1. 16 Sep, 2012 2 commits
  2. 14 Sep, 2012 3 commits
    • fpizlo@apple.com's avatar
      All of the things in SparseArrayValueMap should be out-of-line · 9cedb5d0
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96854
      
      Reviewed by Andy Estes.
      
      Those inline methods were buying us nothing.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * runtime/JSArray.cpp:
      * runtime/JSGlobalData.cpp:
      * runtime/JSObject.cpp:
      * runtime/RegExpMatchesArray.cpp:
      * runtime/SparseArrayValueMap.cpp:
      (JSC::SparseArrayValueMap::SparseArrayValueMap):
      (JSC):
      (JSC::SparseArrayValueMap::~SparseArrayValueMap):
      (JSC::SparseArrayValueMap::finishCreation):
      (JSC::SparseArrayValueMap::create):
      (JSC::SparseArrayValueMap::destroy):
      (JSC::SparseArrayValueMap::createStructure):
      (JSC::SparseArrayValueMap::add):
      (JSC::SparseArrayValueMap::putEntry):
      (JSC::SparseArrayValueMap::putDirect):
      (JSC::SparseArrayEntry::get):
      (JSC::SparseArrayEntry::getNonSparseMode):
      (JSC::SparseArrayValueMap::visitChildren):
      * runtime/SparseArrayValueMapInlineMethods.h: Removed.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128680 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9cedb5d0
    • commit-queue@webkit.org's avatar
      JSC should throw a more descriptive exception when blocking 'eval' via CSP. · 7415e10e
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=94331
      
      Patch by Mike West <mkwst@chromium.org> on 2012-09-14
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore:
      
      Unless explicitly whitelisted, the 'script-src' Content Security Policy
      directive blocks 'eval' and 'eval'-like constructs such as
      'new Function()'. When 'eval' is encountered in code, an 'EvalError' is
      thrown, but the associated message is poor: "Eval is disabled" doesn't
      give developers enough information about why their code isn't behaving
      as expected.
      
      This patch adds an 'errorMessage' parameter to the JavaScriptCore method
      used to disable 'eval'; ContentSecurityPolicy has the opportunity to
      pass in a more detailed and descriptive error that contains more context
      for the developer.
      
      * runtime/Executable.cpp:
      (JSC::EvalExecutable::compileInternal):
          Drop the hard-coded "Eval is disabled" error message in favor of
          reading the error message off the global object.
      * runtime/FunctionConstructor.cpp:
      (JSC::FunctionConstructor::getCallData):
          Drop the hard-coded "Function constructor is disabled" error message
          in favor of reading the error message off the global object.
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::evalEnabled):
          Making this accessor method const.
      (JSC::JSGlobalObject::evalDisabledErrorMessage):
          Accessor for the error message set via 'setEvalDisabled'.
      (JSC::JSGlobalObject::setEvalEnabled):
          Adding an 'errorMessage' parameter which is stored on the global
          object, and used when exceptions are thrown.
      
      Source/WebCore:
      
      Unless explicitly whitelisted, the 'script-src' Content Security Policy
      directive blocks 'eval' and 'eval'-like constructs such as
      'new Function()'. When 'eval' is encountered in code, an 'EvalError' is
      thrown, but the associated message is poor: "Eval is disabled" doesn't
      give developers enough information about why their code isn't behaving
      as expected.
      
      This patch adds an 'errorMessage' parameter to the JavaScriptCore method
      used to disable 'eval'; ContentSecurityPolicy has the opportunity to
      pass in a more detailed and descriptive error that contains more context
      for the developer.
      
      The new error message is tested by adjusting existing tests; nothing new
      is required.
      
      * bindings/js/ScriptController.cpp:
      (WebCore::ScriptController::initScript):
          Read the error message off the document's ContentSecurityPolicy.
      (WebCore::ScriptController::disableEval):
      * bindings/js/ScriptController.h:
      (ScriptController):
          Pipe the error message through to JSGlobalObject when disabling eval
      * bindings/js/WorkerScriptController.cpp:
      (WebCore::WorkerScriptController::disableEval):
      * bindings/js/WorkerScriptController.h:
      (WorkerScriptController):
          Pipe the error message through to JSGlobalObject when disabling eval
      * bindings/v8/ScriptController.cpp:
      (WebCore::ScriptController::disableEval):
      * bindings/v8/ScriptController.h:
      (ScriptController):
      * bindings/v8/WorkerScriptController.cpp:
      (WebCore::WorkerScriptController::disableEval):
      * bindings/v8/WorkerScriptController.h:
      (WorkerScriptController):
          Placeholder for V8 piping to be built in webk.it/94332.
      * dom/Document.cpp:
      (WebCore::Document::disableEval):
      * dom/Document.h:
      (Document):
      * dom/ScriptExecutionContext.h:
      (ScriptExecutionContext):
          Pipe the error message through to the ScriptController when
          disabling eval.
      * page/ContentSecurityPolicy.cpp:
      (WebCore::CSPDirectiveList::evalDisabledErrorMessage):
          Accessor for the error message that ought be displayed to developers
          when 'eval' used while disabled for a specific directive list.
      (WebCore::CSPDirectiveList::setEvalDisabledErrorMessage):
          Mutator for the error message that ought be displayed to developers
          when 'eval' used while disabled for a specific directive list.
      (CSPDirectiveList):
      (WebCore::CSPDirectiveList::create):
          Upon creation of a CSPDirectiveList, set the error message if the
          directive list disables 'eval'.
      (WebCore::ContentSecurityPolicy::didReceiveHeader):
          Pass the error message into ScriptExecutionContext::disableEval.
      (WebCore::ContentSecurityPolicy::evalDisabledErrorMessage):
          Public accessor for the policy's error message; walks the list of
          directive lists and returns the first error message found.
      (WebCore):
      * page/ContentSecurityPolicy.h:
      * workers/WorkerContext.cpp:
      (WebCore::WorkerContext::disableEval):
      * workers/WorkerContext.h:
      (WorkerContext):
          Pipe the error message through to the ScriptController when
          disabling eval.
      
      LayoutTests:
      
      * http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt:
      * http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe-expected.txt:
      * http/tests/security/contentSecurityPolicy/function-constructor-blocked-expected.txt:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128670 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      7415e10e
    • fpizlo@apple.com's avatar
      bbc homepage crashes immediately · c9f16125
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96812
      <rdar://problem/12081386>
      
      Reviewed by Oliver Hunt.
      
      If you use the old storage pointer to write to space you thought was newly allocated,
      you're going to have a bad time.
      
      * runtime/JSArray.cpp:
      (JSC::JSArray::unshiftCount):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128667 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c9f16125
  3. 13 Sep, 2012 2 commits
    • mhahnenberg@apple.com's avatar
      Rename forEachCell to forEachLiveCell · 4930320c
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96685
      
      Reviewed by Oliver Hunt.
      
      forEachCell actually only iterates over live cells. We should rename it to 
      reflect what it actually does. This is also helpful because we want to add a new 
      forEachCell that actually does iterate each and every cell in a MarkedBlock 
      regardless of whether or not it is live.
      
      * debugger/Debugger.cpp:
      (JSC::Debugger::recompileAllJSFunctions):
      * heap/Heap.cpp:
      (JSC::Heap::globalObjectCount):
      (JSC::Heap::objectTypeCounts):
      * heap/MarkedBlock.h:
      (MarkedBlock):
      (JSC::MarkedBlock::forEachLiveCell):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (JSC::MarkedSpace::forEachLiveCell):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::releaseExecutableMemory):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128498 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4930320c
    • loislo@chromium.org's avatar
      [Qt][Win] REGRESSION(r128400): It broke the build · 4ef04bfb
      loislo@chromium.org authored
      https://bugs.webkit.org/show_bug.cgi?id=96617
      
      Patch by Filip Pizlo <fpizlo@apple.com> on 2012-09-13
      Reviewed by Simon Hausmann.
      
      Source/JavaScriptCore:
      
      Changed "JSC::Array" to "JSC::ArrayClass" because it's not used often enough
      for the brevity to be beneficial, and because "Array" causes too much namespace
      pollution.
      
      * runtime/IndexingType.h:
      (JSC):
      * runtime/JSArray.cpp:
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sort):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      (JSC::JSArray::compactForSorting):
      * runtime/JSObject.cpp:
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::getOwnPropertyDescriptor):
      * runtime/JSObject.h:
      (JSC::JSObject::getArrayLength):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::inSparseIndexingMode):
      (JSC::JSObject::ensureArrayStorage):
      
      Source/WebCore:
      
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::createStructure):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128428 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4ef04bfb
  4. 12 Sep, 2012 2 commits
    • fpizlo@apple.com's avatar
      JSC should have property butterflies · d8dd0535
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=91933
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      This changes the JSC object model. Previously, all objects had fast lookup for
      named properties. Integer indexed properties were only fast if you used a
      JSArray. With this change, all objects have fast indexed properties. This is
      accomplished without any space overhead by using a bidirectional object layout,
      aka butterflies. Each JSObject has a m_butterfly pointer where previously it
      had a m_outOfLineStorage pointer. To the left of the location pointed to by
      m_butterfly, we place all named out-of-line properties. To the right, we place
      all indexed properties along with indexing meta-data. Though, some indexing
      meta-data is placed in the 8-byte word immediately left of the pointed-to
      location; this is in anticipation of the indexing meta-data being small enough
      in the common case that m_butterfly always points to the first indexed
      property.
              
      This is performance neutral, except on tests that use indexed properties on
      plain objects, where the speed-up is in excess of an order of magnitude.
              
      One notable aspect of what this change brings is that it allows indexing
      storage to morph over time. Currently this is only used to allow all non-array
      objects to start out without any indexed storage. But it could be used for
      some kinds of array type inference in the future.
      
