime/Structure.h:
      (JSC::Structure):
      (JSC::JSCell::classInfo):
      (JSC):
      * runtime/StructureChain.h:
      * runtime/SymbolTable.h:
      * testRegExp.cpp:
      (GlobalObject::create):
      
      Source/WebCore:
      
      * ForwardingHeaders/runtime/JSDestructibleObject.h: Removed.
      * bindings/js/JSDOMWrapper.h:
      (WebCore::JSDOMWrapper::JSDOMWrapper):
      * bindings/scripts/CodeGeneratorJS.pm:
      (GenerateHeader):
      * bridge/objc/objc_runtime.h:
      (ObjcFallbackObjectImp):
      * bridge/objc/objc_runtime.mm:
      (Bindings):
      (JSC::Bindings::ObjcFallbackObjectImp::ObjcFallbackObjectImp):
      * bridge/runtime_array.cpp:
      (JSC):
      (JSC::RuntimeArray::destroy):
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::create):
      * bridge/runtime_object.cpp:
      (Bindings):
      (JSC::Bindings::RuntimeObject::RuntimeObject):
      * bridge/runtime_object.h:
      (RuntimeObject):
      
      Source/WebKit2:
      
      * WebProcess/Plugins/Netscape/JSNPObject.cpp:
      (WebKit):
      (WebKit::JSNPObject::JSNPObject):
      * WebProcess/Plugins/Netscape/JSNPObject.h:
      (JSNPObject):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128851 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      7c7e4274
  4. 17 Sep, 2012 4 commits
    • ggaren@apple.com's avatar
      Refactored the arguments object so it doesn't dictate closure layout · af710d81
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96955
      
      Reviewed by Oliver Hunt.
      
      * bytecode/CodeBlock.h:
      (JSC::ExecState::argumentAfterCapture): Helper function for accessing an
      argument that has been moved for capture.
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator): Generate metadata for arguments
      that are captured. We don't move any arguments yet, but we do use this
      metadata to tell the arguments object if an argument is stored in the
      activation.
      
      * dfg/DFGOperations.cpp:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
      (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile): Updated for the arguments object not
      malloc'ing a separate backing store, and for a rename from deletedArguments
      to slowArguments.
      
      * interpreter/CallFrame.h:
      (ExecState):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::unwindCallFrame):
      (JSC::Interpreter::privateExecute):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL): Updated for small interface changes.
      
      * runtime/Arguments.cpp:
      (JSC::Arguments::visitChildren):
      (JSC::Arguments::copyToArguments):
      (JSC::Arguments::fillArgList):
      (JSC::Arguments::getOwnPropertySlotByIndex):
      (JSC::Arguments::createStrictModeCallerIfNecessary):
      (JSC::Arguments::createStrictModeCalleeIfNecessary):
      (JSC::Arguments::getOwnPropertySlot):
      (JSC::Arguments::getOwnPropertyDescriptor):
      (JSC::Arguments::getOwnPropertyNames):
      (JSC::Arguments::putByIndex):
      (JSC::Arguments::put):
      (JSC::Arguments::deletePropertyByIndex):
      (JSC::Arguments::deleteProperty):
      (JSC::Arguments::defineOwnProperty):
      (JSC::Arguments::tearOff): Moved all data inline into the object, for speed,
      and refactored all internal argument accesses to use helper functions, so
      we can change the implementation without changing lots of code.
      
      (JSC::Arguments::didTearOffActivation): This function needs to account
      for arguments that were moved by the activation object. We do this accounting
      through a side vector that tells us where our arguments will be in the
      activation.
      
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/Arguments.h:
      (Arguments):
      (JSC::Arguments::length):
      (JSC::Arguments::isTornOff):
      (JSC::Arguments::Arguments):
      (JSC::Arguments::allocateSlowArguments):
      (JSC::Arguments::tryDeleteArgument):
      (JSC::Arguments::trySetArgument):
      (JSC::Arguments::tryGetArgument):
      (JSC::Arguments::isDeletedArgument):
      (JSC::Arguments::isArgument):
      (JSC::Arguments::argument):
      (JSC::Arguments::finishCreation):
      
      * runtime/JSActivation.h:
      (JSC::JSActivation::create):
      (JSActivation):
      (JSC::JSActivation::captureStart):
      (JSC::JSActivation::storageSize):
      (JSC::JSActivation::registerOffset):
      (JSC::JSActivation::isValid): The activation object is no longer responsible
      for copying extra arguments provided by the caller. The argumnents object
      does this instead. This means we can allocate and initialize an activation
      without worrying about the call frame's argument count.
      
      * runtime/SymbolTable.h:
      (JSC::SlowArgument::SlowArgument):
      (SlowArgument):
      (JSC):
      (JSC::SharedSymbolTable::parameterCount):
      (SharedSymbolTable):
      (JSC::SharedSymbolTable::slowArguments):
      (JSC::SharedSymbolTable::setSlowArguments): Added data structures to back
      the algorithms above.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128832 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      af710d81
    • fpizlo@apple.com's avatar
      We don't have a bad enough time if an object's prototype chain crosses global objects · b9840ea0
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96962
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      * runtime/JSGlobalObject.cpp:
      (JSC):
      
      LayoutTests: 
      
      * fast/js/cross-frame-really-bad-time-expected.txt: Added.
      * fast/js/cross-frame-really-bad-time-with-__proto__-expected.txt: Added.
      * fast/js/cross-frame-really-bad-time-with-__proto__.html: Added.
      * fast/js/cross-frame-really-bad-time.html: Added.
      * fast/js/script-tests/cross-frame-really-bad-time-with-__proto__.js: Added.
      (foo):
      (evil):
      (bar):
      (done):
      * fast/js/script-tests/cross-frame-really-bad-time.js: Added.
      (Cons):
      (foo):
      (evil):
      (bar):
      (done):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128816 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b9840ea0
    • mhahnenberg@apple.com's avatar
      Delayed structure sweep can leak structures without bound · 013fd88d
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96546
      
      Reviewed by Gavin Barraclough.
      
      This patch gets rid of the separate Structure allocator in the MarkedSpace and adds two new destructor-only
      allocators. We now have separate allocators for our three types of objects: those objects with no destructors,
      those objects with destructors and with immortal structures, and those objects with destructors that don't have 
      immortal structures. All of the objects of the third type (destructors without immortal structures) now 
      inherit from a new class named JSDestructibleObject (which in turn is a subclass of JSNonFinalObject), which stores 
      the ClassInfo for these classes at a fixed offset for safe retrieval during sweeping/destruction.
      
      Source/JavaScriptCore: 
      
      * API/JSCallbackConstructor.cpp: Use JSDestructibleObject for JSCallbackConstructor.
      (JSC):
      (JSC::JSCallbackConstructor::JSCallbackConstructor):
      * API/JSCallbackConstructor.h:
      (JSCallbackConstructor):
      * API/JSCallbackObject.cpp: Inherit from JSDestructibleObject for normal JSCallbackObjects and use a finalizer for 
      JSCallbackObject<JSGlobalObject>, since JSGlobalObject also uses a finalizer.
      (JSC):
      (JSC::::create): We need to move the create function for JSCallbackObject<JSGlobalObject> out of line so we can add 
      the finalizer for it. We don't want to add the finalizer is something like finishCreation in case somebody decides 
      to subclass this. We use this same technique for many other subclasses of JSGlobalObject.
      (JSC::::createStructure):
      * API/JSCallbackObject.h:
      (JSCallbackObject):
      (JSC):
      * API/JSClassRef.cpp: Change all the JSCallbackObject<JSNonFinalObject> to use JSDestructibleObject instead.
      (OpaqueJSClass::prototype):
      * API/JSObjectRef.cpp: Ditto.
      (JSObjectMake):
      (JSObjectGetPrivate):
      (JSObjectSetPrivate):
      (JSObjectGetPrivateProperty):
      (JSObjectSetPrivateProperty):
      (JSObjectDeletePrivateProperty):
      * API/JSValueRef.cpp: Ditto.
      (JSValueIsObjectOfClass):
      * API/JSWeakObjectMapRefPrivate.cpp: Ditto.
      * JSCTypedArrayStubs.h:
      (JSC):
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * dfg/DFGSpeculativeJIT.h: Use the proper allocator type when doing inline allocation in the DFG.
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
      (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
      * heap/Heap.cpp:
      (JSC):
      * heap/Heap.h: Add accessors for the various types of allocators now. Also remove the isSafeToSweepStructures function 
      since it's always safe to sweep Structures now.
      (JSC::Heap::allocatorForObjectWithNormalDestructor): 
      (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
      (Heap):
      (JSC::Heap::allocateWithNormalDestructor):
      (JSC):
      (JSC::Heap::allocateWithImmortalStructureDestructor):
      * heap/IncrementalSweeper.cpp: Remove all the logic to detect when it's safe to sweep Structures from the 
      IncrementalSweeper since it's always safe to sweep Structures now.
      (JSC::IncrementalSweeper::IncrementalSweeper):
      (JSC::IncrementalSweeper::sweepNextBlock):
      (JSC::IncrementalSweeper::startSweeping):
      (JSC::IncrementalSweeper::willFinishSweeping):
      (JSC):
      * heap/IncrementalSweeper.h:
      (IncrementalSweeper):
      * heap/MarkedAllocator.cpp: Remove the logic that was preventing us from sweeping Structures if it wasn't safe. Add 
      tracking of the specific destructor type of allocator. 
      (JSC::MarkedAllocator::tryAllocateHelper):
      (JSC::MarkedAllocator::allocateBlock):
      * heap/MarkedAllocator.h:
      (JSC::MarkedAllocator::destructorType):
      (MarkedAllocator):
      (JSC::MarkedAllocator::MarkedAllocator):
      (JSC::MarkedAllocator::init):
      * heap/MarkedBlock.cpp: Add all the destructor type stuff to MarkedBlocks so that we do the right thing when sweeping. 
      We also use the stored destructor type to determine the right thing to do in all JSCell::classInfo() calls.
      (JSC::MarkedBlock::create):
      (JSC::MarkedBlock::MarkedBlock):
      (JSC):
      (JSC::MarkedBlock::specializedSweep):
      (JSC::MarkedBlock::sweep):
      (JSC::MarkedBlock::sweepHelper):
      * heap/MarkedBlock.h:
      (JSC):
      (JSC::MarkedBlock::allocator):
      (JSC::MarkedBlock::destructorType):
      * heap/MarkedSpace.cpp: Add the new destructor allocators to MarkedSpace.
      (JSC::MarkedSpace::MarkedSpace):
      (JSC::MarkedSpace::resetAllocators):
      (JSC::MarkedSpace::canonicalizeCellLivenessData):
      (JSC::MarkedSpace::isPagedOut):
      (JSC::MarkedSpace::freeBlock):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor):
      (JSC::MarkedSpace::normalDestructorAllocatorFor):
      (JSC::MarkedSpace::allocateWithImmortalStructureDestructor):
      (JSC::MarkedSpace::allocateWithNormalDestructor):
      (JSC::MarkedSpace::forEachBlock):
      * heap/SlotVisitor.cpp: Add include because the symbol was needed in an inlined function.
      * jit/JIT.h: Make sure we use the correct allocator when doing inline allocations in the baseline JIT.
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject):
      (JSC::JIT::emitAllocateJSFinalObject):
      (JSC::JIT::emitAllocateJSArray):
      * jsc.cpp: 
      (GlobalObject::create): Add finalizer here since JSGlobalObject needs to use a finalizer instead of inheriting from 
      JSDestructibleObject.
      * runtime/Arguments.cpp: Inherit from JSDestructibleObject.
      (JSC):
      * runtime/Arguments.h:
      (Arguments):
      (JSC::Arguments::Arguments):
      * runtime/ErrorPrototype.cpp: Added an assert to make sure we have a trivial destructor.
      (JSC):
      * runtime/Executable.h: Indicate that all of the Executable* classes have immortal Structures.
      (JSC):
      * runtime/InternalFunction.cpp: Inherit from JSDestructibleObject.
      (JSC):
      (JSC::InternalFunction::InternalFunction):
      * runtime/InternalFunction.h:
      (InternalFunction):
      * runtime/JSCell.h: Added the NEEDS_DESTRUCTOR  macro to make it easier for classes to indicate that instead of being 
      allocated in a destructor MarkedAllocator that they will handle their destruction themselves through the 
      use of a finalizer.
      (JSC):
      (HasImmortalStructure): New template to help us determine at compile-time if a particular class 
      should be allocated in the immortal structure MarkedAllocator. The default value is false. In order 
      to be allocated in the immortal structure allocator, classes must specialize this template. Also added 
      a macro to make it easier for classes to specialize the template.
      (JSC::allocateCell): Use the appropriate allocator depending on the destructor type.
      * runtime/JSDestructibleObject.h: Added. New class that stores the ClassInfo of any subclass so that it can be 
      accessed safely when the object is being destroyed.
      (JSC):
      (JSDestructibleObject):
      (JSC::JSDestructibleObject::classInfo):
      (JSC::JSDestructibleObject::JSDestructibleObject):
      (JSC::JSCell::classInfo): Checks the current MarkedBlock to see where it should get the ClassInfo from so that it's always safe.
      * runtime/JSGlobalObject.cpp: JSGlobalObject now uses a finalizer instead of a destructor so that it can avoid forcing all 
      of its relatives in the inheritance hierarchy (e.g. JSScope) to use destructors as well.
      (JSC::JSGlobalObject::reset):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::createRareDataIfNeeded): Since we always create a finalizer now, we don't have to worry about adding one 
      for the m_rareData field when it's created.
      (JSC::JSGlobalObject::create):
      (JSC):
      * runtime/JSGlobalThis.h: Inherit from JSDestructibleObject.
      (JSGlobalThis):
      (JSC::JSGlobalThis::JSGlobalThis):
      * runtime/JSPropertyNameIterator.h: Has an immortal Structure.
      (JSC):
      * runtime/JSScope.cpp:
      (JSC):
      * runtime/JSString.h: Has an immortal Structure.
      (JSC):
      * runtime/JSWrapperObject.h: Inherit from JSDestructibleObject.
      (JSWrapperObject):
      (JSC::JSWrapperObject::JSWrapperObject):
      * runtime/MathObject.cpp: Cleaning up some of the inheritance stuff.
      (JSC):
      * runtime/NameInstance.h: Inherit from JSDestructibleObject.
      (NameInstance):
      * runtime/RegExp.h: Has immortal Structure.
      (JSC):
      * runtime/RegExpObject.cpp: Inheritance cleanup.
      (JSC):
      * runtime/SparseArrayValueMap.h: Has immortal Structure.
      (JSC):
      * runtime/Structure.h: Has immortal Structure.
      (JSC):
      * runtime/StructureChain.h: Ditto.
      (JSC):
      * runtime/SymbolTable.h: Ditto.
      (SharedSymbolTable):
      (JSC):
      
