1. 04 Dec, 2013 1 commit
    • Fold constant typed arrays · ee327c85
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=125205
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt and Mark Hahnenberg.
              
      If by some other mechanism we have a typed array access on a compile-time constant
      typed array pointer, then fold:
              
      - Array bounds checks. Specifically, fold the load of length.
              
      - Loading the vector.
              
      This needs to install a watchpoint on the array itself because of the possibility of
      neutering. Neutering is ridiculous. We do this without bloating the size of
      ArrayBuffer or JSArrayBufferView in the common case (i.e. the case where you
      allocated an array that didn't end up becoming a compile-time constant). To install
      the watchpoint, we slowDownAndWasteMemory and then create an incoming reference to
      the ArrayBuffer, where that incoming reference is from a watchpoint object. The
      ArrayBuffer already knows about such incoming references and can fire the
      watchpoints that way.
              
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * dfg/DFGDesiredWatchpoints.cpp:
      (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
      (JSC::DFG::DesiredWatchpoints::addLazily):
      * dfg/DFGDesiredWatchpoints.h:
      (JSC::DFG::GenericSetAdaptor::add):
      (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
      (JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
      (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
      (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
      (JSC::DFG::GenericDesiredWatchpoints::isStillValid):
      (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
      (JSC::DFG::DesiredWatchpoints::isStillValid):
      (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState):
      (JSC::DFG::DesiredWatchpoints::isValidOrMixed):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::tryGetFoldableView):
      * dfg/DFGGraph.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
      (JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGWatchpointCollectionPhase.cpp:
      (JSC::DFG::WatchpointCollectionPhase::handle):
      (JSC::DFG::WatchpointCollectionPhase::addLazily):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
      (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
      * runtime/ArrayBuffer.cpp:
      (JSC::ArrayBuffer::transfer):
      * runtime/ArrayBufferNeuteringWatchpoint.cpp: Added.
      (JSC::ArrayBufferNeuteringWatchpoint::ArrayBufferNeuteringWatchpoint):
      (JSC::ArrayBufferNeuteringWatchpoint::~ArrayBufferNeuteringWatchpoint):
      (JSC::ArrayBufferNeuteringWatchpoint::finishCreation):
      (JSC::ArrayBufferNeuteringWatchpoint::destroy):
      (JSC::ArrayBufferNeuteringWatchpoint::create):
      (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
      * runtime/ArrayBufferNeuteringWatchpoint.h: Added.
      (JSC::ArrayBufferNeuteringWatchpoint::set):
      * runtime/VM.cpp:
      (JSC::VM::VM):
      * runtime/VM.h:
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt and Mark Hahnenberg.
      
      * js/regress/fixed-typed-array-storage-expected.txt: Added.
      * js/regress/fixed-typed-array-storage-var-index-expected.txt: Added.
      * js/regress/fixed-typed-array-storage-var-index.html: Added.
      * js/regress/fixed-typed-array-storage.html: Added.
      * js/regress/script-tests/fixed-typed-array-storage-var-index.js: Added.
      (foo):
      * js/regress/script-tests/fixed-typed-array-storage.js: Added.
      (foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160150 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  2. 30 Nov, 2013 1 commit
    • Finally remove those DFG_ENABLE things · ecd97b0c
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=125025
      
      Rubber stamped by Sam Weinig.
              
      This removes a bunch of unused and untested insanity.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::tallyFrequentExitSites):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
      (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
      (JSC::DFG::ByteCodeParser::makeSafe):
      (JSC::DFG::ByteCodeParser::makeDivSafe):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::linkBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parseCodeBlock):
      (JSC::DFG::ByteCodeParser::parse):
      (JSC::DFG::parse):
      * dfg/DFGCFGSimplificationPhase.cpp:
      (JSC::DFG::CFGSimplificationPhase::run):
      (JSC::DFG::CFGSimplificationPhase::convertToJump):
      (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::endIndexForPureCSE):
      (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
      (JSC::DFG::CSEPhase::setReplacement):
      (JSC::DFG::CSEPhase::eliminate):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGCommon.h:
      (JSC::DFG::verboseCompilationEnabled):
      (JSC::DFG::logCompilationChanges):
      (JSC::DFG::shouldDumpGraphAtEachPhase):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::initialize):
      (JSC::DFG::InPlaceAbstractState::endBasicBlock):
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::compileBody):
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompilerCommon.cpp:
      (JSC::DFG::adjustAndJumpToTarget):
      * dfg/DFGPredictionInjectionPhase.cpp:
      (JSC::DFG::PredictionInjectionPhase::run):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::run):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::propagateForward):
      (JSC::DFG::PredictionPropagationPhase::propagateBackward):
      (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
      * dfg/DFGScoreBoard.h:
      (JSC::DFG::ScoreBoard::use):
      * dfg/DFGSlowPathGenerator.h:
      (JSC::DFG::SlowPathGenerator::generate):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
      (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
      (JSC::DFG::SpeculativeJIT::dump):
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGVariableEventStream.cpp:
      (JSC::DFG::VariableEventStream::reconstruct):
      * dfg/DFGVariableEventStream.h:
      (JSC::DFG::VariableEventStream::appendAndLog):
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      (JSC::DFG::VirtualRegisterAllocationPhase::run):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159886 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  3. 26 Nov, 2013 1 commit
    • Restructure global variable constant inference so that it could work for any kind of symbol table variable · 8646834a
      fpizlo@apple.com authored
      Restructure global variable constant inference so that it could work for any kind of symbol table variable
      https://bugs.webkit.org/show_bug.cgi?id=124760
      
      Reviewed by Oliver Hunt.
              
      This changes the way global variable constant inference works so that it can be reused
      for closure variable constant inference. Some of the premises that originally motivated
      this patch are somewhat wrong, but it led to some simplifications anyway and I suspect
      that we'll be able to fix those premises in the future. The main point of this patch is
      to make it easy to reuse global variable constant inference for closure variable
      constant inference, and this will be possible provided we can also either (a) infer
      one-shot closures (easy) or (b) infer closure variables that are always assigned prior
      to first use.
              
      One of the things that this patch is meant to enable is constant inference for closure
      variables that may be part of a multi-shot closure. Closure variables may be
      instantiated multiple times, like:
              
          function foo() {
              var WIDTH = 45;
              function bar() {
                  ... use WIDTH ...
              }
              ...
          }
              
      Even if foo() is called many times and WIDTH is assigned to multiple times, that
      doesn't change the fact that it's a constant. The goal of closure variable constant
      inference is to catch any case where a closure variable has been assigned at least once
      and its value has never changed. This patch doesn't implement that, but it does change
      global variable constant inference to have most of the powers needed to do that. Note
      that most likely we will use this functionality only to implement constant inference
      for one-shot closures, but the resulting machinery is still simpler than what we had
      before.
              
      This involves three changes:
              
          - The watchpoint object now contains the inferred value. This involves creating a
            new kind of watchpoint set, the VariableWatchpointSet. We will reuse this object
            for closure variables.
              
          - Writing to a variable that is watchpointed still involves these three states that
            we proceed through monotonically (Uninitialized->Initialized->Invalidated) but
            now, the Initialized->Invalidated state transition only happens if we change the
            variable's value, rather than store to the variable. Repeatedly storing the same
            value won't change the variable's state.
              
          - On 64-bit systems (the only systems on which we do concurrent JIT), you no longer
            need fancy fencing to get a consistent view of the watchpoint in the JIT. The
            state of the VariableWatchpointSet for the purposes of constant folding is
            entirely encapsulated in the VariableWatchpointSet::m_inferredValue. If that is
            JSValue() then you cannot fold (either because the set is uninitialized or
            because it's invalidated - doesn't matter which); on the other hand if the value
            is anything other than JSValue() then you can fold, and that's the value you fold
            to. Simple!
              
      This also changes the way that DFG IR deals with variable watchpoints. It's now
      oblivious to global variables. You install a watchpoint using VariableWatchpoint and
      you notify write using NotifyWrite. Easy!
              
      Note that this will require some more tweaks because of the fact that op_enter will
      store Undefined into every captured variable. Hence it won't even work for one-shot
      closures. One-shot closures are easily fixed by introducing another state (so we'll
      have Uninitialized->Undefined->Initialized->Invalidated). Multi-shot closures will
      require static analysis. One-shot closures are clearly a higher priority.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/Instruction.h:
      * bytecode/VariableWatchpointSet.h: Added.
      (JSC::VariableWatchpointSet::VariableWatchpointSet):
      (JSC::VariableWatchpointSet::~VariableWatchpointSet):
      (JSC::VariableWatchpointSet::inferredValue):
      (JSC::VariableWatchpointSet::notifyWrite):
      (JSC::VariableWatchpointSet::invalidate):
      (JSC::VariableWatchpointSet::finalizeUnconditionally):
      (JSC::VariableWatchpointSet::addressOfInferredValue):
      * bytecode/Watchpoint.h:
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasRegisterPointer):
      (JSC::DFG::Node::hasVariableWatchpointSet):
      (JSC::DFG::Node::variableWatchpointSet):
      * dfg/DFGNodeType.h:
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileArithMod):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGWatchpointCollectionPhase.cpp:
      (JSC::DFG::WatchpointCollectionPhase::handle):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
      * jit/JIT.h:
      * jit/JITOperations.h:
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emitNotifyWrite):
      (JSC::JIT::emitPutGlobalVar):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emitNotifyWrite):
      (JSC::JIT::emitPutGlobalVar):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::addGlobalVar):
      (JSC::JSGlobalObject::addFunction):
      * runtime/JSGlobalObject.h:
      * runtime/JSScope.h:
      (JSC::ResolveOp::ResolveOp):
      * runtime/JSSymbolTableObject.h:
      (JSC::symbolTablePut):
      (JSC::symbolTablePutWithAttributes):
      * runtime/SymbolTable.cpp:
      (JSC::SymbolTableEntry::inferredValue):
      (JSC::SymbolTableEntry::prepareToWatch):
      (JSC::SymbolTableEntry::addWatchpoint):
      (JSC::SymbolTableEntry::notifyWriteSlow):
      (JSC::SymbolTable::visitChildren):
      (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup):
      (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup):
      (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
      * runtime/SymbolTable.h:
      (JSC::SymbolTableEntry::watchpointSet):
      (JSC::SymbolTableEntry::notifyWrite):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159798 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  4. 24 Nov, 2013 1 commit
  5. 22 Nov, 2013 1 commit
    • CodeBlock::m_numCalleeRegisters shouldn't also mean frame size, frame size needed for exit, or any other unrelated things · 81bb8bb3
      fpizlo@apple.com authored
      CodeBlock::m_numCalleeRegisters shouldn't also mean frame size, frame size needed for exit, or any other unrelated things
      https://bugs.webkit.org/show_bug.cgi?id=124793
      
      Reviewed by Mark Hahnenberg.
              
      Now m_numCalleeRegisters always refers to the number of locals that the attached
      bytecode uses. It never means anything else.
              
      For frame size, we now have it lazily computed from m_numCalleeRegisters for the
      baseline engines and we have it stored in DFG::CommonData for the optimizing JITs.
              
      For frame-size-needed-at-exit, we store that in DFG::CommonData, too.
              
      The code no longer implies that there is any arithmetic relationship between
      m_numCalleeRegisters and frameSize. Previously it implied that the latter is greater
      than the former.
              
      The code no longer implies that there is any arithmetic relationship between the
      frame size and the frame-size-needed-at-exit. Previously it implied that the latter
      is greater than the former.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::frameRegisterCount):
      * bytecode/CodeBlock.h:
      * dfg/DFGCommonData.h:
      (JSC::DFG::CommonData::CommonData):
      (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::frameRegisterCount):
      (JSC::DFG::Graph::requiredRegisterCountForExit):
      (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
      * dfg/DFGGraph.h:
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::link):
      (JSC::DFG::JITCompiler::compileFunction):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      (JSC::DFG::VirtualRegisterAllocationPhase::run):
      * ftl/FTLLink.cpp:
      (JSC::FTL::link):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
      * ftl/FTLOSREntry.cpp:
      (JSC::FTL::prepareOSREntry):
      * interpreter/CallFrame.cpp:
      (JSC::CallFrame::frameExtentInternal):
      * interpreter/JSStackInlines.h:
      (JSC::JSStack::pushFrame):
      * jit/JIT.h:
      (JSC::JIT::frameRegisterCountFor):
      * jit/JITOperations.cpp:
      * llint/LLIntEntrypoint.cpp:
      (JSC::LLInt::frameRegisterCountFor):
      * llint/LLIntEntrypoint.h:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159721 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  6. 19 Nov, 2013 1 commit
    • Infer constant global variables · 33961712
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=124464
      
      Source/JavaScriptCore: 
      
      Reviewed by Sam Weinig.
              
      All global variables that are candidates for watchpoint-based constant inference (i.e.
      not 'const' variables) will now have WatchpointSet's associated with them and those
      are used to drive the inference by tracking three states of each variable:
              
      Uninitialized: the variable's value is Undefined and the WatchpointSet state is
          ClearWatchpoint.
              
      Initialized: the variable's value was set to something (could even be explicitly set
          to Undefined) and the WatchpointSet state is IsWatching.
              
      Invalidated: the variable's value was set to something else (could even be the same
          thing as before but the point is that a put operation did execute again) and the
          WatchpointSet is IsInvalidated.
              
      If the compiler tries to compile a GetGlobalVar and the WatchpointSet state is
      IsWatching, then the current value of the variable can be folded in place of the get,
      and a watchpoint on the variable can be registered.
              
      We handle race conditions between the mutator and compiler by mandating that:
              
      - The mutator changes the WatchpointSet state after executing the put.
              
      - There is no opportunity to install code or call functions between when the mutator
        executes a put and changes the WatchpointSet state.
              
      - The compiler checks the WatchpointSet state prior to reading the value.
              
      The concrete algorithm used by the mutator is:
              
          1. Store the new value into the variable.
          --- Execute a store-store fence.
          2. Bump the state (ClearWatchpoint becomes IsWatching, IsWatching becomes
             IsInvalidated); the IsWatching->IsInvalidated transition may end up firing
             watchpoints.
              
      The concrete algorithm that the compiler uses is:
              
          1. Load the state. If it's *not* IsWatching, then give up on constant inference.
          --- Execute a load-load fence.
          2. Load the value of the variable and use that for folding, while also registering
             a DesiredWatchpoint. The various parts of this step can be done in any order.
              
      The desired watchpoint registration will fail if the watchpoint set is already
      invalidated. Now consider the following interesting interleavings:
              
      Uninitialized->M1->M2->C1->C2: Compiler sees IsWatching because of the mutator's store
          operation, and the variable is folded. The fencing ensures that C2 sees the value
          stored in M1 - i.e. we fold on the value that will actually be watchpointed. If
          before the compilation is installed the mutator executes another store then we
          will be sure that it will be a complete sequence of M1+M2 since compilations get
          installed at safepoints and never "in the middle" of a put_to_scope. Hence that
          compilation installation will be invalidated. If the M1+M2 sequence happens after
          the code is installed, then the code will be invalidated by triggering a jettison.
              
      Uninitialized->M1->C1->C2->M2: Compiler sees Uninitialized and will not fold. This is
          a sensible outcome since if the compiler read the variable's value, it would have
          seen Undefined.
              
      Uninitialized->C1->C2->M1->M2: Compiler sees Uninitialized and will not fold.
      Uninitialized->C1->M1->C2->M2: Compiler sees Uninitialized and will not fold.
      Uninitialized->C1->M1->M2->C2: Compiler sees Uninitialized and will not fold.
      Uninitialized->M1->C1->M2->C2: Compiler sees Uninitialized and will not fold.
              
      IsWatched->M1->M2->C1->C2: Compiler sees IsInvalidated and will not fold.
              
      IsWatched->M1->C1->C2->M2: Compiler will fold, but will also register a desired
          watchpoint, and that watchpoint will get invalidated before the code is installed.
              
      IsWatched->M1->C1->M2->C2: As above, will fold but the code will get invalidated.
      IsWatched->C1->C2->M1->M2: As above, will fold but the code will get invalidated.
      IsWatched->C1->M1->C2->M2: As above, will fold but the code will get invalidated.
      IsWatched->C1->M1->M2->C2: As above, will fold but the code will get invalidated.
              
      Note that this kind of reasoning shows why having the mutator first bump the state and
      then store the new value would be wrong. If we had done that (M1 = bump state, M2 =
      execute put) then we could have the following deadly interleavings:
              
      Uninitialized->M1->C1->C2->M2:
      Uninitialized->M1->C1->M2->C2: Mutator bumps the state to IsWatched and then the
          compiler folds Undefined, since M2 hasn't executed yet. Although C2 will set the
          watchpoint, M1 didn't notify it - it merely initiated watching. M2 then stores a
          value other than Undefined, and you're toast.
              
      You could fix this sort of thing by making the Desired Watchpoints machinery more
      sophisticated, for example having it track the value that was folded; if the global
      variable's value was later found to be different then we could invalidate the
      compilation. You could also fix it by having the compiler also check that the value of
      the variable is not Undefined before folding. While those all sound great, I decided
      to instead just use the right interleaving since that results in less code and feels
      more intuitive.
              
      This is a 0.5% speed-up on SunSpider, mostly due to a 20% speed-up on math-cordic.
      It's a 0.6% slow-down on LongSpider, mostly due to a 25% slow-down on 3d-cube. This is
      because 3d-cube takes global variable assignment slow paths very often. Note that this
      3d-cube slow-down doesn't manifest as much in SunSpider (only 6% there). This patch is
      also a 1.5% speed-up on V8v7 and a 2.8% speed-up on Octane v1, mostly due to deltablue
      (3.7%), richards (4%), and mandreel (26%). This is a 2% speed-up on Kraken, mostly due
      to a 17.5% speed-up on imaging-gaussian-blur. Something that really illustrates the
      slam-dunk-itude of this patch is the wide range of speed-ups on JSRegress. Casual JS
      programming often leads to global-var-based idioms and those variables tend to be
      assigned once, leading to excellent constant folding opportunities in an optimizing
      JIT. This is very evident in the speed-ups on JSRegress.
      
      * assembler/ARM64Assembler.h:
      (JSC::ARM64Assembler::dmbSY):
      * assembler/ARMv7Assembler.h:
      (JSC::ARMv7Assembler::dmbSY):
      * assembler/MacroAssemblerARM64.h:
      (JSC::MacroAssemblerARM64::memfence):
      * assembler/MacroAssemblerARMv7.h:
      (JSC::MacroAssemblerARMv7::load8):
      (JSC::MacroAssemblerARMv7::memfence):
      * assembler/MacroAssemblerX86.h:
      (JSC::MacroAssemblerX86::load8):
      (JSC::MacroAssemblerX86::store8):
      * assembler/MacroAssemblerX86Common.h:
      (JSC::MacroAssemblerX86Common::getUnusedRegister):
      (JSC::MacroAssemblerX86Common::store8):
      (JSC::MacroAssemblerX86Common::memoryFence):
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::load8):
      (JSC::MacroAssemblerX86_64::store8):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::movb_rm):
      (JSC::X86Assembler::movzbl_mr):
      (JSC::X86Assembler::mfence):
      (JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
      (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::CodeBlock):
      * bytecode/Watchpoint.cpp:
      (JSC::WatchpointSet::WatchpointSet):
      (JSC::WatchpointSet::add):
      (JSC::WatchpointSet::notifyWriteSlow):
      * bytecode/Watchpoint.h:
      (JSC::WatchpointSet::state):
      (JSC::WatchpointSet::isStillValid):
      (JSC::WatchpointSet::addressOfSetIsNotEmpty):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getJSConstantForValue):
      (JSC::DFG::ByteCodeParser::getJSConstant):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::isStronglyProvedConstantIn):
      (JSC::DFG::Node::hasIdentifierNumberForCheck):
      (JSC::DFG::Node::hasRegisterPointer):
      * dfg/DFGNodeFlags.h:
      * dfg/DFGNodeType.h:
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileNotifyPutGlobalVar):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * ftl/FTLAbbreviatedTypes.h:
      * ftl/FTLAbbreviations.h:
      (JSC::FTL::buildFence):
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileNotifyPutGlobalVar):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::fence):
      * jit/JIT.h:
      * jit/JITOperations.h:
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emitPutGlobalVar):
      (JSC::JIT::emit_op_put_to_scope):
      (JSC::JIT::emitSlow_op_put_to_scope):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emitPutGlobalVar):
      (JSC::JIT::emit_op_put_to_scope):
      (JSC::JIT::emitSlow_op_put_to_scope):
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * llvm/LLVMAPIFunctions.h:
      * offlineasm/arm.rb:
      * offlineasm/arm64.rb:
      * offlineasm/cloop.rb:
      * offlineasm/instructions.rb:
      * offlineasm/x86.rb:
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::addGlobalVar):
      (JSC::JSGlobalObject::addFunction):
      * runtime/JSGlobalObject.h:
      (JSC::JSGlobalObject::addVar):
      (JSC::JSGlobalObject::addConst):
      * runtime/JSScope.cpp:
      (JSC::abstractAccess):
      * runtime/JSSymbolTableObject.h:
      (JSC::symbolTablePut):
      (JSC::symbolTablePutWithAttributes):
      * runtime/SymbolTable.cpp:
      (JSC::SymbolTableEntry::couldBeWatched):
      (JSC::SymbolTableEntry::prepareToWatch):
      (JSC::SymbolTableEntry::notifyWriteSlow):
      * runtime/SymbolTable.h:
      
      LayoutTests: 
      
      Reviewed by Sam Weinig.
      
      * js/regress/global-var-const-infer-expected.txt: Added.
      * js/regress/global-var-const-infer-fire-from-opt-expected.txt: Added.
      * js/regress/global-var-const-infer-fire-from-opt.html: Added.
      * js/regress/global-var-const-infer.html: Added.
      * js/regress/script-tests/global-var-const-infer-fire-from-opt.js: Added.
      (foo):
      (setA):
      (setB):
      (check):
      * js/regress/script-tests/global-var-const-infer.js: Added.
      (foo):
      (check):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159545 268f45cc-cd09-0410-ab3c-d52691b4dbfc
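The mutator/compiler interleaving argument in the "Infer constant global variables" commit message above can be checked mechanically. The following is an added example, not WebKit code: the `WatchpointSet` class, `run`, `interleavings` and `stale_folds` are this example's own names, the sample values (7 for an already-initialized variable, 42 for the new store) are constructed, and the model assumes every step is atomic and globally ordered, which is the guarantee the commit's store-store and load-load fences exist to provide. It enumerates all six orderings of M1, M2, C1, C2 from both starting states, for the shipped protocol (store, then bump state) and for the rejected one (bump state, then store), and reports any interleaving where the compiler trusts a folded value that no longer matches the variable.

```python
"""Exhaustively check the mutator/compiler interleavings for watchpoint-based
constant inference.  Added example, not WebKit code: the class and function
names are this example's own, and the sample values (7, 42) are constructed.
Each step is treated as atomic and globally ordered, which is what the
store-store / load-load fences in the commit message are there to guarantee."""
from itertools import permutations

UNDEFINED = "Undefined"
CLEAR, WATCHING, INVALIDATED = "ClearWatchpoint", "IsWatching", "IsInvalidated"


class WatchpointSet:
    """Monotonic three-state set: ClearWatchpoint -> IsWatching -> IsInvalidated."""

    def __init__(self, state):
        self.state = state
        self.fired = False  # IsWatching -> IsInvalidated fires registered watchpoints

    def notify_write(self):
        if self.state == CLEAR:
            self.state = WATCHING
        elif self.state == WATCHING:
            self.state = INVALIDATED
            self.fired = True

    def add_desired_watchpoint(self):
        """Desired-watchpoint registration fails once the set is invalidated."""
        return self.state != INVALIDATED


def run(initial_state, order, store_first=True, new_value=42):
    """Execute one interleaving and classify what the compiler ends up with.

    initial_state: CLEAR ("Uninitialized", value Undefined) or WATCHING
                   ("IsWatched", value already 7).
    order: the four events M1, M2, C1, C2 with M1 before M2 and C1 before C2.
    store_first: True for the shipped protocol (M1 = store, M2 = bump state);
                 False for the rejected one (M1 = bump state, M2 = store).
    """
    value = UNDEFINED if initial_state == CLEAR else 7
    ws = WatchpointSet(initial_state)
    gave_up, folded, registered = True, None, False
    mutator = {"M1": "store", "M2": "bump"} if store_first else {"M1": "bump", "M2": "store"}

    for step in order:
        action = mutator.get(step, step)
        if action == "store":
            value = new_value
        elif action == "bump":
            ws.notify_write()
        elif action == "C1":                    # compiler reads the state
            gave_up = ws.state != WATCHING
        elif action == "C2" and not gave_up:    # compiler reads the value, registers watchpoint
            folded = value
            registered = ws.add_desired_watchpoint()

    if folded is None:
        return "no fold"
    if not registered or ws.fired:
        return "fold invalidated"      # jettisoned before or after installation
    return "fold valid" if folded == value else "fold STALE"


def interleavings():
    """The six orderings of M1, M2, C1, C2 that keep M1 < M2 and C1 < C2."""
    return [p for p in permutations(("M1", "M2", "C1", "C2"))
            if p.index("M1") < p.index("M2") and p.index("C1") < p.index("C2")]


def stale_folds(store_first):
    """(initial state, interleaving) pairs where the compiler trusts a folded
    value that no longer matches the variable: the 'deadly' case."""
    return [(init, "->".join(o))
            for init in (CLEAR, WATCHING)
            for o in interleavings()
            if run(init, o, store_first) == "fold STALE"]


if __name__ == "__main__":
    for store_first in (True, False):
        print("store then bump:" if store_first else "bump then store:")
        for init in (CLEAR, WATCHING):
            for o in interleavings():
                print(f"  {init:15s} {'->'.join(o):18s} {run(init, o, store_first)}")
        print("  stale folds:", stale_folds(store_first))
```

With the shipped ordering the model reproduces the commit's table exactly: from Uninitialized only M1->M2->C1->C2 folds (and the folded value is the one being watched), and from IsWatched every fold is accompanied by a watchpoint that either fails to register or fires. With the rejected ordering the model flags Uninitialized->M1->C1->C2->M2: the compiler folds Undefined, the watchpoint registers successfully, and the later store never invalidates it. The commit lists Uninitialized->M1->C1->M2->C2 as deadly too; in this strictly sequential model C2 happens to read the stored value, which is timing luck that the real memory model does not promise and the commit rightly refuses to rely on.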
  7. 13 Nov, 2013 1 commit
    • Fix the ARM64 build after recent JavaScriptCore changes · 4f809911
      aestes@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=124315
      
      Reviewed by Michael Saboff.
      
      Based on patches by myself, Filip Pizlo, Benjamin Poulain, and Michael Saboff.
      
      * Configurations/JavaScriptCore.xcconfig: Hid the symbol for
      std::bad_function_call.
      * JavaScriptCore.xcodeproj/project.pbxproj: Marked
      MacroAssemblerARM64.h and ARM64Assembler.h as Private headers.
      * assembler/ARM64Assembler.h:
      (JSC::ARM64Assembler::executableOffsetFor):
      * assembler/MacroAssemblerARM64.h: Removed ARM64's executableCopy(),
      which was removed from other assembler backends in r157690.
      (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch): Added.
      (JSC::MacroAssemblerARM64::lshift64): Added.
      (JSC::MacroAssemblerARM64::mul64): Added.
      (JSC::MacroAssemblerARM64::rshift64): Added.
      (JSC::MacroAssemblerARM64::convertInt64ToDouble): Added.
      (JSC::MacroAssemblerARM64::branchMul64): Added.
      (JSC::MacroAssemblerARM64::branchNeg64): Added.
      (JSC::MacroAssemblerARM64::scratchRegisterForBlinding): Added.
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileArithDiv): Changed
      SpeculateIntegerOperand to SpeculateInt32Operand,
      nodeCanIgnoreNegativeZero() to bytecodeCanIgnoreNegativeZero(), and
      nodeUsedAsNumber() to bytecodeUsesAsNumber().
      (JSC::DFG::SpeculativeJIT::compileArithMod): Changed
      nodeCanIgnoreNegativeZero() to bytecodeCanIgnoreNegativeZero().
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159261 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  8. 11 Nov, 2013 1 commit
    • Get rid of the lastResultRegister optimization in the baseline JIT · 9a5ab80f
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=124171
      
      Rubber stamped by Mark Hahnenberg.
              
      The baseline JIT no longer needs amazing throughput. And this optimization has caused
      way too many OSR exit bugs. And it constrains how much we can do in the DFG/FTL. So,
      I'm getting rid of it.
      
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      (JSC::DFG::OSRExit::convertToForward):
      * dfg/DFGOSRExit.h:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::compileMovHint):
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      * dfg/DFGSpeculativeJIT.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
      (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
      (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
      (JSC::FTL::LowerDFGToLLVM::observeMovHint):
      * ftl/FTLOSRExit.cpp:
      (JSC::FTL::OSRExit::OSRExit):
      (JSC::FTL::OSRExit::convertToForward):
      * ftl/FTLOSRExit.h:
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * jit/JIT.cpp:
      (JSC::JIT::JIT):
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      * jit/JIT.h:
      (JSC::JIT::appendCall):
      * jit/JITArithmetic32_64.cpp:
      (JSC::JIT::emit_op_lshift):
      (JSC::JIT::emitRightShift):
      (JSC::JIT::emit_op_bitand):
      (JSC::JIT::emit_op_bitor):
      (JSC::JIT::emit_op_bitxor):
      (JSC::JIT::emit_op_inc):
      (JSC::JIT::emit_op_dec):
      * jit/JITCall.cpp:
      (JSC::JIT::emitPutCallResult):
      (JSC::JIT::compileLoadVarargs):
      * jit/JITInlines.h:
      (JSC::JIT::emitGetFromCallFrameHeaderPtr):
      (JSC::JIT::emitGetFromCallFrameHeader32):
      (JSC::JIT::emitGetFromCallFrameHeader64):
      (JSC::JIT::emitLoadTag):
      (JSC::JIT::emitLoadPayload):
      (JSC::JIT::emitLoad2):
      (JSC::JIT::emitGetVirtualRegister):
      (JSC::JIT::emitGetVirtualRegisters):
      (JSC::JIT::emitPutVirtualRegister):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_mov):
      (JSC::JIT::emit_op_catch):
      (JSC::JIT::emit_op_new_func):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_mov):
      (JSC::JIT::emit_op_to_primitive):
      (JSC::JIT::emit_op_to_number):
      (JSC::JIT::emit_op_catch):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_resolve_scope):
      (JSC::JIT::emit_op_get_from_scope):
      (JSC::JIT::emit_op_put_to_scope):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_val):
      (JSC::JIT::emit_op_get_by_id):
      (JSC::JIT::emit_op_get_by_pname):
      (JSC::JIT::emitResolveClosure):
      (JSC::JIT::emit_op_resolve_scope):
      (JSC::JIT::emit_op_get_from_scope):
      (JSC::JIT::emit_op_init_global_const):
      * jit/SlowPathCall.h:
      (JSC::JITSlowPathCall::call):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159091 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  9. 08 Nov, 2013 1 commit
  10. 06 Nov, 2013 1 commit
  11. 05 Nov, 2013 1 commit
  12. 04 Nov, 2013 2 commits
    • DFG CheckArray(String) should just be a Phantom(String:) · 97ef5780
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=123779
      
      Reviewed by Geoffrey Garen.
              
      This should be a speed-up since Phantom(String:) is smart enough to use the string
      structure. It should also be a simplification since CheckArray(String) was totally
      redundant.
              
      Also FixupPhase was assuming that it may see CheckArray's. That's wrong. It can
      create CheckArray's but it won't see them as input since no previous phase can
      create them.
      
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::checkArray):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::checkArray):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158644 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • JSArrayBufferViews of length 0 allocate 0 CopiedSpace bytes, which is invalid · 4c1fa6d3
      mhahnenberg@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=123746
      
      Reviewed by Geoffrey Garen.
      
      Source/JavaScriptCore: 
      
      This patch disallows clients from allocating 0 bytes in CopiedSpace. We enforce this invariant 
      with an ASSERT in C++ code and a breakpoint in JIT code. Clients who care about 0-byte 
      allocations (like JSArrayBufferViews) must handle that case themselves, but we don't punish 
      anybody else for the rare case that somebody decides to allocate a 0-length typed array. 
      It also makes the allocation and copying cases consistent for CopiedSpace: no 0-byte allocations, 
      no 0-byte copying.
       
      Also added a check so that JSArrayBufferViews don't try to copy their m_vector backing store when 
      their length is 0. Also sprinkled several ASSERTs throughout the JSArrayBufferView code to make sure that 
      when length is 0 m_vector is null.
      
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
      * heap/CopiedSpaceInlines.h:
      (JSC::CopiedSpace::tryAllocate):
      * runtime/ArrayBuffer.h:
      (JSC::ArrayBuffer::create):
      * runtime/JSArrayBufferView.cpp:
      (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
      * runtime/JSGenericTypedArrayViewInlines.h:
      (JSC::::visitChildren):
      (JSC::::copyBackingStore):
      (JSC::::slowDownAndWasteMemory):
      
      LayoutTests: 
      
      Added a test to make sure that we don't crash when allocating a typed array with 0 length.
      
      * js/script-tests/typedarray-zero-size.js: Added.
      (foo):
      * js/typedarray-zero-size-expected.txt: Added.
      * js/typedarray-zero-size.html: Added.
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158583 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  13. 30 Oct, 2013 1 commit
    • Add InvalidationPoints to the DFG and use them for all watchpoints · d84425d1
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=123472
      
      Reviewed by Mark Hahnenberg.
              
      This makes a fundamental change to how watchpoints work in the DFG.
              
      Previously, a watchpoint was an instruction whose execution semantics were something
      like:
              
          if (watchpoint->invalidated)
              exit
              
      We would implement this without any branch by using jump replacement.
              
      This is a very good optimization. But it's a bit awkward once you get a lot of
      watchpoints: semantically we will have lots of these branches in the code, which the
      compiler needs to reason about even though they don't actually result in any emitted
      code.
              
      Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
      be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
      called into again, but it would do nothing for CodeBlocks that were already on the
      stack.
              
      This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
      replacement has nothing to do with watchpoints; instead it's something that happens if
      you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
      all of the potential call-return safe-exit-points in a CodeBlock. We call these
      "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
      collect all of the watchpoint sets that the CodeBlock cares about, and then registering
      a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
      jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
      (because the entrypoint now points to baseline code) and can't be returned into
      (because returning exits to baseline before the next bytecode instruction).
              
      This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
      for jettison() to be used effectively for things like breakpointing and single-stepping
      in the debugger.
              
      Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
      can, at any time and for any reason, request that an optimized CodeBlock is rendered
      immediately invalid. You can use this for many cool things, I'm sure.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * assembler/AbstractMacroAssembler.h:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::jettison):
      * bytecode/CodeBlock.h:
      * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
      (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
      * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
      (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
      (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
      * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
      (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
      * dfg/DFGAbstractHeap.h:
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGClobberize.cpp:
      (JSC::DFG::writesOverlap):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
      (JSC::DFG::AbstractHeapOverlaps::operator()):
      (JSC::DFG::AbstractHeapOverlaps::result):
      * dfg/DFGCommonData.cpp:
      (JSC::DFG::CommonData::invalidate):
      * dfg/DFGCommonData.h:
      (JSC::DFG::CommonData::CommonData):
      * dfg/DFGDesiredWatchpoints.cpp:
      (JSC::DFG::DesiredWatchpoints::addLazily):
      (JSC::DFG::DesiredWatchpoints::reallyAdd):
      * dfg/DFGDesiredWatchpoints.h:
      (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
      (JSC::DFG::GenericDesiredWatchpoints::addLazily):
      (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
      (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
      (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
      (JSC::DFG::InvalidationPointInjectionPhase::run):
      (JSC::DFG::InvalidationPointInjectionPhase::handle):
      (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
      (JSC::DFG::performInvalidationPointInjection):
      * dfg/DFGInvalidationPointInjectionPhase.h: Added.
      * dfg/DFGJITCode.h:
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::linkOSRExits):
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGJITCompiler.h:
      * dfg/DFGJumpReplacement.cpp: Added.
      (JSC::DFG::JumpReplacement::fire):
      * dfg/DFGJumpReplacement.h: Added.
      (JSC::DFG::JumpReplacement::JumpReplacement):
      * dfg/DFGNodeType.h:
      * dfg/DFGOSRExitCompilationInfo.h:
      * dfg/DFGOperations.cpp:
      * dfg/DFGPlan.cpp:
      (JSC::DFG::Plan::compileInThreadImpl):
      (JSC::DFG::Plan::reallyAdd):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
      (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGWatchpointCollectionPhase.cpp: Added.
      (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
      (JSC::DFG::WatchpointCollectionPhase::run):
      (JSC::DFG::WatchpointCollectionPhase::handle):
      (JSC::DFG::WatchpointCollectionPhase::handleEdge):
      (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
      (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
      (JSC::DFG::WatchpointCollectionPhase::addLazily):
      (JSC::DFG::WatchpointCollectionPhase::globalObject):
      (JSC::DFG::performWatchpointCollection):
      * dfg/DFGWatchpointCollectionPhase.h: Added.
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
      (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
      (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
      (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
      (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
      (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
      * jit/JITOperations.cpp:
      * jit/JumpReplacementWatchpoint.cpp: Removed.
      * jit/JumpReplacementWatchpoint.h: Removed.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158304 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  14. 28 Oct, 2013 2 commits
    • OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo · e8af48ca
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=123423
      
      Reviewed by Mark Hahnenberg.
              
      Also enable ExitKind to tell you if it's a watchpoint.
      
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      (JSC::isWatchpoint):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::setLocal):
      (JSC::DFG::ByteCodeParser::setArgument):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::handleGetById):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::linkOSRExits):
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::appendExitInfo):
      * dfg/DFGOSRExit.cpp:
      (JSC::DFG::OSRExit::OSRExit):
      * dfg/DFGOSRExit.h:
      * dfg/DFGOSRExitCompilationInfo.h:
      (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158141 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Get rid of InlineStart so that I don't have to implement it in FTL · f5be8c90
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=123302
      
      Reviewed by Geoffrey Garen.
              
      InlineStart was a special instruction that we would insert at the top of inlined code,
      so that the backend could capture the OSR state of arguments to an inlined call. It used
      to be that only the backend had this information, so this instruction was sort of an ugly
      callback from the backend for filling in some data structures.
              
      But in the time since when that code was written (two years ago?), we rationalized how
      variables work. It's now the case that variables that the runtime must know about are
      treated specially in IR (they are "flushed") and we know how we will represent them even
      before we get to the backend. The last place that makes changes to their representation
      is the StackLayoutPhase.
              
      So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
      instruction had. Instead of handling the bookkeeping in the backend, we handle it in
      StackLayoutPhase. This means that the DFG and FTL can share code for handling this
      bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
              
      Of course, giving the FTL the ability to handle code blocks that had inlining means that
      we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
      frames. This patch also fixes that.
      
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGGraph.h:
      * dfg/DFGNode.h:
      * dfg/DFGNodeType.h:
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::safeToExecute):
      * dfg/DFGSpeculativeJIT.cpp:
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStackLayoutPhase.cpp:
      (JSC::DFG::StackLayoutPhase::run):
      * ftl/FTLLink.cpp:
      (JSC::FTL::link):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@158116 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  15. 20 Oct, 2013 1 commit
    • StructureStubInfo's usedRegisters set should be able to track all registers,... · 9dbc4b4f
      fpizlo@apple.com authored
      StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JITs view as temporaries
      https://bugs.webkit.org/show_bug.cgi?id=123076
      
      Source/JavaScriptCore: 
      
      Reviewed by Sam Weinig.
              
      Start preparing for a world in which we are patching code generated by LLVM, which may have
      very different register usage conventions than our JITs. This requires us being more explicit
      about the registers we are using. For example, the repatching code shouldn't take for granted
      that tagMaskRegister holds the TagMask or that the register is even in use.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * assembler/MacroAssembler.h:
      (JSC::MacroAssembler::numberOfRegisters):
      (JSC::MacroAssembler::registerIndex):
      (JSC::MacroAssembler::numberOfFPRegisters):
      (JSC::MacroAssembler::fpRegisterIndex):
      (JSC::MacroAssembler::totalNumberOfRegisters):
      * bytecode/StructureStubInfo.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::usedRegisters):
      * dfg/DFGSpeculativeJIT.h:
      * ftl/FTLSaveRestore.cpp:
      (JSC::FTL::bytesForGPRs):
      (JSC::FTL::bytesForFPRs):
      (JSC::FTL::offsetOfGPR):
      (JSC::FTL::offsetOfFPR):
      * jit/JITInlineCacheGenerator.cpp:
      (JSC::JITByIdGenerator::JITByIdGenerator):
      (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
      * jit/JITInlineCacheGenerator.h:
      (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emit_op_get_by_id):
      (JSC::JIT::emit_op_put_by_id):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_get_by_id):
      (JSC::JIT::emit_op_put_by_id):
      * jit/RegisterSet.cpp: Added.
      (JSC::RegisterSet::specialRegisters):
      * jit/RegisterSet.h: Added.
      (JSC::RegisterSet::RegisterSet):
      (JSC::RegisterSet::set):
      (JSC::RegisterSet::clear):
      (JSC::RegisterSet::get):
      (JSC::RegisterSet::merge):
      * jit/Repatch.cpp:
      (JSC::generateProtoChainAccessStub):
      (JSC::tryCacheGetByID):
      (JSC::tryBuildGetByIDList):
      (JSC::emitPutReplaceStub):
      (JSC::tryRepatchIn):
      (JSC::linkClosureCall):
      * jit/TempRegisterSet.cpp: Added.
      (JSC::TempRegisterSet::TempRegisterSet):
      * jit/TempRegisterSet.h:
      
      Source/WTF: 
      
      Reviewed by Sam Weinig.
              
      Teach BitVector how to efficiently merge (i.e. bitvector |=).
      
      * wtf/BitVector.cpp:
      (WTF::BitVector::mergeSlow):
      * wtf/BitVector.h:
      (WTF::BitVector::merge):
      (WTF::BitVector::cleanseInlineBits):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157707 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  16. 18 Oct, 2013 1 commit
    • A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using... · d49bfe80
      fpizlo@apple.com authored
      A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
      https://bugs.webkit.org/show_bug.cgi?id=122940
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
      whereas previously it was in a Vector, so it moved. This allows you to use pointers to
      StructureStubInfo. This also eliminates the use of return PC as a way of finding the
      StructureStubInfo's. It removes some of the need for the compile-time property access
      records; for example the DFG no longer has to save information about registers in a
      property access record only to later save it to the stub info.
              
      The main thing it accomplishes is that it makes it easier to add StructureStubInfo's
      at any stage of compilation.
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::printGetByIdCacheStatus):
      (JSC::CodeBlock::dumpBytecode):
      (JSC::CodeBlock::~CodeBlock):
      (JSC::CodeBlock::propagateTransitions):
      (JSC::CodeBlock::finalizeUnconditionally):
      (JSC::CodeBlock::addStubInfo):
      (JSC::CodeBlock::getStubInfoMap):
      (JSC::CodeBlock::shrinkToFit):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::begin):
      (JSC::CodeBlock::end):
      (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
      * bytecode/CodeOrigin.h:
      (JSC::CodeOrigin::CodeOrigin):
      (JSC::CodeOrigin::isHashTableDeletedValue):
      (JSC::CodeOrigin::hash):
      (JSC::CodeOriginHash::hash):
      (JSC::CodeOriginHash::equal):
      * bytecode/GetByIdStatus.cpp:
      (JSC::GetByIdStatus::computeFor):
      * bytecode/GetByIdStatus.h:
      * bytecode/PutByIdStatus.cpp:
      (JSC::PutByIdStatus::computeFor):
      * bytecode/PutByIdStatus.h:
      * bytecode/StructureStubInfo.h:
      (JSC::getStructureStubInfoCodeOrigin):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
      (JSC::DFG::InRecord::InRecord):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileIn):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      * jit/CCallHelpers.h:
      (JSC::CCallHelpers::setupArgumentsWithExecState):
      * jit/JIT.cpp:
      (JSC::PropertyStubCompilationInfo::copyToStubInfo):
      (JSC::JIT::privateCompile):
      * jit/JIT.h:
      (JSC::PropertyStubCompilationInfo::slowCaseInfo):
      * jit/JITInlines.h:
      (JSC::JIT::callOperation):
      * jit/JITOperations.cpp:
      * jit/JITOperations.h:
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::emitSlow_op_get_by_id):
      (JSC::JIT::emitSlow_op_put_by_id):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emitSlow_op_get_by_id):
      (JSC::JIT::emitSlow_op_put_by_id):
      * jit/Repatch.cpp:
      (JSC::appropriateGenericPutByIdFunction):
      (JSC::appropriateListBuildingPutByIdFunction):
      (JSC::resetPutByID):
      
      Source/WTF: 
      
      Reviewed by Oliver Hunt.
      
      * GNUmakefile.list.am:
      * WTF.vcxproj/WTF.vcxproj:
      * WTF.xcodeproj/project.pbxproj:
      * wtf/BagToHashMap.h: Added.
      (WTF::toHashMap):
      * wtf/CMakeLists.txt:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157660 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  17. 15 Oct, 2013 1 commit
    • [iOS] Upstream JavaScriptCore support for ARM64 · 98f0de07
      dbates@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=122762
      
      Source/JavaScriptCore:
      
      Reviewed by Oliver Hunt and Filip Pizlo.
      
      * Configurations/Base.xcconfig:
      * Configurations/DebugRelease.xcconfig:
      * Configurations/JavaScriptCore.xcconfig:
      * Configurations/ToolExecutable.xcconfig:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * assembler/ARM64Assembler.h: Added.
      * assembler/AbstractMacroAssembler.h:
      (JSC::isARM64):
      (JSC::AbstractMacroAssembler::Label::Label):
      (JSC::AbstractMacroAssembler::Jump::Jump):
      (JSC::AbstractMacroAssembler::Jump::link):
      (JSC::AbstractMacroAssembler::Jump::linkTo):
      (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
      (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
      (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
      (JSC::AbstractMacroAssembler::CachedTempRegister::value):
      (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
      (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
      (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
      (JSC::AbstractMacroAssembler::isTempRegisterValid):
      (JSC::AbstractMacroAssembler::clearTempRegisterValid):
      (JSC::AbstractMacroAssembler::setTempRegisterValid):
      * assembler/LinkBuffer.cpp:
      (JSC::LinkBuffer::copyCompactAndLinkCode):
      (JSC::LinkBuffer::linkCode):
      * assembler/LinkBuffer.h:
      * assembler/MacroAssembler.h:
      (JSC::MacroAssembler::isPtrAlignedAddressOffset):
      (JSC::MacroAssembler::pushToSave):
      (JSC::MacroAssembler::popToRestore):
      (JSC::MacroAssembler::patchableBranchTest32):
      * assembler/MacroAssemblerARM64.h: Added.
      * assembler/MacroAssemblerARMv7.h:
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileArithDiv):
      (JSC::DFG::SpeculativeJIT::compileArithMod):
      * disassembler/ARM64/A64DOpcode.cpp: Added.
      * disassembler/ARM64/A64DOpcode.h: Added.
      * disassembler/ARM64Disassembler.cpp: Added.
      * heap/MachineStackMarker.cpp:
      (JSC::getPlatformThreadRegisters):
      (JSC::otherThreadStackPointer):
      * heap/Region.h:
      * jit/AssemblyHelpers.h:
      (JSC::AssemblyHelpers::debugCall):
      * jit/CCallHelpers.h:
      * jit/ExecutableAllocator.h:
      * jit/FPRInfo.h:
      (JSC::FPRInfo::toRegister):
      (JSC::FPRInfo::toIndex):
      (JSC::FPRInfo::debugName):
      * jit/GPRInfo.h:
      (JSC::GPRInfo::toRegister):
      (JSC::GPRInfo::toIndex):
      (JSC::GPRInfo::debugName):
      * jit/JITInlines.h:
      (JSC::JIT::restoreArgumentReferenceForTrampoline):
      * jit/JITOperationWrappers.h:
      * jit/JITOperations.cpp:
      * jit/JITStubs.cpp:
      (JSC::performPlatformSpecificJITAssertions):
      (JSC::tryCachePutByID):
      * jit/JITStubs.h:
      (JSC::JITStackFrame::returnAddressSlot):
      * jit/JITStubsARM64.h: Added.
      * jit/JSInterfaceJIT.h:
      * jit/Repatch.cpp:
      (JSC::emitRestoreScratch):
      (JSC::generateProtoChainAccessStub):
      (JSC::tryCacheGetByID):
      (JSC::emitPutReplaceStub):
      (JSC::tryCachePutByID):
      (JSC::tryRepatchIn):
      * jit/ScratchRegisterAllocator.h:
      (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
      (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
      * jit/ThunkGenerators.cpp:
      (JSC::nativeForGenerator):
      (JSC::floorThunkGenerator):
      (JSC::ceilThunkGenerator):
      * jsc.cpp:
      (main):
      * llint/LLIntOfflineAsmConfig.h:
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::handleHostCall):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter64.asm:
      * offlineasm/arm.rb:
      * offlineasm/arm64.rb: Added.
      * offlineasm/backends.rb:
      * offlineasm/instructions.rb:
      * offlineasm/risc.rb:
      * offlineasm/transform.rb:
      * yarr/YarrJIT.cpp:
      (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
      (JSC::Yarr::YarrGenerator::initCallFrame):
      (JSC::Yarr::YarrGenerator::removeCallFrame):
      (JSC::Yarr::YarrGenerator::generateEnter):
      * yarr/YarrJIT.h:
      
      Source/WTF:
      
      Reviewed by Oliver Hunt.
      
      * Configurations/Base.xcconfig:
      * wtf/Atomics.h:
      (WTF::weakCompareAndSwap):
      (WTF::armV7_dmb):
      * wtf/FastMalloc.cpp:
      * wtf/Platform.h:
      * wtf/dtoa.cpp:
      * wtf/dtoa/utils.h:
      * wtf/text/ASCIIFastPath.h:
      (WTF::copyLCharsFromUCharSource):
      * wtf/text/StringImpl.h:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157474 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      98f0de07
  18. 11 Oct, 2013 2 commits
    • DFG: Add JIT support for LogicalNot(String/StringIdent) · 008e8dc2
      commit-queue@webkit.org authored
      https://bugs.webkit.org/show_bug.cgi?id=122627
      
      Patch by Nadav Rotem <nrotem@apple.com> on 2013-10-11
      Reviewed by Filip Pizlo.
      
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157329 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • Transition op_new_* JITStubs to JIT operations. · 5d7e7084
      mark.lam@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=122460.
      
      Reviewed by Michael Saboff.
      
      Also:
      - Removed the redundant operationNewFunctionExpression().  It is identical to
        operationNewFunctionNoCheck().
      - Sorted JIT operation signature keys in the comment in JITOperations.h.
      - Removed the unused returnValue2Register definition for X86_64.
      
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
      * jit/CCallHelpers.h:
      (JSC::CCallHelpers::setupArgumentsWithExecState):
      * jit/JIT.h:
      * jit/JITInlines.h:
      (JSC::JIT::callOperation):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emitSlow_op_new_object):
      (JSC::JIT::emit_op_new_func):
      (JSC::JIT::emit_op_new_func_exp):
      (JSC::JIT::emit_op_new_array):
      (JSC::JIT::emit_op_new_array_with_size):
      (JSC::JIT::emit_op_new_array_buffer):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emitSlow_op_new_object):
      * jit/JITOperations.cpp:
      * jit/JITOperations.h:
      * jit/JITStubs.cpp:
      * jit/JITStubs.h:
      * jit/JSInterfaceJIT.h:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157313 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  19. 07 Oct, 2013 2 commits
    • Trap 5 (most likely int $3) in jsc-layout-tests.yaml/js/script-tests/integer-division-neg2tothe32-by-neg1.js.layout-dfg-eager-no-cjit · e8a55280
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=122420
      
      Source/JavaScriptCore: 
      
      Reviewed by Michael Saboff.
              
      For the (-2^31/-1)|0 case, we were returning the left operand (i.e. -2^31) but we were
      failing to account for the possibility that this operand has high-bit garbage and
      int32Result() requires that the high bits are zero.
      
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileArithDiv):
      
      LayoutTests: 
      
      Reviewed by Michael Saboff.
      
      * js/script-tests/integer-division-neg2tothe32-by-neg1.js:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157043 268f45cc-cd09-0410-ab3c-d52691b4dbfc
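The (-2^31 / -1) | 0 case from the commit above, as an added C example that is not WebKit code: it models the JavaScript result for int32 operands, then models a 64-bit register that holds the left operand with sign-extended (non-zero) high bits and shows why the boxing step needs those bits to be zero. The function names and the tag constant are illustrative assumptions, not JavaScriptCore's own.

```c
/* Added example (not WebKit code). Models the JavaScript expression
 * (a / b) | 0 on int32 operands and the "high bits must be zero"
 * requirement described in the commit message. All names are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* (a / b) | 0 with the two cases a native divide cannot produce directly:
 *  - b == 0: JS yields NaN or +/-Infinity, which ToInt32 turns into 0;
 *  - INT32_MIN / -1: mathematically 2^31, which ToInt32 wraps back to
 *    INT32_MIN. A hardware idiv traps here, so a JIT must special-case it,
 *    and "return the left operand" is exactly the shortcut the commit uses. */
int32_t js_int32_div(int32_t a, int32_t b)
{
    if (b == 0)
        return 0;
    if (a == INT32_MIN && b == -1)
        return INT32_MIN;      /* left operand, unchanged */
    return a / b;              /* C truncates toward zero, as ToInt32 does */
}

/* Illustrative JSC-style number tag living in the high 16 bits of a boxed
 * value. Treated here as a constructed constant, not taken from the page. */
#define TAG_INT32 0xffff000000000000ull

/* The precondition that the commit says int32Result() insists on. */
bool high_bits_are_zero(uint64_t reg)
{
    return (reg >> 32) == 0;
}

/* What a 32-bit register move does on x86-64 and ARM64: zero-extend. */
uint64_t zero_extend_low32(uint64_t reg)
{
    return reg & 0xffffffffull;
}

/* Box an int32 sitting in the low half of a register by OR-ing in the tag.
 * If the high bits are not zero they corrupt the tag; nothing here checks. */
uint64_t box_int32(uint64_t reg)
{
    return TAG_INT32 | reg;
}

/* A boxed value is a well-formed int32 only if its high half is exactly the tag. */
bool is_boxed_int32(uint64_t boxed)
{
    return (boxed >> 32) == (TAG_INT32 >> 32);
}

int32_t unbox_int32(uint64_t boxed)
{
    return (int32_t)(uint32_t)boxed;
}

/* Before the fix: hand the left operand's register straight to boxing.
 * If that register was filled by a sign-extending load, the high 32 bits
 * are all ones ("high-bit garbage") and the box is malformed. */
uint64_t div_shortcut_buggy(uint64_t left_reg)
{
    return box_int32(left_reg);
}

/* After the fix: establish the precondition by zero-extending first. */
uint64_t div_shortcut_fixed(uint64_t left_reg)
{
    return box_int32(zero_extend_low32(left_reg));
}

int main(void)
{
    /* Constructed register image: INT32_MIN sign-extended to 64 bits. */
    uint64_t left_reg = (uint64_t)(int64_t)INT32_MIN;   /* 0xffffffff80000000 */

    printf("js_int32_div(INT32_MIN, -1) = %d\n", js_int32_div(INT32_MIN, -1));
    printf("high bits zero before fix? %d\n", high_bits_are_zero(left_reg));
    printf("buggy box well-formed? %d\n", is_boxed_int32(div_shortcut_buggy(left_reg)));
    printf("fixed box well-formed? %d, unboxes to %d\n",
           is_boxed_int32(div_shortcut_fixed(left_reg)),
           unbox_int32(div_shortcut_fixed(left_reg)));
    return 0;
}
```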
    • ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in jsc-layout-tests.yaml/js/script-tests/dfg-inline-arguments-capture-throw-exception.js.layout-dfg-eager-no-cjit · 0e97f125
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=122418
      
      Reviewed by Oliver Hunt.
      
      Source/JavaScriptCore: 
      
      This is pretty awesome. With stack compression, Arguments created in the DFG will point
      their m_registers pointers into a different slab of stack than they would have in byte
      code.
      
      Hence OSR exit must repoint any Arguments objects' m_registers pointers. It previously
      neglected to do so. This patch fixes that.
              
      Fixing this unveiled another bug: the stack reversal broke the reification of inlined
      phantom arguments.
              
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompilerCommon.cpp:
      (JSC::DFG::reifyInlinedCallFrames):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
      (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * runtime/Arguments.h:
      (JSC::Arguments::offsetOfNumArguments):
      (JSC::Arguments::offsetOfRegisters):
      (JSC::Arguments::offsetOfSlowArgumentData):
      (JSC::Arguments::offsetOfOverrodeLength):
      
      LayoutTests: 
      
      * js/script-tests/dfg-arguments-osr-exit-multiple-blocks-before-exit.js:
      * js/script-tests/dfg-arguments-osr-exit-multiple-blocks.js:
      * js/script-tests/dfg-arguments-osr-exit.js:
      * js/script-tests/dfg-inline-arguments-capture-throw-exception.js:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157035 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  20. 06 Oct, 2013 1 commit
    • Unified test infrastructure via the jsc shell · 89a4f645
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=120696
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      Add a mozilla-tests.yaml list. This is autogenerated by create-mozilla-js-test-list.
      I think it's better to leave this checked in; we may even just edit it directly in
      the future. Also generating it is not cheap.
              
      Fix some low-hanging fruit bugs that I caught by introducing more test coverage.
              
      - We were not emitting labels for CFA-unreachable blocks, which caused link errors.
        It's possible for a CFA-unreachable block to be jumped to, if the thing that causes
        it to be unreachable is a speculation in a Branch or peephole compare.
              
      - The register allocation assertions didn't handle peephole branches correctly. Since
        the peephole branch handling returns early from compile(), the clearBlahbittyBlah()
        method wasn't being called.
      
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * tests/mozilla/mozilla-tests.yaml: Added.
      
      Tools: 
      
      Reviewed by Oliver Hunt.
              
      Make run-jsc-stress-tests smart enough to be able to handle different styles of test
      output (silent or noisy) and different styles of test failure (just bad exit code,
      text diff, filtering for some magical text, etc.). This allows me to get rid of the
      layout-test-helper. It also allows me to switch all of the old Mozilla tests to
      running in run-jsc-stress-tests.
              
      Also removes all of the code paths that defended against not having shellwords. Just
      install the shellwords gem if you want to run tests.
              
      Also removes the non-parallel test running code. No reason for it to exist anymore.
              
      This is a massive increase in test coverage. It uncovered bugs. I fixed two of them
      as part of this patch, and left three more as new bugzillas.
      
      * Scripts/create-mozilla-js-test-list: Added.
      * Scripts/jsc-stress-test-helpers/check-mozilla-failure: Added.
      * Scripts/jsc-stress-test-helpers/layout-test-helper: Removed.
      * Scripts/run-javascriptcore-tests:
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
              
      Suppress running the no-cjit and dfg-eager variants of these tests because there are
      still some hard bugs to fix; they were revealed by the increase in test coverage.
      
      * js/script-tests/dfg-inline-arguments-capture-throw-exception.js:
      * js/script-tests/dfg-uint32-to-number-in-middle-of-copy-propagation.js:
      * js/script-tests/integer-division-neg2tothe32-by-neg1.js:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157014 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  21. 05 Oct, 2013 1 commit
    • Compress DFG stack layout · a62d4829
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=122024
      
      Reviewed by Oliver Hunt.
              
      The DFG needs to be able to store things at a known offset from frame pointer so that
      the runtime can read those things. Prior to this patch, the DFG would use the exact
      offsets that the bytecode asked for, even in the case of inlining, where it would use
      the callsite stack offset to shift all of the inlined function's variables over just as
      they would have been if a bytecode interpreter had really made the call.
              
      But this won't work once WebKit-LLVM integration is complete. LLVM has no notion of
      storing things at a fixed offset from the frame pointer. We could try to hack LLVM to do
      that, but it would seriously complicate LLVM's stack layout. But what we might be able
      to do is have LLVM tell us (via an addressof intrinsic and a side-channel) where some
      alloca landed relative to the frame pointer. Hence if the DFG can put all of its flushed
      variables in a contiguous range that can be expressed to LLVM as a struct that we
      alloca, then all of this can still work just fine.
              
      Previously the flushed variables didn't fit in a contiguous range, but this patch makes
      them contiguous by allowing the stack layout to be compressed.
              
      What this really means is that there is now a distinction between where the DFG saw a
      variable stored in bytecode and where it will actually store it in the resulting machine
      code. Henceforth when the DFG says "local" or "virtual register" it means the variable
      according to bytecode (with the stack offsetting for inlined code as before), but when
      it says "machine local" or "machine virtual register" it means the actual place where it
      will store things in the resulting machine code. All of the OSR exit, inlined arguments,
      captured variables, and various stack unwinding machinery now knows about all of this.
              
      Note that the DFG's abstract interpretation still uses bytecode variables rather than
      machine variables. Same for CSE and abstract heaps. This makes sense since it means that
      we don't have to decide on machine variable allocation just to do those optimizations.
              
      The decision of what a local's machine location becomes is deferred to very late in
      compilation. We only need to assign machine locations to variables that must be stored
      to the stack. It's now mandatory to run some kind of "stack layout phase" that makes the
      decision and updates all data structures.
              
      So far the way that this is being used is just to compress the DFG stack layout, which
      is something that we should have done anyway, a long time ago. And the compression isn't
      even that good - the current StackLayoutPhase just identifies local indices that are
      unused in machine code and slides all other variables towards zero. This doesn't achieve
      particularly good compression but it is better than nothing. Note that this phase makes
      it seem like the bytecode-machine mapping is based on bytecode local indices; for
      example if bytecode local 4 is mapped to machine local 3 then it always will be. That's
      true for the current StackLayoutPhase but it _will not_ be true for all possible stack
      layout phases and it would be incorrect to assume that it should be true. This is why
      the current data structures have each VariableAccessData hold its own copy of the
      machine virtual register, and also have each InlineCallFrame report their own machine
      virtual registers for the various things. The DFG backend is likely to always use the
      dumb StackLayoutPhase since it is very cheap to run, but the FTL backend is likely to
      eventually get a better one, where we do some kind of constraint-based coloring: we
      institute constraints where some VariableAccessData's must have the same indices as some
      other ones, and also must be right next to some other ones; then we process all
      VariableAccessData's and attempt to assign them machine locals while preserving those
      constraints. This could lead to two VariableAccessDatas for the same bytecode local
      ending up with different machine locals.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::isCaptured):
      (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters):
      (JSC::CodeBlock::machineSlowArguments):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::hasSlowArguments):
      * bytecode/CodeOrigin.cpp:
      (JSC::CodeOrigin::dump):
      (JSC::InlineCallFrame::calleeForCallFrame):
      (JSC::InlineCallFrame::dumpInContext):
      * bytecode/CodeOrigin.h:
      (JSC::InlineCallFrame::InlineCallFrame):
      (JSC::InlineCallFrame::calleeConstant):
      * bytecode/Operands.h:
      (JSC::Operands::indexForOperand):
      * dfg/DFGBasicBlock.cpp:
      (JSC::DFG::BasicBlock::SSAData::SSAData):
      * dfg/DFGBasicBlock.h:
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::ByteCodeParser):
      (JSC::DFG::ByteCodeParser::get):
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::flushDirect):
      (JSC::DFG::ByteCodeParser::flush):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parse):
      * dfg/DFGCommon.h:
      * dfg/DFGCommonData.h:
      (JSC::DFG::CommonData::CommonData):
      * dfg/DFGDesiredWriteBarriers.cpp:
      (JSC::DFG::DesiredWriteBarrier::trigger):
      * dfg/DFGDesiredWriteBarriers.h:
      * dfg/DFGFlushLivenessAnalysisPhase.cpp:
      (JSC::DFG::FlushLivenessAnalysisPhase::run):
      (JSC::DFG::FlushLivenessAnalysisPhase::process):
      (JSC::DFG::FlushLivenessAnalysisPhase::reportError):
      * dfg/DFGFlushedAt.cpp: Added.
      (JSC::DFG::FlushedAt::dump):
      (JSC::DFG::FlushedAt::dumpInContext):
      * dfg/DFGFlushedAt.h: Added.
      (JSC::DFG::FlushedAt::FlushedAt):
      (JSC::DFG::FlushedAt::operator!):
      (JSC::DFG::FlushedAt::format):
      (JSC::DFG::FlushedAt::virtualRegister):
      (JSC::DFG::FlushedAt::operator==):
      (JSC::DFG::FlushedAt::operator!=):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::Graph):
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::bytecodeRegisterForArgument):
      (JSC::DFG::Graph::argumentsRegisterFor):
      (JSC::DFG::Graph::machineArgumentsRegisterFor):
      (JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
      (JSC::DFG::Graph::activationRegister):
      (JSC::DFG::Graph::uncheckedActivationRegister):
      (JSC::DFG::Graph::machineActivationRegister):
      (JSC::DFG::Graph::uncheckedMachineActivationRegister):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::noticeOSREntry):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::convertToGetLocalUnlinked):
      (JSC::DFG::Node::convertToGetLocal):
      (JSC::DFG::Node::machineLocal):
      (JSC::DFG::Node::hasUnlinkedMachineLocal):
      (JSC::DFG::Node::setUnlinkedMachineLocal):
      (JSC::DFG::Node::unlinkedMachineLocal):
      (JSC::DFG::Node::hasInlineStartData):
      (JSC::DFG::Node::inlineStartData):
      * dfg/DFGNodeFlags.cpp:
      (JSC::DFG::dumpNodeFlags):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGOSREntry.h:
      (JSC::DFG::OSREntryReshuffling::OSREntryReshuffling):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompilerCommon.cpp:
      (JSC::DFG::reifyInlinedCallFrames):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGPlan.cpp:
      (JSC::DFG::Plan::compileInThreadImpl):
      * dfg/DFGScoreBoard.h:
      (JSC::DFG::ScoreBoard::ScoreBoard):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      (JSC::DFG::SpeculativeJIT::createOSREntries):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
      (JSC::DFG::SpeculativeJIT::callFrameSlot):
      (JSC::DFG::SpeculativeJIT::argumentSlot):
      (JSC::DFG::SpeculativeJIT::callFrameTagSlot):
      (JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
      (JSC::DFG::SpeculativeJIT::argumentTagSlot):
      (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
      (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters):
      (JSC::DFG::SpeculativeJIT::callOperation):
      (JSC::DFG::SpeculativeJIT::recordSetLocal):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::emitCall):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::emitCall):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStackLayoutPhase.cpp: Added.
      (JSC::DFG::StackLayoutPhase::StackLayoutPhase):
      (JSC::DFG::StackLayoutPhase::run):
      (JSC::DFG::performStackLayout):
      * dfg/DFGStackLayoutPhase.h: Added.
      * dfg/DFGValidate.cpp:
      (JSC::DFG::Validate::validate):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::machineLocal):
      (JSC::DFG::VariableAccessData::flushedAt):
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      (JSC::DFG::VirtualRegisterAllocationPhase::run):
      * ftl/FTLExitValue.h:
      (JSC::FTL::ExitValue::inJSStack):
      (JSC::FTL::ExitValue::inJSStackAsInt32):
      (JSC::FTL::ExitValue::inJSStackAsInt52):
      (JSC::FTL::ExitValue::inJSStackAsDouble):
      (JSC::FTL::ExitValue::virtualRegister):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
      (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      (JSC::FTL::ValueSource::ValueSource):
      (JSC::FTL::ValueSource::kind):
      (JSC::FTL::ValueSource::operator!):
      (JSC::FTL::ValueSource::node):
      (JSC::FTL::ValueSource::virtualRegister):
      * interpreter/Interpreter.cpp:
      (JSC::unwindCallFrame):
      * interpreter/StackVisitor.cpp:
      (JSC::StackVisitor::readInlinedFrame):
      (JSC::StackVisitor::Frame::createArguments):
      (JSC::StackVisitor::Frame::existingArguments):
      * interpreter/StackVisitor.h:
      * jit/AssemblyHelpers.h:
      (JSC::AssemblyHelpers::addressFor):
      (JSC::AssemblyHelpers::tagFor):
      (JSC::AssemblyHelpers::payloadFor):
      (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOff):
      * runtime/Arguments.h:
      (JSC::Arguments::allocateSlowArguments):
      (JSC::Arguments::tryDeleteArgument):
      (JSC::Arguments::isDeletedArgument):
      (JSC::Arguments::isArgument):
      (JSC::Arguments::argument):
      (JSC::Arguments::finishCreation):
      * runtime/JSActivation.h:
      (JSC::JSActivation::create):
      (JSC::JSActivation::JSActivation):
      * runtime/JSFunction.cpp:
      (JSC::RetrieveArgumentsFunctor::operator()):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156984 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  22. 02 Oct, 2013 1 commit
    • Get rid of Qt code from JavaScriptCore · 467391db
      andersca@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=122223
      
      Reviewed by Oliver Hunt.
      
      * API/JSStringRefQt.cpp: Removed.
      * API/JSStringRefQt.h: Removed.
      * API/OpaqueJSString.h:
      * DerivedSources.pri: Removed.
      * JavaScriptCore.pri: Removed.
      * JavaScriptCore.pro: Removed.
      * LLIntOffsetsExtractor.pro: Removed.
      * Target.pri: Removed.
      * assembler/AbstractMacroAssembler.h:
      * assembler/MacroAssembler.h:
      (JSC::MacroAssembler::urshift32):
      * assembler/MacroAssemblerARMv7.h:
      (JSC::MacroAssemblerARMv7::shouldBlindForSpecificArch):
      * assembler/MacroAssemblerX86Common.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      * heap/HeapTimer.cpp:
      (JSC::HeapTimer::timerEvent):
      * heap/HeapTimer.h:
      * heap/IncrementalSweeper.cpp:
      (JSC::IncrementalSweeper::scheduleTimer):
      * heap/IncrementalSweeper.h:
      * jit/JITArithmetic32_64.cpp:
      (JSC::JIT::emitSub32Constant):
      * jsc.cpp:
      (main):
      * jsc.pro: Removed.
      * runtime/DateConstructor.cpp:
      * runtime/GCActivityCallback.cpp:
      (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
      (JSC::DefaultGCActivityCallback::cancelTimer):
      * runtime/GCActivityCallback.h:
      * testRegExp.cpp:
      (main):
      * yarr/yarr.pri: Removed.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156780 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  23. 01 Oct, 2013 2 commits
    • Variable event stream (for DFG OSR exit) should be explicit about where on the stack a SetLocal put a value · ee4d8a7a
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=122178
      
      Reviewed by Geoffrey Garen.
              
      Now if the DFG stores the value of a variable into the stack explicitly via a SetLocal,
      it will record where on the stack it stored the value in addition to recording where on
      the stack the bytecode would have done the SetLocal. Previously it just recorded the
      format and the bytecode variable. Recording just the bytecode variable is currently fine
      since the DFG always executes SetLocal's to the same stack location that the bytecode
      would have used. But that prevents stack compression (webkit.org/b/122024) so this patch
      allows the SetLocal to say both the bytecode variable that we're speaking of and the
      actual stack location to which the SetLocal stored the value.
              
      This had to touch a lot of code, so I took the opportunity to also resolve
      webkit.org/b/108019.
      
      * bytecode/Operands.h:
      (JSC::Operands::hasOperand):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::dataFormatFor):
      * dfg/DFGMinifiedID.h:
      (JSC::DFG::MinifiedID::bits):
      (JSC::DFG::MinifiedID::invalidID):
      (JSC::DFG::MinifiedID::otherInvalidID):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileMovHint):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::recordSetLocal):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::ValueSource::ValueSource):
      (JSC::DFG::ValueSource::forFlushFormat):
      (JSC::DFG::ValueSource::forDataFormat):
      (JSC::DFG::ValueSource::isSet):
      (JSC::DFG::ValueSource::kind):
      (JSC::DFG::ValueSource::valueRecovery):
      (JSC::DFG::ValueSource::id):
      (JSC::DFG::ValueSource::virtualRegister):
      * dfg/DFGVariableEvent.cpp:
      (JSC::DFG::VariableEvent::dump):
      (JSC::DFG::VariableEvent::dumpSpillInfo):
      * dfg/DFGVariableEvent.h:
      (JSC::DFG::VariableEvent::fillGPR):
      (JSC::DFG::VariableEvent::fillPair):
      (JSC::DFG::VariableEvent::fillFPR):
      (JSC::DFG::VariableEvent::spill):
      (JSC::DFG::VariableEvent::death):
      (JSC::DFG::VariableEvent::setLocal):
      (JSC::DFG::VariableEvent::movHint):
      (JSC::DFG::VariableEvent::id):
      (JSC::DFG::VariableEvent::gpr):
      (JSC::DFG::VariableEvent::tagGPR):
      (JSC::DFG::VariableEvent::payloadGPR):
      (JSC::DFG::VariableEvent::fpr):
      (JSC::DFG::VariableEvent::spillRegister):
      (JSC::DFG::VariableEvent::bytecodeRegister):
      (JSC::DFG::VariableEvent::machineRegister):
      (JSC::DFG::VariableEvent::variableRepresentation):
      * dfg/DFGVariableEventStream.cpp:
      (JSC::DFG::VariableEventStream::reconstruct):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156747 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    • SpeculativeJIT::m_arguments/m_variables are vestiges of a time long gone · 3937f523
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=122140
      
      Reviewed by Darin Adler.
              
      Just killing code.
      
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::recordSetLocal):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156723 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  24. 30 Sep, 2013 3 commits
    • Get rid of the AlreadyInJSStack recoveries since they are totally redundant with the DisplacedInJSStack recoveries · c6bb4a9f
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=122065
      
      Reviewed by Mark Hahnenberg.
              
      This mostly just kills a bunch of code.
              
      But incidentally while killing that code, I uncovered a bug in our FTL OSR entrypoint
      creation phase. The phase inserts a sequence of SetLocal(ExtractOSREntryLocal) nodes.
      If we hoist some type check into the local, then we might inject a conversion node
      between the ExtractOSREntryLocal and the SetLocal - for example we might put in a
      Int32ToDouble node. But currently the FixupPhase will make all conversion nodes placed
      on an edge of a SetLocal use forward exit. This then confuses the OSR exit machinery.
      When OSR exit sees a forward exit, it tries to "roll forward" execution from the exiting
      node to the first node that has a different CodeOrigin. This only works if the nodes
      after the forward exit are MovHints or other things that the OSR exit compiler can
      forward-execute. But here, it will see a bunch of SetLocal and ExtractOSREntryLocal
      nodes for the same bytecode index. Two possible solutions exist. We could teach the
      forward-execution logic how to deal with multiple SetLocals and ExtractOSREntryLocals.
      This would be a lot of complexity; right now it just needs to deal with exactly one
      SetLocal-like operation. The alternative is to make sure that the conversion node that
      we inject ends up exiting *backward* rather than forward.
              
      But making the conversion nodes exit backward is somewhat tricky. Before this patch,
      conversion nodes always exit forward for SetLocals and backwards otherwise. It turns out
      that the solution is to rationalize how we choose the speculation direction for a
      conversion node. The conversion node's speculation direction should be the same as the
      speculation direction of the node for which it is doing a conversion. Since SetLocal's
      already exit forward by default, this policy preserves our previous behavior. But it
      also allows the OSR entrypoint creation phase to make its SetLocals exit backward
      instead.
              
      Of course, if the SetLocal(ExtractOSREntryLocal) sequences exit backward, then we need
      to make sure that the OSR exit machine knows that the local variables are indeed live.
      Consider that if we have:
              
          a: ExtractOSREntryLocal(loc1)
          b: SetLocal(@a, loc1)
          c: ExtractOSREntryLocal(loc2)
          d: SetLocal(@c, loc2)
              
      Without additional magic, the exit at @b will think that loc2 is dead and the OSR exit
      compiler will clobber loc2 with Undefined. So we need to make sure that we actually
      emit code like:
              
          a: ExtractOSREntryLocal(loc1)
          b: ExtractOSREntryLocal(loc2)
          c: SetLocal(@a, loc1)
          d: SetLocal(@b, loc2)
          e: SetLocal(@a, loc1)
          f: SetLocal(@b, loc2)
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CodeOrigin.h:
      * bytecode/ValueRecovery.cpp: Added.
      (JSC::ValueRecovery::recover):
      (JSC::ValueRecovery::dumpInContext):
      (JSC::ValueRecovery::dump):
      * bytecode/ValueRecovery.h:
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
      (JSC::DFG::FixupPhase::fixEdge):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::speculationDirection):
      (JSC::DFG::Node::setSpeculationDirection):
      * dfg/DFGOSREntrypointCreationPhase.cpp:
      (JSC::DFG::OSREntrypointCreationPhase::run):
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
      * dfg/DFGValueSource.h:
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableEventStream.cpp:
      (JSC::DFG::VariableEventStream::reconstruct):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::speculate):
      (JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
      * interpreter/Register.h:
      (JSC::Register::unboxedStrictInt52):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOff):
      * runtime/Arguments.h:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156677 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c6bb4a9f
    • rgabor@webkit.org's avatar
      Unreviewed. Build fix for DEBUG_VERBOSE mode after r156511. · d79d1b63
      rgabor@webkit.org authored
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156641 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d79d1b63
    • rgabor@webkit.org's avatar
      Unreviewed. Speculative build fix on ARMv7 Thumb2 after r156490. · 4c500bc5
      rgabor@webkit.org authored
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::fmodAsDFGOperation):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156637 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4c500bc5
  25. 26 Sep, 2013 4 commits
    • msaboff@apple.com's avatar
      VirtualRegister should be a class · 62aa8b77
      msaboff@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121732
      
      Reviewed by Geoffrey Garen.
      
      This is a refactoring change.  Changed VirtualRegister from an enum to a class.
      Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand()
      and the similar functions for locals to VirtualRegister class.
      
      This is in preparation for changing the offset for the first local register from
      0 to -1.  This is needed since most native calling conventions have the architected
      frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame
      pointer.  Local values start below that address.
      
      * bytecode/CodeBlock.cpp:
      * bytecode/CodeBlock.h:
      * bytecode/Instruction.h:
      * bytecode/LazyOperandValueProfile.h:
      * bytecode/MethodOfGettingAValueProfile.cpp:
      * bytecode/Operands.h:
      * bytecode/UnlinkedCodeBlock.cpp:
      * bytecode/UnlinkedCodeBlock.h:
      * bytecode/ValueRecovery.h:
      * bytecode/VirtualRegister.h:
      * bytecompiler/BytecodeGenerator.cpp:
      * bytecompiler/BytecodeGenerator.h:
      * bytecompiler/RegisterID.h:
      * debugger/DebuggerCallFrame.cpp:
      * dfg/DFGAbstractHeap.h:
      * dfg/DFGAbstractInterpreterInlines.h:
      * dfg/DFGArgumentPosition.h:
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      * dfg/DFGByteCodeParser.cpp:
      * dfg/DFGCFGSimplificationPhase.cpp:
      * dfg/DFGCPSRethreadingPhase.cpp:
      * dfg/DFGCapabilities.cpp:
      * dfg/DFGConstantFoldingPhase.cpp:
      * dfg/DFGFlushLivenessAnalysisPhase.cpp:
      * dfg/DFGGraph.cpp:
      * dfg/DFGGraph.h:
      * dfg/DFGJITCode.cpp:
      * dfg/DFGNode.h:
      * dfg/DFGOSREntry.cpp:
      * dfg/DFGOSREntrypointCreationPhase.cpp:
      * dfg/DFGOSRExit.h:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      * dfg/DFGRegisterBank.h:
      * dfg/DFGScoreBoard.h:
      * dfg/DFGSpeculativeJIT.cpp:
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT32_64.cpp:
      * dfg/DFGSpeculativeJIT64.cpp:
      * dfg/DFGValidate.cpp:
      * dfg/DFGValueRecoveryOverride.h:
      * dfg/DFGVariableAccessData.h:
      * dfg/DFGVariableEvent.h:
      * dfg/DFGVariableEventStream.cpp:
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      * ftl/FTLExitArgumentForOperand.h:
      * ftl/FTLLink.cpp:
      * ftl/FTLLowerDFGToLLVM.cpp:
      * ftl/FTLOSREntry.cpp:
      * ftl/FTLOSRExit.cpp:
      * ftl/FTLOSRExit.h:
      * ftl/FTLOSRExitCompiler.cpp:
      * interpreter/CallFrame.h:
      * interpreter/Interpreter.cpp:
      * jit/AssemblyHelpers.h:
      * jit/JIT.h:
      * jit/JITCall.cpp:
      * jit/JITCall32_64.cpp:
      * jit/JITInlines.h:
      * jit/JITOpcodes.cpp:
      * jit/JITOpcodes32_64.cpp:
      * jit/JITPropertyAccess32_64.cpp:
      * jit/JITStubs.cpp:
      * llint/LLIntSlowPaths.cpp:
      * profiler/ProfilerBytecodeSequence.cpp:
      * runtime/CommonSlowPaths.cpp:
      * runtime/JSActivation.cpp:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156511 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      62aa8b77
    • mark.lam@apple.com's avatar
      Move DFG inline caching logic into jit/. · 9df8b83f
      mark.lam@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121749.
      
      Reviewed by Geoffrey Garen.
      
      Relanding http://trac.webkit.org/changeset/156235 after rebasing to latest
      revision and fixing build breakages on Windows.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CallLinkInfo.cpp:
      (JSC::CallLinkInfo::unlink):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::resetStubInternal):
      * bytecode/StructureStubInfo.h:
      * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
      (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
      (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
      * dfg/DFGJITCompiler.h:
      * dfg/DFGOSRExitCompiler.h:
      * dfg/DFGOperations.cpp:
      (JSC::DFG::operationPutByValInternal):
      * dfg/DFGOperations.h:
      (JSC::DFG::operationNewTypedArrayWithSizeForType):
      (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
      * dfg/DFGRegisterSet.h: Removed.
      * dfg/DFGRepatch.cpp: Removed.
      * dfg/DFGRepatch.h: Removed.
      * dfg/DFGScratchRegisterAllocator.h: Removed.
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compare):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
      (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
      (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGThunks.cpp:
      * dfg/DFGThunks.h:
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
      * ftl/FTLOSRExitCompiler.h:
      * jit/AssemblyHelpers.h:
      (JSC::AssemblyHelpers::writeBarrier):
      * jit/JIT.cpp:
      (JSC::JIT::linkFor):
      (JSC::JIT::linkSlowCall):
      * jit/JITCall.cpp:
      (JSC::JIT::compileCallEvalSlowCase):
      (JSC::JIT::compileOpCallSlowCase):
      (JSC::JIT::privateCompileClosureCall):
      * jit/JITCall32_64.cpp:
      (JSC::JIT::compileCallEvalSlowCase):
      (JSC::JIT::compileOpCallSlowCase):
      (JSC::JIT::privateCompileClosureCall):
      * jit/JITOperationWrappers.h: Copied from Source/JavaScriptCore/jit/JITOperationWrappers.h.
      * jit/JITOperations.cpp: Copied from Source/JavaScriptCore/jit/JITOperations.cpp.
      (JSC::getHostCallReturnValueWithExecState):
      * jit/JITOperations.h: Copied from Source/JavaScriptCore/jit/JITOperations.h.
      * jit/RegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
      * jit/Repatch.cpp: Copied from Source/JavaScriptCore/jit/Repatch.cpp.
      (JSC::tryBuildGetByIDList):
      * jit/Repatch.h: Copied from Source/JavaScriptCore/jit/Repatch.h.
      * jit/ScratchRegisterAllocator.h: Copied from Source/JavaScriptCore/jit/ScratchRegisterAllocator.h.
      * jit/ThunkGenerators.cpp:
      (JSC::oldStyleGenerateSlowCaseFor):
      (JSC::oldStyleLinkForGenerator):
      (JSC::oldStyleLinkCallGenerator):
      (JSC::oldStyleLinkConstructGenerator):
      (JSC::oldStyleLinkClosureCallGenerator):
      (JSC::oldStyleVirtualForGenerator):
      (JSC::oldStyleVirtualCallGenerator):
      (JSC::oldStyleVirtualConstructGenerator):
      (JSC::emitPointerValidation):
      (JSC::throwExceptionFromCallSlowPathGenerator):
      (JSC::slowPathFor):
      (JSC::linkForThunkGenerator):
      (JSC::linkCallThunkGenerator):
      (JSC::linkConstructThunkGenerator):
      (JSC::linkClosureCallThunkGenerator):
      (JSC::virtualForThunkGenerator):
      (JSC::virtualCallThunkGenerator):
      (JSC::virtualConstructThunkGenerator):
      * jit/ThunkGenerators.h:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156490 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9df8b83f
    • commit-queue@webkit.org's avatar
      Unreviewed, rolling out r156474. · bf43ed96
      commit-queue@webkit.org authored
      http://trac.webkit.org/changeset/156474
      https://bugs.webkit.org/show_bug.cgi?id=121966
      
      Broke the builds. (Requested by xenon on #webkit).
      
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::registerName):
      (JSC::CodeBlock::dumpBytecode):
      (JSC::CodeBlock::CodeBlock):
      (JSC::CodeBlock::createActivation):
      (JSC::CodeBlock::nameForRegister):
      * bytecode/CodeBlock.h:
      (JSC::unmodifiedArgumentsRegister):
      (JSC::CodeBlock::isKnownNotImmediate):
      (JSC::CodeBlock::setThisRegister):
      (JSC::CodeBlock::thisRegister):
      (JSC::CodeBlock::setArgumentsRegister):
      (JSC::CodeBlock::argumentsRegister):
      (JSC::CodeBlock::uncheckedArgumentsRegister):
      (JSC::CodeBlock::setActivationRegister):
      (JSC::CodeBlock::activationRegister):
      (JSC::CodeBlock::uncheckedActivationRegister):
      (JSC::CodeBlock::usesArguments):
      (JSC::CodeBlock::isCaptured):
      * bytecode/Instruction.h:
      * bytecode/LazyOperandValueProfile.h:
      (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
      (JSC::LazyOperandValueProfileKey::operator!):
      (JSC::LazyOperandValueProfileKey::hash):
      (JSC::LazyOperandValueProfileKey::operand):
      (JSC::LazyOperandValueProfileKey::isHashTableDeletedValue):
      (JSC::LazyOperandValueProfile::LazyOperandValueProfile):
      * bytecode/MethodOfGettingAValueProfile.cpp:
      (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
      (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
      * bytecode/Operands.h:
      (JSC::localToOperand):
      (JSC::operandIsLocal):
      (JSC::operandToLocal):
      (JSC::operandIsArgument):
      (JSC::operandToArgument):
      (JSC::argumentToOperand):
      (JSC::Operands::operand):
      (JSC::Operands::hasOperand):
      (JSC::Operands::setOperand):
      (JSC::Operands::operandForIndex):
      (JSC::Operands::setOperandFirstTime):
      * bytecode/UnlinkedCodeBlock.cpp:
      (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
      * bytecode/UnlinkedCodeBlock.h:
      (JSC::UnlinkedCodeBlock::setThisRegister):
      (JSC::UnlinkedCodeBlock::setActivationRegister):
      (JSC::UnlinkedCodeBlock::setArgumentsRegister):
      (JSC::UnlinkedCodeBlock::usesArguments):
      (JSC::UnlinkedCodeBlock::argumentsRegister):
      (JSC::UnlinkedCodeBlock::usesGlobalObject):
      (JSC::UnlinkedCodeBlock::setGlobalObjectRegister):
      (JSC::UnlinkedCodeBlock::globalObjectRegister):
      (JSC::UnlinkedCodeBlock::thisRegister):
      (JSC::UnlinkedCodeBlock::activationRegister):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * bytecode/VirtualRegister.h:
      (WTF::printInternal):
      * bytecompiler/BytecodeGenerator.cpp:
      (JSC::BytecodeGenerator::generate):
      (JSC::BytecodeGenerator::addVar):
      (JSC::BytecodeGenerator::BytecodeGenerator):
      (JSC::BytecodeGenerator::createLazyRegisterIfNecessary):
      (JSC::BytecodeGenerator::newRegister):
      (JSC::BytecodeGenerator::emitLoadGlobalObject):
      (JSC::BytecodeGenerator::emitGetArgumentsLength):
      (JSC::BytecodeGenerator::emitGetArgumentByVal):
      (JSC::BytecodeGenerator::createArgumentsIfNecessary):
      (JSC::BytecodeGenerator::emitReturn):
      * bytecompiler/BytecodeGenerator.h:
      (JSC::BytecodeGenerator::registerFor):
      * bytecompiler/RegisterID.h:
      (JSC::RegisterID::RegisterID):
      (JSC::RegisterID::setIndex):
      (JSC::RegisterID::index):
      * debugger/DebuggerCallFrame.cpp:
      (JSC::DebuggerCallFrame::thisObject):
      * dfg/DFGAbstractHeap.h:
      (JSC::DFG::AbstractHeap::Payload::Payload):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      (JSC::DFG::::clobberCapturedVars):
      * dfg/DFGArgumentPosition.h:
      (JSC::DFG::ArgumentPosition::dump):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
      (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::newVariableAccessData):
      (JSC::DFG::ByteCodeParser::getDirect):
      (JSC::DFG::ByteCodeParser::get):
      (JSC::DFG::ByteCodeParser::setDirect):
      (JSC::DFG::ByteCodeParser::set):
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::setLocal):
      (JSC::DFG::ByteCodeParser::getArgument):
      (JSC::DFG::ByteCodeParser::setArgument):
      (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
      (JSC::DFG::ByteCodeParser::findArgumentPosition):
      (JSC::DFG::ByteCodeParser::flush):
      (JSC::DFG::ByteCodeParser::flushDirect):
      (JSC::DFG::ByteCodeParser::getToInt32):
      (JSC::DFG::ByteCodeParser::getThis):
      (JSC::DFG::ByteCodeParser::addCall):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::emitFunctionChecks):
      (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
      (JSC::DFG::ByteCodeParser::handleInlining):
      (JSC::DFG::ByteCodeParser::handleMinMax):
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
      (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (JSC::DFG::ByteCodeParser::handleGetById):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
      (JSC::DFG::ByteCodeParser::parse):
      * dfg/DFGCFGSimplificationPhase.cpp:
      * dfg/DFGCPSRethreadingPhase.cpp:
      (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal):
      (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal):
      (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument):
      * dfg/DFGCapabilities.cpp:
      (JSC::DFG::capabilityLevel):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
      * dfg/DFGFlushLivenessAnalysisPhase.cpp:
      (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::argumentsRegisterFor):
      (JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
      (JSC::DFG::Graph::uncheckedActivationRegisterFor):
      (JSC::DFG::Graph::valueProfileFor):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::Node):
      (JSC::DFG::Node::convertToGetLocalUnlinked):
      (JSC::DFG::Node::hasVirtualRegister):
      (JSC::DFG::Node::virtualRegister):
      (JSC::DFG::Node::setVirtualRegister):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGOSREntrypointCreationPhase.cpp:
      (JSC::DFG::OSREntrypointCreationPhase::run):
      * dfg/DFGOSRExit.h:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGRegisterBank.h:
      (JSC::DFG::RegisterBank::tryAllocate):
      (JSC::DFG::RegisterBank::allocateSpecific):
      (JSC::DFG::RegisterBank::retain):
      (JSC::DFG::RegisterBank::isInUse):
      (JSC::DFG::RegisterBank::dump):
      (JSC::DFG::RegisterBank::releaseAtIndex):
      (JSC::DFG::RegisterBank::allocateInternal):
      (JSC::DFG::RegisterBank::MapEntry::MapEntry):
      * dfg/DFGScoreBoard.h:
      (JSC::DFG::ScoreBoard::allocate):
      (JSC::DFG::ScoreBoard::use):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
      (JSC::DFG::SpeculativeJIT::checkConsistency):
      (JSC::DFG::SpeculativeJIT::compileMovHint):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::allocate):
      (JSC::DFG::SpeculativeJIT::fprAllocate):
      (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
      (JSC::DFG::SpeculativeJIT::flushRegisters):
      (JSC::DFG::SpeculativeJIT::isFlushed):
      (JSC::DFG::SpeculativeJIT::argumentSlot):
      (JSC::DFG::SpeculativeJIT::argumentTagSlot):
      (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
      (JSC::DFG::SpeculativeJIT::valueSourceForOperand):
      (JSC::DFG::SpeculativeJIT::setNodeForOperand):
      (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand):
      (JSC::DFG::SpeculativeJIT::recordSetLocal):
      (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
      (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGValidate.cpp:
      (JSC::DFG::Validate::validate):
      (JSC::DFG::Validate::validateCPS):
      (JSC::DFG::Validate::checkOperand):
      (JSC::DFG::Validate::reportValidationContext):
      * dfg/DFGValueRecoveryOverride.h:
      (JSC::DFG::ValueRecoveryOverride::ValueRecoveryOverride):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::operand):
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
      (JSC::DFG::VariableAccessData::flushFormat):
      * dfg/DFGVariableEvent.h:
      (JSC::DFG::VariableEvent::spill):
      (JSC::DFG::VariableEvent::setLocal):
      * dfg/DFGVariableEventStream.cpp:
      (JSC::DFG::VariableEventStream::reconstruct):
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      (JSC::DFG::VirtualRegisterAllocationPhase::run):
      * ftl/FTLExitArgumentForOperand.h:
      (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand):
      (JSC::FTL::ExitArgumentForOperand::operand):
      * ftl/FTLLink.cpp:
      (JSC::FTL::link):
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
      (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
      (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal):
      (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
      (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
      (JSC::FTL::LowerDFGToLLVM::observeMovHint):
      (JSC::FTL::LowerDFGToLLVM::addressFor):
      (JSC::FTL::LowerDFGToLLVM::payloadFor):
      (JSC::FTL::LowerDFGToLLVM::tagFor):
      * ftl/FTLOSREntry.cpp:
      (JSC::FTL::prepareOSREntry):
      * ftl/FTLOSRExit.cpp:
      (JSC::FTL::OSRExit::convertToForward):
      * ftl/FTLOSRExit.h:
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * interpreter/CallFrame.h:
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::dumpRegisters):
      (JSC::unwindCallFrame):
      (JSC::Interpreter::unwind):
      * jit/AssemblyHelpers.h:
      (JSC::AssemblyHelpers::addressFor):
      (JSC::AssemblyHelpers::tagFor):
      (JSC::AssemblyHelpers::payloadFor):
      (JSC::AssemblyHelpers::argumentsRegisterFor):
      * jit/JIT.h:
      * jit/JITCall.cpp:
      (JSC::JIT::compileLoadVarargs):
      * jit/JITInlines.h:
      (JSC::JIT::emitGetVirtualRegister):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_tear_off_arguments):
      (JSC::JIT::emit_op_get_pnames):
      (JSC::JIT::emit_op_enter):
      (JSC::JIT::emit_op_create_arguments):
      (JSC::JIT::emitSlow_op_get_argument_by_val):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_enter):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * profiler/ProfilerBytecodeSequence.cpp:
      (JSC::Profiler::BytecodeSequence::BytecodeSequence):
      * runtime/CommonSlowPaths.cpp:
      (JSC::SLOW_PATH_DECL):
      * runtime/JSActivation.cpp:
      (JSC::JSActivation::argumentsGetter):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156482 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      bf43ed96
    • msaboff@apple.com's avatar
      VirtualRegister should be a class · 1796ad0f
      msaboff@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121732
      
      Reviewed by Geoffrey Garen.
      
      This is a refactoring change.  Changed VirtualRegister from an enum to a class.
      Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand()
      and the similar functions for locals to VirtualRegister class.
      
      This is in preparation for changing the offset for the first local register from
      0 to -1.  This is needed since most native calling conventions have the architected
      frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame
      pointer.  Local values start below that address.
      
      * bytecode/CodeBlock.cpp:
      * bytecode/CodeBlock.h:
      * bytecode/Instruction.h:
      * bytecode/LazyOperandValueProfile.h:
      * bytecode/MethodOfGettingAValueProfile.cpp:
      * bytecode/Operands.h:
      * bytecode/UnlinkedCodeBlock.cpp:
      * bytecode/UnlinkedCodeBlock.h:
      * bytecode/ValueRecovery.h:
      * bytecode/VirtualRegister.h:
      * bytecompiler/BytecodeGenerator.cpp:
      * bytecompiler/BytecodeGenerator.h:
      * bytecompiler/RegisterID.h:
      * debugger/DebuggerCallFrame.cpp:
      * dfg/DFGAbstractHeap.h:
      * dfg/DFGAbstractInterpreterInlines.h:
      * dfg/DFGArgumentPosition.h:
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      * dfg/DFGByteCodeParser.cpp:
      * dfg/DFGCFGSimplificationPhase.cpp:
      * dfg/DFGCPSRethreadingPhase.cpp:
      * dfg/DFGCapabilities.cpp:
      * dfg/DFGConstantFoldingPhase.cpp:
      * dfg/DFGFlushLivenessAnalysisPhase.cpp:
      * dfg/DFGGraph.cpp:
      * dfg/DFGGraph.h:
      * dfg/DFGJITCode.cpp:
      * dfg/DFGNode.h:
      * dfg/DFGOSREntry.cpp:
      * dfg/DFGOSREntrypointCreationPhase.cpp:
      * dfg/DFGOSRExit.h:
      * dfg/DFGOSRExitCompiler32_64.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      * dfg/DFGRegisterBank.h:
      * dfg/DFGScoreBoard.h:
      * dfg/DFGSpeculativeJIT.cpp:
      * dfg/DFGSpeculativeJIT.h:
      * dfg/DFGSpeculativeJIT64.cpp:
      * dfg/DFGValidate.cpp:
      * dfg/DFGValueRecoveryOverride.h:
      * dfg/DFGVariableAccessData.h:
      * dfg/DFGVariableEvent.h:
      * dfg/DFGVariableEventStream.cpp:
      * dfg/DFGVirtualRegisterAllocationPhase.cpp:
      * ftl/FTLExitArgumentForOperand.h:
      * ftl/FTLLink.cpp:
      * ftl/FTLLowerDFGToLLVM.cpp:
      * ftl/FTLOSREntry.cpp:
      * ftl/FTLOSRExit.cpp:
      * ftl/FTLOSRExit.h:
      * ftl/FTLOSRExitCompiler.cpp:
      * interpreter/CallFrame.h:
      * interpreter/Interpreter.cpp:
      * jit/AssemblyHelpers.h:
      * jit/JIT.h:
      * jit/JITCall.cpp:
      * jit/JITInlines.h:
      * jit/JITOpcodes.cpp:
      * jit/JITOpcodes32_64.cpp:
      * jit/JITStubs.cpp:
      * llint/LLIntSlowPaths.cpp:
      * profiler/ProfilerBytecodeSequence.cpp:
      * runtime/CommonSlowPaths.cpp:
      * runtime/JSActivation.cpp:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156474 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1796ad0f
  26. 21 Sep, 2013 2 commits
    • fpizlo@apple.com's avatar
      Unreviewed, revert http://trac.webkit.org/changeset/156235. It won't work on Windows. · da4645e1
      fpizlo@apple.com authored
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CallLinkInfo.cpp:
      (JSC::CallLinkInfo::unlink):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::resetStubInternal):
      * bytecode/StructureStubInfo.h:
      * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
      (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
      (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
      * dfg/DFGJITCompiler.h:
      * dfg/DFGOSRExitCompiler.h:
      * dfg/DFGOperations.cpp:
      (JSC::DFG::operationPutByValInternal):
      * dfg/DFGOperations.h:
      (JSC::DFG::operationNewTypedArrayWithSizeForType):
      (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
      * dfg/DFGRegisterSet.h: Added.
      (JSC::DFG::RegisterSet::RegisterSet):
      (JSC::DFG::RegisterSet::asPOD):
      (JSC::DFG::RegisterSet::copyInfo):
      (JSC::DFG::RegisterSet::set):
      (JSC::DFG::RegisterSet::setGPRByIndex):
      (JSC::DFG::RegisterSet::clear):
      (JSC::DFG::RegisterSet::get):
      (JSC::DFG::RegisterSet::getGPRByIndex):
      (JSC::DFG::RegisterSet::getFreeGPR):
      (JSC::DFG::RegisterSet::setFPRByIndex):
      (JSC::DFG::RegisterSet::getFPRByIndex):
      (JSC::DFG::RegisterSet::setByIndex):
      (JSC::DFG::RegisterSet::getByIndex):
      (JSC::DFG::RegisterSet::numberOfSetGPRs):
      (JSC::DFG::RegisterSet::numberOfSetFPRs):
      (JSC::DFG::RegisterSet::numberOfSetRegisters):
      (JSC::DFG::RegisterSet::setBit):
      (JSC::DFG::RegisterSet::clearBit):
      (JSC::DFG::RegisterSet::getBit):
      * dfg/DFGRepatch.cpp: Added.
      (JSC::DFG::repatchCall):
      (JSC::DFG::repatchByIdSelfAccess):
      (JSC::DFG::addStructureTransitionCheck):
      (JSC::DFG::replaceWithJump):
      (JSC::DFG::emitRestoreScratch):
      (JSC::DFG::linkRestoreScratch):
      (JSC::DFG::generateProtoChainAccessStub):
      (JSC::DFG::tryCacheGetByID):
      (JSC::DFG::repatchGetByID):
      (JSC::DFG::getPolymorphicStructureList):
      (JSC::DFG::patchJumpToGetByIdStub):
      (JSC::DFG::tryBuildGetByIDList):
      (JSC::DFG::buildGetByIDList):
      (JSC::DFG::appropriateGenericPutByIdFunction):
      (JSC::DFG::appropriateListBuildingPutByIdFunction):
      (JSC::DFG::emitPutReplaceStub):
      (JSC::DFG::emitPutTransitionStub):
      (JSC::DFG::tryCachePutByID):
      (JSC::DFG::repatchPutByID):
      (JSC::DFG::tryBuildPutByIdList):
      (JSC::DFG::buildPutByIdList):
      (JSC::DFG::tryRepatchIn):
      (JSC::DFG::repatchIn):
      (JSC::DFG::linkSlowFor):
      (JSC::DFG::linkFor):
      (JSC::DFG::linkClosureCall):
      (JSC::DFG::resetGetByID):
      (JSC::DFG::resetPutByID):
      (JSC::DFG::resetIn):
      * dfg/DFGRepatch.h: Added.
      (JSC::DFG::resetGetByID):
      (JSC::DFG::resetPutByID):
      (JSC::DFG::resetIn):
      * dfg/DFGScratchRegisterAllocator.h: Added.
      (JSC::DFG::ScratchRegisterAllocator::ScratchRegisterAllocator):
      (JSC::DFG::ScratchRegisterAllocator::lock):
      (JSC::DFG::ScratchRegisterAllocator::allocateScratch):
      (JSC::DFG::ScratchRegisterAllocator::allocateScratchGPR):
      (JSC::DFG::ScratchRegisterAllocator::allocateScratchFPR):
      (JSC::DFG::ScratchRegisterAllocator::didReuseRegisters):
      (JSC::DFG::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
      (JSC::DFG::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
      (JSC::DFG::ScratchRegisterAllocator::desiredScratchBufferSize):
      (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
      (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::writeBarrier):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compare):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
      (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
      (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGThunks.cpp:
      (JSC::DFG::emitPointerValidation):
      (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
      (JSC::DFG::slowPathFor):
      (JSC::DFG::linkForThunkGenerator):
      (JSC::DFG::linkCallThunkGenerator):
      (JSC::DFG::linkConstructThunkGenerator):
      (JSC::DFG::linkClosureCallThunkGenerator):
      (JSC::DFG::virtualForThunkGenerator):
      (JSC::DFG::virtualCallThunkGenerator):
      (JSC::DFG::virtualConstructThunkGenerator):
      * dfg/DFGThunks.h:
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
      * ftl/FTLOSRExitCompiler.h:
      * jit/AssemblyHelpers.h:
      * jit/JIT.cpp:
      (JSC::JIT::linkFor):
      (JSC::JIT::linkSlowCall):
      * jit/JITCall.cpp:
      (JSC::JIT::compileCallEvalSlowCase):
      (JSC::JIT::compileOpCallSlowCase):
      (JSC::JIT::privateCompileClosureCall):
      * jit/JITCall32_64.cpp:
      (JSC::JIT::compileCallEvalSlowCase):
      (JSC::JIT::compileOpCallSlowCase):
      (JSC::JIT::privateCompileClosureCall):
      * jit/JITOperationWrappers.h: Removed.
      * jit/JITOperations.cpp: Removed.
      * jit/JITOperations.h: Removed.
      * jit/RegisterSet.h: Removed.
      * jit/Repatch.cpp: Removed.
      * jit/Repatch.h: Removed.
      * jit/ScratchRegisterAllocator.h: Removed.
      * jit/ThunkGenerators.cpp:
      (JSC::generateSlowCaseFor):
      (JSC::linkForGenerator):
      (JSC::linkCallGenerator):
      (JSC::linkConstructGenerator):
      (JSC::linkClosureCallGenerator):
      (JSC::virtualForGenerator):
      (JSC::virtualCallGenerator):
      (JSC::virtualConstructGenerator):
      * jit/ThunkGenerators.h:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156237 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      da4645e1
    • fpizlo@apple.com's avatar
      Move DFG inline caching logic into jit/ · 4513333c
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121749
      
      Rubber stamped by Sam Weinig.
              
      We want to get rid of the baseline JIT's inline caching machinery and have it use the
      DFG's instead. But before we do that we need to move the DFG's inline caching machine
      out from behind its ENABLE(DFG_JIT) guards and make it available to the whole system.
      This patch does that:
              
      - dfg/DFGRepatch becomes jit/Repatch.
              
      - The thunks used by the DFG IC go into jit/ThunkGenerators, instead of dfg/DFGThunks.
              
      - The operations used by the DFG IC go into jit/JITOperations, instead of
        dfg/DFGOperations.
              
      - The old JIT's thunk generators for calls are renamed to reduce confusion. Previously
        it was easy to know which generators belong to which JIT because the old JIT used
        JSC::virtualCallBlah and the DFG used JSC::DFG::virtualCallBlah, but that's not the
        case anymore. Note that the old JIT's thunk generators will die in a future patch.
              
      No functional changes beyond those moves.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CallLinkInfo.cpp:
      (JSC::CallLinkInfo::unlink):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::resetStubInternal):
      * bytecode/StructureStubInfo.h:
      * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
      (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
      (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
      * dfg/DFGJITCompiler.h:
      * dfg/DFGOSRExitCompiler.h:
      * dfg/DFGOperations.cpp:
      (JSC::DFG::operationPutByValInternal):
      * dfg/DFGOperations.h:
      (JSC::DFG::operationNewTypedArrayWithSizeForType):
      (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
      * dfg/DFGRegisterSet.h: Removed.
      * dfg/DFGRepatch.cpp: Removed.
      * dfg/DFGRepatch.h: Removed.
      * dfg/DFGScratchRegisterAllocator.h: Removed.
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compare):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
      (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
      (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
      (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGThunks.cpp:
      * dfg/DFGThunks.h:
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
      * jit/AssemblyHelpers.h:
      (JSC::AssemblyHelpers::writeBarrier):
      * jit/JIT.cpp:
      (JSC::JIT::linkFor):
      (JSC::JIT::linkSlowCall):
      * jit/JITCall.cpp:
      (JSC::JIT::compileCallEval):
      (JSC::JIT::compileCallEvalSlowCase):
      (JSC::JIT::compileOpCallSlowCase):
      (JSC::JIT::privateCompileClosureCall):
      * jit/JITCall32_64.cpp:
      (JSC::JIT::compileCallEvalSlowCase):
      (JSC::JIT::compileOpCallSlowCase):
      (JSC::JIT::privateCompileClosureCall):
      * jit/JITOperationWrappers.h: Added.
      * jit/JITOperations.cpp: Added.
      * jit/JITOperations.h: Added.
      * jit/RegisterSet.h: Added.
      (JSC::RegisterSet::RegisterSet):
      (JSC::RegisterSet::asPOD):
      (JSC::RegisterSet::copyInfo):
      (JSC::RegisterSet::set):
      (JSC::RegisterSet::setGPRByIndex):
      (JSC::RegisterSet::clear):
      (JSC::RegisterSet::get):
      (JSC::RegisterSet::getGPRByIndex):
      (JSC::RegisterSet::getFreeGPR):
      (JSC::RegisterSet::setFPRByIndex):
      (JSC::RegisterSet::getFPRByIndex):
      (JSC::RegisterSet::setByIndex):
      (JSC::RegisterSet::getByIndex):
      (JSC::RegisterSet::numberOfSetGPRs):
      (JSC::RegisterSet::numberOfSetFPRs):
      (JSC::RegisterSet::numberOfSetRegisters):
      (JSC::RegisterSet::setBit):
      (JSC::RegisterSet::clearBit):
      (JSC::RegisterSet::getBit):
      * jit/Repatch.cpp: Added.
      (JSC::repatchCall):
      (JSC::repatchByIdSelfAccess):
      (JSC::addStructureTransitionCheck):
      (JSC::replaceWithJump):
      (JSC::emitRestoreScratch):
      (JSC::linkRestoreScratch):
      (JSC::generateProtoChainAccessStub):
      (JSC::tryCacheGetByID):
      (JSC::repatchGetByID):
      (JSC::getPolymorphicStructureList):
      (JSC::patchJumpToGetByIdStub):
      (JSC::tryBuildGetByIDList):
      (JSC::buildGetByIDList):
      (JSC::appropriateGenericPutByIdFunction):
      (JSC::appropriateListBuildingPutByIdFunction):
      (JSC::emitPutReplaceStub):
      (JSC::emitPutTransitionStub):
      (JSC::tryCachePutByID):
      (JSC::repatchPutByID):
      (JSC::tryBuildPutByIdList):
      (JSC::buildPutByIdList):
      (JSC::tryRepatchIn):
      (JSC::repatchIn):
      (JSC::linkSlowFor):
      (JSC::linkFor):
      (JSC::linkClosureCall):
      (JSC::resetGetByID):
      (JSC::resetPutByID):
      (JSC::resetIn):
      * jit/Repatch.h: Added.
      (JSC::resetGetByID):
      (JSC::resetPutByID):
      (JSC::resetIn):
      * jit/ScratchRegisterAllocator.h: Added.
      (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
      (JSC::ScratchRegisterAllocator::lock):
      (JSC::ScratchRegisterAllocator::allocateScratch):
      (JSC::ScratchRegisterAllocator::allocateScratchGPR):
      (JSC::ScratchRegisterAllocator::allocateScratchFPR):
      (JSC::ScratchRegisterAllocator::didReuseRegisters):
      (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
      (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
      (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
      (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
      (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
      * jit/ThunkGenerators.cpp:
      (JSC::oldStyleGenerateSlowCaseFor):
      (JSC::oldStyleLinkForGenerator):
      (JSC::oldStyleLinkCallGenerator):
      (JSC::oldStyleLinkConstructGenerator):
      (JSC::oldStyleLinkClosureCallGenerator):
      (JSC::oldStyleVirtualForGenerator):
      (JSC::oldStyleVirtualCallGenerator):
      (JSC::oldStyleVirtualConstructGenerator):
      (JSC::emitPointerValidation):
      (JSC::throwExceptionFromCallSlowPathGenerator):
      (JSC::slowPathFor):
      (JSC::linkForThunkGenerator):
      (JSC::linkCallThunkGenerator):
      (JSC::linkConstructThunkGenerator):
      (JSC::linkClosureCallThunkGenerator):
      (JSC::virtualForThunkGenerator):
      (JSC::virtualCallThunkGenerator):
      (JSC::virtualConstructThunkGenerator):
      * jit/ThunkGenerators.h:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156235 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4513333c
  27. 18 Sep, 2013 2 commits
    • fpizlo@apple.com's avatar
      DFG should support Int52 for local variables · 6921b29b
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121064
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
      programs that have local int32 overflows but where a larger int representation can
      prevent us from having to convert all the way up to double.
              
      It's a small speed-up for now. But we're just supporting Int52 for a handful of
      operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
      the groundwork for adding Int52 to JSValue, which will probably be a bigger
      speed-up.
              
      The basic approach is:
              
      - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
        or HeapTop - i.e. it doesn't arise from JSValues.
              
      - DFG treats Int52 as being part of its FullTop and will treat it as being a
        subtype of double unless instructed otherwise.
              
      - Prediction propagator creates Int52s whenever we have a node going doubly but due
        to large values rather than fractional values, and that node is known to be able
        to produce Int52 natively in the DFG backend.
              
      - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
        to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
        input.
              
      - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
        are left-shifted by 16 (great for overflow checks) and ones that are
        sign-extended. Both backends know how to convert between Int52s and the other
        representations.
      
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::rshift64):
      (JSC::MacroAssemblerX86_64::mul64):
      (JSC::MacroAssemblerX86_64::branchMul64):
      (JSC::MacroAssemblerX86_64::branchNeg64):
      (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::imulq_rr):
      (JSC::X86Assembler::cvtsi2sdq_rr):
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * bytecode/OperandsInlines.h:
      (JSC::::dumpInContext):
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isInt32SpeculationForArithmetic):
      (JSC::isInt52Speculation):
      (JSC::isMachineIntSpeculationForArithmetic):
      (JSC::isInt52AsDoubleSpeculation):
      (JSC::isBytecodeRealNumberSpeculation):
      (JSC::isFullRealNumberSpeculation):
      (JSC::isBytecodeNumberSpeculation):
      (JSC::isFullNumberSpeculation):
      (JSC::isBytecodeNumberSpeculationExpectingDefined):
      (JSC::isFullNumberSpeculationExpectingDefined):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
      (JSC::ValueRecovery::inGPR):
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::isAlreadyInJSStack):
      (JSC::ValueRecovery::gpr):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAbstractInterpreter.h:
      (JSC::DFG::AbstractInterpreter::needsTypeCheck):
      (JSC::DFG::AbstractInterpreter::filterByType):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::checkConsistency):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::couldBeType):
      (JSC::DFG::AbstractValue::isType):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::validateType):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::refine):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::boxInt52):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::makeSafe):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGCommon.h:
      (JSC::DFG::enableInt52):
      * dfg/DFGDCEPhase.cpp:
      (JSC::DFG::DCEPhase::fixupBlock):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
      (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      (JSC::DFG::FixupPhase::fixEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
      * dfg/DFGFlushFormat.cpp:
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::GenerationInfo::initInt52):
      (JSC::DFG::GenerationInfo::initStrictInt52):
      (JSC::DFG::GenerationInfo::isFormat):
      (JSC::DFG::GenerationInfo::isInt52):
      (JSC::DFG::GenerationInfo::isStrictInt52):
      (JSC::DFG::GenerationInfo::fillInt52):
      (JSC::DFG::GenerationInfo::fillStrictInt52):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addShouldSpeculateMachineInt):
      (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
      (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::noticeOSREntry):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::hasChild):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
      (JSC::DFG::Node::canSpeculateInt52):
      * dfg/DFGNodeFlags.h:
      (JSC::DFG::nodeCanSpeculateInt52):
      * dfg/DFGNodeType.h:
      (JSC::DFG::permitsOSRBackwardRewiring):
      (JSC::DFG::forwardRewiringSelectionScore):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGOSREntry.h:
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::SafeToExecuteEdge::operator()):
      (JSC::DFG::safeToExecute):
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::speculateMachineInt):
      (JSC::DFG::SpeculativeJIT::speculateNumber):
      (JSC::DFG::SpeculativeJIT::speculateRealNumber):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::canReuse):
      (JSC::DFG::SpeculativeJIT::isFilled):
      (JSC::DFG::SpeculativeJIT::isFilledDouble):
      (JSC::DFG::SpeculativeJIT::use):
      (JSC::DFG::SpeculativeJIT::isKnownInteger):
      (JSC::DFG::SpeculativeJIT::isKnownCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
      (JSC::DFG::SpeculativeJIT::int52Result):
      (JSC::DFG::SpeculativeJIT::strictInt52Result):
      (JSC::DFG::SpeculativeJIT::initConstantInfo):
      (JSC::DFG::SpeculativeJIT::isInteger):
      (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
      (JSC::DFG::SpeculativeJIT::generationInfo):
      (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::edge):
      (JSC::DFG::SpeculateInt52Operand::node):
      (JSC::DFG::SpeculateInt52Operand::gpr):
      (JSC::DFG::SpeculateInt52Operand::use):
      (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::edge):
      (JSC::DFG::SpeculateStrictInt52Operand::node):
      (JSC::DFG::SpeculateStrictInt52Operand::gpr):
      (JSC::DFG::SpeculateStrictInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
      (JSC::DFG::SpeculateWhicheverInt52Operand::node):
      (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
      (JSC::DFG::SpeculateWhicheverInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::format):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::boxInt52):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compileInt52Compare):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isNumerical):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::dataFormatToValueSourceKind):
      (JSC::DFG::valueSourceKindToDataFormat):
      (JSC::DFG::ValueSource::forFlushFormat):
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::flushFormat):
      * ftl/FTLCArgumentGetter.cpp:
      (JSC::FTL::CArgumentGetter::loadNextAndBox):
      * ftl/FTLCArgumentGetter.h:
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      * ftl/FTLExitValue.h:
      (JSC::FTL::ExitValue::inJSStackAsInt52):
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
      (JSC::FTL::LowerDFGToLLVM::compilePhi):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      (JSC::FTL::LowerDFGToLLVM::lowInt32):
      (JSC::FTL::LowerDFGToLLVM::lowInt52):
      (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
      (JSC::FTL::LowerDFGToLLVM::opposite):
      (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
      (JSC::FTL::LowerDFGToLLVM::lowCell):
      (JSC::FTL::LowerDFGToLLVM::lowBoolean):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
      (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
      (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::setInt52):
      (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::addWithOverflow64):
      (JSC::FTL::Output::subWithOverflow64):
      (JSC::FTL::Output::mulWithOverflow64):
      * ftl/FTLValueFormat.cpp:
      (WTF::printInternal):
      * ftl/FTLValueFormat.h:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      * interpreter/Register.h:
      (JSC::Register::unboxedInt52):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      * runtime/JSCJSValue.h:
      * runtime/JSCJSValueInlines.h:
      (JSC::JSValue::isMachineInt):
      (JSC::JSValue::asMachineInt):
      
      Source/WTF: 
      
      Reviewed by Oliver Hunt.
      
      * wtf/PrintStream.h:
      (WTF::ValueIgnoringContext::ValueIgnoringContext):
      (WTF::ValueIgnoringContext::dump):
      (WTF::ignoringContext):
      
      Tools: 
      
      Reviewed by Oliver Hunt.
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * js/dfg-int-overflow-large-constants-in-a-line-expected.txt:
      * js/regress/large-int-captured-expected.txt: Added.
      * js/regress/large-int-captured.html: Added.
      * js/regress/large-int-expected.txt: Added.
      * js/regress/large-int-neg-expected.txt: Added.
      * js/regress/large-int-neg.html: Added.
      * js/regress/large-int.html: Added.
      * js/regress/marsaglia-larger-ints-expected.txt: Added.
      * js/regress/marsaglia-larger-ints.html: Added.
      * js/regress/script-tests/large-int-captured.js: Added.
      (.bar):
      (foo):
      * js/regress/script-tests/large-int-neg.js: Added.
      (foo):
      * js/regress/script-tests/large-int.js: Added.
      (foo):
      * js/regress/script-tests/marsaglia-larger-ints.js: Added.
      (uint):
      (marsaglia):
      * js/script-tests/dfg-int-overflow-large-constants-in-a-line.js:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156047 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6921b29b
    • commit-queue@webkit.org's avatar
      Unreviewed, rolling out r156019 and r156020. · 92c67000
      commit-queue@webkit.org authored
      http://trac.webkit.org/changeset/156019
      http://trac.webkit.org/changeset/156020
      https://bugs.webkit.org/show_bug.cgi?id=121540
      
      Broke tests (Requested by ap on #webkit).
      
      Source/JavaScriptCore:
      
      * assembler/MacroAssemblerX86_64.h:
      * assembler/X86Assembler.h:
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * bytecode/ExitKind.cpp:
      (JSC::exitKindToString):
      * bytecode/ExitKind.h:
      * bytecode/OperandsInlines.h:
      (JSC::::dumpInContext):
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isInt32SpeculationForArithmetic):
      (JSC::isInt48Speculation):
      (JSC::isMachineIntSpeculationForArithmetic):
      (JSC::isInt48AsDoubleSpeculation):
      (JSC::isRealNumberSpeculation):
      (JSC::isNumberSpeculation):
      (JSC::isNumberSpeculationExpectingDefined):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::inGPR):
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::isAlreadyInJSStack):
      (JSC::ValueRecovery::gpr):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAbstractInterpreter.h:
      (JSC::DFG::AbstractInterpreter::needsTypeCheck):
      (JSC::DFG::AbstractInterpreter::filterByType):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::checkConsistency):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::validateType):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::refine):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::unboxDouble):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::makeSafe):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::canonicalize):
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGCommon.h:
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      (JSC::DFG::FixupPhase::fixEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
      * dfg/DFGFlushFormat.cpp:
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::GenerationInfo::initInt32):
      (JSC::DFG::GenerationInfo::fillInt32):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addShouldSpeculateMachineInt):
      (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
      (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::hasChild):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
      (JSC::DFG::Node::canSpeculateInt48):
      * dfg/DFGNodeFlags.h:
      (JSC::DFG::nodeCanSpeculateInt48):
      * dfg/DFGNodeType.h:
      (JSC::DFG::forwardRewiringSelectionScore):
      * dfg/DFGOSRExitCompiler.cpp:
      (JSC::DFG::shortOperandsDump):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::SafeToExecuteEdge::operator()):
      (JSC::DFG::safeToExecute):
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::speculateNumber):
      (JSC::DFG::SpeculativeJIT::speculateRealNumber):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::canReuse):
      (JSC::DFG::SpeculativeJIT::isFilled):
      (JSC::DFG::SpeculativeJIT::isFilledDouble):
      (JSC::DFG::SpeculativeJIT::use):
      (JSC::DFG::SpeculativeJIT::boxDouble):
      (JSC::DFG::SpeculativeJIT::isKnownInteger):
      (JSC::DFG::SpeculativeJIT::isKnownCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
      (JSC::DFG::SpeculativeJIT::int32Result):
      (JSC::DFG::SpeculativeJIT::initConstantInfo):
      (JSC::DFG::SpeculativeJIT::isInteger):
      (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isNumerical):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::dataFormatToValueSourceKind):
      (JSC::DFG::valueSourceKindToDataFormat):
      (JSC::DFG::ValueSource::forFlushFormat):
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::flushFormat):
      * ftl/FTLCArgumentGetter.cpp:
      (JSC::FTL::CArgumentGetter::loadNextAndBox):
      * ftl/FTLCArgumentGetter.h:
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      * ftl/FTLExitValue.h:
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
      (JSC::FTL::LowerDFGToLLVM::compilePhi):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      (JSC::FTL::LowerDFGToLLVM::lowInt32):
      (JSC::FTL::LowerDFGToLLVM::lowCell):
      (JSC::FTL::LowerDFGToLLVM::lowBoolean):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::setInt32):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::mulWithOverflow32):
      * ftl/FTLValueFormat.cpp:
      (WTF::printInternal):
      * ftl/FTLValueFormat.h:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      * interpreter/Register.h:
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      * runtime/JSCJSValue.h:
      * runtime/JSCJSValueInlines.h:
      
      Source/WTF:
      
      * wtf/PrintStream.h:
      
      Tools:
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests:
      
      * js/regress/large-int-captured-expected.txt: Removed.
      * js/regress/large-int-captured.html: Removed.
      * js/regress/large-int-expected.txt: Removed.
      * js/regress/large-int-neg-expected.txt: Removed.
      * js/regress/large-int-neg.html: Removed.
      * js/regress/large-int.html: Removed.
      * js/regress/marsaglia-larger-ints-expected.txt: Removed.
      * js/regress/marsaglia-larger-ints.html: Removed.
      * js/regress/script-tests/large-int-captured.js: Removed.
      * js/regress/script-tests/large-int-neg.js: Removed.
      * js/regress/script-tests/large-int.js: Removed.
      * js/regress/script-tests/marsaglia-larger-ints.js: Removed.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156029 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      92c67000
  28. 17 Sep, 2013 1 commit
    • fpizlo@apple.com's avatar
      DFG should support Int52 for local variables · 4c466ec6
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=121064
      
      Source/JavaScriptCore: 
      
      Reviewed by Oliver Hunt.
              
      This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
      programs that have local int32 overflows but where a larger int representation can
      prevent us from having to convert all the way up to double.
              
      It's a small speed-up for now. But we're just supporting Int52 for a handful of
      operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
      the groundwork for adding Int52 to JSValue, which will probably be a bigger
      speed-up.
              
      The basic approach is:
              
      - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
        or HeapTop - i.e. it doesn't arise from JSValues.
              
      - DFG treats Int52 as being part of its FullTop and will treat it as being a
        subtype of double unless instructed otherwise.
              
      - Prediction propagator creates Int52s whenever we have a node going doubly but due
        to large values rather than fractional values, and that node is known to be able
        to produce Int52 natively in the DFG backend.
              
      - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
        to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
        input.
              
      - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
        are left-shifted by 16 (great for overflow checks) and ones that are
        sign-extended. Both backends know how to convert between Int52s and the other
        representations.
      
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::rshift64):
      (JSC::MacroAssemblerX86_64::mul64):
      (JSC::MacroAssemblerX86_64::branchMul64):
      (JSC::MacroAssemblerX86_64::branchNeg64):
      (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::imulq_rr):
      (JSC::X86Assembler::cvtsi2sdq_rr):
      * bytecode/DataFormat.h:
      (JSC::dataFormatToString):
      * bytecode/OperandsInlines.h:
      (JSC::::dumpInContext):
      * bytecode/SpeculatedType.cpp:
      (JSC::dumpSpeculation):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h:
      (JSC::isInt32SpeculationForArithmetic):
      (JSC::isMachineIntSpeculationForArithmetic):
      (JSC::isBytecodeRealNumberSpeculation):
      (JSC::isFullRealNumberSpeculation):
      (JSC::isBytecodeNumberSpeculation):
      (JSC::isFullNumberSpeculation):
      (JSC::isBytecodeNumberSpeculationExpectingDefined):
      (JSC::isFullNumberSpeculationExpectingDefined):
      * bytecode/ValueRecovery.h:
      (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
      (JSC::ValueRecovery::inGPR):
      (JSC::ValueRecovery::displacedInJSStack):
      (JSC::ValueRecovery::isAlreadyInJSStack):
      (JSC::ValueRecovery::gpr):
      (JSC::ValueRecovery::virtualRegister):
      (JSC::ValueRecovery::dumpInContext):
      * dfg/DFGAbstractInterpreter.h:
      (JSC::DFG::AbstractInterpreter::needsTypeCheck):
      (JSC::DFG::AbstractInterpreter::filterByType):
      * dfg/DFGAbstractInterpreterInlines.h:
      (JSC::DFG::::executeEffects):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::checkConsistency):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::couldBeType):
      (JSC::DFG::AbstractValue::isType):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::validateType):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::ArrayMode::refine):
      * dfg/DFGAssemblyHelpers.h:
      (JSC::DFG::AssemblyHelpers::boxInt52):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::pureCSE):
      (JSC::DFG::CSEPhase::getByValLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGClobberize.h:
      (JSC::DFG::clobberize):
      * dfg/DFGCommon.h:
      (JSC::DFG::enableInt52):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::run):
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
      (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
      (JSC::DFG::FixupPhase::observeUseKindOnNode):
      (JSC::DFG::FixupPhase::fixEdge):
      (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
      (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
      * dfg/DFGFlushFormat.cpp:
      (WTF::printInternal):
      * dfg/DFGFlushFormat.h:
      (JSC::DFG::resultFor):
      (JSC::DFG::useKindFor):
      * dfg/DFGGenerationInfo.h:
      (JSC::DFG::GenerationInfo::initInt52):
      (JSC::DFG::GenerationInfo::initStrictInt52):
      (JSC::DFG::GenerationInfo::isFormat):
      (JSC::DFG::GenerationInfo::isInt52):
      (JSC::DFG::GenerationInfo::isStrictInt52):
      (JSC::DFG::GenerationInfo::fillInt52):
      (JSC::DFG::GenerationInfo::fillStrictInt52):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addShouldSpeculateMachineInt):
      (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
      (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
      * dfg/DFGInPlaceAbstractState.cpp:
      (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
      * dfg/DFGJITCode.cpp:
      (JSC::DFG::JITCode::reconstruct):
      * dfg/DFGMinifiedNode.h:
      (JSC::DFG::belongsInMinifiedGraph):
      (JSC::DFG::MinifiedNode::hasChild):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
      * dfg/DFGNodeFlags.h:
      * dfg/DFGNodeType.h:
      (JSC::DFG::forwardRewiringSelectionScore):
      * dfg/DFGOSRExitCompiler.cpp:
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
      * dfg/DFGSafeToExecute.h:
      (JSC::DFG::SafeToExecuteEdge::operator()):
      (JSC::DFG::safeToExecute):
      * dfg/DFGSilentRegisterSavePlan.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
      (JSC::DFG::SpeculativeJIT::silentFill):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compileInlineStart):
      (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::speculateMachineInt):
      (JSC::DFG::SpeculativeJIT::speculateNumber):
      (JSC::DFG::SpeculativeJIT::speculateRealNumber):
      (JSC::DFG::SpeculativeJIT::speculate):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::canReuse):
      (JSC::DFG::SpeculativeJIT::isFilled):
      (JSC::DFG::SpeculativeJIT::isFilledDouble):
      (JSC::DFG::SpeculativeJIT::use):
      (JSC::DFG::SpeculativeJIT::isKnownInteger):
      (JSC::DFG::SpeculativeJIT::isKnownCell):
      (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
      (JSC::DFG::SpeculativeJIT::int52Result):
      (JSC::DFG::SpeculativeJIT::strictInt52Result):
      (JSC::DFG::SpeculativeJIT::initConstantInfo):
      (JSC::DFG::SpeculativeJIT::isInteger):
      (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
      (JSC::DFG::SpeculativeJIT::generationInfo):
      (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
      (JSC::DFG::SpeculateInt52Operand::edge):
      (JSC::DFG::SpeculateInt52Operand::node):
      (JSC::DFG::SpeculateInt52Operand::gpr):
      (JSC::DFG::SpeculateInt52Operand::use):
      (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
      (JSC::DFG::SpeculateStrictInt52Operand::edge):
      (JSC::DFG::SpeculateStrictInt52Operand::node):
      (JSC::DFG::SpeculateStrictInt52Operand::gpr):
      (JSC::DFG::SpeculateStrictInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
      (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
      (JSC::DFG::SpeculateWhicheverInt52Operand::node):
      (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
      (JSC::DFG::SpeculateWhicheverInt52Operand::use):
      (JSC::DFG::SpeculateWhicheverInt52Operand::format):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::boxInt52):
      (JSC::DFG::SpeculativeJIT::fillJSValue):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
      (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
      (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
      (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
      (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
      (JSC::DFG::SpeculativeJIT::compileInt52Compare):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGUseKind.cpp:
      (WTF::printInternal):
      * dfg/DFGUseKind.h:
      (JSC::DFG::typeFilterFor):
      (JSC::DFG::isNumerical):
      * dfg/DFGValueSource.cpp:
      (JSC::DFG::ValueSource::dump):
      * dfg/DFGValueSource.h:
      (JSC::DFG::dataFormatToValueSourceKind):
      (JSC::DFG::valueSourceKindToDataFormat):
      (JSC::DFG::ValueSource::forFlushFormat):
      (JSC::DFG::ValueSource::valueRecovery):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::flushFormat):
      * ftl/FTLCArgumentGetter.cpp:
      (JSC::FTL::CArgumentGetter::loadNextAndBox):
      * ftl/FTLCArgumentGetter.h:
      * ftl/FTLCapabilities.cpp:
      (JSC::FTL::canCompile):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      * ftl/FTLExitValue.h:
      (JSC::FTL::ExitValue::inJSStackAsInt52):
      * ftl/FTLIntrinsicRepository.h:
      * ftl/FTLLowerDFGToLLVM.cpp:
      (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
      (JSC::FTL::LowerDFGToLLVM::compileNode):
      (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
      (JSC::FTL::LowerDFGToLLVM::compilePhi):
      (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
      (JSC::FTL::LowerDFGToLLVM::compileAdd):
      (JSC::FTL::LowerDFGToLLVM::compileArithSub):
      (JSC::FTL::LowerDFGToLLVM::compileArithMul):
      (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
      (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
      (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
      (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
      (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
      (JSC::FTL::LowerDFGToLLVM::lowInt32):
      (JSC::FTL::LowerDFGToLLVM::lowInt52):
      (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
      (JSC::FTL::LowerDFGToLLVM::opposite):
      (JSC::FTL::LowerDFGToLLVM::Int52s::operator[]):
      (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
      (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52s):
      (JSC::FTL::LowerDFGToLLVM::lowOpposingInt52s):
      (JSC::FTL::LowerDFGToLLVM::lowCell):
      (JSC::FTL::LowerDFGToLLVM::lowBoolean):
      (JSC::FTL::LowerDFGToLLVM::lowDouble):
      (JSC::FTL::LowerDFGToLLVM::lowJSValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
      (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
      (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
      (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
      (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
      (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
      (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
      (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
      (JSC::FTL::LowerDFGToLLVM::setInt52):
      (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
      * ftl/FTLOSRExitCompiler.cpp:
      (JSC::FTL::compileStub):
      * ftl/FTLOutput.h:
      (JSC::FTL::Output::addWithOverflow64):
      (JSC::FTL::Output::subWithOverflow64):
      (JSC::FTL::Output::mulWithOverflow64):
      * ftl/FTLValueFormat.cpp:
      (WTF::printInternal):
      * ftl/FTLValueFormat.h:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dump):
      * ftl/FTLValueSource.h:
      * interpreter/Register.h:
      (JSC::Register::unboxedInt52):
      * runtime/Arguments.cpp:
      (JSC::Arguments::tearOffForInlineCallFrame):
      * runtime/IndexingType.cpp:
      (JSC::leastUpperBoundOfIndexingTypeAndType):
      * runtime/JSCJSValue.h:
      * runtime/JSCJSValueInlines.h:
      (JSC::JSValue::isMachineInt):
      (JSC::JSValue::asMachineInt):
      
      Source/WTF: 
      
      Reviewed by Oliver Hunt.
      
      * wtf/PrintStream.h:
      (WTF::ValueIgnoringContext::ValueIgnoringContext):
      (WTF::ValueIgnoringContext::dump):
      (WTF::ignoringContext):
      
      Tools: 
      
      Reviewed by Oliver Hunt.
      
      * Scripts/run-jsc-stress-tests:
      
      LayoutTests: 
      
      Reviewed by Oliver Hunt.
      
      * js/regress/large-int-captured-expected.txt: Added.
      * js/regress/large-int-captured.html: Added.
      * js/regress/large-int-expected.txt: Added.
      * js/regress/large-int-neg-expected.txt: Added.
      * js/regress/large-int-neg.html: Added.
      * js/regress/large-int.html: Added.
      * js/regress/marsaglia-larger-ints-expected.txt: Added.
      * js/regress/marsaglia-larger-ints.html: Added.
      * js/regress/script-tests/large-int-captured.js: Added.
      (.bar):
      (foo):
      * js/regress/script-tests/large-int-neg.js: Added.
      (foo):
      * js/regress/script-tests/large-int.js: Added.
      (foo):
      * js/regress/script-tests/marsaglia-larger-ints.js: Added.
      (uint):
      (marsaglia):
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@156019 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4c466ec6
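The commit message above describes two register forms for Int52 values (a left-shifted form whose overflow is caught by the ordinary 64-bit overflow flag, and a sign-extended "strict" form) and a multiply that takes its operands in opposing forms. The block below is an added illustration of that scheme, not JavaScriptCore's own code: every name in it is invented for the example, the shift of 16 is the one the message states (which leaves 48 value bits in a 64-bit register), and the `doubleIsInt52` check is an assumption about what "a node going doubly due to large values rather than fractional values" has to reject, not a copy of `JSValue::isMachineInt`.

```cpp
// Added illustration of the Int52 register forms described in the commit
// message. NOT JavaScriptCore code: names and helpers are invented here.
// The shift of 16 is taken from the message; 64 - 16 leaves 48 value bits.
#include <cassert>
#include <cmath>
#include <cstdint>

constexpr unsigned kInt52Shift = 16;                                 // from the commit message
constexpr unsigned kValueBits = 64 - kInt52Shift;                    // 48 usable bits
constexpr int64_t kInt52Max = (int64_t{1} << (kValueBits - 1)) - 1;  // 2^47 - 1
constexpr int64_t kInt52Min = -(int64_t{1} << (kValueBits - 1));     // -2^47

struct Int52Result {
    bool ok;        // false: result left the range (a JIT would bail out to the double path)
    int64_t value;  // strict (sign-extended) form when ok
};

inline bool fitsInt52(int64_t v) { return v >= kInt52Min && v <= kInt52Max; }

// Strict -> shifted: value * 2^16, occupying the top 48 bits of the register.
// The unsigned cast avoids the undefined behaviour of shifting a negative int.
inline int64_t strictToShifted(int64_t v) {
    assert(fitsInt52(v));  // the JIT speculates this; here we simply require it
    return static_cast<int64_t>(static_cast<uint64_t>(v) << kInt52Shift);
}

// Shifted -> strict: an arithmetic right shift restores the sign-extended value.
inline int64_t shiftedToStrict(int64_t s) { return s >> kInt52Shift; }

// Add/sub/neg on the shifted form: both operands fill the top 48 bits, so the
// exact result leaves the 48-bit range precisely when the 64-bit operation
// overflows. One hardware overflow flag is therefore the whole range check.
inline Int52Result int52Add(int64_t a, int64_t b) {
    int64_t r;
    if (__builtin_add_overflow(strictToShifted(a), strictToShifted(b), &r))
        return {false, 0};
    return {true, shiftedToStrict(r)};
}

inline Int52Result int52Sub(int64_t a, int64_t b) {
    int64_t r;
    if (__builtin_sub_overflow(strictToShifted(a), strictToShifted(b), &r))
        return {false, 0};
    return {true, shiftedToStrict(r)};
}

inline Int52Result int52Neg(int64_t a) {
    int64_t r;
    if (__builtin_sub_overflow(int64_t{0}, strictToShifted(a), &r))
        return {false, 0};  // only negating kInt52Min trips this: 2^47 does not fit
    return {true, shiftedToStrict(r)};
}

// Multiply: shifted * shifted would carry a factor of 2^32, so one operand is
// used in strict form and the other in shifted form ("opposing" forms).
// p * 2^16 fits in int64 exactly when p fits in 48 bits, so the 64-bit
// overflow check is once more exactly the Int52 range check.
inline Int52Result int52Mul(int64_t a, int64_t b) {
    int64_t r;
    if (__builtin_mul_overflow(strictToShifted(a), b, &r))
        return {false, 0};
    return {true, shiftedToStrict(r)};
}

// Reference check with wide arithmetic (GCC/Clang __int128), used to confirm
// that the shifted-form overflow test agrees with the true 48-bit range.
inline bool referenceFits(__int128 p) { return p >= kInt52Min && p <= kInt52Max; }

// Can a double be handed to the Int52 paths? Only an integral value in range;
// NaN and negative zero are rejected (-0 must stay a double: 1/-0 is -Infinity).
// This is the example's own assumption, not JSC's isMachineInt.
inline bool doubleIsInt52(double d) {
    if (d != d || std::trunc(d) != d) return false;
    if (d == 0 && std::signbit(d)) return false;
    return d >= static_cast<double>(kInt52Min) && d <= static_cast<double>(kInt52Max);
}

int main() {
    // 2^40 + 2^40 overflows int32 but stays an exact integer in the wider form.
    Int52Result r = int52Add(int64_t{1} << 40, int64_t{1} << 40);
    assert(r.ok && r.value == (int64_t{1} << 41));
    assert(!int52Add(kInt52Max, 1).ok);  // would have to become a double
    return 0;
}
```

The point to take from the block is the pairing of representations with operations: add, sub and neg want both operands shifted so the CPU's overflow flag doubles as the range check, while mul wants one shifted and one strict operand for the same reason; the reference check with `__int128` lets you confirm that equivalence on the boundary values.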