      * API/JSCallbackObject.h:
      (JSCallbackObject):
      * API/JSCallbackObjectFunctions.h:
      (JSC::::getOwnPropertySlotByIndex):
      (JSC):
      (JSC::::getOwnNonIndexPropertyNames):
      * API/JSObjectRef.cpp:
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::arrayModeFromStructure):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitDirectPutById):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGAdjacencyList.h:
      (JSC::DFG::AdjacencyList::AdjacencyList):
      (AdjacencyList):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::fromObserved):
      (JSC::DFG::modeAlreadyChecked):
      (JSC::DFG::modeToString):
      * dfg/DFGArrayMode.h:
      (DFG):
      (JSC::DFG::modeUsesButterfly):
      (JSC::DFG::modeIsJSArray):
      (JSC::DFG::isInBoundsAccess):
      (JSC::DFG::modeSupportsLength):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::addNode):
      (FixupPhase):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::Node):
      (Node):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGOperations.cpp:
      (JSC::DFG::putByVal):
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::generateProtoChainAccessStub):
      (JSC::DFG::tryCacheGetByID):
      (JSC::DFG::tryBuildGetByIDList):
      (JSC::DFG::emitPutReplaceStub):
      (JSC::DFG::emitPutTransitionStub):
      (JSC::DFG::tryBuildPutByIdList):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
      (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureCheckHoistingPhase.cpp:
      (JSC::DFG::StructureCheckHoistingPhase::run):
      * heap/CopiedSpace.h:
      (CopiedSpace):
      * jit/JIT.h:
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject):
      (JSC::JIT::emitAllocateBasicStorage):
      (JSC::JIT::emitAllocateJSArray):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_new_array):
      (JSC::JIT::emitSlow_op_new_array):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::compileGetDirectOffset):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      (JSC::JIT::compilePutDirectOffset):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_put_by_val):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      (JSC::JIT::compilePutDirectOffset):
      (JSC::JIT::compileGetDirectOffset):
      (JSC::JIT::privateCompilePatchGetArrayLength):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jsc.cpp:
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/Arguments.cpp:
      (JSC::Arguments::deletePropertyByIndex):
      (JSC::Arguments::defineOwnProperty):
      * runtime/ArrayConstructor.cpp:
      * runtime/ArrayConventions.h: Added.
      (JSC):
      (JSC::isDenseEnoughForVector):
      (JSC::indexingHeaderForArray):
      (JSC::baseIndexingHeaderForArray):
      * runtime/ArrayPrototype.cpp:
      (JSC::ArrayPrototype::create):
      (JSC):
      (JSC::ArrayPrototype::ArrayPrototype):
      (JSC::arrayProtoFuncToString):
      (JSC::arrayProtoFuncJoin):
      (JSC::arrayProtoFuncSort):
      (JSC::arrayProtoFuncFilter):
      (JSC::arrayProtoFuncMap):
      (JSC::arrayProtoFuncEvery):
      (JSC::arrayProtoFuncForEach):
      (JSC::arrayProtoFuncSome):
      (JSC::arrayProtoFuncReduce):
      (JSC::arrayProtoFuncReduceRight):
      * runtime/ArrayPrototype.h:
      (ArrayPrototype):
      (JSC::ArrayPrototype::createStructure):
      * runtime/ArrayStorage.h: Added.
      (JSC):
      (ArrayStorage):
      (JSC::ArrayStorage::ArrayStorage):
      (JSC::ArrayStorage::from):
      (JSC::ArrayStorage::butterfly):
      (JSC::ArrayStorage::indexingHeader):
      (JSC::ArrayStorage::length):
      (JSC::ArrayStorage::setLength):
      (JSC::ArrayStorage::vectorLength):
      (JSC::ArrayStorage::setVectorLength):
      (JSC::ArrayStorage::copyHeaderFromDuringGC):
      (JSC::ArrayStorage::inSparseMode):
      (JSC::ArrayStorage::lengthOffset):
      (JSC::ArrayStorage::vectorLengthOffset):
      (JSC::ArrayStorage::numValuesInVectorOffset):
      (JSC::ArrayStorage::vectorOffset):
      (JSC::ArrayStorage::indexBiasOffset):
      (JSC::ArrayStorage::sparseMapOffset):
      (JSC::ArrayStorage::sizeFor):
      * runtime/Butterfly.h: Added.
      (JSC):
      (Butterfly):
      (JSC::Butterfly::Butterfly):
      (JSC::Butterfly::totalSize):
      (JSC::Butterfly::fromBase):
      (JSC::Butterfly::offsetOfIndexingHeader):
      (JSC::Butterfly::offsetOfPublicLength):
      (JSC::Butterfly::offsetOfVectorLength):
      (JSC::Butterfly::indexingHeader):
      (JSC::Butterfly::propertyStorage):
      (JSC::Butterfly::indexingPayload):
      (JSC::Butterfly::arrayStorage):
      (JSC::Butterfly::offsetOfPropertyStorage):
      (JSC::Butterfly::indexOfPropertyStorage):
      (JSC::Butterfly::base):
      * runtime/ButterflyInlineMethods.h: Added.
      (JSC):
      (JSC::Butterfly::createUninitialized):
      (JSC::Butterfly::create):
      (JSC::Butterfly::createUninitializedDuringCollection):
      (JSC::Butterfly::base):
      (JSC::Butterfly::growPropertyStorage):
      (JSC::Butterfly::growArrayRight):
      (JSC::Butterfly::resizeArray):
      (JSC::Butterfly::unshift):
      (JSC::Butterfly::shift):
      * runtime/ClassInfo.h:
      (MethodTable):
      (JSC):
      * runtime/IndexingHeader.h: Added.
      (JSC):
      (IndexingHeader):
      (JSC::IndexingHeader::offsetOfIndexingHeader):
      (JSC::IndexingHeader::offsetOfPublicLength):
      (JSC::IndexingHeader::offsetOfVectorLength):
      (JSC::IndexingHeader::IndexingHeader):
      (JSC::IndexingHeader::vectorLength):
      (JSC::IndexingHeader::setVectorLength):
      (JSC::IndexingHeader::publicLength):
      (JSC::IndexingHeader::setPublicLength):
      (JSC::IndexingHeader::from):
      (JSC::IndexingHeader::fromEndOf):
      (JSC::IndexingHeader::propertyStorage):
      (JSC::IndexingHeader::arrayStorage):
      (JSC::IndexingHeader::butterfly):
      * runtime/IndexingHeaderInlineMethods.h: Added.
      (JSC):
      (JSC::IndexingHeader::preCapacity):
      (JSC::IndexingHeader::indexingPayloadSizeInBytes):
      * runtime/IndexingType.h: Added.
      (JSC):
      (JSC::hasIndexingHeader):
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::JSActivation):
      (JSC::JSActivation::visitChildren):
      (JSC::JSActivation::getOwnNonIndexPropertyNames):
      * runtime/JSActivation.h:
      (JSActivation):
      (JSC::JSActivation::tearOff):
      * runtime/JSArray.cpp:
      (JSC):
      (JSC::createArrayButterflyInDictionaryIndexingMode):
      (JSC::JSArray::setLengthWritable):
      (JSC::JSArray::defineOwnProperty):
      (JSC::JSArray::getOwnPropertySlot):
      (JSC::JSArray::getOwnPropertyDescriptor):
      (JSC::JSArray::put):
      (JSC::JSArray::deleteProperty):
      (JSC::JSArray::getOwnNonIndexPropertyNames):
      (JSC::JSArray::unshiftCountSlowCase):
      (JSC::JSArray::setLength):
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      (JSC::JSArray::shiftCount):
      (JSC::JSArray::unshiftCount):
      (JSC::JSArray::sortNumeric):
      (JSC::JSArray::sort):
      (JSC::JSArray::fillArgList):
      (JSC::JSArray::copyToArguments):
      (JSC::JSArray::compactForSorting):
      * runtime/JSArray.h:
      (JSC):
      (JSArray):
      (JSC::JSArray::JSArray):
      (JSC::JSArray::length):
      (JSC::JSArray::createStructure):
      (JSC::JSArray::isLengthWritable):
      (JSC::createArrayButterfly):
      (JSC::JSArray::create):
      (JSC::JSArray::tryCreateUninitialized):
      * runtime/JSBoundFunction.cpp:
      (JSC::boundFunctionCall):
      (JSC::boundFunctionConstruct):
      (JSC::JSBoundFunction::finishCreation):
      * runtime/JSCell.cpp:
      (JSC::JSCell::getOwnNonIndexPropertyNames):
      (JSC):
      * runtime/JSCell.h:
      (JSCell):
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::getOwnPropertySlot):
      (JSC::JSFunction::getOwnPropertyDescriptor):
      (JSC::JSFunction::getOwnNonIndexPropertyNames):
      (JSC::JSFunction::defineOwnProperty):
      * runtime/JSFunction.h:
      (JSFunction):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSGlobalData):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      * runtime/JSONObject.cpp:
      (JSC::Stringifier::Holder::appendNextProperty):
      (JSC::Walker::walk):
      * runtime/JSObject.cpp:
      (JSC):
      (JSC::JSObject::visitButterfly):
      (JSC::JSObject::visitChildren):
      (JSC::JSFinalObject::visitChildren):
      (JSC::JSObject::getOwnPropertySlotByIndex):
      (JSC::JSObject::put):
      (JSC::JSObject::putByIndex):
      (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
      (JSC::JSObject::enterDictionaryIndexingMode):
      (JSC::JSObject::createArrayStorage):
      (JSC::JSObject::createInitialArrayStorage):
      (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
      (JSC::JSObject::putDirectAccessor):
      (JSC::JSObject::deleteProperty):
      (JSC::JSObject::deletePropertyByIndex):
      (JSC::JSObject::getOwnPropertyNames):
      (JSC::JSObject::getOwnNonIndexPropertyNames):
      (JSC::JSObject::preventExtensions):
      (JSC::JSObject::fillGetterPropertySlot):
      (JSC::JSObject::putIndexedDescriptor):
      (JSC::JSObject::defineOwnIndexedProperty):
      (JSC::JSObject::allocateSparseIndexMap):
      (JSC::JSObject::deallocateSparseIndexMap):
      (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
      (JSC::JSObject::putByIndexBeyondVectorLength):
      (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
      (JSC::JSObject::putDirectIndexBeyondVectorLength):
      (JSC::JSObject::getNewVectorLength):
      (JSC::JSObject::increaseVectorLength):
      (JSC::JSObject::checkIndexingConsistency):
      (JSC::JSObject::growOutOfLineStorage):
      (JSC::JSObject::getOwnPropertyDescriptor):
      (JSC::putDescriptor):
      (JSC::JSObject::putDirectMayBeIndex):
      (JSC::JSObject::defineOwnNonIndexProperty):
      (JSC::JSObject::defineOwnProperty):
      (JSC::JSObject::getOwnPropertySlotSlow):
      * runtime/JSObject.h:
      (JSC::JSObject::getArrayLength):
      (JSObject):
      (JSC::JSObject::getVectorLength):
      (JSC::JSObject::putDirectIndex):
      (JSC::JSObject::canGetIndexQuickly):
      (JSC::JSObject::getIndexQuickly):
      (JSC::JSObject::canSetIndexQuickly):
      (JSC::JSObject::setIndexQuickly):
      (JSC::JSObject::initializeIndex):
      (JSC::JSObject::completeInitialization):
      (JSC::JSObject::inSparseIndexingMode):
      (JSC::JSObject::butterfly):
      (JSC::JSObject::outOfLineStorage):
      (JSC::JSObject::offsetForLocation):
      (JSC::JSObject::indexingShouldBeSparse):
      (JSC::JSObject::butterflyOffset):
      (JSC::JSObject::butterflyAddress):
      (JSC::JSObject::arrayStorage):
      (JSC::JSObject::arrayStorageOrZero):
      (JSC::JSObject::ensureArrayStorage):
      (JSC::JSObject::checkIndexingConsistency):
      (JSC::JSNonFinalObject::JSNonFinalObject):
      (JSC):
      (JSC::JSObject::setButterfly):
      (JSC::JSObject::setButterflyWithoutChangingStructure):
      (JSC::JSObject::JSObject):
      (JSC::JSObject::inlineGetOwnPropertySlot):
      (JSC::JSObject::putDirectInternal):
      (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
      (JSC::JSObject::putDirectWithoutTransition):
      (JSC::offsetInButterfly):
      (JSC::offsetRelativeToPatchedStorage):
      (JSC::indexRelativeToBase):
      (JSC::offsetRelativeToBase):
      * runtime/JSPropertyNameIterator.cpp:
      (JSC::JSPropertyNameIterator::create):
      * runtime/JSSymbolTableObject.cpp:
      (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
      * runtime/JSSymbolTableObject.h:
      (JSSymbolTableObject):
      * runtime/JSTypeInfo.h:
      (JSC):
      (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
      (JSC::TypeInfo::overridesGetPropertyNames):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      * runtime/ObjectConstructor.cpp:
      * runtime/ObjectPrototype.cpp:
      (JSC::ObjectPrototype::ObjectPrototype):
      (JSC):
      * runtime/ObjectPrototype.h:
      (ObjectPrototype):
      * runtime/PropertyOffset.h:
      (JSC::offsetInOutOfLineStorage):
      * runtime/PropertyStorage.h: Added.
      (JSC):
      * runtime/PutDirectIndexMode.h: Added.
      (JSC):
      * runtime/RegExpMatchesArray.cpp:
      (JSC::RegExpMatchesArray::RegExpMatchesArray):
      (JSC):
      (JSC::RegExpMatchesArray::create):
      (JSC::RegExpMatchesArray::finishCreation):
      * runtime/RegExpMatchesArray.h:
      (RegExpMatchesArray):
      (JSC::RegExpMatchesArray::createStructure):
      * runtime/RegExpObject.cpp:
      (JSC::RegExpObject::getOwnNonIndexPropertyNames):
      * runtime/RegExpObject.h:
      (RegExpObject):
      * runtime/Reject.h: Added.
      (JSC):
      (JSC::reject):
      * runtime/SparseArrayValueMap.cpp: Added.
      (JSC):
      * runtime/SparseArrayValueMap.h: Added.
      (JSC):
      (SparseArrayEntry):
      (JSC::SparseArrayEntry::SparseArrayEntry):
      (SparseArrayValueMap):
      (JSC::SparseArrayValueMap::sparseMode):
      (JSC::SparseArrayValueMap::setSparseMode):
      (JSC::SparseArrayValueMap::lengthIsReadOnly):
      (JSC::SparseArrayValueMap::setLengthIsReadOnly):
      (JSC::SparseArrayValueMap::find):
      (JSC::SparseArrayValueMap::remove):
      (JSC::SparseArrayValueMap::notFound):
      (JSC::SparseArrayValueMap::isEmpty):
      (JSC::SparseArrayValueMap::contains):
      (JSC::SparseArrayValueMap::size):
      (JSC::SparseArrayValueMap::begin):
      (JSC::SparseArrayValueMap::end):
      * runtime/SparseArrayValueMapInlineMethods.h: Added.
      (JSC):
      (JSC::SparseArrayValueMap::SparseArrayValueMap):
      (JSC::SparseArrayValueMap::~SparseArrayValueMap):
      (JSC::SparseArrayValueMap::finishCreation):
      (JSC::SparseArrayValueMap::create):
      (JSC::SparseArrayValueMap::destroy):
      (JSC::SparseArrayValueMap::createStructure):
      (JSC::SparseArrayValueMap::add):
      (JSC::SparseArrayValueMap::putEntry):
      (JSC::SparseArrayValueMap::putDirect):
      (JSC::SparseArrayEntry::get):
      (JSC::SparseArrayEntry::getNonSparseMode):
      (JSC::SparseArrayValueMap::visitChildren):
      * runtime/StorageBarrier.h: Removed.
      * runtime/StringObject.cpp:
      (JSC::StringObject::putByIndex):
      (JSC):
      (JSC::StringObject::deletePropertyByIndex):
      * runtime/StringObject.h:
      (StringObject):
      * runtime/StringPrototype.cpp:
      * runtime/Structure.cpp:
      (JSC::Structure::Structure):
      (JSC::Structure::materializePropertyMap):
      (JSC::Structure::nonPropertyTransition):
      (JSC):
      * runtime/Structure.h:
      (Structure):
      (JSC::Structure::indexingType):
      (JSC::Structure::indexingTypeIncludingHistory):
      (JSC::Structure::indexingTypeOffset):
      (JSC::Structure::create):
      * runtime/StructureTransitionTable.h:
      (JSC):
      (JSC::toAttributes):
      (JSC::newIndexingType):
      (JSC::StructureTransitionTable::Hash::hash):
      * tests/mozilla/js1_6/Array/regress-304828.js:
      