      Source/WebCore: 
      
      No new tests.
      
      * ForwardingHeaders/runtime/JSDestructableObject.h: Added.
      * bindings/js/JSDOMWrapper.h: Inherits from JSDestructibleObject.
      (JSDOMWrapper):
      (WebCore::JSDOMWrapper::JSDOMWrapper):
      * bindings/scripts/CodeGeneratorJS.pm: Add finalizers to anything that inherits from JSGlobalObject,
      e.g. JSDOMWindow and JSWorkerContexts. For those classes we also need to use the NEEDS_DESTRUCTOR macro.
      (GenerateHeader):
      * bridge/objc/objc_runtime.h: Inherit from JSDestructibleObject.
      (ObjcFallbackObjectImp):
      * bridge/objc/objc_runtime.mm:
      (Bindings):
      (JSC::Bindings::ObjcFallbackObjectImp::ObjcFallbackObjectImp):
      * bridge/runtime_array.cpp: Use a finalizer so that JSArray isn't forced to inherit from JSDestructibleObject.
      (JSC):
      (JSC::RuntimeArray::destroy):
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::create):
      (JSC):
      * bridge/runtime_object.cpp: Inherit from JSDestructibleObject.
      (Bindings):
      (JSC::Bindings::RuntimeObject::RuntimeObject):
      * bridge/runtime_object.h:
      (RuntimeObject):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128813 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      013fd88d
    • fpizlo@apple.com's avatar
      If a prototype has indexed setters and its instances have indexed storage,... · 1c4a32c9
      fpizlo@apple.com authored
      If a prototype has indexed setters and its instances have indexed storage, then all put_by_val's should have a bad time
      https://bugs.webkit.org/show_bug.cgi?id=96596
      
      Reviewed by Gavin Barraclough.
      
      Source/JavaScriptCore: 
      
      Added comprehensive support for accessors and read-only indexed properties on the
      prototype chain. This is done without any performance regression on benchmarks that
      we're aware of, by having the entire VM's strategy with respect to arrays tilted
      heavily in favor of:
              
      - The prototype chain of JSArrays never having any accessors or read-only indexed
        properties. If that changes, you're going to have a bad time.
              
      - Prototypes of non-JSArray objects either having no indexed accessors or read-only
        indexed properties, or, having those indexed accessor thingies inserted before
        any instance object (i.e. object with that prototype as its prototype) is created.
        If you add indexed accessors or read-only indexed properties to an object that is
        already used as a prototype, you're going to have a bad time.
              
      See below for the exact definition of having a bad time.
              
      Put another way, "fair" uses of indexed accessors and read-only indexed properties
      are:
              
      - Put indexed accessors and read-only indexed properties on an object that is never
        used as a prototype. This will slow down accesses to that object, but will not
        have any effect on any other object.
              
      - Put those indexed accessor thingies on an object before it is used as a prototype
        and then start instantiating objects that claim that object as their prototype.
        This will slightly slow down indexed stores to the instance objects, and greatly
        slow down all indexed accesses to the prototype, but will have no other effect.
              
      In short, "fair" uses only affect the object itself and any instance objects. But
      if you start using indexed accessors in more eclectic ways, you're going to have
      a bad time.
              
      Specifically, if an object that may be used as a prototype has an indexed accessor
      added, the VM performs a whole-heap scan to find all objects that belong to the
      same global object as the prototype you modified. If any of those objects has
      indexed storage, their indexed storage is put into slow-put mode, just as if their
      prototype chain had indexed accessors. This will happen even for objects that do
      not currently have indexed accessors in their prototype chain. As well, all JSArray
      allocations are caused to create arrays with slow-put storage, and all future
      allocations of indexed storage for non-JSArray objects are also flipped to slow-put
      mode. Note there are two aspects to having a bad time: (i) the whole-heap scan and
      (ii) the poisoning of all indexed storage in the entire global object. (i) is
      necessary for correctness. If we detect that an object that may be used as a
      prototype has had an indexed accessor or indexed read-only property inserted into
      it, then we need to ensure that henceforth all instances of that object inspect
      the prototype chain whenever an indexed hole is stored to. But by default, indexed
      stores do no such checking because doing so would be unnecessarily slow. So, we must
      find all instances of the affected object and flip them into a different array
      storage mode that omits all hole optimizations. Since prototypes never keep a list
      of instance objects, the only way to find those objects is a whole-heap scan. But
      (i) alone would be a potential disaster, if a program frequently allocated an
      object without indexed accessors, then allocated a bunch of objects that used that
      one as their prototype, and then added indexed accessors to the prototype. So, to
      prevent massive heap scan storms in such awkward programs, having a bad time also
      implies (ii): henceforth *all* objects belonging to that global object will use
      slow put indexed storage, so that we don't ever have to scan the heap again. Note
      that here we are using the global object as just an approximation of a program
      module; it may be worth investigating in the future if other approximations can be
      used instead.
      
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::arrayModeFromStructure):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::isSlowPutAccess):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JIT.h:
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateJSArray):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_new_array):
      * runtime/ArrayPrototype.cpp:
      (JSC::ArrayPrototype::finishCreation):
      (JSC::arrayProtoFuncSort):
      * runtime/IndexingType.h:
      (JSC):
      (JSC::hasIndexedProperties):
      (JSC::hasIndexingHeader):
      (JSC::hasArrayStorage):
      (JSC::shouldUseSlowPut):
      * runtime/JSArray.cpp:
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      * runtime/JSArray.h:
      (JSC::JSArray::createStructure):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::JSGlobalObject):
      (JSC::JSGlobalObject::reset):
      (JSC):
      (JSC::JSGlobalObject::haveABadTime):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::addressOfArrayStructure):
      (JSC::JSGlobalObject::havingABadTimeWatchpoint):
      (JSC::JSGlobalObject::isHavingABadTime):
      * runtime/JSObject.cpp:
      (JSC::JSObject::visitButterfly):
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::put):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::enterDictionaryIndexingMode):
      (JSC::JSObject::notifyPresenceOfIndexedAccessors):
      (JSC):
      (JSC::JSObject::createArrayStorage):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::switchToSlowPutArrayStorage):
      (JSC::JSObject::setPrototype):
      (JSC::JSObject::resetInheritorID):
      (JSC::JSObject::inheritorID):
      (JSC::JSObject::allowsAccessFrom):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::unwrappedGlobalObject):
      (JSC::JSObject::notifyUsedAsPrototype):
      (JSC::JSObject::createInheritorID):
      (JSC::JSObject::defineOwnIndexedProperty):
      (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
      (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::getOwnPropertyDescriptor):
      * runtime/JSObject.h:
      (JSC::JSObject::mayBeUsedAsPrototype):
      (JSObject):
      (JSC::JSObject::mayInterceptIndexedAccesses):
      (JSC::JSObject::getArrayLength):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::completeInitialization):
      (JSC::JSObject::inSparseIndexingMode):
      (JSC::JSObject::arrayStorage):
      (JSC::JSObject::arrayStorageOrNull):
      (JSC::JSObject::ensureArrayStorage):
      (JSC):
      (JSC::JSValue::putByIndex):
      * runtime/JSValue.cpp:
      (JSC::JSValue::putToPrimitive):
      (JSC::JSValue::putToPrimitiveByIndex):
      (JSC):
      * runtime/JSValue.h:
      (JSValue):
      * runtime/ObjectPrototype.cpp:
      (JSC::ObjectPrototype::finishCreation):
      * runtime/SparseArrayValueMap.cpp:
      (JSC::SparseArrayValueMap::putEntry):
      (JSC::SparseArrayEntry::put):
      (JSC):
      * runtime/SparseArrayValueMap.h:
      (JSC):
      (SparseArrayEntry):
      * runtime/Structure.cpp:
      (JSC::Structure::anyObjectInChainMayInterceptIndexedAccesses):
      (JSC):
      (JSC::Structure::suggestedIndexingTransition):
      * runtime/Structure.h:
      (Structure):
      (JSC::Structure::mayInterceptIndexedAccesses):
      * runtime/StructureTransitionTable.h:
      (JSC::newIndexingType):
      
      LayoutTests: 
      
      Removed failing expectation for primitive-property-access-edge-cases, and
      added more tests to cover the numerical-setter-on-prototype cases.
      
      * fast/js/array-bad-time-expected.txt: Added.
      * fast/js/array-bad-time.html: Added.
      * fast/js/array-slow-put-expected.txt: Added.
      * fast/js/array-slow-put.html: Added.
      * fast/js/cross-frame-bad-time-expected.txt: Added.
      * fast/js/cross-frame-bad-time.html: Added.
      * fast/js/jsc-test-list:
      * fast/js/object-bad-time-expected.txt: Added.
      * fast/js/object-bad-time.html: Added.
      * fast/js/object-slow-put-expected.txt: Added.
      * fast/js/object-slow-put.html: Added.
      * fast/js/script-tests/array-bad-time.js: Added.
      * fast/js/script-tests/array-slow-put.js: Added.
      (foo):
      * fast/js/script-tests/cross-frame-bad-time.js: Added.
      (foo):
      * fast/js/script-tests/object-bad-time.js: Added.
      (Cons):
      * fast/js/script-tests/object-slow-put.js: Added.
      (Cons):
      (foo):
      * platform/mac/fast/js/primitive-property-access-edge-cases-expected.txt: Removed.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128802 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1c4a32c9
  5. 16 Sep, 2012 3 commits
  6. 14 Sep, 2012 3 commits
    • fpizlo@apple.com's avatar
      All of the things in SparseArrayValueMap should be out-of-line · 9cedb5d0
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96854
      
      Reviewed by Andy Estes.
      