      Source/WebCore: 
      
      Teach the DOM that to intercept get/put on indexed properties, you now have
      to override getOwnPropertySlotByIndex and putByIndex.
      
      No new tests because no new behavior. One test was rebased because indexed
      property iteration order now matches other engines (indexed properties always
      come first).
      
      * bindings/js/ArrayValue.cpp:
      (WebCore::ArrayValue::get):
      * bindings/js/JSBlobCustom.cpp:
      (WebCore::JSBlobConstructor::constructJSBlob):
      * bindings/js/JSCanvasRenderingContext2DCustom.cpp:
      (WebCore::JSCanvasRenderingContext2D::setWebkitLineDash):
      * bindings/js/JSDOMStringListCustom.cpp:
      (WebCore::toDOMStringList):
      * bindings/js/JSDOMStringMapCustom.cpp:
      (WebCore::JSDOMStringMap::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSDOMWindowCustom.cpp:
      (WebCore::JSDOMWindow::getOwnPropertySlot):
      (WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
      (WebCore):
      (WebCore::JSDOMWindow::putByIndex):
      (WebCore::JSDOMWindow::deletePropertyByIndex):
      * bindings/js/JSDOMWindowShell.cpp:
      (WebCore::JSDOMWindowShell::getOwnPropertySlotByIndex):
      (WebCore):
      (WebCore::JSDOMWindowShell::putByIndex):
      (WebCore::JSDOMWindowShell::deletePropertyByIndex):
      * bindings/js/JSDOMWindowShell.h:
      (JSDOMWindowShell):
      * bindings/js/JSHistoryCustom.cpp:
      (WebCore::JSHistory::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSInspectorFrontendHostCustom.cpp:
      (WebCore::populateContextMenuItems):
      * bindings/js/JSLocationCustom.cpp:
      (WebCore::JSLocation::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSStorageCustom.cpp:
      (WebCore::JSStorage::deletePropertyByIndex):
      (WebCore):
      * bindings/js/JSWebSocketCustom.cpp:
      (WebCore::JSWebSocketConstructor::constructJSWebSocket):
      * bindings/js/ScriptValue.cpp:
      (WebCore::jsToInspectorValue):
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneSerializer::serialize):
      * bindings/scripts/CodeGeneratorJS.pm:
      (GenerateHeader):
      (GenerateImplementation):
      * bridge/runtime_array.cpp:
      (JSC::RuntimeArray::RuntimeArray):
      * bridge/runtime_array.h:
      (JSC::RuntimeArray::createStructure):
      (RuntimeArray):
      
      LayoutTests: 
      
      Modify the JSON test to indicate that iterating over properties now returns
      indexed properties first. This is a behavior change that makes us more
      compliant with other implementations.
              
      Also check in new expected file for the edge cases of indexed property access
      with prototype accessors. This changeset introduces a known regression in that
      department, which is tracked here: https://bugs.webkit.org/show_bug.cgi?id=96596
      
      * fast/js/resources/JSON-stringify.js:
      * platform/mac/fast/js/primitive-property-access-edge-cases-expected.txt: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128400 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d8dd0535
    • ggaren@apple.com's avatar
      Don't allocate a backing store just for a function's name · 0030e138
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96468
      
      Reviewed by Oliver Hunt.
      
      Treat function.name like function.length etc., and use a custom getter.
      This saves space in closures.
      
      * debugger/DebuggerCallFrame.cpp:
      (JSC::DebuggerCallFrame::functionName):
      * debugger/DebuggerCallFrame.h:
      (DebuggerCallFrame): Updated for interface change.
      
      * runtime/Executable.h:
      (JSC::JSFunction::JSFunction): Do a little inlining.
      
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::finishCreation): Gone now. That's the point of the patch.
      