      Those inline methods were buying us nothing.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * runtime/JSArray.cpp:
      * runtime/JSGlobalData.cpp:
      * runtime/JSObject.cpp:
      * runtime/RegExpMatchesArray.cpp:
      * runtime/SparseArrayValueMap.cpp:
      (JSC::SparseArrayValueMap::SparseArrayValueMap):
      (JSC):
      (JSC::SparseArrayValueMap::~SparseArrayValueMap):
      (JSC::SparseArrayValueMap::finishCreation):
      (JSC::SparseArrayValueMap::create):
      (JSC::SparseArrayValueMap::destroy):
      (JSC::SparseArrayValueMap::createStructure):
      (JSC::SparseArrayValueMap::add):
      (JSC::SparseArrayValueMap::putEntry):
      (JSC::SparseArrayValueMap::putDirect):
      (JSC::SparseArrayEntry::get):
      (JSC::SparseArrayEntry::getNonSparseMode):
      (JSC::SparseArrayValueMap::visitChildren):
      * runtime/SparseArrayValueMapInlineMethods.h: Removed.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128680 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9cedb5d0
    • commit-queue@webkit.org's avatar
      JSC should throw a more descriptive exception when blocking 'eval' via CSP. · 7415e10e
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=94331
      
      Patch by Mike West <mkwst@chromium.org> on 2012-09-14
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore:
      
      Unless explicitly whitelisted, the 'script-src' Content Security Policy
      directive blocks 'eval' and 'eval'-like constructs such as
      'new Function()'. When 'eval' is encountered in code, an 'EvalError' is
      thrown, but the associated message is poor: "Eval is disabled" doesn't
      give developers enough information about why their code isn't behaving
      as expected.
      
      This patch adds an 'errorMessage' parameter to the JavaScriptCore method
      used to disable 'eval'; ContentSecurityPolicy has the opportunity to
      pass in a more detailed and descriptive error that contains more context
      for the developer.
      
      * runtime/Executable.cpp:
      (JSC::EvalExecutable::compileInternal):
          Drop the hard-coded "Eval is disabled" error message in favor of
          reading the error message off the global object.
      * runtime/FunctionConstructor.cpp:
      (JSC::FunctionConstructor::getCallData):
          Drop the hard-coded "Function constructor is disabled" error message
          in favor of reading the error message off the global object.
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::evalEnabled):
          Making this accessor method const.
      (JSC::JSGlobalObject::evalDisabledErrorMessage):
          Accessor for the error message set via 'setEvalDisabled'.
      (JSC::JSGlobalObject::setEvalEnabled):
          Adding an 'errorMessage' parameter which is stored on the global
          object, and used when exceptions are thrown.
      
      Source/WebCore:
      
      Unless explicitly whitelisted, the 'script-src' Content Security Policy
      directive blocks 'eval' and 'eval'-like constructs such as
      'new Function()'. When 'eval' is encountered in code, an 'EvalError' is
      thrown, but the associated message is poor: "Eval is disabled" doesn't
      give developers enough information about why their code isn't behaving
      as expected.
      
      This patch adds an 'errorMessage' parameter to the JavaScriptCore method
      used to disable 'eval'; ContentSecurityPolicy has the opportunity to
      pass in a more detailed and descriptive error that contains more context
      for the developer.
      
      The new error message is tested by adjusting existing tests; nothing new
      is required.
      
      * bindings/js/ScriptController.cpp:
      (WebCore::ScriptController::initScript):
          Read the error message off the document's ContentSecurityPolicy.
      (WebCore::ScriptController::disableEval):
      * bindings/js/ScriptController.h:
      (ScriptController):
          Pipe the error message through to JSGlobalObject when disabling eval
      * bindings/js/WorkerScriptController.cpp:
      (WebCore::WorkerScriptController::disableEval):
      * bindings/js/WorkerScriptController.h:
      (WorkerScriptController):
          Pipe the error message through to JSGlobalObject when disabling eval
      * bindings/v8/ScriptController.cpp:
      (WebCore::ScriptController::disableEval):
      * bindings/v8/ScriptController.h:
      (ScriptController):
      * bindings/v8/WorkerScriptController.cpp:
      (WebCore::WorkerScriptController::disableEval):
      * bindings/v8/WorkerScriptController.h:
      (WorkerScriptController):
          Placeholder for V8 piping to be built in webk.it/94332.
      * dom/Document.cpp:
      (WebCore::Document::disableEval):
      * dom/Document.h:
      (Document):
      * dom/ScriptExecutionContext.h:
      (ScriptExecutionContext):
          Pipe the error message through to the ScriptController when
          disabling eval.
      * page/ContentSecurityPolicy.cpp:
      (WebCore::CSPDirectiveList::evalDisabledErrorMessage):
          Accessor for the error message that ought be displayed to developers
          when 'eval' used while disabled for a specific directive list.
      (WebCore::CSPDirectiveList::setEvalDisabledErrorMessage):
          Mutator for the error message that ought be displayed to developers
          when 'eval' used while disabled for a specific directive list.
      (CSPDirectiveList):
      (WebCore::CSPDirectiveList::create):
          Upon creation of a CSPDirectiveList, set the error message if the
          directive list disables 'eval'.
      (WebCore::ContentSecurityPolicy::didReceiveHeader):
          Pass the error message into ScriptExecutionContext::disableEval.
      (WebCore::ContentSecurityPolicy::evalDisabledErrorMessage):
          Public accessor for the policy's error message; walks the list of
          directive lists and returns the first error message found.
      (WebCore):
      * page/ContentSecurityPolicy.h:
      * workers/WorkerContext.cpp:
      (WebCore::WorkerContext::disableEval):
      * workers/WorkerContext.h:
      (WorkerContext):
          Pipe the error message through to the ScriptController when
          disabling eval.
      
      LayoutTests:
      
      * http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt:
      * http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe-expected.txt:
      * http/tests/security/contentSecurityPolicy/function-constructor-blocked-expected.txt:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128670 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      7415e10e
    • fpizlo@apple.com's avatar
      bbc homepage crashes immediately · c9f16125
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96812
      <rdar://problem/12081386>
      
      Reviewed by Oliver Hunt.
      
      If you use the old storage pointer to write to space you thought was newly allocated,
      you're going to have a bad time.
      
      * runtime/JSArray.cpp:
      (JSC::JSArray::unshiftCount):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128667 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c9f16125
  7. 13 Sep, 2012 2 commits
    • mhahnenberg@apple.com's avatar
      Rename forEachCell to forEachLiveCell · 4930320c
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96685
      
      Reviewed by Oliver Hunt.
      
      forEachCell actually only iterates over live cells. We should rename it to 
      reflect what it actually does. This is also helpful because we want to add a new 
      forEachCell that actually does iterate each and every cell in a MarkedBlock 
      regardless of whether or not it is live.
      
      * debugger/Debugger.cpp:
      (JSC::Debugger::recompileAllJSFunctions):
      * heap/Heap.cpp:
      (JSC::Heap::globalObjectCount):
      (JSC::Heap::objectTypeCounts):
      * heap/MarkedBlock.h:
      (MarkedBlock):
      (JSC::MarkedBlock::forEachLiveCell):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (JSC::MarkedSpace::forEachLiveCell):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::releaseExecutableMemory):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128498 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4930320c
    • loislo@chromium.org's avatar
      [Qt][Win] REGRESSION(r128400): It broke the build · 4ef04bfb
      loislo@chromium.org authored
      https://bugs.webkit.org/show_bug.cgi?id=96617
      
      Patch by Filip Pizlo <fpizlo@apple.com> on 2012-09-13
      Reviewed by Simon Hausmann.
      
      Source/JavaScriptCore:
      
      Changed "JSC::Array" to "JSC::ArrayClass" because it's not used often enough
      for the brevity to be beneficial, and because "Array" causes too much namespace
      pollution.
      
      * runtime/IndexingType.h:
      (JSC):
      * runtime/JSArray.cpp:
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sort):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      (JSC::JSArray::compactForSorting):
      * runtime/JSObject.cpp:
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::getOwnPropertyDescriptor):
      * runtime/JSObject.h:
      (JSC::JSObject::getArrayLength):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::inSparseIndexingMode):
      (JSC::JSObject::ensureArrayStorage):
      
      Source/WebCore:
      
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::createStructure):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128428 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4ef04bfb
  8. 12 Sep, 2012 2 commits
    • fpizlo@apple.com's avatar
      JSC should have property butterflies · d8dd0535
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=91933
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      This changes the JSC object model. Previously, all objects had fast lookup for
      named properties. Integer indexed properties were only fast if you used a
      JSArray. With this change, all objects have fast indexed properties. This is
      accomplished without any space overhead by using a bidirectional object layout,
      aka butterflies. Each JSObject has a m_butterfly pointer where previously it
      had a m_outOfLineStorage pointer. To the left of the location pointed to by
      m_butterfly, we place all named out-of-line properties. To the right, we place
      all indexed properties along with indexing meta-data. Though, some indexing
      meta-data is placed in the 8-byte word immediately left of the pointed-to
      location; this is in anticipation of the indexing meta-data being small enough
      in the common case that m_butterfly always points to the first indexed
      property.
              
      This is performance neutral, except on tests that use indexed properties on
      plain objects, where the speed-up is in excess of an order of magnitude.
              
      One notable aspect of what this change brings is that it allows indexing
      storage to morph over time. Currently this is only used to allow all non-array
      objects to start out without any indexed storage. But it could be used for
      some kinds of array type inference in the future.
      