      (JSC::JSFunction::name):
      (JSC::JSFunction::displayName):
      (JSC::JSFunction::nameGetter):
      (JSC::JSFunction::getOwnPropertySlot):
      (JSC::JSFunction::getOwnPropertyDescriptor):
      (JSC::JSFunction::getOwnPropertyNames):
      (JSC::JSFunction::put):
      (JSC::JSFunction::deleteProperty):
      (JSC::JSFunction::defineOwnProperty): Added custom accessors for .name
      just like .length and others.
      
      * runtime/JSFunction.h:
      (JSC::JSFunction::create):
      (JSFunction): Updated for interface changes.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128265 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0030e138
  5. 11 Sep, 2012 1 commit
    • ggaren@apple.com's avatar
      JSActivation should inline allocate its registers, and eliminate · 06a8bb6e
      ggaren@apple.com authored
      'arguments' registers in the common case
      https://bugs.webkit.org/show_bug.cgi?id=96427
      
      Reviewed by Filip Pizlo.
      
      This cuts the size class for simple closures down to 64 bytes.
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator): Set the usesNonStrictEval
      flag, which is new. Use a more specific test for whether a function
      uses 'arguments', so we can avoid allocating, initializing, and tearing
      off those registers in the common case. Distinguish between capturing
      arguments and not, so we can avoid allocating space for arguments in
      the torn-off object.
      
      We can make this even more general in the future, with some bytecode
      generator refactoring.
      
      (JSC::BytecodeGenerator::resolve): Updated for new interface.
      
      * bytecompiler/BytecodeGenerator.h:
      (BytecodeGenerator):
      (JSC::BytecodeGenerator::symbolTable): Updated some types.
      
      * heap/Heap.cpp:
      (JSC::Heap::isValidAllocation): Allow large allocations, now that they
      are both supported and used.
      
      * heap/Heap.h:
      (Heap): Added a new form of allocateCell that specifies the full size
      of the allocation, to allow for extra space on the end.
      
      * interpreter/CallFrame.h:
      (JSC::ExecState::argumentOffset):
      (JSC::ExecState::argumentOffsetIncludingThis):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::unwindCallFrame): Refactored this code to be more
      specific about tearing off 'arguments' vs activations. This is something
      I forgot in my last patch, and it is required now that we can have
      acitvations without 'arguments' registers.
      
      * runtime/Arguments.h:
      (JSC::Arguments::setRegisters): No need for setRegisters anymore because
      the activation object's storage doesn't change.
      
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::JSActivation): Initialize our storage manually because
      it's not declared to the C++ compiler.
      
      (JSC::JSActivation::visitChildren): No copyAndAppend because our storage
      is not out-of-line anymore.
      
      (JSC::JSActivation::symbolTableGet):
      (JSC::JSActivation::symbolTablePut):
      (JSC::JSActivation::getOwnPropertyNames):
      (JSC::JSActivation::symbolTablePutWithAttributes):
      (JSC::JSActivation::getOwnPropertySlot):
      (JSC::JSActivation::getOwnPropertyDescriptor):
      (JSC::JSActivation::argumentsGetter): Refactored isTornOff() testing to
      avoid using a data member and to avoid hard-coding any offset assumptions.
      
      * runtime/JSActivation.h:
      (JSC):
      (JSActivation):
      (JSC::JSActivation::create):
      (JSC::JSActivation::isDynamicScope):
      (JSC::JSActivation::captureStart):
      (JSC::JSActivation::storageSize):
      (JSC::JSActivation::storageSizeInBytes):
      (JSC::JSActivation::registerOffset):
      (JSC::JSActivation::tearOff):
      (JSC::JSActivation::isTornOff):
      (JSC::JSActivation::storage):
      (JSC::JSActivation::allocationSize):
      (JSC::JSActivation::isValid): New helper functions for doing the math
      on our inline storage. Note that in the "AllOfTheThings" tear-off case,
      the number of things is not known at compile time, so we store the
      number in the argument count register. We can't just copy the raw contents
      of the register beacuse we need a value that is safe for precise marking,
      and the value in the register file has an invalid tag.
      
      * runtime/JSCell.h:
      (JSC::allocateCell): New function for allocating with extra storage
      on the end.
      
      * runtime/JSSymbolTableObject.h:
      (JSC::JSSymbolTableObject::JSSymbolTableObject):
      (JSC::JSSymbolTableObject::finishCreation):
      * runtime/JSVariableObject.h:
      (JSC::JSVariableObject::JSVariableObject):
      (JSVariableObject): Make it easier for subclasses to use their symbol
      tables during construction, by passing the table as a constructor argument.
      
      * runtime/SymbolTable.h:
      (JSC::SharedSymbolTable::usesNonStrictEval):
      (JSC::SharedSymbolTable::setUsesNonStrictEval):
      (SharedSymbolTable):
      (JSC::SharedSymbolTable::captureMode):
      (JSC::SharedSymbolTable::setCaptureMode):
      (JSC::SharedSymbolTable::captureStart):
      (JSC::SharedSymbolTable::setCaptureStart):
      (JSC::SharedSymbolTable::captureEnd):
      (JSC::SharedSymbolTable::setCaptureEnd):
      (JSC::SharedSymbolTable::parameterCountIncludingThis):
      (JSC::SharedSymbolTable::setParameterCountIncludingThis):
      (JSC::SharedSymbolTable::SharedSymbolTable): Added data members to more
      precisely describe what kind of capture is in play, and to avoid having
      data members in the activation. We expect N activations per symbol table,
      so this can be a big savings in heavy closure usage.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128260 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      06a8bb6e
  6. 10 Sep, 2012 4 commits
    • mhahnenberg@apple.com's avatar
      Remove m_classInfo from JSCell · bd52e3e5
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96311
      
      Reviewed by Oliver Hunt.
      
      Now that no one is using the ClassInfo in JSCell, we can remove it for the greater good. This is a 1.5% win on v8v7 and
      a 1.7% win on kraken, and is an overall performance progression.
      
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): Had to rearrange the order of when we take things off the free list
      and when we store the Structure in the object because we would clobber the free list otherwise. This made it not okay for
      the structure argument and the scratch register to alias one another. Also removed the store of the ClassInfo pointer in the
      object. Yay!
      (SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp: Since it's no longer okay for for the scratch register and structure register to alias
      one another as stated above, had to add an extra temporary for passing the Structure.
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp: Ditto.
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject): Similar changes to DFG's inline allocation except that it removed the object from
      the free list first, so no changes were necessary there.
      * llint/LowLevelInterpreter.asm: Change the constants for amount of inline storage to match PropertyOffset.h and remove
      the store of the ClassInfo pointer during inline allocation.
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSCell.h: Remove the m_classInfo field and associated methods.
      (JSCell):
      * runtime/JSObject.h:
      (JSObject):
      * runtime/PropertyOffset.h: Expand the number of inline storage properties to take up the extra space that we're freeing
      with the removal of the ClassInfo pointer.
      (JSC):
      * runtime/Structure.h:
      (JSC):
      (JSC::JSCell::JSCell):
      (JSC::JSCell::finishCreation):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128146 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      bd52e3e5
    • ggaren@apple.com's avatar
      Added large allocation support to MarkedSpace · 6159e5f9
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96214
      
      Originally reviewed by Oliver Hunt, then I added a design revision by
      suggested by Phil Pizlo.
      
      I expanded the imprecise size classes to cover up to 32KB, then added
      an mmap-based allocator for everything bigger. There's a lot of tuning
      we could do in these size classes, but currently they're almost
      completely unused, so I haven't done any tuning.
      
      Subtle point: the large allocator is a degenerate case of our free list
      logic. Its list only ever contains zero or one items.
      
      * heap/Heap.h:
      (JSC::Heap::allocateStructure): Pipe in size information.
      
      * heap/MarkedAllocator.cpp:
      (JSC::MarkedAllocator::tryAllocateHelper): Handle the case where we
      find a free item in the sweep list but the item isn't big enough. This
      can happen in the large allocator because it mixes sizes.
      
      (JSC::MarkedAllocator::tryAllocate):
      (JSC::MarkedAllocator::allocateSlowCase): More piping.
      
      (JSC::MarkedAllocator::allocateBlock): Handle the oversize case.
      
      (JSC::MarkedAllocator::addBlock): I moved the call to didAddBlock here
      because it made more sense.
      
      * heap/MarkedAllocator.h:
      (MarkedAllocator):
      (JSC::MarkedAllocator::allocate):
      * heap/MarkedSpace.cpp:
      (JSC::MarkedSpace::MarkedSpace):
      (JSC::MarkedSpace::resetAllocators):
      (JSC::MarkedSpace::canonicalizeCellLivenessData):
      (JSC::MarkedSpace::isPagedOut):
      (JSC::MarkedSpace::freeBlock):
      * heap/MarkedSpace.h:
      (MarkedSpace):
      (JSC::MarkedSpace::allocatorFor):
      (JSC::MarkedSpace::destructorAllocatorFor):
      (JSC::MarkedSpace::allocateWithoutDestructor):
      (JSC::MarkedSpace::allocateWithDestructor):
      (JSC::MarkedSpace::allocateStructure):
      (JSC::MarkedSpace::forEachBlock):
      * runtime/Structure.h:
      (JSC::Structure): More piping.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128141 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6159e5f9
    • mhahnenberg@apple.com's avatar
      Combine MarkStack and SlotVisitor into single class · a57e6716
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96043
      
      Reviewed by Geoff Garen.
      