      * API/JSCallbackObject.h:
      (JSCallbackObject):
      * API/JSCallbackObjectFunctions.h:
      (JSC::::getOwnPropertySlotByIndex):
      (JSC):
      (JSC::::getOwnNonIndexPropertyNames):
      * API/JSObjectRef.cpp:
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::arrayModeFromStructure):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitDirectPutById):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGAdjacencyList.h:
      (JSC::DFG::AdjacencyList::AdjacencyList):
      (AdjacencyList):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::modeUsesButterfly):
      (JSC::DFG::modeIsJSArray):
      (JSC::DFG::isInBoundsAccess):
      (JSC::DFG::modeSupportsLength):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::addNode):
      (FixupPhase):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::Node):
      (Node):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      (JSC::DFG::putByVal):
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::generateProtoChainAccessStub):
      (JSC::DFG::tryCacheGetByID):
      (JSC::DFG::tryBuildGetByIDList):
      (JSC::DFG::emitPutReplaceStub):
      (JSC::DFG::emitPutTransitionStub):
      (JSC::DFG::tryBuildPutByIdList):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * heap/CopiedSpace.h:
      (CopiedSpace):
      * jit/JIT.h:
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject):
      (JSC::JIT::emitAllocateBasicStorage):
      (JSC::JIT::emitAllocateJSArray):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_new_array):
      (JSC::JIT::emitSlow_op_new_array):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::compileGetDirectOffset):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      (JSC::JIT::compilePutDirectOffset):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      (JSC::JIT::compilePutDirectOffset):
      (JSC::JIT::compileGetDirectOffset):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jsc.cpp:
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/Arguments.cpp:
      (JSC::Arguments::deletePropertyByIndex):
      (JSC::Arguments::defineOwnProperty):
      * runtime/ArrayConstructor.cpp:
      * runtime/ArrayConventions.h: Added.
      (JSC):
      (JSC::isDenseEnoughForVector):
      (JSC::indexingHeaderForArray):
      (JSC::baseIndexingHeaderForArray):
      * runtime/ArrayPrototype.cpp:
      (JSC::ArrayPrototype::create):
      (JSC):
      (JSC::ArrayPrototype::ArrayPrototype):
      (JSC::arrayProtoFuncToString):
      (JSC::arrayProtoFuncJoin):
      (JSC::arrayProtoFuncSort):
      (JSC::arrayProtoFuncFilter):
      (JSC::arrayProtoFuncMap):
      (JSC::arrayProtoFuncEvery):
      (JSC::arrayProtoFuncForEach):
      (JSC::arrayProtoFuncSome):
      (JSC::arrayProtoFuncReduce):
      (JSC::arrayProtoFuncReduceRight):
      * runtime/ArrayPrototype.h:
      (ArrayPrototype):
      (JSC::ArrayPrototype::createStructure):
      * runtime/ArrayStorage.h: Added.
      (JSC):
      (ArrayStorage):
      (JSC::ArrayStorage::ArrayStorage):
      (JSC::ArrayStorage::from):
      (JSC::ArrayStorage::butterfly):
      (JSC::ArrayStorage::indexingHeader):
      (JSC::ArrayStorage::length):
      (JSC::ArrayStorage::setLength):
      (JSC::ArrayStorage::vectorLength):
      (JSC::ArrayStorage::setVectorLength):
      (JSC::ArrayStorage::copyHeaderFromDuringGC):
      (JSC::ArrayStorage::inSparseMode):
      (JSC::ArrayStorage::lengthOffset):
      (JSC::ArrayStorage::vectorLengthOffset):
      (JSC::ArrayStorage::numValuesInVectorOffset):
      (JSC::ArrayStorage::vectorOffset):
      (JSC::ArrayStorage::indexBiasOffset):
      (JSC::ArrayStorage::sparseMapOffset):
      (JSC::ArrayStorage::sizeFor):
      * runtime/Butterfly.h: Added.
      (JSC):
      (Butterfly):
      (JSC::Butterfly::Butterfly):
      (JSC::Butterfly::totalSize):
      (JSC::Butterfly::fromBase):
      (JSC::Butterfly::offsetOfIndexingHeader):
      (JSC::Butterfly::offsetOfPublicLength):
      (JSC::Butterfly::offsetOfVectorLength):
      (JSC::Butterfly::indexingHeader):
      (JSC::Butterfly::propertyStorage):
      (JSC::Butterfly::indexingPayload):
      (JSC::Butterfly::arrayStorage):
      (JSC::Butterfly::offsetOfPropertyStorage):
      (JSC::Butterfly::indexOfPropertyStorage):
      (JSC::Butterfly::base):
      * runtime/ButterflyInlineMethods.h: Added.
      (JSC):
      (JSC::Butterfly::createUninitialized):
      (JSC::Butterfly::create):
      (JSC::Butterfly::createUninitializedDuringCollection):
      (JSC::Butterfly::base):
      (JSC::Butterfly::growPropertyStorage):
      (JSC::Butterfly::growArrayRight):
      (JSC::Butterfly::resizeArray):
      (JSC::Butterfly::unshift):
      (JSC::Butterfly::shift):
      * runtime/ClassInfo.h:
      (MethodTable):
      (JSC):
      * runtime/IndexingHeader.h: Added.
      (JSC):
      (IndexingHeader):
      (JSC::IndexingHeader::offsetOfIndexingHeader):
      (JSC::IndexingHeader::offsetOfPublicLength):
      (JSC::IndexingHeader::offsetOfVectorLength):
      (JSC::IndexingHeader::IndexingHeader):
      (JSC::IndexingHeader::vectorLength):
      (JSC::IndexingHeader::setVectorLength):
      (JSC::IndexingHeader::publicLength):
      (JSC::IndexingHeader::setPublicLength):
      (JSC::IndexingHeader::from):
      (JSC::IndexingHeader::fromEndOf):
      (JSC::IndexingHeader::propertyStorage):
      (JSC::IndexingHeader::arrayStorage):
      (JSC::IndexingHeader::butterfly):
      * runtime/IndexingHeaderInlineMethods.h: Added.
      (JSC):
      (JSC::IndexingHeader::preCapacity):
      (JSC::IndexingHeader::indexingPayloadSizeInBytes):
      * runtime/IndexingType.h: Added.
      (JSC):
      (JSC::hasIndexingHeader):
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::JSActivation):
      (JSC::JSActivation::visitChildren):
      (JSC::JSActivation::getOwnNonIndexPropertyNames):
      * runtime/JSActivation.h:
      (JSActivation):
      (JSC::JSActivation::tearOff):
      * runtime/JSArray.cpp:
      (JSC):
      (JSC::createArrayButterflyInDictionaryIndexingMode):
      (JSC::JSArray::setLengthWritable):
      (JSC::JSArray::defineOwnProperty):
      (JSC::JSArray::getOwnPropertySlot):
      (JSC::JSArray::getOwnPropertyDescriptor):
      (JSC::JSArray::put):
      (JSC::JSArray::deleteProperty):
      (JSC::JSArray::getOwnNonIndexPropertyNames):
      (JSC::JSArray::unshiftCountSlowCase):
      (JSC::JSArray::setLength):
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::shiftCount):
      (JSC::JSArray::unshiftCount):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sort):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      (JSC::JSArray::compactForSorting):
      * runtime/JSArray.h:
      (JSC):
      (JSArray):
      (JSC::JSArray::JSArray):
      (JSC::JSArray::length):
      (JSC::JSArray::createStructure):
      (JSC::JSArray::isLengthWritable):
      (JSC::createArrayButterfly):
      (JSC::JSArray::create):
      (JSC::JSArray::tryCreateUninitialized):
      * runtime/JSBoundFunction.cpp:
      (JSC::boundFunctionCall):
      (JSC::boundFunctionConstruct):
      (JSC::JSBoundFunction::finishCreation):
      * runtime/JSCell.cpp:
      (JSC::JSCell::getOwnNonIndexPropertyNames):
      (JSC):
      * runtime/JSCell.h:
      (JSCell):
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::getOwnPropertySlot):
      (JSC::JSFunction::getOwnPropertyDescriptor):
      (JSC::JSFunction::getOwnNonIndexPropertyNames):
      (JSC::JSFunction::defineOwnProperty):
      * runtime/JSFunction.h:
      (JSFunction):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSGlobalData):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      * runtime/JSONObject.cpp:
      (JSC::Stringifier::Holder::appendNextProperty):
      (JSC::Walker::walk):
      * runtime/JSObject.cpp:
      (JSC):
      (JSC::JSObject::visitButterfly):
      (JSC::JSObject::visitChildren):
      (JSC::JSFinalObject::visitChildren):
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::put):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
      (JSC::JSObject::enterDictionaryIndexingMode):
      (JSC::JSObject::createArrayStorage):
      (JSC::JSObject::createInitialArrayStorage):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::putDirectAccessor):
      (JSC::JSObject::deleteProperty):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::getOwnNonIndexPropertyNames):
      (JSC::JSObject::preventExtensions):
      (JSC::JSObject::fillGetterPropertySlot):
      (JSC::JSObject::putIndexedDescriptor):
      (JSC::JSObject::defineOwnIndexedProperty):
      (JSC::JSObject::allocateSparseIndexMap):
      (JSC::JSObject::deallocateSparseIndexMap):
      (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::increaseVectorLength):
      (JSC::JSObject::checkIndexingConsistency):
      (JSC::JSObject::growOutOfLineStorage):
      (JSC::JSObject::getOwnPropertyDescriptor):
      (JSC::putDescriptor):
      (JSC::JSObject::putDirectMayBeIndex):
      (JSC::JSObject::defineOwnNonIndexProperty):
      (JSC::JSObject::defineOwnProperty):
      (JSC::JSObject::getOwnPropertySlotSlow):
      * runtime/JSObject.h:
      (JSC::JSObject::getArrayLength):
      (JSObject):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::putDirectIndex):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::completeInitialization):
      (JSC::JSObject::inSparseIndexingMode):
      (JSC::JSObject::butterfly):
      (JSC::JSObject::outOfLineStorage):
      (JSC::JSObject::offsetForLocation):
      (JSC::JSObject::indexingShouldBeSparse):
      (JSC::JSObject::butterflyOffset):
      (JSC::JSObject::butterflyAddress):
      (JSC::JSObject::arrayStorage):
      (JSC::JSObject::arrayStorageOrZero):
      (JSC::JSObject::ensureArrayStorage):
      (JSC::JSObject::checkIndexingConsistency):
      (JSC::JSNonFinalObject::JSNonFinalObject):
      (JSC):
      (JSC::JSObject::setButterfly):
      (JSC::JSObject::setButterflyWithoutChangingStructure):
      (JSC::JSObject::JSObject):
      (JSC::JSObject::inlineGetOwnPropertySlot):
      (JSC::JSObject::putDirectInternal):
      (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
      (JSC::JSObject::putDirectWithoutTransition):
      (JSC::offsetInButterfly):
      (JSC::offsetRelativeToPatchedStorage):
      (JSC::indexRelativeToBase):
      (JSC::offsetRelativeToBase):
      * runtime/JSPropertyNameIterator.cpp:
      (JSC::JSPropertyNameIterator::create):
      * runtime/JSSymbolTableObject.cpp:
      (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
      * runtime/JSSymbolTableObject.h:
      (JSSymbolTableObject):
      * runtime/JSTypeInfo.h:
      (JSC):
      (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
      (JSC::TypeInfo::overridesGetPropertyNames):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      * runtime/ObjectConstructor.cpp:
      * runtime/ObjectPrototype.cpp:
      (JSC::ObjectPrototype::ObjectPrototype):
      (JSC):
      * runtime/ObjectPrototype.h:
      (ObjectPrototype):
      * runtime/PropertyOffset.h:
      (JSC::offsetInOutOfLineStorage):
      * runtime/PropertyStorage.h: Added.
      (JSC):
      * runtime/PutDirectIndexMode.h: Added.
      (JSC):
      * runtime/RegExpMatchesArray.cpp:
      (JSC::RegExpMatchesArray::RegExpMatchesArray):
      (JSC):
      (JSC::RegExpMatchesArray::create):
      (JSC::RegExpMatchesArray::finishCreation):
      * runtime/RegExpMatchesArray.h:
      (RegExpMatchesArray):
      (JSC::RegExpMatchesArray::createStructure):
      * runtime/RegExpObject.cpp:
      (JSC::RegExpObject::getOwnNonIndexPropertyNames):
      * runtime/RegExpObject.h:
      (RegExpObject):
      * runtime/Reject.h: Added.
      (JSC):
      (JSC::reject):
      * runtime/SparseArrayValueMap.cpp: Added.
      (JSC):
      * runtime/SparseArrayValueMap.h: Added.
      (JSC):
      (SparseArrayEntry):
      (JSC::SparseArrayEntry::SparseArrayEntry):
      (SparseArrayValueMap):
      (JSC::SparseArrayValueMap::sparseMode):
      (JSC::SparseArrayValueMap::setSparseMode):
      (JSC::SparseArrayValueMap::lengthIsReadOnly):
      (JSC::SparseArrayValueMap::setLengthIsReadOnly):
      (JSC::SparseArrayValueMap::find):
      (JSC::SparseArrayValueMap::remove):
      (JSC::SparseArrayValueMap::notFound):
      (JSC::SparseArrayValueMap::isEmpty):
      (JSC::SparseArrayValueMap::contains):
      (JSC::SparseArrayValueMap::size):
      (JSC::SparseArrayValueMap::begin):
      (JSC::SparseArrayValueMap::end):
      * runtime/SparseArrayValueMapInlineMethods.h: Added.
      (JSC):
      (JSC::SparseArrayValueMap::SparseArrayValueMap):
      (JSC::SparseArrayValueMap::~SparseArrayValueMap):
      (JSC::SparseArrayValueMap::finishCreation):
      (JSC::SparseArrayValueMap::create):
      (JSC::SparseArrayValueMap::destroy):
      (JSC::SparseArrayValueMap::createStructure):
      (JSC::SparseArrayValueMap::add):
      (JSC::SparseArrayValueMap::putEntry):
      (JSC::SparseArrayValueMap::putDirect):
      (JSC::SparseArrayEntry::get):
      (JSC::SparseArrayEntry::getNonSparseMode):
      (JSC::SparseArrayValueMap::visitChildren):
      * runtime/StorageBarrier.h: Removed.
      * runtime/StringObject.cpp:
      (JSC::StringObject::putByIndex):
      (JSC):
      (JSC::StringObject::deletePropertyByIndex):
      * runtime/StringObject.h:
      (StringObject):
      * runtime/StringPrototype.cpp:
      * runtime/Structure.cpp:
      (JSC::Structure::Structure):
      (JSC::Structure::materializePropertyMap):
      (JSC::Structure::nonPropertyTransition):
      (JSC):
      * runtime/Structure.h:
      (Structure):
      (JSC::Structure::indexingType):
      (JSC::Structure::indexingTypeIncludingHistory):
      (JSC::Structure::indexingTypeOffset):
      (JSC::Structure::create):
      * runtime/StructureTransitionTable.h:
      (JSC):
      (JSC::toAttributes):
      (JSC::newIndexingType):
      (JSC::StructureTransitionTable::Hash::hash):
      * tests/mozilla/js1_6/Array/regress-304828.js:
      
      Source/WebCore: 
      
      Teach the DOM that to intercept get/put on indexed properties, you now have
      to override getOwnPropertySlotByIndex and putByIndex.
      
      No new tests because no new behavior. One test was rebased because indexed
      property iteration order now matches other engines (indexed properties always
      come first).
      
      * bindings/js/ArrayValue.cpp:
      (WebCore::ArrayValue::get):
      * bindings/js/JSBlobCustom.cpp:
      (WebCore::JSBlobConstructor::constructJSBlob):
      * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
      (WebCore::JSCanvasRenderingContext2D::setWebkitLineDash):
      * bindings/js/JSDOMStringListCustom.cpp:
      (WebCore::toDOMStringList):
      * bindings/js/JSDOMStringMapCustom.cpp:
      (WebCore::JSDOMStringMap::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSDOMWindowCustom.cpp:
      (WebCore::JSDOMWindow::getOwnPropertySlot):
      (WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
      (WebCore):
      (WebCore::JSDOMWindow::putByIndex):
      (WebCore::JSDOMWindow::deletePropertyByIndex):
      * bindings/js/JSDOMWindowShell.cpp:
      (WebCore::JSDOMWindowShell::getOwnPropertySlotByIndex):
      (WebCore):
      (WebCore::JSDOMWindowShell::putByIndex):
      (WebCore::JSDOMWindowShell::deletePropertyByIndex):
      * bindings/js/JSDOMWindowShell.h:
      (JSDOMWindowShell):
      * bindings/js/JSHistoryCustom.cpp:
      (WebCore::JSHistory::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSInspectorFrontendHostCustom.cpp:
      (WebCore::populateContextMenuItems):
      * bindings/js/JSLocationCustom.cpp:
      (WebCore::JSLocation::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSStorageCustom.cpp:
      (WebCore::JSStorage::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSWebSocketCustom.cpp:
      (WebCore::JSWebSocketConstructor::constructJSWebSocket):
      * bindings/js/ScriptValue.cpp:
      (WebCore::jsToInspectorValue):
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneSerializer::serialize):
      * bindings/scripts/CodeGeneratorJS.pm:
      (GenerateHeader):
      (GenerateImplementation):
      * bridge/runtime_array.cpp:
      (JSC::RuntimeArray::RuntimeArray):
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::createStructure):
      (RuntimeArray):
      
      LayoutTests: 
      
      Modify the JSON test to indicate that iterating over properties now returns
      indexed properties first. This is a behavior change that makes us more
      compliant with other implementations.
              
      Also check in new expected file for the edge cases of indexed property access
      with prototype accessors. This changeset introduces a known regression in that
      department, which is tracked here: https://bugs.webkit.org/show_bug.cgi?id=96596
      
      * fast/js/resources/JSON-stringify.js:
      * platform/mac/fast/js/primitive-property-access-edge-cases-expected.txt: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128400 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d8dd0535
    • ggaren@apple.com's avatar
      Don't allocate a backing store just for a function's name · 0030e138
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96468
      
      Reviewed by Oliver Hunt.
      
      Treat function.name like function.length etc., and use a custom getter.
      This saves space in closures.
      
      * debugger/DebuggerCallFrame.cpp:
      (JSC::DebuggerCallFrame::functionName):
      * debugger/DebuggerCallFrame.h:
      (DebuggerCallFrame): Updated for interface change.
      
      * runtime/Executable.h:
      (JSC::JSFunction::JSFunction): Do a little inlining.
      
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::finishCreation): Gone now. That's the point of the patch.
      
      (JSC::JSFunction::name):
      (JSC::JSFunction::displayName):
      (JSC::JSFunction::nameGetter):
      (JSC::JSFunction::getOwnPropertySlot):
      (JSC::JSFunction::getOwnPropertyDescriptor):
      (JSC::JSFunction::getOwnPropertyNames):
      (JSC::JSFunction::put):
      (JSC::JSFunction::deleteProperty):
      (JSC::JSFunction::defineOwnProperty): Added custom accessors for .name
      just like .length and others.
      
      * runtime/JSFunction.h:
      (JSC::JSFunction::create):
      (JSFunction): Updated for interface changes.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128265 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0030e138
  9. 11 Sep, 2012 1 commit
    • ggaren@apple.com's avatar
      JSActivation should inline allocate its registers, and eliminate · 06a8bb6e
      ggaren@apple.com authored
      'arguments' registers in the common case
      https://bugs.webkit.org/show_bug.cgi?id=96427
      
      Reviewed by Filip Pizlo.
      
      This cuts the size class for simple closures down to 64 bytes.
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator): Set the usesNonStrictEval
      flag, which is new. Use a more specific test for whether a function
      uses 'arguments', so we can avoid allocating, initializing, and tearing
      off those registers in the common case. Distinguish between capturing
      arguments and not, so we can avoid allocating space for arguments in
      the torn-off object.
      
      We can make this even more general in the future, with some bytecode
      generator refactoring.
      
      (JSC::BytecodeGenerator::resolve): Updated for new interface.
      
      * bytecompiler/BytecodeGenerator.h:
      (BytecodeGenerator):
      (JSC::BytecodeGenerator::symbolTable): Updated some types.
      
      * heap/Heap.cpp:
      (JSC::Heap::isValidAllocation): Allow large allocations, now that they
      are both supported and used.
      
      * heap/Heap.h:
      (Heap): Added a new form of allocateCell that specifies the full size
      of the allocation, to allow for extra space on the end.
      
      * interpreter/CallFrame.h:
      (JSC::ExecState::argumentOffset):
      (JSC::ExecState::argumentOffsetIncludingThis):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::unwindCallFrame): Refactored this code to be more
      specific about tearing off 'arguments' vs activations. This is something
      I forgot in my last patch, and it is required now that we can have
      acitvations without 'arguments' registers.
      
      * runtime/Arguments.h:
      (JSC::Arguments::setRegisters): No need for setRegisters anymore because
      the activation object's storage doesn't change.
      
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::JSActivation): Initialize our storage manually because
      it's not declared to the C++ compiler.
      
      (JSC::JSActivation::visitChildren): No copyAndAppend because our storage
      is not out-of-line anymore.
      
      (JSC::JSActivation::symbolTableGet):
      (JSC::JSActivation::symbolTablePut):
      (JSC::JSActivation::getOwnPropertyNames):
      (JSC::JSActivation::symbolTablePutWithAttributes):
      (JSC::JSActivation::getOwnPropertySlot):
      (JSC::JSActivation::getOwnPropertyDescriptor):
      (JSC::JSActivation::argumentsGetter): Refactored isTornOff() testing to
      avoid using a data member and to avoid hard-coding any offset assumptions.
      
      * runtime/JSActivation.h:
      (JSC):
      (JSActivation):
      (JSC::JSActivation::create):
      (JSC::JSActivation::isDynamicScope):
      (JSC::JSActivation::captureStart):
      (JSC::JSActivation::storageSize):
      (JSC::JSActivation::storageSizeInBytes):
      (JSC::JSActivation::registerOffset):
      (JSC::JSActivation::tearOff):
      (JSC::JSActivation::isTornOff):
      (JSC::JSActivation::storage):
      (JSC::JSActivation::allocationSize):
      (JSC::JSActivation::isValid): New helper functions for doing the math
      on our inline storage. Note that in the "AllOfTheThings" tear-off case,
      the number of things is not known at compile time, so we store the
      number in the argument count register. We can't just copy the raw contents
      of the register beacuse we need a value that is safe for precise marking,
      and the value in the register file has an invalid tag.
      
      * runtime/JSCell.h:
      (JSC::allocateCell): New function for allocating with extra storage
      on the end.
      
      * runtime/JSSymbolTableObject.h:
      (JSC::JSSymbolTableObject::JSSymbolTableObject):
      (JSC::JSSymbolTableObject::finishCreation):
      * runtime/JSVariableObject.h:
      (JSC::JSVariableObject::JSVariableObject):
      (JSVariableObject): Make it easier for subclasses to use their symbol
      tables during construction, by passing the table as a constructor argument.
      
      * runtime/SymbolTable.h:
      (JSC::SharedSymbolTable::usesNonStrictEval):
      (JSC::SharedSymbolTable::setUsesNonStrictEval):
      (SharedSymbolTable):
      (JSC::SharedSymbolTable::captureMode):
      (JSC::SharedSymbolTable::setCaptureMode):
      (JSC::SharedSymbolTable::captureStart):
      (JSC::SharedSymbolTable::setCaptureStart):
      (JSC::SharedSymbolTable::captureEnd):
      (JSC::SharedSymbolTable::setCaptureEnd):
      (JSC::SharedSymbolTable::parameterCountIncludingThis):
      (JSC::SharedSymbolTable::setParameterCountIncludingThis):
      (JSC::SharedSymbolTable::SharedSymbolTable): Added data members to more
      precisely describe what kind of capture is in play, and to avoid having
      data members in the activation. We expect N activations per symbol table,
      so this can be a big savings in heavy closure usage.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128260 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      06a8bb6e
  10. 10 Sep, 2012 4 commits
    • mhahnenberg@apple.com's avatar
      Remove m_classInfo from JSCell · bd52e3e5
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96311
      
      Reviewed by Oliver Hunt.
      
      Now that no one is using the ClassInfo in JSCell, we can remove it for the greater good. This is a 1.5% win on v8v7 and
      a 1.7% win on kraken, and is an overall performance progression.
      
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): Had to rearrange the order of when we take things off the free list
      and when we store the Structure in the object because we would clobber the free list otherwise. This made it not okay for
      the structure argument and the scratch register to alias one another. Also removed the store of the ClassInfo pointer in the
      object. Yay!
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp: Since it's no longer okay for for the scratch register and structure register to alias
      one another as stated above, had to add an extra temporary for passing the Structure.
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp: Ditto.
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject): Similar changes to DFG's inline allocation except that it removed the object from
      the free list first, so no changes were necessary there.
      * llint/LowLevelInterpreter.asm: Change the constants for amount of inline storage to match PropertyOffset.h and remove
      the store of the ClassInfo pointer during inline allocation.
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSCell.h: Remove the m_classInfo field and associated methods.
      (JSCell):
      * runtime/JSObject.h:
      (JSObject):
      * runtime/PropertyOffset.h: Expand the number of inline storage properties to take up the extra space that we're freeing
      with the removal of the ClassInfo pointer.
      (JSC):
      * runtime/Structure.h:
      (JSC):
      (JSC::JSCell::JSCell):
      (JSC::JSCell::finishCreation):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128146 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      bd52e3e5
    • ggaren@apple.com's avatar
      Added large allocation support to MarkedSpace · 6159e5f9
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96214
      
      Originally reviewed by Oliver Hunt, then I added a design revision by
      suggested by Phil Pizlo.
      
      I expanded the imprecise size classes to cover up to 32KB, then added
      an mmap-based allocator for everything bigger. There's a lot of tuning
      we could do in these size classes, but currently they're almost
      completely unused, so I haven't done any tuning.
      
      Subtle point: the large allocator is a degenerate case of our free list
      logic. Its list only ever contains zero or one items.
      
      * heap/Heap.h:
      (JSC::Heap::allocateStructure): Pipe in size information.
      