      Move all of MarkStack into SlotVisitor. The remaining stuff in MarkStack.cpp actually has to do 
      with MarkStack management/allocation. Cleaned up a few of the header files while I was at it.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CodeBlock.cpp:
      * dfg/DFGCommon.h:
      * heap/GCThreadSharedData.cpp:
      * heap/GCThreadSharedData.h:
      (GCThreadSharedData):
      * heap/HeapRootVisitor.h:
      * heap/MarkStack.cpp:
      (JSC):
      * heap/MarkStack.h:
      (JSC):
      (MarkStackSegment):
      (JSC::MarkStackSegment::data):
      (JSC::MarkStackSegment::capacityFromSize):
      (JSC::MarkStackSegment::sizeFromCapacity):
      (MarkStackSegmentAllocator):
      (MarkStackArray):
      * heap/MarkStackInlineMethods.h:
      (JSC::MarkStackArray::postIncTop):
      (JSC):
      (JSC::MarkStackArray::preDecTop):
      (JSC::MarkStackArray::setTopForFullSegment):
      (JSC::MarkStackArray::setTopForEmptySegment):
      (JSC::MarkStackArray::top):
      (JSC::MarkStackArray::validatePrevious):
      (JSC::MarkStackArray::append):
      (JSC::MarkStackArray::canRemoveLast):
      (JSC::MarkStackArray::removeLast):
      (JSC::MarkStackArray::isEmpty):
      (JSC::MarkStackArray::size):
      * heap/SlotVisitor.cpp: Added.
      (JSC):
      (JSC::SlotVisitor::SlotVisitor):
      (JSC::SlotVisitor::~SlotVisitor):
      (JSC::SlotVisitor::setup):
      (JSC::SlotVisitor::reset):
      (JSC::SlotVisitor::append):
      (JSC::visitChildren):
      (JSC::SlotVisitor::donateKnownParallel):
      (JSC::SlotVisitor::drain):
      (JSC::SlotVisitor::drainFromShared):
      (JSC::SlotVisitor::mergeOpaqueRoots):
      (JSC::SlotVisitor::startCopying):
      (JSC::SlotVisitor::allocateNewSpaceSlow):
      (JSC::SlotVisitor::allocateNewSpaceOrPin):
      (JSC::JSString::tryHashConstLock):
      (JSC::JSString::releaseHashConstLock):
      (JSC::JSString::shouldTryHashConst):
      (JSC::SlotVisitor::internalAppend):
      (JSC::SlotVisitor::copyAndAppend):
      (JSC::SlotVisitor::doneCopying):
      (JSC::SlotVisitor::harvestWeakReferences):
      (JSC::SlotVisitor::finalizeUnconditionalFinalizers):
      (JSC::SlotVisitor::validate):
      * heap/SlotVisitor.h:
      (JSC):
      (SlotVisitor):
      (JSC::SlotVisitor::sharedData):
      (JSC::SlotVisitor::isEmpty):
      (JSC::SlotVisitor::visitCount):
      (JSC::SlotVisitor::resetChildCount):
      (JSC::SlotVisitor::childCount):
      (JSC::SlotVisitor::incrementChildCount):
      (ParallelModeEnabler):
      (JSC::ParallelModeEnabler::ParallelModeEnabler):
      (JSC::ParallelModeEnabler::~ParallelModeEnabler):
      * heap/SlotVisitorInlineMethods.h:
      (JSC::SlotVisitor::append):
      (JSC):
      (JSC::SlotVisitor::appendUnbarrieredPointer):
      (JSC::SlotVisitor::appendUnbarrieredValue):
      (JSC::SlotVisitor::internalAppend):
      (JSC::SlotVisitor::addWeakReferenceHarvester):
      (JSC::SlotVisitor::addUnconditionalFinalizer):
      (JSC::SlotVisitor::addOpaqueRoot):
      (JSC::SlotVisitor::containsOpaqueRoot):
      (JSC::SlotVisitor::opaqueRootCount):
      (JSC::SlotVisitor::mergeOpaqueRootsIfNecessary):
      (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable):
      (JSC::SlotVisitor::donate):
      (JSC::SlotVisitor::donateAndDrain):
      * jit/JITWriteBarrier.h:
      (JSC::SlotVisitor::append):
      * jit/JumpReplacementWatchpoint.cpp:
      * runtime/JSCell.h:
      * runtime/Structure.h:
      (JSC::SlotVisitor::internalAppend):
      * runtime/WriteBarrier.h:
      (JSC):
      (JSC::SlotVisitor::append):
      (JSC::SlotVisitor::appendValues):
      * yarr/YarrJIT.cpp:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128084 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a57e6716
    • commit-queue@webkit.org's avatar
      [EFL] JIT memory usage is not retrieved · c3f4dbdc
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=96095
      
      Patch by Hojong Han <hojong.han@samsung.com> on 2012-09-10
      Reviewed by Geoffrey Garen.
      
      Fill JITBytes for EFL port.
      
      * runtime/MemoryStatistics.cpp:
      (JSC::globalMemoryStatistics):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128071 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c3f4dbdc
  7. 07 Sep, 2012 2 commits
    • benjamin@webkit.org's avatar
      Rename the ustring() accessor to string() · c9b7a208
      benjamin@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=95919
      
      Patch by Benjamin Poulain <bpoulain@apple.com> on 2012-09-07
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      Rename ustring() to string() to make the accessor name more logical after
      r127191.
      
      * API/JSBase.cpp:
      (JSEvaluateScript):
      (JSCheckScriptSyntax):
      * API/JSObjectRef.cpp:
      (JSObjectMakeFunctionWithCallback):
      (JSObjectMakeFunction):
      (JSObjectCopyPropertyNames):
      * API/JSProfilerPrivate.cpp:
      (JSStartProfiling):
      (JSEndProfiling):
      * API/JSValueRef.cpp:
      (JSValueMakeString):
      (JSValueMakeFromJSONString):
      * API/OpaqueJSString.cpp:
      (OpaqueJSString::string):
      * API/OpaqueJSString.h:
      (OpaqueJSString):
      * bytecode/CodeBlock.cpp:
      (JSC::idName):
      (JSC::CodeBlock::dump):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::emitLoad):
      (JSC::BytecodeGenerator::addStringConstant):
      * bytecompiler/NodesCodegen.cpp:
      (JSC::RegExpNode::emitBytecode):
      (JSC::processClauseList):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::privateExecute):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jsc.cpp:
      (GlobalObject::addFunction):
      (GlobalObject::addConstructableFunction):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * parser/ASTBuilder.h:
      (JSC::ASTBuilder::createRegExp):
      * parser/Parser.cpp:
      (JSC::::parsePrimaryExpression):
      * parser/Parser.h:
      (JSC::Scope::declareVariable):
      (JSC::Scope::declareParameter):
      (JSC::Scope::useVariable):
      * parser/SyntaxChecker.h:
      (JSC::SyntaxChecker::createRegExp):
      * runtime/ExceptionHelpers.cpp:
      (JSC::createUndefinedVariableError):
      * runtime/Executable.cpp:
      (JSC::FunctionExecutable::paramString):
      * runtime/Executable.h:
      (JSC::FunctionExecutable::finishCreation):
      * runtime/FunctionPrototype.cpp:
      (JSC::FunctionPrototype::addFunctionProperties):
      * runtime/Identifier.h:
      (JSC::Identifier::string):
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::calculatedDisplayName):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      * runtime/JSONObject.cpp:
      (JSC::PropertyNameForFunctionCall::value):
      (JSC::Stringifier::Holder::appendNextProperty):
      (JSC::Walker::walk):
      * runtime/JSPropertyNameIterator.h:
      (JSC::JSPropertyNameIterator::finishCreation):
      * runtime/JSScope.cpp:
      (JSC::JSScope::resolveBase):
      * runtime/JSString.h:
      (JSC::inlineJSValueNotStringtoString):
      * runtime/LiteralParser.cpp:
      (JSC::::parse):
      * runtime/ObjectConstructor.cpp:
      (JSC::ObjectConstructor::finishCreation):
      (JSC::objectConstructorGetOwnPropertyNames):
      (JSC::objectConstructorKeys):
      * runtime/RegExpConstructor.cpp:
      (JSC::RegExpConstructor::finishCreation):
      
      Source/WebCore: 
      
      * bindings/js/Dictionary.cpp:
      (WebCore::Dictionary::getOwnPropertiesAsStringHashMap):
      (WebCore::Dictionary::getOwnPropertyNames):
      * bindings/js/SerializedScriptValue.cpp:
      Simplify a few String constructions which were still using type conversion
      through StringImpl.
      
      (WebCore::CloneSerializer::write):
      (WebCore::CloneDeserializer::CachedString::string):
      (WebCore::CloneDeserializer::readFile):
      (WebCore::CloneDeserializer::readTerminal):
      (WebCore::CloneDeserializer::deserialize):
      * bridge/NP_jsobject.cpp:
      (_NPN_Enumerate):
      
      Source/WebKit/efl: 
      
      * WebCoreSupport/DumpRenderTreeSupportEfl.cpp:
      (DumpRenderTreeSupportEfl::sendWebIntentResponse):
      (DumpRenderTreeSupportEfl::deliverWebIntent):
      Aslo update the code from the UString->String conversion through StringImpl.
      
      Source/WebKit/mac: 
      
      * Plugins/Hosted/NetscapePluginInstanceProxy.mm:
      (WebKit::NetscapePluginInstanceProxy::enumerate):
      
      Source/WebKit2: 
      
      * WebProcess/Plugins/Netscape/NPJSObject.cpp:
      (WebKit::NPJSObject::enumerate):
      
      Tools: 
      
      Update EFL's DRT.
      
      Fix some string conversion that have been made useless
      with recent changes.
      
      * DumpRenderTree/efl/EventSender.cpp:
      (keyPadNameFromJSValue):
      (keyNameFromJSValue):
      * DumpRenderTree/efl/TestRunnerEfl.cpp:
      (TestRunner::queueLoad):
      (TestRunner::addOriginAccessWhitelistEntry):
      (TestRunner::removeOriginAccessWhitelistEntry):
      (TestRunner::setUserStyleSheetLocation):
      (TestRunner::setValueForUser):
      (TestRunner::elementDoesAutoCompleteForElementWithId):
      (TestRunner::execCommand):
      (TestRunner::findString):
      (TestRunner::isCommandEnabled):
      (TestRunner::clearApplicationCacheForOrigin):
      (TestRunner::setDomainRelaxationForbiddenForURLScheme):
      (TestRunner::pauseAnimationAtTimeOnElementWithId):
      (TestRunner::pauseTransitionAtTimeOnElementWithId):
      (toInt):
      (TestRunner::overridePreference):
      (TestRunner::addUserScript):
      (TestRunner::addUserStyleSheet):
      (TestRunner::evaluateInWebInspector):
      (TestRunner::evaluateScriptInIsolatedWorld):
      (TestRunner::setTextDirection):
      * DumpRenderTree/efl/WorkQueueItemEfl.cpp:
      (LoadItem::invoke):
      (LoadHTMLStringItem::invoke):
      (ScriptItem::invoke):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127958 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c9b7a208
    • barraclough@apple.com's avatar
      Object.prototype.__define{G,S}etter__ with non-callable second parameter... · 885da322
      barraclough@apple.com authored
      Object.prototype.__define{G,S}etter__ with non-callable second parameter should throw TypeError instead of SyntaxError
      https://bugs.webkit.org/show_bug.cgi?id=93873
      
      Reviewed by Sam Weinig.
      