      * heap/MarkedAllocator.cpp:
      (JSC::MarkedAllocator::tryAllocateHelper): Handle the case where we
      find a free item in the sweep list but the item isn't big enough. This
      can happen in the large allocator because it mixes sizes.
      
      (JSC::MarkedAllocator::tryAllocate):
      (JSC::MarkedAllocator::allocateSlowCase): More piping.
      
      (JSC::MarkedAllocator::allocateBlock): Handle the oversize case.
      
      (JSC::MarkedAllocator::addBlock): I moved the call to didAddBlock here
      because it made more sense.
      
      * heap/MarkedAllocator.h:
      (MarkedAllocator):
      (JSC::MarkedAllocator::allocate):
      * heap/MarkedSpace.cpp:
      (JSC::MarkedSpace::MarkedSpace):
      (JSC::MarkedSpace::resetAllocators):
      (JSC::MarkedSpace::canonicalizeCellLivenessData):
      (JSC::MarkedSpace::isPagedOut):
      (JSC::MarkedSpace::freeBlock):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (JSC::MarkedSpace::allocatorFor):
      (JSC::MarkedSpace::destructorAllocatorFor):
      (JSC::MarkedSpace::allocateWithoutDestructor):
      (JSC::MarkedSpace::allocateWithDestructor):
      (JSC::MarkedSpace::allocateStructure):
      (JSC::MarkedSpace::forEachBlock):
      * runtime/Structure.h:
      (JSC::Structure): More piping.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128141 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6159e5f9
    • mhahnenberg@apple.com's avatar
      Combine MarkStack and SlotVisitor into single class · a57e6716
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96043
      
      Reviewed by Geoff Garen.
      
      Move all of MarkStack into SlotVisitor. The remaining stuff in MarkStack.cpp actually has to do 
      with MarkStack management/allocation. Cleaned up a few of the header files while I was at it.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CodeBlock.cpp:
      * dfg/DFGCommon.h:
      * heap/GCThreadSharedData.cpp:
      * heap/GCThreadSharedData.h:
      (GCThreadSharedData):
      * heap/HeapRootVisitor.h:
      * heap/MarkStack.cpp:
      (JSC):
      * heap/MarkStack.h:
      (JSC):
      (MarkStackSegment):
      (JSC::MarkStackSegment::data):
      (JSC::MarkStackSegment::capacityFromSize):
      (JSC::MarkStackSegment::sizeFromCapacity):
      (MarkStackSegmentAllocator):
      (MarkStackArray):
      * heap/MarkStackInlineMethods.h:
      (JSC::MarkStackArray::postIncTop):
      (JSC):
      (JSC::MarkStackArray::preDecTop):
      (JSC::MarkStackArray::setTopForFullSegment):
      (JSC::MarkStackArray::setTopForEmptySegment):
      (JSC::MarkStackArray::top):
      (JSC::MarkStackArray::validatePrevious):
      (JSC::MarkStackArray::append):
      (JSC::MarkStackArray::canRemoveLast):
      (JSC::MarkStackArray::removeLast):
      (JSC::MarkStackArray::isEmpty):
      (JSC::MarkStackArray::size):
      * heap/SlotVisitor.cpp: Added.
      (JSC):
      (JSC::SlotVisitor::SlotVisitor):
      (JSC::SlotVisitor::~SlotVisitor):
      (JSC::SlotVisitor::setup):
      (JSC::SlotVisitor::reset):
      (JSC::SlotVisitor::append):
      (JSC::visitChildren):
      (JSC::SlotVisitor::donateKnownParallel):
      (JSC::SlotVisitor::drain):
      (JSC::SlotVisitor::drainFromShared):
      (JSC::SlotVisitor::mergeOpaqueRoots):
      (JSC::SlotVisitor::startCopying):
      (JSC::SlotVisitor::allocateNewSpaceSlow):
      (JSC::SlotVisitor::allocateNewSpaceOrPin):
      (JSC::JSString::tryHashConstLock):
      (JSC::JSString::releaseHashConstLock):
      (JSC::JSString::shouldTryHashConst):
      (JSC::SlotVisitor::internalAppend):
      (JSC::SlotVisitor::copyAndAppend):
      (JSC::SlotVisitor::doneCopying):
      (JSC::SlotVisitor::harvestWeakReferences):
      (JSC::SlotVisitor::finalizeUnconditionalFinalizers):
      (JSC::SlotVisitor::validate):
      * heap/SlotVisitor.h:
      (JSC):
      (SlotVisitor):
      (JSC::SlotVisitor::sharedData):
      (JSC::SlotVisitor::isEmpty):
      (JSC::SlotVisitor::visitCount):
      (JSC::SlotVisitor::resetChildCount):
      (JSC::SlotVisitor::childCount):
      (JSC::SlotVisitor::incrementChildCount):
      (ParallelModeEnabler):
      (JSC::ParallelModeEnabler::ParallelModeEnabler):
      (JSC::ParallelModeEnabler::~ParallelModeEnabler):
      * heap/SlotVisitorInlineMethods.h:
      (JSC::SlotVisitor::append):
      (JSC):
      (JSC::SlotVisitor::appendUnbarrieredPointer):
      (JSC::SlotVisitor::appendUnbarrieredValue):
      (JSC::SlotVisitor::internalAppend):
      (JSC::SlotVisitor::addWeakReferenceHarvester):
      (JSC::SlotVisitor::addUnconditionalFinalizer):
      (JSC::SlotVisitor::addOpaqueRoot):
      (JSC::SlotVisitor::containsOpaqueRoot):
      (JSC::SlotVisitor::opaqueRootCount):
      (JSC::SlotVisitor::mergeOpaqueRootsIfNecessary):
      (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable):
      (JSC::SlotVisitor::donate):
      (JSC::SlotVisitor::donateAndDrain):
      * jit/JITWriteBarrier.h:
      (JSC::SlotVisitor::append):
      * jit/JumpReplacementWatchpoint.cpp:
      * runtime/JSCell.h:
      * runtime/Structure.h:
      (JSC::SlotVisitor::internalAppend):
      * runtime/WriteBarrier.h:
      (JSC):
      (JSC::SlotVisitor::append):
      (JSC::SlotVisitor::appendValues):
      * yarr/YarrJIT.cpp:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128084 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a57e6716
    • commit-queue@webkit.org's avatar
      [EFL] JIT memory usage is not retrieved · c3f4dbdc
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=96095
      
      Patch by Hojong Han <hojong.han@samsung.com> on 2012-09-10
      Reviewed by Geoffrey Garen.
      
      Fill JITBytes for EFL port.
      
      * runtime/MemoryStatistics.cpp:
      (JSC::globalMemoryStatistics):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128071 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c3f4dbdc
  11. 07 Sep, 2012 2 commits
    • benjamin@webkit.org's avatar
      Rename the ustring() accessor to string() · c9b7a208
      benjamin@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=95919
      
      Patch by Benjamin Poulain <bpoulain@apple.com> on 2012-09-07
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      Rename ustring() to string() to make the accessor name more logical after
      r127191.
      
      * API/JSBase.cpp:
      (JSEvaluateScript):
      (JSCheckScriptSyntax):
      * API/JSObjectRef.cpp:
      (JSObjectMakeFunctionWithCallback):
      (JSObjectMakeFunction):
      (JSObjectCopyPropertyNames):
      * API/JSProfilerPrivate.cpp:
      (JSStartProfiling):
      (JSEndProfiling):
      * API/JSValueRef.cpp:
      (JSValueMakeString):
      (JSValueMakeFromJSONString):
      * API/OpaqueJSString.cpp:
      (OpaqueJSString::string):
      * API/OpaqueJSString.h:
      (OpaqueJSString):
      * bytecode/CodeBlock.cpp:
      (JSC::idName):
      (JSC::CodeBlock::dump):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitLoad):
      (JSC::BytecodeGenerator::addStringConstant):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::RegExpNode::emitBytecode):
      (JSC::processClauseList):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::privateExecute):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jsc.cpp:
      (GlobalObject::addFunction):
      (GlobalObject::addConstructableFunction):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * parser/ASTBuilder.h:
      (JSC::ASTBuilder::createRegExp):
      * parser/Parser.cpp:
      (JSC::::parsePrimaryExpression):
      * parser/Parser.h:
      (JSC::Scope::declareVariable):
      (JSC::Scope::declareParameter):
      (JSC::Scope::useVariable):
      * parser/SyntaxChecker.h:
      (JSC::SyntaxChecker::createRegExp):
      * runtime/ExceptionHelpers.cpp:
      (JSC::createUndefinedVariableError):
      * runtime/Executable.cpp:
      (JSC::FunctionExecutable::paramString):
      * runtime/Executable.h:
      (JSC::FunctionExecutable::finishCreation):
      * runtime/FunctionPrototype.cpp:
      (JSC::FunctionPrototype::addFunctionProperties):
      * runtime/Identifier.h:
      (JSC::Identifier::string):
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::calculatedDisplayName):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      * runtime/JSONObject.cpp:
      (JSC::PropertyNameForFunctionCall::value):
      (JSC::Stringifier::Holder::appendNextProperty):
      (JSC::Walker::walk):
      * runtime/JSPropertyNameIterator.h:
      (JSC::JSPropertyNameIterator::finishCreation):
      * runtime/JSScope.cpp:
      (JSC::JSScope::resolveBase):
      * runtime/JSString.h:
      (JSC::inlineJSValueNotStringtoString):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      * runtime/ObjectConstructor.cpp:
      (JSC::ObjectConstructor::finishCreation):
      (JSC::objectConstructorGetOwnPropertyNames):
      (JSC::objectConstructorKeys):
      * runtime/RegExpConstructor.cpp:
      (JSC::RegExpConstructor::finishCreation):
      
      Source/WebCore: 
      
      * bindings/js/Dictionary.cpp:
      (WebCore::Dictionary::getOwnPropertiesAsStringHashMap):
      (WebCore::Dictionary::getOwnPropertyNames):
      * bindings/js/SerializedScriptValue.cpp:
      Simplify a few String constructions which were still using type conversion
      through StringImpl.
      
      (WebCore::CloneSerializer::write):
      (WebCore::CloneDeserializer::CachedString::string):
      (WebCore::CloneDeserializer::readFile):
      (WebCore::CloneDeserializer::readTerminal):
      (WebCore::CloneDeserializer::deserialize):
      * bridge/NP_jsobject.cpp:
      (_NPN_Enumerate):
      
      Source/WebKit/efl: 
      
      * WebCoreSupport/DumpRenderTreeSupportEfl.cpp:
      (DumpRenderTreeSupportEfl::sendWebIntentResponse):
      (DumpRenderTreeSupportEfl::deliverWebIntent):
      Aslo update the code from the UString->String conversion through StringImpl.
      
      Source/WebKit/mac: 
      
      * Plugins/Hosted/NetscapePluginInstanceProxy.mm:
      (WebKit::NetscapePluginInstanceProxy::enumerate):
      
      Source/WebKit2: 
      
      * WebProcess/Plugins/Netscape/NPJSObject.cpp:
      (WebKit::NPJSObject::enumerate):
      
      Tools: 
      
      Update EFL's DRT.
      
      Fix some string conversion that have been made useless
      with recent changes.
      
      * DumpRenderTree/efl/EventSender.cpp:
      (keyPadNameFromJSValue):
      (keyNameFromJSValue):
      * DumpRenderTree/efl/TestRunnerEfl.cpp:
      (TestRunner::queueLoad):
      (TestRunner::addOriginAccessWhitelistEntry):
      (TestRunner::removeOriginAccessWhitelistEntry):
      (TestRunner::setUserStyleSheetLocation):
      (TestRunner::setValueForUser):
      (TestRunner::elementDoesAutoCompleteForElementWithId):
      (TestRunner::execCommand):
      (TestRunner::findString):
      (TestRunner::isCommandEnabled):
      (TestRunner::clearApplicationCacheForOrigin):
      (TestRunner::setDomainRelaxationForbiddenForURLScheme):
      (TestRunner::pauseAnimationAtTimeOnElementWithId):
      (TestRunner::pauseTransitionAtTimeOnElementWithId):
      (toInt):
      (TestRunner::overridePreference):
      (TestRunner::addUserScript):
      (TestRunner::addUserStyleSheet):
      (TestRunner::evaluateInWebInspector):
      (TestRunner::evaluateScriptInIsolatedWorld):
      (TestRunner::setTextDirection):
      * DumpRenderTree/efl/WorkQueueItemEfl.cpp:
      (LoadItem::invoke):
      (LoadHTMLStringItem::invoke):
      (ScriptItem::invoke):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127958 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c9b7a208
    • barraclough@apple.com's avatar
      Object.prototype.__define{G,S}etter__ with non-callable second parameter... · 885da322
      barraclough@apple.com authored
      Object.prototype.__define{G,S}etter__ with non-callable second parameter should throw TypeError instead of SyntaxError
      https://bugs.webkit.org/show_bug.cgi?id=93873
      
      Reviewed by Sam Weinig.
      
      Source/JavaScriptCore: 
      
      * runtime/ObjectPrototype.cpp:
      (JSC::objectProtoFuncDefineGetter):
          - throw TypeError instead of SyntaxError
      (JSC::objectProtoFuncDefineSetter):
          - throw TypeError instead of SyntaxError
      
      LayoutTests: 
      
      * fast/js/property-getters-and-setters-expected.txt:
          - updated results
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127930 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      885da322
  12. 06 Sep, 2012 6 commits
    • mhahnenberg@apple.com's avatar
      JSC should have a zombie mode · 66b96f28
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96047
      
      Reviewed by Geoffrey Garen.
      
      To aid clients of JSC while they are debugging memory issues, we should add a zombie
      mode that scribbles into objects in the MarkedSpace after they are found to be dead
      to prevent a sort of "use after free" situation. As a first cut we should support a
      mode that just scribbles on objects prior to their being reused (i.e. while they are
      "zombies") and a mode in which, in addition to scribbling on zombies, once an object
      has been marked its mark bit will never be cleared, thus giving us "immortal" zombies.
      
      These two modes will be enabled through the use of environment variables. For now these
      will be "JSZombieEnabled" and "JSImmortalZombieEnabled". Setting them to any value will
      result in the use of the appropriate mode.
      
      * heap/Heap.cpp:
      (JSC::Heap::collect): Zombifies dead objects at the end of collection if zombie mode is enabled.
      (ZombifyCellFunctor):
      (JSC::ZombifyCellFunctor::ZombifyCellFunctor): Sets marked bits for dead objects if in immortal mode and writes 0xbbadbeef into them.
      (JSC::ZombifyCellFunctor::operator()):
      (JSC):
      (ZombifyBlockFunctor):
      (JSC::ZombifyBlockFunctor::operator()):
      (JSC::Heap::zombifyDeadObjects): Eagerly sweeps so that we don't write garbage into an object before it
      is finalized/destroyed.
      * heap/Heap.h:
      (Heap):
      * heap/MarkedBlock.h:
      (MarkedBlock):
      (JSC::MarkedBlock::forEachDeadCell): Used to iterate over dead cells at the end of collection if zombie mode is enabled.
      (JSC):
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      * runtime/Options.h:
      (JSC):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127829 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      66b96f28
    • ggaren@apple.com's avatar
      Source/JavaScriptCore: Rolled back in <http://trac.webkit.org/changeset/127698> with a fix for · f820008c
      ggaren@apple.com authored
      fast/dom/HTMLScriptElement/script-reexecution-pretty-diff.html, which
      is to make sure that function declarations don't put their names in scope.
      
      Reviewed by Gavin Barraclough.
      
          Named functions should not allocate scope objects for their names
          https://bugs.webkit.org/show_bug.cgi?id=95659
      
          Reviewed by Oliver Hunt.
      
      LayoutTests: Rolled back in <http://trac.webkit.org/changeset/127698> with a fix for
      fast/dom/HTMLScriptElement/script-reexecution-pretty-diff.html.
      
      Added a more explicit test for the feature I broke in 
      fast/dom/HTMLScriptElement/script-reexecution-pretty-diff.html.
      
      Reviewed by Gavin Barraclough.
      
          Named functions should not allocate scope objects for their names
          https://bugs.webkit.org/show_bug.cgi?id=95659
      
          Reviewed by Oliver Hunt.
      
      * fast/dom/HTMLScriptElement/script-reexecution.html:
      * fast/js/function-name-is-in-scope-expected.txt: Added.
      * fast/js/function-name-is-in-scope.html: Added.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127810 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      f820008c
    • msaboff@apple.com's avatar
      16 bit JSRopeString up converts an 8 bit fibers to 16 bits during resolution · f25bc169
      msaboff@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=95810
      
      Reviewed by Benjamin Poulain.
      
      Source/JavaScriptCore: 
      
      Added 8 bit path that copies the contents of an 8 bit fiber to the 16 bit buffer
      when resolving a 16 bit rope.
      
      * runtime/JSString.cpp:
      (JSC::JSRopeString::resolveRopeSlowCase):
      
      Source/WTF: 
      
      New copy routine that takes an 8 bit source and a 16 bit destination.  Used when copying
      the contents of an 8 bit fiber to the 16 bit buffer when resolving a 16 bit rope.
      
      * wtf/text/StringImpl.h:
      (WTF::StringImpl::copyChars):
      (StringImpl):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127809 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      f25bc169
    • ggaren@apple.com's avatar
      Rolled out <http://trac.webkit.org/changeset/127698> because it broke · b6920873
      ggaren@apple.com authored
      fast/dom/HTMLScriptElement/script-reexecution-pretty-diff.html
      
          Named functions should not allocate scope objects for their names
          https://bugs.webkit.org/show_bug.cgi?id=95659
      
          Reviewed by Oliver Hunt.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127774 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b6920873
    • commit-queue@webkit.org's avatar
      Renamed useYarrJIT() option to useRegExpJIT(). Also fixed regression in · 8a89a852
      commit-queue@webkit.org authored
      which inadvertantly allows the ASM llint to use the baseline JIT when
      useRegExpJIT() is true.
      https://bugs.webkit.org/show_bug.cgi?id=95918.
      
      Patch by Mark Lam <mark.lam@apple.com> on 2012-09-06
      Reviewed by Geoffrey Garen.
      
      * runtime/JSGlobalData.cpp:
      (JSC::enableAssembler):
      (JSC::JSGlobalData::JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSC::JSGlobalData::canUseJIT):
      (JSC::JSGlobalData::canUseRegExpJIT):
      (JSGlobalData):
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      * runtime/Options.h:
      (JSC):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127719 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      8a89a852
    • ggaren@apple.com's avatar
      Named functions should not allocate scope objects for their names · d9e96293
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=95659
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      In most cases, we can merge a function expression's name into its symbol
      table. This reduces memory footprint per closure from three objects
      (function + activation + name scope) to two (function + activation),
      speeds up closure allocation, and speeds up recursive calls.
      
      In the case of a named function expression that contains a non-strict
      eval, the rules are so bat-poop crazy that I don't know how to model
      them without an extra object. Since functions now default to not having
      such an object, this case needs to allocate the object on function
      entry.
      
      Therefore, this patch makes the slow case a bit slower so the fast case
      can be faster and more memory-efficient. (Note that the slow case already
      allocates an activation on entry, and until recently also allocated a
      scope chain node on entry, so adding one allocation on entry shouldn't
      break the bank.)
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::CodeBlock): Caught a missed initializer. No behavior change.
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator): Put the callee in static scope
      during compilation so it doesn't need to be in dynamic scope at runtime.
      
      (JSC::BytecodeGenerator::resolveCallee):
      (JSC::BytecodeGenerator::addCallee): Helper functions for either statically
      resolving the callee or adding a dynamic scope that will resolve to it,
      depending on whether you're in the fast path.
      
      We move the callee into a var location if it's captured because activations
      prefer to have contiguous ranges of captured variables.
      
      * bytecompiler/BytecodeGenerator.h:
      (JSC::BytecodeGenerator::registerFor):
      (BytecodeGenerator):
      
      * dfg/DFGOperations.cpp:
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::privateExecute):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL): This is the point of the patch: remove
      one allocation in the case of a named function expression.
      
      * parser/Parser.cpp:
      (JSC::::Parser):
      * parser/Parser.h:
      (JSC::Scope::declareCallee):
      (Scope):
      (Parser):
      (JSC::parse):
      * runtime/Executable.cpp:
      (JSC::EvalExecutable::compileInternal):
      (JSC::ProgramExecutable::checkSyntax):
      (JSC::ProgramExecutable::compileInternal):
      (JSC::FunctionExecutable::produceCodeBlockFor):
      (JSC::FunctionExecutable::fromGlobalCode): Pipe the callee's name through
      the parser so we get accurate information on whether the callee was captured.
      
      (JSC::FunctionExecutable::FunctionExecutable):
      (JSC::EvalExecutable::compileInternal):
      (JSC::ProgramExecutable::checkSyntax):
      (JSC::ProgramExecutable::compileInternal):
      (JSC::FunctionExecutable::produceCodeBlockFor):
      (JSC::FunctionExecutable::fromGlobalCode):
      * runtime/Executable.h:
      (JSC::FunctionExecutable::create):
      (FunctionExecutable):
      (JSC::FunctionExecutable::finishCreation): I had to refactor function
      creation to support the following function constructor quirk: the function
      gets a name, but its name is not in lexical scope.
      
      To simplify this, FunctionExecutable now automatically extracts all the
      data it needs from the parsed node. The special "fromGlobalCode" path
      used by the function constructor creates an anonymous function, and then
      quirkily sets the value used by the .name property to be non-null, even
      though the parsed name is null.
      
      * runtime/JSNameScope.h:
      (JSC::JSNameScope::create):
      (JSC::JSNameScope::JSNameScope): Added support for explicitly specifying
      your container scope. The compiler uses this for named function expressions.
      
      LayoutTests: 
      
      Added coverage for some extra-tricky cases.
      
      * fast/js/named-function-expression-expected.txt:
      * fast/js/script-tests/named-function-expression.js:
      (shouldBeTrueWithDescription): I rolled my own shouldBeTrue() here to avoid the
      built-in shouldBe()'s eval scoping, which can change the variable
      resolution rules I'm trying to test.
      
      * inspector/debugger/debugger-expand-scope-expected.txt: Not sure why this
      result used to miss the function name scope, but the new result is a
      progression, so I've updated the expected results.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127698 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d9e96293
  13. 04 Sep, 2012 3 commits
    • commit-queue@webkit.org's avatar
      Allow the YarrJIT to use the assembler even when useJIT() is false. · 2793046c
      commit-queue@webkit.org authored
      Introduce the useYarrJIT() option.
      https://bugs.webkit.org/show_bug.cgi?id=95809.
      
      Patch by Mark Lam <mark.lam@apple.com> on 2012-09-04
      Reviewed by Geoffrey Garen.
      
      * runtime/JSGlobalData.cpp:
      (JSC::enableAssembler):
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      * runtime/Options.h:
      (JSC):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127554 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      2793046c
    • benjamin@webkit.org's avatar
      Improve JSC use of Strings after the UString->String change · 762e2c65
      benjamin@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=95633
      
      Patch by Benjamin Poulain <bpoulain@apple.com> on 2012-09-04
      Reviewed by Geoffrey Garen.
      
      This patch improve the use of strings in the JSC runtime.
      
      The initialization of Identifier is left for future patches.
      
      The improvements are the following:
      -5% faster to raise one of the modified exception.
      -3 times faster to execute Boolean::toString()
      
      Most of the changes are just about using the new methods
      for string literals.
      
      With the changes, the binary on x86_64 gets 176 bytes smaller.
      