      Source/JavaScriptCore: 
      
      * runtime/ObjectPrototype.cpp:
      (JSC::objectProtoFuncDefineGetter):
          - throw TypeError instead of SyntaxError
      (JSC::objectProtoFuncDefineSetter):
          - throw TypeError instead of SyntaxError
      
      LayoutTests: 
      
      * fast/js/property-getters-and-setters-expected.txt:
          - updated results
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127930 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      885da322
  8. 06 Sep, 2012 6 commits
    • mhahnenberg@apple.com's avatar
      JSC should have a zombie mode · 66b96f28
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=96047
      
      Reviewed by Geoffrey Garen.
      
      To aid clients of JSC while they are debugging memory issues, we should add a zombie
      mode that scribbles into objects in the MarkedSpace after they are found to be dead
      to prevent a sort of "use after free" situation. As a first cut we should support a
      mode that just scribbles on objects prior to their being reused (i.e. while they are
      "zombies") and a mode in which, in addition to scribbling on zombies, once an object
      has been marked its mark bit will never be cleared, thus giving us "immortal" zombies.
      
      These two modes will be enabled through the use of environment variables. For now these
      will be "JSZombieEnabled" and "JSImmortalZombieEnabled". Setting them to any value will
      result in the use of the appropriate mode.
      
      * heap/Heap.cpp:
      (JSC::Heap::collect): Zombifies dead objects at the end of collection if zombie mode is enabled.
      (ZombifyCellFunctor):
      (JSC::ZombifyCellFunctor::ZombifyCellFunctor): Sets marked bits for dead objects if in immortal mode and writes 0xbbadbeef into them.
      (JSC::ZombifyCellFunctor::operator()):
      (JSC):
      (ZombifyBlockFunctor):
      (JSC::ZombifyBlockFunctor::operator()):
      (JSC::Heap::zombifyDeadObjects): Eagerly sweeps so that we don't write garbage into an object before it
      is finalized/destroyed.
      * heap/Heap.h:
      (Heap):
      * heap/MarkedBlock.h:
      (MarkedBlock):
      (JSC::MarkedBlock::forEachDeadCell): Used to iterate over dead cells at the end of collection if zombie mode is enabled.
      (JSC):
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      * runtime/Options.h:
      (JSC):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127829 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      66b96f28
    • ggaren@apple.com's avatar
      Source/JavaScriptCore: Rolled back in <http://trac.webkit.org/changeset/127698> with a fix for · f820008c
      ggaren@apple.com authored
      fast/dom/HTMLScriptElement/script-reexecution-pretty-diff.html, which
      is to make sure that function declarations don't put their names in scope.
      
      Reviewed by Gavin Barraclough.
      
          Named functions should not allocate scope objects for their names
          https://bugs.webkit.org/show_bug.cgi?id=95659
      
          Reviewed by Oliver Hunt.
      
      LayoutTests: Rolled back in <http://trac.webkit.org/changeset/127698> with a fix for
      fast/dom/HTMLScriptElement/script-reexecution-pretty-diff.html.
      
      Added a more explicit test for the feature I broke in 
      fast/dom/HTMLScriptElement/script-reexecution-pretty-diff.html.
      
      Reviewed by Gavin Barraclough.
      
          Named functions should not allocate scope objects for their names
          https://bugs.webkit.org/show_bug.cgi?id=95659
      
          Reviewed by Oliver Hunt.
      
      * fast/dom/HTMLScriptElement/script-reexecution.html:
      * fast/js/function-name-is-in-scope-expected.txt: Added.
      * fast/js/function-name-is-in-scope.html: Added.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127810 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      f820008c
    • msaboff@apple.com's avatar
      16 bit JSRopeString up converts an 8 bit fibers to 16 bits during resolution · f25bc169
      msaboff@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=95810
      
      Reviewed by Benjamin Poulain.
      
      Source/JavaScriptCore: 
      
      Added 8 bit path that copies the contents of an 8 bit fiber to the 16 bit buffer
      when resolving a 16 bit rope.
      
      * runtime/JSString.cpp:
      (JSC::JSRopeString::resolveRopeSlowCase):
      
      Source/WTF: 
      
      New copy routine that takes an 8 bit source and a 16 bit destination.  Used when copying
      the contents of an 8 bit fiber to the 16 bit buffer when resolving a 16 bit rope.
      
      * wtf/text/StringImpl.h:
      (WTF::StringImpl::copyChars):
      (StringImpl):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127809 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      f25bc169
    • ggaren@apple.com's avatar
      Rolled out <http://trac.webkit.org/changeset/127698> because it broke · b6920873
      ggaren@apple.com authored
      fast/dom/HTMLScriptElement/script-reexecution-pretty-diff.html
      
          Named functions should not allocate scope objects for their names
          https://bugs.webkit.org/show_bug.cgi?id=95659
      
          Reviewed by Oliver Hunt.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127774 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      b6920873
    • commit-queue@webkit.org's avatar
      Renamed useYarrJIT() option to useRegExpJIT(). Also fixed regression in · 8a89a852
      commit-queue@webkit.org authored
      which inadvertantly allows the ASM llint to use the baseline JIT when
      useRegExpJIT() is true.
      https://bugs.webkit.org/show_bug.cgi?id=95918.
      
      Patch by Mark Lam <mark.lam@apple.com> on 2012-09-06
      Reviewed by Geoffrey Garen.
      
      * runtime/JSGlobalData.cpp:
      (JSC::enableAssembler):
      (JSC::JSGlobalData::JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSC::JSGlobalData::canUseJIT):
      (JSC::JSGlobalData::canUseRegExpJIT):
      (JSGlobalData):
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      * runtime/Options.h:
      (JSC):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127719 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      8a89a852
    • ggaren@apple.com's avatar
      Named functions should not allocate scope objects for their names · d9e96293
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=95659
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      In most cases, we can merge a function expression's name into its symbol
      table. This reduces memory footprint per closure from three objects
      (function + activation + name scope) to two (function + activation),
      speeds up closure allocation, and speeds up recursive calls.
      
      In the case of a named function expression that contains a non-strict
      eval, the rules are so bat-poop crazy that I don't know how to model
      them without an extra object. Since functions now default to not having
      such an object, this case needs to allocate the object on function
      entry.
      
      Therefore, this patch makes the slow case a bit slower so the fast case
      can be faster and more memory-efficient. (Note that the slow case already
      allocates an activation on entry, and until recently also allocated a
      scope chain node on entry, so adding one allocation on entry shouldn't
      break the bank.)
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::CodeBlock): Caught a missed initializer. No behavior change.
      
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::BytecodeGenerator): Put the callee in static scope
      during compilation so it doesn't need to be in dynamic scope at runtime.
      
      (JSC::BytecodeGenerator::resolveCallee):
      (JSC::BytecodeGenerator::addCallee): Helper functions for either statically
      resolving the callee or adding a dynamic scope that will resolve to it,
      depending on whether you're in the fast path.
      
      We move the callee into a var location if it's captured because activations
      prefer to have contiguous ranges of captured variables.
      
      * bytecompiler/BytecodeGenerator.h:
      (JSC::BytecodeGenerator::registerFor):
      (BytecodeGenerator):
      
      * dfg/DFGOperations.cpp:
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::privateExecute):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL): This is the point of the patch: remove
      one allocation in the case of a named function expression.
      
      * parser/Parser.cpp:
      (JSC::::Parser):
      * parser/Parser.h:
      (JSC::Scope::declareCallee):
      (Scope):
      (Parser):
      (JSC::parse):
      * runtime/Executable.cpp:
      (JSC::EvalExecutable::compileInternal):
      (JSC::ProgramExecutable::checkSyntax):
      (JSC::ProgramExecutable::compileInternal):
      (JSC::FunctionExecutable::produceCodeBlockFor):
      (JSC::FunctionExecutable::fromGlobalCode): Pipe the callee's name through
      the parser so we get accurate information on whether the callee was captured.
      
      (JSC::FunctionExecutable::FunctionExecutable):
      (JSC::EvalExecutable::compileInternal):
      (JSC::ProgramExecutable::checkSyntax):
      (JSC::ProgramExecutable::compileInternal):
      (JSC::FunctionExecutable::produceCodeBlockFor):
      (JSC::FunctionExecutable::fromGlobalCode):
      * runtime/Executable.h:
      (JSC::FunctionExecutable::create):
      (FunctionExecutable):
      (JSC::FunctionExecutable::finishCreation): I had to refactor function
      creation to support the following function constructor quirk: the function
      gets a name, but its name is not in lexical scope.
      
      To simplify this, FunctionExecutable now automatically extracts all the
      data it needs from the parsed node. The special "fromGlobalCode" path
      used by the function constructor creates an anonymous function, and then
      quirkily sets the value used by the .name property to be non-null, even
      though the parsed name is null.
      
      * runtime/JSNameScope.h:
      (JSC::JSNameScope::create):
      (JSC::JSNameScope::JSNameScope): Added support for explicitly specifying
      your container scope. The compiler uses this for named function expressions.
      
      LayoutTests: 
      
      Added coverage for some extra-tricky cases.
      
      * fast/js/named-function-expression-expected.txt:
      * fast/js/script-tests/named-function-expression.js:
      (shouldBeTrueWithDescription): I rolled my own shouldBeTrue() here to avoid the
      built-in shouldBe()'s eval scoping, which can change the variable
      resolution rules I'm trying to test.
      
      * inspector/debugger/debugger-expand-scope-expected.txt: Not sure why this
      result used to miss the function name scope, but the new result is a
      progression, so I've updated the expected results.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127698 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d9e96293
  9. 04 Sep, 2012 3 commits
    • commit-queue@webkit.org's avatar
      Allow the YarrJIT to use the assembler even when useJIT() is false. · 2793046c
      commit-queue@webkit.org authored
      Introduce the useYarrJIT() option.
      https://bugs.webkit.org/show_bug.cgi?id=95809.
      