      * API/JSCallbackObjectFunctions.h:
      (JSC::::staticFunctionGetter):
      (JSC::::callbackGetter):
      * API/JSContextRef.cpp:
      (JSContextCreateBacktrace):
      * API/JSObjectRef.cpp:
      (JSObjectMakeFunctionWithCallback):
      * bytecode/CodeBlock.cpp:
      (JSC::valueToSourceString):
      (JSC::CodeBlock::nameForRegister):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::addStackTraceIfNecessary):
      * runtime/ArrayConstructor.cpp:
      (JSC::constructArrayWithSizeQuirk):
      * runtime/ArrayPrototype.cpp:
      (JSC::shift):
      (JSC::unshift):
      (JSC::arrayProtoFuncPop):
      (JSC::arrayProtoFuncReverse):
      * runtime/BooleanPrototype.cpp:
      (JSC::booleanProtoFuncToString): Instead of instanciating new strings, reuse the
      keywords available in SmallStrings. Avoiding the creation of the JSString and StringImpl
      makes the method significantly faster.
      
      * runtime/DateConversion.cpp:
      (JSC::formatDateTime):
      * runtime/DatePrototype.cpp:
      (JSC::formatLocaleDate):
      (JSC::formateDateInstance):
      (JSC::dateProtoFuncToISOString):
      Change the way we use snprintf() for clarity and performance.
      
      Instead of allocating one extra byte to put a zero "just in case", we use the size returned
      by snprintf().
      To prevent any overflow from a programming mistake, we explicitely test for overflow and
      return an empty string.
      
      (JSC::dateProtoFuncToJSON):
      * runtime/Error.cpp:
      (JSC::createNotEnoughArgumentsError):
      (JSC::throwTypeError):
      (JSC::throwSyntaxError):
      * runtime/Error.h:
      (JSC::StrictModeTypeErrorFunction::create):
      * runtime/ErrorPrototype.cpp:
      (JSC::ErrorPrototype::finishCreation):
      (JSC::errorProtoFuncToString):
      Using a null String is correct because (8) uses jsString(), (9) tests for a length of 0.
      
      * runtime/ExceptionHelpers.cpp:
      (JSC::InterruptedExecutionError::defaultValue):
      (JSC::TerminatedExecutionError::defaultValue):
      (JSC::createStackOverflowError):
      (JSC::createOutOfMemoryError):
      * runtime/Executable.cpp:
      (JSC::EvalExecutable::compileInternal):
      (JSC::FunctionExecutable::paramString):
      * runtime/FunctionConstructor.cpp:
      (JSC::constructFunction):
      (JSC::constructFunctionSkippingEvalEnabledCheck):
      * runtime/FunctionPrototype.h:
      (JSC::FunctionPrototype::create):
      Using a null String for the name is correct because InternalFunction uses jsString()
      to create the name value.
      
      * runtime/InternalFunction.cpp:
      (JSC::InternalFunction::finishCreation):
      There is no need to create an empty string for a null string, jsString() handle both
      cases as empty JSString.
      
      * runtime/JSArray.cpp:
      (JSC::reject):
      (JSC::SparseArrayValueMap::put):
      (JSC::JSArray::put):
      (JSC::JSArray::putByIndexBeyondVectorLength):
      (JSC::JSArray::putDirectIndexBeyondVectorLength):
      (JSC::JSArray::setLength):
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::finishCreation): Same issue as InternalFunction::finishCreation.
      
      (JSC::JSFunction::callerGetter):
      (JSC::JSFunction::defineOwnProperty):
      * runtime/JSGlobalData.cpp:
      (JSC::enableAssembler): Use CFSTR() instead of CFStringCreateWithCString().
      CFStringCreateWithCString() copy the content and may choose to decode the data.
      CFSTR() is much more efficient.
      
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      JSFunction uses jsString() to create the name, we can use null strings instead
      of creating empty strings.
      
      (JSC::JSGlobalObject::createThrowTypeError): ditto.
      * runtime/JSGlobalObjectFunctions.cpp:
      (JSC::encode):
      (JSC::decode):
      (JSC::globalFuncEval):
      * runtime/JSONObject.cpp:
      (JSC::Stringifier::appendStringifiedValue):
      (JSC::Stringifier::Holder::appendNextProperty):
      (JSC::JSONProtoFuncParse):
      (JSC::JSONProtoFuncStringify):
      * runtime/JSObject.cpp:
      (JSC::JSObject::put):
      (JSC::JSObject::defaultValue):
      (JSC::JSObject::hasInstance):
      (JSC::JSObject::defineOwnProperty):
      * runtime/JSString.cpp:
      Return an empty JSString to avoid the creation of a temporary empty String.
      
      (JSC::JSRopeString::getIndexSlowCase):
      * runtime/JSString.h:
      (JSC): Remove the versions of jsNontrivialString() taking a char*. All the callers
      have been replaced by calls using ASCIILiteral.
      
      * runtime/JSValue.cpp:
      (JSC::JSValue::putToPrimitive):
      * runtime/LiteralParser.cpp:
      (JSC::::Lexer::lex):
      (JSC::::Lexer::lexString):
      (JSC::::Lexer::lexNumber):
      (JSC::::parse):
      * runtime/LiteralParser.h:
      (JSC::LiteralParser::getErrorMessage):
      * runtime/NumberPrototype.cpp:
      (JSC::numberProtoFuncToExponential):
      (JSC::numberProtoFuncToFixed):
      (JSC::numberProtoFuncToPrecision):
      (JSC::numberProtoFuncToString):
      * runtime/ObjectConstructor.cpp:
      (JSC::objectConstructorGetPrototypeOf):
      (JSC::objectConstructorGetOwnPropertyDescriptor):
      (JSC::objectConstructorGetOwnPropertyNames):
      (JSC::objectConstructorKeys):
      (JSC::toPropertyDescriptor):
      (JSC::objectConstructorDefineProperty):
      (JSC::objectConstructorDefineProperties):
      (JSC::objectConstructorCreate):
      (JSC::objectConstructorSeal):
      (JSC::objectConstructorFreeze):
      (JSC::objectConstructorPreventExtensions):
      (JSC::objectConstructorIsSealed):
      (JSC::objectConstructorIsFrozen):
      (JSC::objectConstructorIsExtensible):
      * runtime/ObjectPrototype.cpp:
      (JSC::objectProtoFuncDefineGetter):
      (JSC::objectProtoFuncDefineSetter):
      (JSC::objectProtoFuncToString):
      * runtime/RegExpConstructor.cpp:
      (JSC::constructRegExp):
      * runtime/RegExpObject.cpp:
      (JSC::reject):
      (JSC::regExpObjectSource):
      * runtime/RegExpPrototype.cpp:
      (JSC::regExpProtoFuncCompile):
      * runtime/StringObject.cpp:
      (JSC::StringObject::defineOwnProperty):
      * runtime/StringPrototype.cpp:
      (JSC::jsSpliceSubstrings):
      (JSC::jsSpliceSubstringsWithSeparators):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127505 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      762e2c65
    • zoltan@webkit.org's avatar
      Extend the coverage of the Custom Allocation Framework in WTF and in JavaScriptCore · c6395da1
      zoltan@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=95737
      
      Reviewed by Eric Seidel.
      
      Add WTF_MAKE_FAST_ALLOCATED macro to the following class declarations because these are instantiated by operator new.
      
      Source/JavaScriptCore:
      
      * wtf/CryptographicallyRandomNumber.cpp: CryptographicallyRandomNumber is instantiated at wtf/CryptographicallyRandomNumber.cpp:162.
      
      * heap/MachineStackMarker.cpp:
      (MachineThreads::Thread): Thread is instantiated at heap/MachineStackMarker.cpp:196.
      * jit/ExecutableAllocatorFixedVMPool.cpp:
      (FixedVMPoolExecutableAllocator): FixedVMPoolExecutableAllocator is instantiated at jit/ExecutableAllocatorFixedVMPool.cpp:111
      * parser/SourceProviderCache.h:
      (SourceProviderCache): SourceProviderCache is instantiated at parser/SourceProvider.h:49.
      * parser/SourceProviderCacheItem.h:
      (SourceProviderCacheItem): SourceProviderCacheItem is instantiated at parser/Parser.cpp:843.
      * runtime/GCActivityCallback.h:
      (GCActivityCallback): GCActivityCallback is instantiated at runtime/GCActivityCallback.h:96.
      * tools/CodeProfile.h:
      (CodeProfile): CodeProfile is instantiated at JavaScriptCore/tools/CodeProfiling.cpp:140.
      
      Source/WTF:
      
      * wtf/CryptographicallyRandomNumber.cpp: CryptographicallyRandomNumber is instantiated at wtf/CryptographicallyRandomNumber.cpp:162.
      * wtf/MediaTime.h: MediaTime is instantiated at wtf/MediaTime.cpp:288.
      * wtf/MetaAllocator.h:
      (MetaAllocatorTracker): MetaAllocatorTracker is instantiated at JavaScriptCore/tools/CodeProfiling.cpp:120.
      * wtf/ThreadingPthreads.cpp:
      (PthreadState): PthreadState is instantiated at wtf/ThreadingPthreads.cpp:165.
      * wtf/text/AtomicString.cpp:
      (AtomicStringTable): AtomicStringTable is instantiated at wtf/text/AtomicString.cpp:43.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127484 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c6395da1
  14. 01 Sep, 2012 3 commits
    • ggaren@apple.com's avatar
      2012-09-01 Geoffrey Garen <ggaren@apple.com> · 15418b20
      ggaren@apple.com authored
              Rolled back out a piece of <http://trac.webkit.org/changeset/127293>
              because it broke inspector tests on Windows.
      
                  Shrink activation objects by half
                  https://bugs.webkit.org/show_bug.cgi?id=95591
      
                  Reviewed by Sam Weinig.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127376 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      15418b20
    • commit-queue@webkit.org's avatar
      LLInt C loop backend. · e13567fb
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=91052.
      
      Patch by Mark Lam <mark.lam@apple.com> on 2012-09-01
      Reviewed by Filip Pizlo.
      
      Source/JavaScriptCore:
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::bytecodeOffset):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::execute):
      (JSC::Interpreter::executeCall):
      (JSC::Interpreter::executeConstruct):
      (JSC):
      * interpreter/Interpreter.h:
      * jit/JITStubs.h:
      (JITStackFrame):
      (JSC):
      * llint/LLIntCLoop.cpp: Added.
      (JSC):
      (LLInt):
      (JSC::LLInt::CLoop::initialize):
      (JSC::LLInt::CLoop::catchRoutineFor):
      (JSC::LLInt::CLoop::hostCodeEntryFor):
      (JSC::LLInt::CLoop::jsCodeEntryWithArityCheckFor):
      (JSC::LLInt::CLoop::jsCodeEntryFor):
      * llint/LLIntCLoop.h: Added.
      (JSC):
      (LLInt):
      (CLoop):
      * llint/LLIntData.cpp:
      (JSC::LLInt::initialize):
      * llint/LLIntData.h:
      (JSC):
      * llint/LLIntOfflineAsmConfig.h:
      * llint/LLIntOpcode.h:
      * llint/LLIntThunks.cpp:
      (LLInt):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter.cpp:
      (LLInt):
      (JSC::LLInt::Ints2Double):
      (JSC):
      (JSC::CLoop::execute):
      * llint/LowLevelInterpreter.h:
      (JSC):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * offlineasm/asm.rb:
      * offlineasm/backends.rb:
      * offlineasm/cloop.rb: Added.
      * offlineasm/instructions.rb:
      * runtime/Executable.h:
      (ExecutableBase):
      (JSC::ExecutableBase::hostCodeEntryFor):
      (JSC::ExecutableBase::jsCodeEntryFor):
      (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
      (JSC::ExecutableBase::catchRoutineFor):
      (NativeExecutable):
      * runtime/JSValue.h:
      (JSC):
      (LLInt):
      (JSValue):
      * runtime/JSValueInlineMethods.h:
      (JSC):
      (JSC::JSValue::JSValue):
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      
      Source/WTF:
      
      Added configs for the llint C loop backend.
      
      * wtf/Platform.h:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127374 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      e13567fb
    • ggaren@apple.com's avatar
      Rolled back in a piece of <http://trac.webkit.org/changeset/127293>. · 570cd740
      ggaren@apple.com authored
                  Shrink activation objects by half
                  https://bugs.webkit.org/show_bug.cgi?id=95591
      
                  Reviewed by Sam Weinig.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127373 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      570cd740