      Patch by Mark Lam <mark.lam@apple.com> on 2012-09-04
      Reviewed by Geoffrey Garen.
      
      * runtime/JSGlobalData.cpp:
      (JSC::enableAssembler):
      * runtime/Options.cpp:
      (JSC::Options::initialize):
      * runtime/Options.h:
      (JSC):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127554 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      2793046c
    • benjamin@webkit.org's avatar
      Improve JSC use of Strings after the UString->String change · 762e2c65
      benjamin@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=95633
      
      Patch by Benjamin Poulain <bpoulain@apple.com> on 2012-09-04
      Reviewed by Geoffrey Garen.
      
      This patch improve the use of strings in the JSC runtime.
      
      The initialization of Identifier is left for future patches.
      
      The improvements are the following:
      -5% faster to raise one of the modified exception.
      -3 times faster to execute Boolean::toString()
      
      Most of the changes are just about using the new methods
      for string literals.
      
      With the changes, the binary on x86_64 gets 176 bytes smaller.
      
      * API/JSCallbackObjectFunctions.h:
      (JSC::::staticFunctionGetter):
      (JSC::::callbackGetter):
      * API/JSContextRef.cpp:
      (JSContextCreateBacktrace):
      * API/JSObjectRef.cpp:
      (JSObjectMakeFunctionWithCallback):
      * bytecode/CodeBlock.cpp:
      (JSC::valueToSourceString):
      (JSC::CodeBlock::nameForRegister):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::addStackTraceIfNecessary):
      * runtime/ArrayConstructor.cpp:
      (JSC::constructArrayWithSizeQuirk):
      * runtime/ArrayPrototype.cpp:
      (JSC::shift):
      (JSC::unshift):
      (JSC::arrayProtoFuncPop):
      (JSC::arrayProtoFuncReverse):
      * runtime/BooleanPrototype.cpp:
      (JSC::booleanProtoFuncToString): Instead of instanciating new strings, reuse the
      keywords available in SmallStrings. Avoiding the creation of the JSString and StringImpl
      makes the method significantly faster.
      
      * runtime/DateConversion.cpp:
      (JSC::formatDateTime):
      * runtime/DatePrototype.cpp:
      (JSC::formatLocaleDate):
      (JSC::formateDateInstance):
      (JSC::dateProtoFuncToISOString):
      Change the way we use snprintf() for clarity and performance.
      
      Instead of allocating one extra byte to put a zero "just in case", we use the size returned
      by snprintf().
      To prevent any overflow from a programming mistake, we explicitely test for overflow and
      return an empty string.
      
      (JSC::dateProtoFuncToJSON):
      * runtime/Error.cpp:
      (JSC::createNotEnoughArgumentsError):
      (JSC::throwTypeError):
      (JSC::throwSyntaxError):
      * runtime/Error.h:
      (JSC::StrictModeTypeErrorFunction::create):
      * runtime/ErrorPrototype.cpp:
      (JSC::ErrorPrototype::finishCreation):
      (JSC::errorProtoFuncToString):
      Using a null String is correct because (8) uses jsString(), (9) tests for a length of 0.
      
      * runtime/ExceptionHelpers.cpp:
      (JSC::InterruptedExecutionError::defaultValue):
      (JSC::TerminatedExecutionError::defaultValue):
      (JSC::createStackOverflowError):
      (JSC::createOutOfMemoryError):
      * runtime/Executable.cpp:
      (JSC::EvalExecutable::compileInternal):
      (JSC::FunctionExecutable::paramString):
      * runtime/FunctionConstructor.cpp:
      (JSC::constructFunction):
      (JSC::constructFunctionSkippingEvalEnabledCheck):
      * runtime/FunctionPrototype.h:
      (JSC::FunctionPrototype::create):
      Using a null String for the name is correct because InternalFunction uses jsString()
      to create the name value.
      
      * runtime/InternalFunction.cpp:
      (JSC::InternalFunction::finishCreation):
      There is no need to create an empty string for a null string, jsString() handle both
      cases as empty JSString.
      
      * runtime/JSArray.cpp:
      (JSC::reject):
      (JSC::SparseArrayValueMap::put):
      (JSC::JSArray::put):
      (JSC::JSArray::putByIndexBeyondVectorLength):
      (JSC::JSArray::putDirectIndexBeyondVectorLength):
      (JSC::JSArray::setLength):
      (JSC::JSArray::pop):
      (JSC::JSArray::push):
      * runtime/JSFunction.cpp:
      (JSC::JSFunction::finishCreation): Same issue as InternalFunction::finishCreation.
      
      (JSC::JSFunction::callerGetter):
      (JSC::JSFunction::defineOwnProperty):
      * runtime/JSGlobalData.cpp:
      (JSC::enableAssembler): Use CFSTR() instead of CFStringCreateWithCString().
      CFStringCreateWithCString() copy the content and may choose to decode the data.
      CFSTR() is much more efficient.
      
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      JSFunction uses jsString() to create the name, we can use null strings instead
      of creating empty strings.
      
      (JSC::JSGlobalObject::createThrowTypeError): ditto.
      * runtime/JSGlobalObjectFunctions.cpp:
      (JSC::encode):
      (JSC::decode):
      (JSC::globalFuncEval):
      * runtime/JSONObject.cpp:
      (JSC::Stringifier::appendStringifiedValue):
      (JSC::Stringifier::Holder::appendNextProperty):
      (JSC::JSONProtoFuncParse):
      (JSC::JSONProtoFuncStringify):
      * runtime/JSObject.cpp:
      (JSC::JSObject::put):
      (JSC::JSObject::defaultValue):
      (JSC::JSObject::hasInstance):
      (JSC::JSObject::defineOwnProperty):
      * runtime/JSString.cpp:
      Return an empty JSString to avoid the creation of a temporary empty String.
      
      (JSC::JSRopeString::getIndexSlowCase):
      * runtime/JSString.h:
      (JSC): Remove the versions of jsNontrivialString() taking a char*. All the callers
      have been replaced by calls using ASCIILiteral.
      
      * runtime/JSValue.cpp:
      (JSC::JSValue::putToPrimitive):
      * runtime/LiteralParser.cpp:
      (JSC::::Lexer::lex):
      (JSC::::Lexer::lexString):
      (JSC::::Lexer::lexNumber):
      (JSC::::parse):
      * runtime/LiteralParser.h:
      (JSC::LiteralParser::getErrorMessage):
      * runtime/NumberPrototype.cpp:
      (JSC::numberProtoFuncToExponential):
      (JSC::numberProtoFuncToFixed):
      (JSC::numberProtoFuncToPrecision):
      (JSC::numberProtoFuncToString):
      * runtime/ObjectConstructor.cpp:
      (JSC::objectConstructorGetPrototypeOf):
      (JSC::objectConstructorGetOwnPropertyDescriptor):
      (JSC::objectConstructorGetOwnPropertyNames):
      (JSC::objectConstructorKeys):
      (JSC::toPropertyDescriptor):
      (JSC::objectConstructorDefineProperty):
      (JSC::objectConstructorDefineProperties):
      (JSC::objectConstructorCreate):
      (JSC::objectConstructorSeal):
      (JSC::objectConstructorFreeze):
      (JSC::objectConstructorPreventExtensions):
      (JSC::objectConstructorIsSealed):
      (JSC::objectConstructorIsFrozen):
      (JSC::objectConstructorIsExtensible):
      * runtime/ObjectPrototype.cpp:
      (JSC::objectProtoFuncDefineGetter):
      (JSC::objectProtoFuncDefineSetter):
      (JSC::objectProtoFuncToString):
      * runtime/RegExpConstructor.cpp:
      (JSC::constructRegExp):
      * runtime/RegExpObject.cpp:
      (JSC::reject):
      (JSC::regExpObjectSource):
      * runtime/RegExpPrototype.cpp:
      (JSC::regExpProtoFuncCompile):
      * runtime/StringObject.cpp:
      (JSC::StringObject::defineOwnProperty):
      * runtime/StringPrototype.cpp:
      (JSC::jsSpliceSubstrings):
      (JSC::jsSpliceSubstringsWithSeparators):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127505 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      762e2c65
    • zoltan@webkit.org's avatar
      Extend the coverage of the Custom Allocation Framework in WTF and in JavaScriptCore · c6395da1
      zoltan@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=95737
      
      Reviewed by Eric Seidel.
      
      Add WTF_MAKE_FAST_ALLOCATED macro to the following class declarations because these are instantiated by operator new.
      
      Source/JavaScriptCore:
      
      * wtf/CryptographicallyRandomNumber.cpp: CryptographicallyRandomNumber is instantiated at wtf/CryptographicallyRandomNumber.cpp:162.
      
      * heap/MachineStackMarker.cpp:
      (MachineThreads::Thread): Thread is instantiated at heap/MachineStackMarker.cpp:196.
      * jit/ExecutableAllocatorFixedVMPool.cpp:
      (FixedVMPoolExecutableAllocator): FixedVMPoolExecutableAllocator is instantiated at jit/ExecutableAllocatorFixedVMPool.cpp:111
      * parser/SourceProviderCache.h:
      (SourceProviderCache): SourceProviderCache is instantiated at parser/SourceProvider.h:49.
      * parser/SourceProviderCacheItem.h:
      (SourceProviderCacheItem): SourceProviderCacheItem is instantiated at parser/Parser.cpp:843.
      * runtime/GCActivityCallback.h:
      (GCActivityCallback): GCActivityCallback is instantiated at runtime/GCActivityCallback.h:96.
      * tools/CodeProfile.h:
      (CodeProfile): CodeProfile is instantiated at JavaScriptCore/tools/CodeProfiling.cpp:140.
      
      Source/WTF:
      
      * wtf/CryptographicallyRandomNumber.cpp: CryptographicallyRandomNumber is instantiated at wtf/CryptographicallyRandomNumber.cpp:162.
      * wtf/MediaTime.h: MediaTime is instantiated at wtf/MediaTime.cpp:288.
      * wtf/MetaAllocator.h:
      (MetaAllocatorTracker): MetaAllocatorTracker is instantiated at JavaScriptCore/tools/CodeProfiling.cpp:120.
      * wtf/ThreadingPthreads.cpp:
      (PthreadState): PthreadState is instantiated at wtf/ThreadingPthreads.cpp:165.
      * wtf/text/AtomicString.cpp:
      (AtomicStringTable): AtomicStringTable is instantiated at wtf/text/AtomicString.cpp:43.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127484 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c6395da1
  10. 01 Sep, 2012 5 commits
  11. 31 Aug, 2012 7 commits
    • fpizlo@apple.com's avatar
      JSArray::putDirectIndex should by default behave like JSObject::putDirect · 3fbbc4f8
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=95630
      
      Reviewed by Gavin Barraclough.
      
      Source/JavaScriptCore: 
      
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::privateExecute):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * jsc.cpp:
      (GlobalObject::finishCreation):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * runtime/JSArray.cpp:
      (JSC::SparseArrayValueMap::putDirect):
      (JSC::JSArray::defineOwnNumericProperty):
      (JSC::JSArray::putDirectIndexBeyondVectorLength):
      * runtime/JSArray.h:
      (SparseArrayValueMap):
      (JSArray):
      (JSC::JSArray::putDirectIndex):
      * runtime/JSONObject.cpp:
      (JSC::Walker::walk):
      * runtime/RegExpMatchesArray.cpp:
      (JSC::RegExpMatchesArray::reifyAllProperties):
      (JSC::RegExpMatchesArray::reifyMatchProperty):
      * runtime/StringPrototype.cpp:
      (JSC::splitStringByOneCharacterImpl):
      (JSC::stringProtoFuncSplit):
      
      Source/WebCore: 
      
      No new tests because no change in behavior.
      
      * bindings/js/SerializedScriptValue.cpp:
      (WebCore::CloneDeserializer::putProperty):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127349 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      3fbbc4f8
    • ggaren@apple.com's avatar
      Rolled back in a piece of <http://trac.webkit.org/changeset/127293>. · a62184de
      ggaren@apple.com authored
          Shrink activation objects by half
          https://bugs.webkit.org/show_bug.cgi?id=95591
      
          Reviewed by Sam Weinig.
      
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSGlobalData):
      * runtime/JSNameScope.h:
      (JSC::JSNameScope::JSNameScope):
      * runtime/JSWithScope.h:
      (JSC::JSWithScope::JSWithScope):
      * runtime/StrictEvalActivation.cpp:
      (JSC::StrictEvalActivation::StrictEvalActivation):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127348 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      a62184de
    • ggaren@apple.com's avatar
      Rolled back in a piece of <http://trac.webkit.org/changeset/127293>. · 70aed69e
      ggaren@apple.com authored
          Shrink activation objects by half
          https://bugs.webkit.org/show_bug.cgi?id=95591
      
          Reviewed by Sam Weinig.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_resolve_global_dynamic):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::JSActivation):
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSGlobalData):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::reset):
      (JSC::JSGlobalObject::visitChildren):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::withScopeStructure):
      (JSC::JSGlobalObject::strictEvalActivationStructure):
      (JSC::JSGlobalObject::activationStructure):
      (JSC::JSGlobalObject::nameScopeStructure):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127345 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      70aed69e
    • ggaren@apple.com's avatar
      Rolled back in a piece of <http://trac.webkit.org/changeset/127293>. · d84288e5
      ggaren@apple.com authored
          Shrink activation objects by half
          https://bugs.webkit.org/show_bug.cgi?id=95591
      
          Reviewed by Sam Weinig.
      
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::MarkedBlock):
      * heap/MarkedBlock.h:
      (MarkedBlock):
      (JSC::MarkedBlock::globalData):
      (JSC):
      * heap/WeakSet.cpp:
      (JSC::WeakSet::addAllocator):
      * heap/WeakSet.h:
      (WeakSet):
      (JSC::WeakSet::WeakSet):
      (JSC::WeakSet::globalData):
      * runtime/JSGlobalData.h:
      (JSC::WeakSet::heap):
      (JSC):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127338 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d84288e5
    • commit-queue@webkit.org's avatar
      Refactor LLInt and supporting code in preparation for the C Loop backend. · eebad5de
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=95531.
      
      Patch by Mark Lam <mark.lam@apple.com> on 2012-08-31
      Reviewed by Filip Pizlo.
      
      * bytecode/GetByIdStatus.cpp:
      (JSC::GetByIdStatus::computeFromLLInt):
      * bytecode/PutByIdStatus.cpp:
      (JSC::PutByIdStatus::computeFromLLInt):
      * jit/JITExceptions.cpp:
      (JSC::genericThrow): Use ExecutableBase::catchRoutineFor() to fetch
          fetch the catch routine for a thrown exception.  This will allow
          us to redefine that for the C loop later, and still keep this
          code readable.
      * llint/LLIntOfflineAsmConfig.h: Moved ASM macros to
          LowLevelInterpreter.cpp which is the only place they are used. This
          will make it more convenient to redefine them for the C loop later.
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::setUpCall): Use ExecutableBase's hostCodeEntry()
          jsCodeEntryFor(), and jsCodeWithArityCheckEntryFor() for computing
          the entry points to functions being called.
      * llint/LLIntSlowPaths.h:
      (SlowPathReturnType):
      (JSC::LLInt::encodeResult):
      (LLInt):
      (JSC::LLInt::decodeResult): Added.  Needed by LLInt C Loop later.
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter.cpp:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * offlineasm/asm.rb: Disambiguate between opcodes and other labels.
      * offlineasm/config.rb:
      * runtime/Executable.h:
      (JSC::ExecutableBase::hostCodeEntryFor): Added.
      (ExecutableBase):
      (JSC::ExecutableBase::jsCodeEntryFor): Added.
      (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor): Added.
      (JSC::ExecutableBase::catchRoutineFor): Added.
      * runtime/JSValueInlineMethods.h:
      (JSC):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127333 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      eebad5de
    • ggaren@apple.com's avatar
      Not reviewed. · 1929b299
      ggaren@apple.com authored
      Rolled out http://trac.webkit.org/changeset/127293 because it broke
      inspector tests on Windows.
      
          Shrink activation objects by half
          https://bugs.webkit.org/show_bug.cgi?id=95591
      
          Reviewed by Sam Weinig.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127304 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1929b299
    • ggaren@apple.com's avatar
      Shrink activation objects by half · 0b44fca6
      ggaren@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=95591
      
      Reviewed by Sam Weinig.
      
      Removed the global object, global data, and global this pointers from
      JSScope, and changed an int to a bitfield. This gets the JSActivation
      class down to 64 bytes, which in practice cuts it in half by getting it
      out of the 128 byte size class.
      
      Now, it's one extra indirection to get these pointers. These pointers
      aren't accessed by JIT code, so I thought there would be no cost to the
      extra indirection. However, some C++-heavy SunSpider tests regressed a
      bit in an early version of the patch, which added even more indirection.
      This suggests that calls to exec->globalData() and/or exec->lexicalGlobalObject()
      are common and probably duplicated in lots of places, and could stand
      further optimization in C++.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute): Test against the specific activation
      for our global object, since there's no VM-shared activation structure
      anymore. This is guaranteed to have the same success rate as the old test
      because activation scope is fixed at compile time.
      
      * heap/MarkedBlock.cpp:
      (JSC::MarkedBlock::MarkedBlock):
      * heap/MarkedBlock.h:
      (JSC::MarkedBlock::globalData):
      * heap/WeakSet.cpp:
      (JSC::WeakSet::addAllocator):
      * heap/WeakSet.h:
      (WeakSet):
      (JSC::WeakSet::WeakSet):
      (JSC::WeakSet::globalData): Store a JSGlobalData* instead of a Heap*
      because JSGlobalData->Heap is just a constant fold in the addressing
      mode, while Heap->JSGlobalData is an extra pointer dereference. (These
      objects should eventually just merge.)
      
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_resolve_global_dynamic): See DFGAbstractState.cpp.
      
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm: Load the activation structure from
      the code block instead of the global data because the structure is not
      VM-shared anymore. (See DFGAbstractState.cpp.)
      
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::JSActivation):
      * runtime/JSActivation.h:
      (JSActivation): This is the point of the patch: Remove the data.
      
      * runtime/JSGlobalData.cpp:
      (JSC::JSGlobalData::JSGlobalData):
      * runtime/JSGlobalData.h:
      (JSGlobalData): No longer VM-shared. (See DFGAbstractState.cpp.)
      
      (JSC::WeakSet::heap): (See WeakSet.h.)
      
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::JSGlobalObject):
      (JSC::JSGlobalObject::setGlobalThis):
      (JSC::JSGlobalObject::reset):
      (JSC::JSGlobalObject::visitChildren):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::withScopeStructure):
      (JSC::JSGlobalObject::strictEvalActivationStructure):
      (JSC::JSGlobalObject::activationStructure):
      (JSC::JSGlobalObject::nameScopeStructure):
      (JSC::JSScope::globalThis):
      (JSC::JSGlobalObject::globalThis): Data that used to be in the JSScope
      class goes here now, so it's not duplicated across all activations.
      
      * runtime/JSNameScope.h:
      (JSC::JSNameScope::JSNameScope):
      * runtime/JSScope.cpp:
      (JSC::JSScope::visitChildren): This is the point of the patch: Remove the data.
      
      * runtime/JSScope.h:
      (JSScope):
      (JSC::JSScope::JSScope):
      (JSC::JSScope::globalObject):
      (JSC::JSScope::globalData):
      * runtime/JSSegmentedVariableObject.h:
      (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
      * runtime/JSSymbolTableObject.h:
      (JSC::JSSymbolTableObject::JSSymbolTableObject):
      * runtime/JSVariableObject.h:
      (JSC::JSVariableObject::JSVariableObject):
      * runtime/JSWithScope.h:
      (JSC::JSWithScope::JSWithScope):
      * runtime/StrictEvalActivation.cpp:
      (JSC::StrictEvalActivation::StrictEvalActivation): Simplified now that
      we don't need to pass so much data to JSScope.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127293 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0b44fca6
  12. 30 Aug, 2012 3 commits